Simple can be the most effective
For all the complicated and devious ways that criminals break into systems to steal information and funds, it turns out that a fairly simple email scam may be one of the most costly.
In April, the FBI reported that since January 2015 there has been a 270 percent increase in victims and losses from “CEO scams.”
What is the “CEO scam”?
In a CEO scam, an employee receives an email that appears to come from a supervisor or executive of the company, asking for a transfer of funds. The thief either compromises a real executive's mailbox or registers a fake domain name that is almost identical to the company's real one. For example, the attacker might replace the letter “l” with the number “1,” a difference that a reader can very easily overlook.
Often the thief first researches the company, gathering information from public websites, social media, and compromised accounts. For example, a thief might search stolen mailboxes for keywords such as “deposit” and “invoice” to find out which employees already handle fund transfers.
Thieves sidestep technical security controls simply by tricking an employee into doing the banking for them.
It’s not a very technologically sophisticated scam, but it’s effective.
Big name companies, a lot of cash
According to the FBI report, companies typically lose between $25,000 and $75,000 in such a scam. In total, companies have lost more than $2.3 billion to CEO fraud in the past three years. Other law enforcement agencies around the country report that CEO fraud has occurred in all 50 states and in over 79 countries.
In 2015, Mattel lost $3 million in a CEO fraud. Other companies have lost tens of millions.
How to prevent it
To avoid CEO fraud, the FBI recommends a two-step verification process for large transactions: a transfer requested by email should also be confirmed by a phone call, placed to a number already on file rather than one supplied in the email itself. The agency also advises discretion when sharing information about internal company operations on your website or social media, because thieves use that information to their advantage.
For example, a thief might learn that your accountant will be out of the office on vacation and take advantage of the absence.
Since most of these scams rely on look-alike domain names, it is also advisable to send a memo to your entire staff asking them to double-check the domain name and full email address of any message requesting funds before completing the transaction.
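The domain check described above can also be automated at the mail gateway or in a mailbox rule. The following Python script is an added example written for this page, not code from the original article or from the FBI: it parses a handful of constructed sample messages, extracts the sender domain, and flags it as trusted, look-alike, or external. It goes beyond the single “l” for “1” swap in the text by normalizing several common character substitutions and by using edit distance to catch one- or two-character changes such as a dropped letter or a different top-level domain. It also compares the Reply-To address against From, a check the article does not mention. The trusted domain `example-corp.com`, the keyword list, and all sample messages are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organisation actually sends mail from (assumed for the example).
TRUSTED_DOMAINS = {"example-corp.com"}

# Single characters commonly swapped for look-alikes: 1->l, 0->o, i->l, |->l, 5->s.
HOMOGLYPHS = str.maketrans("10i|5", "lolls")

# Words that suggest the message is asking someone to move money (illustrative list).
MONEY_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|deposit)\b", re.IGNORECASE)


def extract_domain(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def normalize(domain):
    """Fold visually similar characters so look-alikes collapse onto the real name."""
    d = domain.lower()
    for multi, single in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        d = d.replace(multi, single)
    return d.translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Standard edit distance; catches dropped letters and changed TLDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """'trusted' if it is ours, 'lookalike' if it imitates ours, else 'external'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or levenshtein(domain, trusted) <= 2:
            return "lookalike"
    return "external"


def screen_message(raw):
    """Parse one RFC 822 message and decide whether it should be held for review."""
    msg = message_from_string(raw)
    from_domain = extract_domain(msg.get("From"))
    reply_domain = extract_domain(msg.get("Reply-To")) or from_domain
    verdict = classify_domain(from_domain)
    reply_mismatch = reply_domain != from_domain
    text = (msg.get("Subject", "") + " " + msg.get_payload())
    money_request = bool(MONEY_WORDS.search(text))
    return {
        "from_domain": from_domain,
        "verdict": verdict,
        "reply_to_mismatch": reply_mismatch,
        "money_request": money_request,
        # Hold anything that asks for money and is not plainly from a trusted mailbox.
        "hold": money_request and (verdict != "trusted" or reply_mismatch),
    }


# Constructed sample messages for the example (not real mail).
SAMPLE_MESSAGES = [
    # 1: genuine internal mail, no money request
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "Subject: Q3 numbers\n\n"
    "Please send me the Q3 summary.\n",
    # 2: look-alike domain with the letter l replaced by the digit 1
    "From: Jane Doe <jane.doe@examp1e-corp.com>\n"
    "Subject: Urgent wire transfer\n\n"
    "Please wire $48,000 to the account below today and keep this confidential.\n",
    # 3: one-character change to the top-level domain
    "From: Jane Doe <jane.doe@example-corp.co>\n"
    "Reply-To: jane.doe@example-corp.co\n"
    "Subject: Invoice payment\n\n"
    "Process the attached invoice before close of business.\n",
    # 4: unrelated external sender, no money request
    "From: Support <support@vendor-example.net>\n"
    "Subject: Your ticket has been updated\n\n"
    "We have updated your ticket.\n",
]


def screen_all():
    return [screen_message(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for result in screen_all():
        print(result)
```

An edit-distance threshold of 2 will also flag legitimate partner domains that happen to be close to your own, so treat a "lookalike" verdict as a reason to hold the transfer for the phone-call confirmation described above, not as proof of fraud.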