Some stories are stranger than fiction.
If impersonating a CEO to extort billions of dollars sounds far-fetched, you know it could only happen in the real world. Business email compromises have become a technique that scammers love — defrauding companies of all sizes and across industries.
In 2018 alone, CEO fraud (as it’s more commonly known) scammed US businesses out of some $300 million.
And that’s every month.
How Scammers Use Emails to Extort
Picture the situation….
You’re sat at your desk, working on your company’s latest financial report when an email from a ‘personal’ address lands in your inbox — but it’s from your CEO.
The message is polite; yet forthright.
“Hayden — we are on the cusp of finalizing a takeover that the executive team has been working on for months. I’m stuck in meetings, so can’t handle this myself. Time is of the essence: please release the funds immediately to avoid delaying the deal.”
The email addresses you by your first name.
It requests that you finalize an urgent transaction. It may even reference FCA regulations and cite ‘the need to exercise absolute discretion.’
….and therein, the trap is set.
A Phone Call Legitimizes the Request
You may be thinking, “No-one would green-light such a transaction without checking it first.”
….but what if you received a phone call from an intermediary of the deal? A purported regulator, an advisor to your executives? An accountant confirming the details of the transfer, calling moments after you reply to query the email?
The sequence of events gives you confidence the deal is legitimate.
Then, a sense of pride washes over: your CEO has trusted you with this task, and so…
You give the nod. You beam with delight, step away from your desk — still maintaining discretion — so it’s not until a few hours later, a day even, that someone questions the ‘significant, unrecognized transaction.’
Only then, it dawns: there was no takeover — you have been duped, and it has cost your firm thousands.
Old Methods Work
Business email compromises still work because they are old-fashioned; not in spite of it.
These days, people are so alert to new-age threats (viruses, malware, ransomware) that dated techniques often slip through the net.
So when fraudsters manage to infiltrate a domain name or find an alternative address to dupe a recipient, their chances of success are alarmingly high. What can you do?
Your best form of defense is simply to be aware.
If you receive an email from a personal address (say, Gmail, Outlook, Yahoo) when you’re at work, disregard it. If someone emails a sensitive request from an external source, query it.
Even if the message suggests 100% legitimacy — using your name, your CEO’s name, follow-up calls with confirmation details — triple-check every last piece of information.
Your Personal Data Is Online
The most effective hacks are those that require no technical expertise. Just an email address, a phone number, and a few personal details — data that anyone can find via a quick Google search.
And that’s why CEO fraud has become so popular: the barrier to entry is disproportionately low versus the payoff.
Hence, it’s always better to exercise caution online by:
- Turning on privacy settings wherever you can
- Keeping work phone numbers and email addresses (and any other information a scammer could leverage) out of the public domain
- Viewing any personal communication received at work with its fair share of skepticism
And even though the technique is old-fashioned, technology brings it into the 21st century: all the scam artist needs to do is create an email address, customize the ‘sent-from’ field and tweak the ‘reply-to’ — and they’ve become the person they claim to be.
But remember: just because someone feigns to know you, it doesn’t mean they do.
Even if the person references colleagues, a department name, the email address of say, a Managing Director — do not immediately trust what you’re reading, and do not feel it impolite to ask questions.
Where Software Can’t Save You, Training Can
When it comes to business email compromises, people are your weakest link.
They know sensitive information; they’re liable to manipulation; they’re often so busy that simple requests can go unchecked.
….and this includes when wiring cash.
To infiltrate a business, a quick check of a company website can suffice: find the ‘Team’ page and the scammer will have their target. A scan of social media, a look at LinkedIn — anyone can unearth the pertinent information they need to add credibility to a claim.
And once a CEO impersonator has done their homework, no amount of security hardware — or software — can keep your business safe.
One single approval: and hundreds-of-thousands of dollars are lost. The good news? You can prevent any fraud from happening with basic training for the whole team:
- Employees — make them aware that CEO fraud is a widespread risk
- CEOs/Managing Directors/Finance Directors — speak to everyone in a position of authority who has direct access to business accounts. Assure them that no-one within the company will ever send an email requesting the transfer of funds.
Then, implement final checks and balances.
Set a company policy that puts a limit on the size of certain transactions. State that the transfer cannot proceed without a final verbal sign-off.
At the end of the day, human intervention is your only protection.
It’s your only way to avoid CEO fraud.
We’re Here To Help
CEO impersonation is a growing threat.
Yet, it’s not only in the office when you’re at risk. Using work devices at home can open doors to scammers, so you must do what you can to protect your business interests.
Keep your systems secure with remote monitoring — get in touch today at 207-236-0021.