The holiday season may be “the most wonderful time of the year,” but it is also a time when scammers are especially active. Make sure you and your team can spot an email scam to save your money, personal information and holiday cheer.

When an employee of a candy-maker member company received an email from someone he thought was the owner of the company, requesting that he purchase five $200 Best Buy gift cards to reward members of their team, the request didn’t seem unreasonable. However, after further communication, the staffer realized the email was not coming from the owner at all and was actually a sophisticated email scam.

As it turns out, this is a real-life example of a growing financial fraud known as Business Email Compromise (BEC) or “CEO Fraud.” BEC is an email phishing scam using fake email addresses that look like they’re coming from the CEO or leadership of the organization. As stated by the FBI, BEC scams are “more sophisticated than any similar scam the FBI has seen before and one—in its various forms—that has resulted in actual and attempted losses of more than a billion dollars to businesses worldwide.”

CEO fraud specifically resulted in $3 billion in losses to U.S. businesses and an attempted $23 billion since 2016, according to a report from the FBI. This type of fraud has tripled in the last three years and continues to grow.

Common tactics may involve a scammer impersonating the CEO or someone in another leadership role requesting a wire transfer, gift cards or employee tax information. These types of email scams are effective because they rely on “fear the boss” thinking; all employees want to do their job and what is asked of them. Therefore, a request from their CEO or highest leader in the company is something they likely won’t decline. “[Scammers] know how to perpetuate the scam without raising suspicions,” FBI Special Agent Maxwell Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us.”

How to Spot a CEO Email Scam

Thankfully, for this member company, the target of this scam recognized a red flag that ultimately saved the family-owned business $2,000. Protect your business by educating your staff on how to identify this type of email fraud. Below are common trademarks of a CEO fraud email scam, identified by Fraud Watch International:

- Spoofing legitimate email addresses, using a domain similar to that of the targeted business.
- Using an urgent tone, commanding that the request be done “ASAP”.
- Stating the CEO or CFO cannot be disturbed during a meeting or may be busy and unable to respond during the email exchange.
- Implying the sender is using a mobile device to write the email, by including the phrase “Sent from my iPad”, in lieu of the corporate email signature.
  - Note: This trick is particularly effective, because implying that the email is sent from a mobile device excuses poor English, misspelling, or lack of a legitimate email signature, which are usually triggers to recognize phishing emails. It also helps strengthen the sense of urgency: if it wasn’t pressing, the sender would have waited until they were back at their desk. Hackers might also do their homework to find out when the executives are travelling for business, making their scam even more credible to their victim.
- Cyber criminals do the research to know what type of request is most legitimate-looking to avoid raising suspicion.

Train Your Team

Create awareness of potential scams that may pose a threat to your business. Share the Better Business Bureau’s Scam Studies with your team.

- Create a clear policy for your team regarding how money and sensitive information is shared. Always require a check-in with leadership before steps are taken.
- Train staff to double-check email addresses, not just the sender’s name. Look for email addresses that are close, but not exact. For instance, a phishing address may come from an email with @gmail.com at the end or ".co" rather than the expected ".com" or ".ca".
- Encourage staff to always question emails requesting fast actions, whether they seem unusual or not. The Better Business Bureau suggests most fraud cases could have been avoided with a phone call to the individual believed to be sending the email.
- Keep computers updated with antivirus software and consider investing in anti-phishing software to help protect your network and email systems.

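
The address check above and the red flags listed under "How to Spot a CEO Email Scam" can also be screened for automatically. The Python sketch below is an added example, not code from RCI, the FBI or Fraud Watch International; the company domain, executive name, keyword lists and sample messages are all constructed assumptions that would need tuning for a real mailbox.

```python
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "examplecandy.com"   # assumption: your real mail domain
EXECUTIVES = {"pat owner"}            # assumption: leadership display names
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
BODY_CHECKS = (                       # keyword lists are illustrative only
    ("urgent tone", re.compile(r"\b(asap|urgent|immediately)\b", re.I)),
    ("sender unavailable",
     re.compile(r"\b(in a meeting|cannot be disturbed|can'?t talk)\b", re.I)),
    ("mobile signature", re.compile(r"sent from my (ipad|iphone)", re.I)),
    ("money or tax data request",
     re.compile(r"\b(gift cards?|wire transfer|w-?2)\b", re.I)),
)

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss domains (.co vs .com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(from_header, body):
    """Return the red flags found in one message's From header and body."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != COMPANY_DOMAIN:
        # Check the address itself, not just the sender's name.
        if name.lower() in EXECUTIVES:
            flags.append("executive name on outside address")
        if domain in FREE_MAIL:
            flags.append("free webmail sender")
        elif edit_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike domain")
    flags += [label for label, rx in BODY_CHECKS if rx.search(body)]
    return flags

# Constructed sample messages (not real emails).
SCAM = ("Pat Owner <pat@examplecandy.co>",
        "I'm in a meeting. I need five $200 gift cards ASAP.\n\nSent from my iPad")
WEBMAIL = ("Pat Owner <patowner.ceo@gmail.com>", "Are you at your desk?")
LEGIT = ("Pat Owner <pat@examplecandy.com>", "Holiday schedule attached.")

if __name__ == "__main__":
    for sender, text in (SCAM, WEBMAIL, LEGIT):
        print(sender, "->", red_flags(sender, text) or "no flags")
```

A message that raises any flag still calls for the phone call recommended above; a clean result is not proof the email is genuine.
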
With businesses of all sizes being targeted, and this type of fraud activity continuing to grow, your business can never be too prepared, especially during the busy holiday season.