Tuesday, November 12, 2019

Tip #320: Protect Your Business from Email Scams


Would you ignore an email from your boss or CEO?

A staff member at Dietsch Brothers Fine Chocolates & Ice Cream in Ohio recently received an email from someone he thought was one of the owners of the company, requesting that he purchase five $200 Best Buy gift cards to reward some of the team. This particular co-owner had just celebrated their retirement, so the request didn’t seem unreasonable. However, after further communication, the Dietsch staffer realized the email was not coming from the owner at all and was actually a sophisticated email scam.

As it turns out, this is a real-life example of a growing financial fraud known as Business Email Compromise (BEC) or “CEO Fraud.” BEC is an email phishing scam that uses fake email addresses made to look like they come from the CEO or leadership of the organization. As stated by the FBI, BEC scams are “more sophisticated than any similar scam the FBI has seen before and one—in its various forms—that has resulted in actual and attempted losses of more than a billion dollars to businesses worldwide.”

CEO fraud specifically resulted in $2.3 billion in losses to U.S. businesses between October 2013 and February 2016, according to a 2016 report from the FBI. This type of fraud has tripled in the last three years and jumped another 50% in the first three months of 2019.

Common tactics may involve a scammer impersonating the CEO or someone in another leadership role requesting a wire transfer, gift cards or employee tax information. These types of email scams are effective because they rely on “fear the boss” thinking; all employees want to do their job and what is asked of them. Therefore, a request from their CEO or highest leader in the company is something they likely won’t decline. “[Scammers] know how to perpetuate the scam without raising suspicions,” FBI Special Agent Maxwell Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us.” 

How to Spot a CEO Email Scam
Thankfully, for Dietsch Brothers, the target of this scam recognized a red flag that ultimately saved the family-owned business $2,000. Protect your business by educating your staff on how to identify this type of email fraud. Below are common trademarks of a CEO fraud email scam, identified by Fraud Watch International:
  • Spoofing legitimate email addresses, using a domain similar to that of the targeted business.
  • Using an urgent tone and demanding that the request be handled “ASAP”.
  • Stating the CEO or CFO cannot be disturbed during a meeting or may be busy and unable to respond during the email exchange.
  • Implying the sender is using a mobile device to write the email, by including the phrase “Sent from my iPad”, in lieu of the corporate email signature.
    • Note: This trick is particularly effective, because implying that the email is sent from a mobile device excuses poor English, misspelling, or lack of a legitimate email signature, which are usually triggers to recognize phishing emails. It also helps strengthen the sense of urgency: if it wasn’t pressing, the sender would have waited until they were back at their desk. Hackers might also do their homework to find out when the executives are travelling for business, making their scam even more credible to their victim.
  • Cyber criminals do the research to know what type of request is most legitimate-looking to avoid raising suspicion.
Train Your Team
Create awareness of potential scams that may pose a threat to your business. Share the Better Business Bureau’s Scam Studies with your team.
  • Create a clear policy for your team regarding how money and sensitive information is shared. Always require a check-in with leadership before steps are taken.
  • Train staff to double-check email addresses, not just the sender’s name. Look for email addresses that are close, but not exact. For instance, a phishing address may come from an email ending in @gmail.com, or in ".co" rather than the expected ".com" or ".ca".
  • Encourage staff to always question emails requesting fast actions, whether they seem unusual or not. The Better Business Bureau suggests most fraud cases could have been avoided with a phone call to the individual believed to be sending the email.
  • Keep computers updated with antivirus software and consider investing in anti-phishing software to help protect your network and email systems.
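The red flags listed above (lookalike or free-mail sender domains behind an executive's name, urgent wording, the "Sent from my iPad" excuse, gift-card or wire requests) can be checked mechanically before a message reaches a busy inbox. The following is an added example written for this post, not code from RCI or the Better Business Bureau; the corporate domain, executive name and sample messages are constructed, and the lookalike test (one or two character edits, which covers ".co" for ".com") is a simple heuristic, not a complete spoofing detector.

```python
import re
from email.utils import parseaddr

# Constructed sample values, not from the original post.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"pat dietsch"}  # hypothetical executive display name, lowercased
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"\b(asap|urgent|immediately|right away)\b", re.I)
MOBILE_EXCUSE = re.compile(r"sent from my (iphone|ipad|mobile)", re.I)
BEC_ASK = re.compile(r"\b(in a meeting|can't talk|cannot be disturbed|"
                     r"gift cards?|wire transfer|w-?2)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain, expected):
    """True for example.co, examp1e.com, example-inc.com style near-misses."""
    return domain != expected and edit_distance(domain, expected) <= 2

def bec_red_flags(from_header, body, executives=EXECUTIVES,
                  corporate_domain=CORPORATE_DOMAIN):
    """Return the list of CEO-fraud indicators found in one message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Display name of an executive on an address outside the company domain.
    if name.lower() in executives and domain != corporate_domain:
        if domain in FREE_MAIL:
            flags.append("executive name on free-mail address")
        elif lookalike(domain, corporate_domain):
            flags.append("lookalike domain: " + domain)
        else:
            flags.append("executive name on external domain")
    if URGENCY.search(body):
        flags.append("urgent language")
    if MOBILE_EXCUSE.search(body):
        flags.append("mobile-device excuse in place of signature")
    if BEC_ASK.search(body):
        flags.append("classic BEC request or unavailability claim")
    return flags

# Constructed sample message modelled on the Dietsch Brothers story.
SAMPLE_FROM = "Pat Dietsch <pat.dietsch@example.co>"
SAMPLE_BODY = ("Need you to buy five $200 Best Buy gift cards ASAP for the team. "
               "In a meeting, can't talk. Sent from my iPad")
```

Calling `bec_red_flags(SAMPLE_FROM, SAMPLE_BODY)` on the sample returns four flags, while a normal internal message from the real domain returns none.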

With businesses of all sizes being targeted, and this type of fraud activity continuing to grow, your business can never be too prepared. Educate your staff today by sharing this blog post. For more information read our sources: