Would you ignore an email from your boss or CEO?
A staff member at Dietsch Brothers Fine Chocolates & Ice Cream in Ohio recently received an email from someone he thought was one of the owners of the company, requesting that he purchase five $200 Best Buy gift cards to reward some of the team. This particular co-owner had just celebrated their retirement, so the request didn’t seem unreasonable. However, after further communication, the Dietsch staffer realized the email was not coming from the owner at all and was actually a sophisticated email scam.
As it turns out, this is a real-life example of a growing financial fraud known as Business Email Compromise (BEC) or “CEO Fraud.” BEC is an email phishing scam that uses fake email addresses designed to look like they belong to the CEO or leadership of the organization. As stated by the FBI, BEC scams are “more sophisticated than any similar scam the FBI has seen before and one—in its various forms—that has resulted in actual and attempted losses of more than a billion dollars to businesses worldwide.”
CEO fraud specifically resulted in $2.3 billion in losses to U.S. businesses between October 2013 and February 2016, according to a 2016 report from the FBI. This type of fraud has tripled in the last three years and jumped another 50% in the first three months of 2019.
Common tactics may involve a scammer impersonating the CEO or someone in another leadership role requesting a wire transfer, gift cards or employee tax information. These types of email scams are effective because they rely on “fear the boss” thinking; all employees want to do their job and what is asked of them. Therefore, a request from their CEO or highest leader in the company is something they likely won’t decline. “[Scammers] know how to perpetuate the scam without raising suspicions,” FBI Special Agent Maxwell Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us.”
How to Spot a CEO Email Scam
Thankfully for Dietsch Brothers, the target of this scam recognized a red flag that ultimately saved the family-owned business $2,000. Protect your business by educating your staff on how to identify this type of email fraud. Below are common hallmarks of a CEO fraud email scam, identified by Fraud Watch International:
- Spoofing legitimate email addresses, using a domain similar to that of the targeted business.
- Using an urgent tone, demanding that the request be done “ASAP”.
- Stating that the CEO or CFO cannot be disturbed during a meeting, or may be busy and unable to respond during the email exchange.
- Implying the sender is using a mobile device to write the email, by including the phrase “Sent from my iPad” in lieu of the corporate email signature.
  - Note: This trick is particularly effective because implying that the email was sent from a mobile device excuses poor English, misspellings, or the lack of a legitimate email signature, which are usually the triggers that let people recognize phishing emails. It also strengthens the sense of urgency: if it weren’t pressing, the sender would have waited until they were back at their desk. Hackers might also do their homework to find out when executives are travelling for business, making their scam even more credible to the victim.
- Cyber criminals do the research to know what type of request looks most legitimate, to avoid raising suspicion.
Train Your Team
Create awareness of potential scams that may pose a threat to your business. Share the Better Business Bureau’s Scam Studies with your team.
- Create a clear policy for your team regarding how money and sensitive information is shared. Always require a check-in with leadership before steps are taken.
- Train staff to double-check email addresses, not just the sender’s name. Look for email addresses that are close, but not exact — for instance, a phishing address may come from an email ending in @gmail.com, or in ".co" rather than the expected ".com" or ".ca".
- Encourage staff to always question emails requesting fast actions, whether they seem unusual or not. The Better Business Bureau suggests most fraud cases could have been avoided with a phone call to the individual believed to be sending the email.
- Keep computers updated with antivirus software and consider investing in anti-phishing software to help protect your network and email systems.
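The red flags listed above (a look-alike or free-webmail sender domain, a leadership name on an outside address, urgent wording, a gift card or wire request, and a "Sent from my iPad" sign-off) can be turned into a simple screening check that an email filter or help-desk triage script could run. The code below is an added example, not part of the original post or anything Dietsch Brothers uses; the company domain, the leadership name and the sample message are all constructed placeholders.

```python
# Added example: heuristic BEC / CEO-fraud screening based on the red flags
# in the post. OUR_DOMAIN, LEADERSHIP and SAMPLE are constructed placeholders.
import re
from email.utils import parseaddr

OUR_DOMAIN = "example-chocolates.com"        # constructed company domain
LEADERSHIP = {"Pat Owner"}                   # constructed display names of executives
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"\b(asap|urgent|right away|immediately|can't talk|in a meeting)\b", re.I)
PAYMENT = re.compile(r"\b(gift cards?|wire transfer|w-?2|tax information)\b", re.I)
MOBILE_SIG = re.compile(r"sent from my (iphone|ipad|mobile)", re.I)

def edit_distance(a, b):
    """Levenshtein distance; catches look-alike domains such as .co versus .com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(from_header, subject, body):
    """Return the list of red flags raised by one message (empty list = none found)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if name in LEADERSHIP and domain != OUR_DOMAIN:
        flags.append("leadership display name from outside domain")
    if domain in FREEMAIL:
        flags.append("free webmail sender")
    elif domain != OUR_DOMAIN and 0 < edit_distance(domain, OUR_DOMAIN) <= 2:
        flags.append("look-alike domain")
    text = subject + "\n" + body
    if URGENCY.search(text):
        flags.append("urgent tone")
    if PAYMENT.search(text):
        flags.append("payment or sensitive-data request")
    if MOBILE_SIG.search(body):
        flags.append("mobile signature instead of corporate signature")
    return flags

# Constructed sample modelled on the gift card request described in the post.
SAMPLE = dict(
    from_header="Pat Owner <pat.owner@gmail.com>",
    subject="Quick favor - ASAP",
    body="I'm in a meeting and can't talk. Please buy five $200 Best Buy gift cards\n"
         "for the team and send me the codes.\n\nSent from my iPad",
)

if __name__ == "__main__":
    print(bec_flags(**SAMPLE))
```

A message with one or more flags is not proof of fraud; it is the cue to pick up the phone and confirm with the person, as the Better Business Bureau advises.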
With businesses of all sizes being targeted, and this type of fraud activity continuing to grow, your business can never be too prepared. Educate your staff today by sharing this blog post. For more information read our sources:
RCI's Tip of the Week blog is just one of the many resources we offer to help candy makers refine their craft and build upon their business and marketing practices.