Email scams have been around since we were first able to type and click to send a message over the Internet. What’s changed is spammers’ ability to target their scams to increase the chances you, or your employees, will be tricked into sending money or financial information.
Sometimes called spear phishing because, unlike typical phishing, the scammers don’t cast a wide net but instead target a specific individual within an organization, the “CEO scam” is estimated to have netted several billion dollars to date. Here’s how you can spot it and what to do if it happens to you or your business:
How to spot the CEO scam
Typically the fraudster sends an email that impersonates the address of a company executive, such as the president or the CFO, to employees in the accounting or finance department. The email looks like it comes from the senior executive and attempts to trick the employee into wiring money to a third party, using language that makes the request sound urgent and highly confidential. The email address can look authentic too, because scammers register domain names that closely resemble the target’s, such as @yourcompany1.com instead of your real company domain, @yourcompany.com. Scammers can also look up company executives and use their real names to make the emails even more convincing.
For example, the accounting department might receive an email that looks like it’s from their Chief Financial Officer, Tim Smith (firstname.lastname@example.org), instructing them to wire $55,000 to a specific account and stating that the request is urgent. The email also tells them to communicate only by email so as not to infringe on “capital markets regulations” or something similar. The scammer will often follow up to ask for an update on the transfer, re-emphasizing the urgency of the request.
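A small screening check for the indicators just described (lookalike sender domain, an executive’s name used from outside the company, and pressure language in the body), added here as an example and not taken from the original article. It assumes the yourcompany.com domain from the text, a hypothetical executive roster, and a constructed sample message.

```python
"""Screen inbound mail for the CEO-scam indicators described above."""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "yourcompany.com"   # the real domain from the article
EXECUTIVES = {"tim smith": "CFO"}    # hypothetical roster of names a fraudster would borrow
PRESSURE_TERMS = ("urgent", "confidential", "only communicate through email", "wire")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a short distance to the real domain label means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain: str) -> bool:
    """True for yourcompany1.com or yourcornpany.com; False for the real domain or unrelated ones."""
    if domain == COMPANY_DOMAIN:
        return False
    real_label, label = COMPANY_DOMAIN.split(".")[0], domain.split(".")[0]
    return real_label in label or edit_distance(label, real_label) <= 2

def assess(raw_message: str) -> list[str]:
    """Return the CEO-scam indicators found in one raw RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    findings = []
    if lookalike_domain(domain):
        findings.append(f"lookalike sender domain: {domain}")
    if display_name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings.append(f"executive name '{display_name}' used from outside {COMPANY_DOMAIN}")
    hits = [t for t in PRESSURE_TERMS if t in str(msg.get_payload()).lower()]
    if len(hits) >= 2:  # several pressure cues together is the pattern; one alone is routine
        findings.append("pressure language: " + ", ".join(hits))
    return findings

# Constructed sample modelled on the article's scenario (not a real message).
SCAM_MESSAGE = """\
From: Tim Smith <tim.smith@yourcompany1.com>

This is confidential. Wire $55,000 today and only communicate through email
so we do not infringe on capital markets regulations.
"""
```

A finding here is a reason to pick up the phone and verify, as the advice below says, not a verdict on its own.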
How to avoid being scammed
- Educate your employees about this scam and tell them to be skeptical of urgent or suspicious requests made by email. Encourage them to communicate with their manager if they feel a request seems unusual.
- If you, or your employees, have any doubts about an email that looks like it is from someone at your company, contact them directly by phone before responding to ensure the request is legitimate.
- Have policies and controls in place requiring more than one officer to approve fund transfers.
- As a business owner, be careful what you share on social networking sites. Fraudsters can use these sites, and your website, to glean information about you that they can repurpose to target your company.
Sign up for the CBA’s Fraud Prevention newsletter to receive regular updates about frauds and scams and how to protect your money.