Tuesday, December 13, 2022

Protect Your Business from Email Scams

 

The holiday season may be “the most wonderful time of the year,” but it is also a time when scammers are especially active. Make sure you and your team can spot an email scam to save your money, personal information and holiday cheer.

When an employee of a candy-maker member company received an email from someone he thought was the owner of the company, asking him to purchase five $200 Best Buy gift cards to reward members of their team, the request didn’t seem unreasonable. However, after further communication, the staffer realized the email was not coming from the owner at all and was actually a sophisticated email scam.

As it turns out, this is a real-life example of a growing financial fraud known as Business Email Compromise (BEC) or “CEO Fraud.” BEC is an email phishing scam that uses fake email addresses made to look as if they come from the CEO or other leadership of the organization. As stated by the FBI, BEC scams are “more sophisticated than any similar scam the FBI has seen before and one—in its various forms—that has resulted in actual and attempted losses of more than a billion dollars to businesses worldwide.”

CEO fraud specifically resulted in $3 billion in losses to U.S. businesses and an attempted $23 billion since 2016, according to a report from the FBI. This type of fraud has tripled in the last three years and continues to grow.

Common tactics may involve a scammer impersonating the CEO or someone in another leadership role requesting a wire transfer, gift cards or employee tax information. These types of email scams are effective because they rely on “fear the boss” thinking; all employees want to do their job and what is asked of them. Therefore, a request from their CEO or highest leader in the company is something they likely won’t decline. “[Scammers] know how to perpetuate the scam without raising suspicions,” FBI Special Agent Maxwell Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us.” 

How to Spot a CEO Email Scam

Thankfully, for this member company, the target of this scam recognized a red flag that ultimately saved the family-owned business $2,000. Protect your business by educating your staff on how to identify this type of email fraud. Below are common trademarks of a CEO fraud email scam, identified by Fraud Watch International:

  • Spoofing legitimate email addresses, using a domain similar to that of the targeted business.
  • Using an urgent tone, commanding that the request be done “ASAP”.
  • Stating the CEO or CFO cannot be disturbed during a meeting or may be busy and unable to respond during the email exchange.
  • Implying the sender is using a mobile device to write the email, by including the phrase “Sent from my iPad”, in lieu of the corporate email signature.
    • Note: This trick is particularly effective, because implying that the email is sent from a mobile device excuses poor English, misspelling, or lack of a legitimate email signature, which are usually triggers to recognize phishing emails. It also helps strengthen the sense of urgency: if it wasn’t pressing, the sender would have waited until they were back at their desk. Hackers might also do their homework to find out when the executives are travelling for business, making their scam even more credible to their victim.
  • Cyber criminals do the research to know what type of request is most legitimate-looking to avoid raising suspicion.

Train Your Team

Create awareness of potential scams that may pose a threat to your business. Share the Better Business Bureau’s Scam Studies with your team.

  • Create a clear policy for your team regarding how money and sensitive information are shared. Always require a check-in with leadership before steps are taken.
  • Train staff to double-check email addresses, not just the sender’s name. Look for email addresses that are close, but not exact. For instance, a phishing address may come from an email with @gmail.com at the end or ".co" rather than the expected ".com" or ".ca".
  • Encourage staff to always question emails requesting fast actions, whether they seem unusual or not. The Better Business Bureau suggests most fraud cases could have been avoided with a phone call to the individual believed to be sending the email.
  • Keep computers updated with antivirus software and consider investing in anti-phishing software to help protect your network and email systems. 
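
The indicators listed above (a look-alike or free webmail sender domain, an urgent tone, an executive who cannot be reached, a mobile signature, a gift card or wire request) can also be checked automatically. The Python below is an added example, not part of the original post; the company domain, executive name and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration (not from the article); replace with your own.
COMPANY_DOMAIN = "example-candy.com"
EXECUTIVES = {"pat owner"}  # leadership display names, lower-cased
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PHRASES = {  # wording indicators from the list above
    "urgent_tone": r"\b(asap|urgent|immediately)\b",
    "sender_unavailable": r"\b(in a meeting|can'?t talk|cannot be disturbed)\b",
    "mobile_signature": r"\bsent from my (ipad|iphone|phone)\b",
    "payment_request": r"\b(gift cards?|wire transfer|tax information)\b",
}

def edit_distance(a, b):
    # Levenshtein distance: catches near-miss domains such as ".co" for ".com".
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_email):
    # Return the CEO-fraud indicators found in one raw (single-part) message.
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != COMPANY_DOMAIN:
        # Check the address, not just the sender's name.
        if name.lower() in EXECUTIVES:
            flags.append("executive_name_external_address")
        if domain in FREEMAIL:
            flags.append("freemail_sender")
        elif edit_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike_domain")
    body = msg.get_payload()
    flags += [k for k, rx in PHRASES.items() if re.search(rx, body, re.I)]
    return flags

# Constructed sample, modelled on the gift-card request described in this post.
SAMPLE = ("From: Pat Owner <pat@example-candy.co>\nSubject: Quick favor\n\n"
          "I'm in a meeting and can't talk. Please buy five gift cards ASAP.\n\n"
          "Sent from my iPad\n")

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

A message that spoofs the exact company domain passes the sender checks here, so the phone call to the supposed sender remains the deciding step.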

With businesses of all sizes being targeted, and this type of fraud activity continuing to grow, your business can never be too prepared, especially during the busy holiday season.

RCI's blog is just one of the many resources we offer to help candy makers refine their craft and build upon their business and marketing practices.