It used to be that an email scam came in two forms - a prince in some distant land wanted you to send them money so they could send you even greater piles of money. Or a distant relative needed money for...well, something. It was always a little unclear.
We've been conditioned to see these now and laugh them off. Unfortunately, there is a new form of eFraud that is quickly becoming THE choice for scammers targeting businesses - CEO Fraud.
The Bottom Line on CEO Fraud
Since 2013, CEO Fraud has cost U.S. Companies $740 Million, and that's just hard costs. That doesn't even take into account the costs to a companies' reputation and the costs of "clean up" for the fraudulent act.
Clean up includes taking a number of post-incident steps including bringing in an IT support company to enhance your internal business computer services and strengthen network security. As with anything in business, the "clean up" is always more expensive than the initial investment for prevention would have been.
Scammers are Getting Smarter
In those email scams of the past, there was a type of innocence. Sure they were from people who were trying to steal from you, but with their terribly broken grammar and the preposterous scenarios they described, they presented an almost Dickensian attempt at fraud.
This new wave of scammers has learned from this and isn't making those same mistakes. In fact, they're using your companies' information against it.
There are two popular CEO Fraud attempts.
- Scammers prey on the CEO to make a mistake and install some version of a malicious software on their computer. With that in place, the scammer can take control of the CEO's computer and use it to access sensitive (i.e. financial) information, or request it via email from others in the company.
- Scammers set up a shadow domain that is very close to the actual company domain, generally only differing by a letter or two. From this domain, emails will be sent to company employees. Emails that look, at first glance, like they have been sent straight from the CEO.
Anything You Say
What makes that second type so dangerous is our innate human desire to please. Particularly in the workplace. We have long been conditioned to respond in the affirmative when the boss has a request.
This is where the scammers do their homework. They are spending an inordinate amount of time getting to know your company.
They learn about clients, best business practices, roles, and even study terminology. This is so, when they send their emails, they can seem as authentic as possible.
Here's What We Want
Scammers are looking for two things - money and things they can sell for money.
Getting money directly is their ideal outcome because it's quick and immediate. To do this they will ask their victims to wire transfer a certain amount in the name of a client.
Conversely, they will ask the victim to provide things like employee records, pay stubs, health records, and even W2's. These are items that can be turned around and sold on the dark web to identity thieves.
Pretty grim right? Well, the good news is that there are options. You just don't want to wait to get them into place.
It's OK to Ask For Help
If you have an internal IT staff chances are they're setting up systems, keeping drives clean, and chasing down passwords. They may need an IT support staff of their own to bolster security and combat fraud attempts.
There are a number of managed IT solutions companies that specialize in prevention. They can come in, assess your security systems, offer advice on how to eliminate potential areas where CEO Fraud may occur, and even help to see security protocols implemented.
To ensure things are done right, you've got to make sure to ask the right people.
Ask for Confirmation
If you get a request that is somewhat out of the ordinary, don't just take it at face value. Ask for confirmation.
Of course, your first stop should be the CEO (or another C-level executive) from whom the email appears to be coming from. Don't just reply to the email in question either. If it is a fake email you don't want to initiate a discussion through it that the scammers will only use to try and convince you of their validity.
Instead, open up a separate email and state your concern while you ask for confirmation. This is definitely a case of "better to be safe than sorry." (As an extra bonus: a good manager will applaud you for taking this initiative.)
If you're not comfortable asking the CEO if they meant to send you what they sent you, look toward a manager to help you sort through everything.
Trust your instincts.
If a request feels suspicious to you, there's a good chance there is something about it that's off.
As you review the request ask yourself:
- Is the request reasonable?
- Is it timely? Does it concern a current or recent client?
- Does it follow a normal pattern of business?
- Is it asking you to take part in a "secret" or "special" project?
- Do you routinely get emails from the person who is allegedly sending this one?
The Tip of the Scam-Filled Iceberg
CEO fraud is just one component of a series of Business Email Compromise (BEC) Scams. This would encompass things like ransomware and malware attacks. A recent report puts the cost (over 3 years) to companies of BEC Scams at $5 Billion.
CEO Fraud Has no Boundaries
CEO Fraud is not a "their business" problem, it's a problem for all companies, no matter their size. Companies like Pegasus Technologies recognize this and have developed solutions and services to help prevent CEO Fraud and other BEC Scams.
Pegasus is a managed IT services provider that can match our specialists with your particular needs so that you have the knowledge you need to strengthen your infrastructure.
CEO fraud is a very real concern for businesses of all sizes. Thankfully with diligence, and the right help, you can avoid becoming a fraud statistic.