Avoid falling prey to fraudulent email scams with this checklist
CEO fraud and spoofed emails are rapidly becoming the attack-of-choice for many hackers, making it harder for business owners to distinguish genuine emails from their fraudulent counterparts.
A recent report from the City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that businesses have lost over £32 million as a result of CEO fraud.
How does this scam work?
CEO fraud will typically start with an email being sent from a fraudster pretending to be a company director or CEO to a member of staff in a company’s finance department. The fraudster will ask the finance staff to quickly transfer money to a certain bank account for a specific reason. The member of staff will do as their boss has instructed, only to find that they have sent money to a fraudster’s bank account.
The fraudster will normally redistribute this money into other mule accounts and then close down the bank account to make it untraceable.
Out of the £32 million reported to be lost by businesses to CEO fraud, only £1 million has been able to be recovered by the victims. This is due to businesses taking too long to discover that they have been the victim of fraud and the lost money already being moved by fraudsters into mule accounts. Most businesses reported initially being contacted via emails with gmail.com and yahoo.com suffixes, which in itself should be a huge red flag.
According to Steve Proffitt , deputy head of Action Fraud, awareness is the best ammunition against this type of fraud. “Employees should be encouraged to double check everything they do and never be rushed into transferring large amounts of money even if they do think that it’s an important task given to them by their CEO. An increased awareness of this type of fraud amongst businesses will no doubt make it far harder for fraudsters to succeed.”
An unfortunate example
Action Fraud revealed one particular example where a globally established healthcare business was conned out of £18.5 million. The average amount siphoned by this scam is £35,000 but this can vary.
In July last year a man who purported to be a senior member of staff phoned the company’s financial controller based in one of the company’s Scottish offices and asked her to transfer money to accounts in Hong Kong, China and Tunisia. After a number of calls and emails, the financial controller fell for the con.
The usual target
Limited companies tend to be the most targeted type of company with 52 per cent of reports to Action Fraud coming from this business type. 22 per cent of reports have come from businesses within London suggesting that this problem is particularly affecting the capital.
“CEO fraud is a real and growing threat for businesses of all sizes but there are many ways in which you can lessen the risk of becoming the next victim. The most important thing you can do is educate yourself on what to look out for,” Lee Munson, researcher at Comparitech.com advised.
A checklist: is this fraud? Here are some tell-tale signs that the email you just received is attempting to defraud your company:
|
How you can protect your business
- Ensure all staff, not just finance teams, and know about this fraud.
- Even if you personally know the person who sent the email, always contact them through their known channels in order to identify both their identity and the nature of their request.
- Have a system in place which allows staff to properly verify contact from their CEO or senior members of staff; for example having two points of contact so that the staff can check that the instruction which they have received from their CEO is legitimate.
- Never be rushed into responding to an email that asks for payment of an invoice, the transfer of confidential information, or anything else for that matter.
- Always review financial transactions to check for inconsistencies/errors, such as a misspelt company name.
- Consider what information is publicly available about the business and whether it needs to be public.
- Ensure computer systems are secure and that antivirus software is up to date.
If you’ve been a victim of fraud, get in touch with Action Fraud.