When the CEO asks you to do something, most of us scamper away to fulfil the task right away without questioning their instructions. (Well, not out loud, anyway.)
A new type of cyberscam called CEO fraud or business email compromise feeds on this subservience.
The fraudster sends a very legitimate-looking email, apparently from the CEO or another senior manager, that requests a bank transfer or personal information on employees. Very often these emails link to a spoof of the company website that looks just like the real thing, and the sender address is either forged outright or registered on a lookalike domain that differs from the real one by a character or two. The fraudsters also research who does what in your company, so they know exactly whom to target, and they address that person by first name.
An example of a CEO fraud email:
An employee received an email that looked like it came from his CEO. It said:
I will need you to process an urgent payment, which needs to go out today as a same value day payment.
Let me know when you are set to proceed so I can have the account information forwarded to you once received.
By sheer luck, the CEO walked into the accounting department shortly after this email arrived. Tim in Accounts told the CEO he was working on the wire transfer, and the CEO realised something was very wrong: he hadn't requested any transfer. Meanwhile the fraudster was emailing the Accounts team in real time, nudging them to initiate the payment.
Not everyone is so lucky…
With this kind of fraud, we always think it happens to someone else. But sometimes the “someone else” factor gets too close for comfort.
The Optimus Systems team recently spoke to a business owner in New Zealand whose friend lost $85k in CEO fraud.
CEO fraud is a very real risk, and there are large amounts of money involved.
How can you protect yourself from CEO fraud?
The best thing you can do is to avoid receiving fraudulent emails in the first place. Our email protection service will filter out as much of this type of fraudulent communication as possible.
How? mymailsecurity checks incoming mail for email spoofing and phishing traits, so that the message never makes it to your or your employees' mailboxes. Checks of this kind typically look at whether the sender address is forged or a lookalike of your own domain, whether a Reply-To header quietly sends replies somewhere else, and whether the content reads like an urgent payment request. This is a really important measure in preventing email scams, because prevention is so much better than cure. No filter catches everything, though, so the steps below still matter.
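To make the spoofing and phishing traits concrete, here is an added example of the kind of header and content checks a mail gateway applies. It is illustration written for this page, not mymailsecurity's own code (the page does not describe its rules). The company domain example.co.nz, the executive name list and the three sample messages are all constructed; the third message reuses the wording of the fraud email quoted above.

```python
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.nz"   # assumption: the organisation's real mail domain
EXECUTIVES = {"jane smith"}        # assumption: display names that get extra scrutiny
URGENCY = re.compile(r"\b(urgent|today|same value day|asap|immediately)\b", re.I)
PAYMENT = re.compile(r"\b(payment|wire|transfer|account information|invoice|bank details)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: bytes) -> list[str]:
    """Return a list of CEO-fraud indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    # 1. An executive's display name on a mailbox outside the company.
    if from_name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"display-name spoof: '{from_name}' sent from {from_dom}")
    # 2. Sender domain that is a near miss of the real one.
    if from_dom and from_dom != COMPANY_DOMAIN and levenshtein(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_dom}")
    # 3. Replies silently redirected to a different domain.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: From {from_dom}, Reply-To {reply_dom}")
    # 4. Claims to be internal, but the upstream MTA recorded no SPF/DKIM pass.
    #    (Assumption: the gateway stamps an Authentication-Results header.)
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == COMPANY_DOMAIN and not re.search(r"\b(dkim|spf)=pass\b", auth):
        findings.append("internal sender without SPF/DKIM pass")
    # 5. Content trait: urgency combined with a payment request.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent payment request in body")
    return findings


# Constructed samples (not real messages).
SAMPLE_LEGIT = b"""From: Jane Smith <jane.smith@example.co.nz>
To: tim@example.co.nz
Subject: Quarterly report
Authentication-Results: mx.example.co.nz; spf=pass; dkim=pass
Content-Type: text/plain

Can we meet at 3pm to go over the quarterly report?
"""

SAMPLE_LOOKALIKE = b"""From: Jane Smith <jane.smith@examp1e.co.nz>
Reply-To: jane.smith.ceo@outlook.com
To: tim@example.co.nz
Subject: Invoice
Content-Type: text/plain

Please wire the invoice today, I am in meetings all afternoon.
"""

SAMPLE_FREEMAIL = b"""From: Jane Smith <jane.smith@gmail.com>
Reply-To: jane.smith@gmail.com
To: tim@example.co.nz
Subject: Urgent payment
Content-Type: text/plain

I will need you to process an urgent payment, which needs to go out today as a same value day payment.
Let me know when you are set to proceed so I can have the account information forwarded to you once received.
"""

if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("lookalike", SAMPLE_LOOKALIKE), ("freemail", SAMPLE_FREEMAIL)):
        print(label, analyse(raw))
```

A real gateway would perform the SPF, DKIM and DMARC checks itself rather than trust a header, and would score rather than simply list the traits; the point here is which signals distinguish the two fraudulent messages from the genuine one.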
Also, be sure to educate your employees so they know how to identify email cyber attacks. This will help them at home as well as at work.
And if you do receive an email that looks a bit off, make a phone call to confirm the request, even if it does mean calling the CEO. Use a number you already have, not one from the email's signature, and don't confirm by replying to the email, since the reply may go straight back to the fraudster. The big boss would rather you called them than not.
Finally, separate the duties around payments: the person who can initiate a bank transfer should not be the one who approves it, and a single email should never be enough to authorise a payment to a new account.