Monday, 16 May 2016

Why “CEO Fraud” is so Dangerous to Your Business & How to Avoid It


Image source: Action Fraud

Phishing is an extremely common type of email scam that’s existed for years. It usually takes advantage of people’s trust in large organisations, whether that’s their bank, a large online retailer or a credit card company.

The way it normally works is by fraudsters setting up mock websites that look almost identical to those of the companies they’re posing as. They then send out emails en masse in order to try and capture sensitive data, such as people’s online banking details. It’s fairly standard stuff and thankfully spam filters catch most of these emails…but not all!

This type of phishing is most commonly aimed at regular internet users but there’s a growing number of scammers who are now actively targeting businesses. This type of business email phishing is often known as ‘CEO fraud’.

What is CEO fraud?

CEO fraud, also sometimes called the ‘bogus boss’ email scam, is a type of email phishing that’s specifically targeted at businesses. It’s a particularly malicious form of email phishing and when successful, which it has been numerous times, it can cost companies thousands or even millions.

As the name might suggest, CEO fraud is a type of scam where one or sometimes multiple people will target a particular business and try to arrange for large amounts of money to be transferred. They’ll usually target medium to large businesses who own a lot of assets.

What makes CEO fraud so unnerving is that there’s a good chance it will be successful if your business is not prepared for it. Unlike more traditional mass phishing scams, CEO fraud is often carried out with a lot more forethought and planning so it’s easy for companies to be caught out if they’re not aware the scam exists and they don’t have measures in place to prevent it.

Signs to look out for

• Use of urgent language – This is a very common tactic used in email phishing and certainly with CEO fraud. The senders of the email(s) will do their best to put the receiver in a panicked state and will often even use threats in order to create greater urgency. The reason this tactic is used is because it doesn’t give the person at the company they’re targeting time to think and question what they’re being told.

• Unusual questions – Another common sign of CEO fraud is when the sender asks unusual questions that you wouldn’t expect if the email were genuine. For example, they might ask what details you require in order to make a payment.

• Incorrect email address of sender – Those who commit CEO fraud often pose as a senior person within a company and will use an email address that’s close to that of the person they’re posing as. Often the email address will contain a slight difference from the genuine one. For example, it might have a dash or full stop separating the name, or the domain extension might be .co rather than .com.

• Unusual wording or language – Because the fraudsters are usually posing as a CEO or other senior figure, it will sometimes be obvious that they’re not genuine simply because of the language they use or the way they word their email.
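The “incorrect email address” sign above can be checked mechanically before a payment request is acted on. The following is an added example, not code from the original article: it takes a From: header, compares the sender’s domain against the organisation’s own domains, and reports the lookalike tricks the article names (an inserted dash or full stop, or a .co extension in place of .com), plus an executive’s name appearing on an outside address. The domain and executive name are constructed sample values.

```python
import re
from email.utils import parseaddr

# Constructed sample values: the domains the organisation really sends from,
# and the executives whose names a 'bogus boss' email would borrow.
LEGITIMATE_DOMAINS = {"example-company.com"}
EXECUTIVE_NAMES = {"jane smith"}


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'example-company.com' into ('example-company', 'com')."""
    label, _, tld = domain.lower().rpartition(".")
    return (label, tld) if label else (tld, "")


def skeleton(label: str) -> str:
    """Drop dashes and full stops so 'example.company' and 'example-company' compare equal."""
    return re.sub(r"[-.]", "", label)


def sender_red_flags(from_header: str) -> list[str]:
    """Return the lookalike-sender warning signs the article lists for one From: header."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in LEGITIMATE_DOMAINS:
        return []  # genuinely internal: nothing to report
    flags = []
    # Sign 1: an executive's name in the display name, but the address is not ours.
    if display_name.strip().lower() in EXECUTIVE_NAMES:
        flags.append("executive display name on external address")
    label, tld = split_domain(domain)
    for good in LEGITIMATE_DOMAINS:
        good_label, good_tld = split_domain(good)
        if skeleton(label) != skeleton(good_label):
            continue  # not a lookalike of this domain at all
        # Sign 2: same name, different extension (.co instead of .com).
        if tld != good_tld:
            flags.append(f"domain extension .{tld} instead of .{good_tld}")
        # Sign 3: same letters with a dash or full stop inserted or removed.
        if label != good_label:
            flags.append(f"separator variant of {good}")
    return flags


if __name__ == "__main__":
    for header in ("Jane Smith <jane.smith@example-company.com>",
                   "Jane Smith <jane.smith@example-company.co>",
                   "Jane Smith <jane.smith@example.company.com>"):
        print(header, "->", sender_red_flags(header) or "no red flags")
```

A check like this only catches the near-miss domains the article describes; a compromised genuine mailbox produces no flags, which is why the payment-authorisation process below still matters.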


Here is an example of an HM Revenue & Customs phishing email:


(Image: example of an HM Revenue & Customs phishing email. Source: ICPA)


And here is an example of some CEO fraud red flags to look out for:


(Image: CEO fraud red flags. Source: KnowBe4)

Avoiding CEO fraud

Since CEO fraud is so potentially devastating, it’s something that businesses are now taking strong steps to try and prevent. Some of the most famous cases of CEO fraud have involved phone calls as well as emails, so the usual precautions might not be enough to prevent it. It can even be the product of weeks or months of research and preparation to make the ultimate request appear real, plausible and necessary to act upon. With this in mind, below are some of the best ways to make sure your business doesn’t fall victim to CEO fraud.

• Educate your staff – Educating your staff is one of the best steps you can take in order to avoid the risk of CEO fraud. Making your employees (especially those in finance) aware of its existence and training them on what to do if they suspect an email or phone call might be from a scammer are invaluable steps to take.

• Set up a strict internal process for authorising payments – The reason that CEO fraud is often successful is because those perpetrating it are taking advantage of the fact that there is no standardised internal system in place when it comes to authorising large or small payments. This means that if a member of admin staff is caught off guard by a request, they won’t know who to call or what checks to make. Putting a proper system in place that includes security checks for payments over a certain amount is vital for this reason.

• Make security a priority in your business – Like most other types of scammers, those who perpetrate CEO fraud are looking for easy targets. If your business is lax when it comes to security, then you’re going to be at much more risk, not only of CEO fraud but of other types of scams as well.


Action Fraud publishes a regularly updated list of the latest scams to look out for.


If you think the security of your business could be improved then be sure to download our FREE 15 Point Security Checklist.


You can also request a free 60 minute IT consultancy session.