The CEO Fraud scam is much better thought out and more efficient than some of the more obvious scams that have circulated over the years, such as the above mentioned Nigerian spam emails. Those were essentially mass email send-outs, with results based on volume. The fraudsters literally sent millions of emails, generally to random addresses they had managed to obtain, either by hacking address books or getting access to a mailing list. It was very hit and miss, but if they received a 1% or even 0.5% response, they did very nicely out of it.
But the CEO Fraud scam is much smarter than that, and if you receive the email, you can be assured they have specifically targeted you or your firm. This scam is anything but random, and that is the scary thing!
It basically works like this:
- A phone call or email is initiated by somebody posing as the personal accountant of a senior-level manager in your company, or a person equally believable. This manager is generally out of the office on leave or otherwise uncontactable for some reason. The fraudsters will actually know this by following the social media accounts of the particular manager, or by receiving an auto-responder/Out Of Office message. Basically, social engineering.
  The call or email will advise that you will shortly receive an email from the manager with a request to transfer money to an external account. Generally this is again well targeted and will be something plausible and believable, perhaps the acquisition of a new company or the purchase of some equipment...both reasons will have a plausible relevance to your company.
- You will then receive a follow-up email that appears to be from your boss directly, confirming the transfer and providing details. Again, this is very targeted, and the fraudsters will even go as far as to duplicate your manager's email signature and writing style when responding. Weeks can be spent by the fraudsters collecting information from your website, blog or social media accounts. Small touches such as questions about your kids, pets or recent holidays can be added to further disarm you. This is social engineering at its best...or worst, depending on how you look at it.
The BBC recently reported on a case involving a French company called Etna Industrie, in which 4 bank transfers totalling nearly $750,000 AUD were made to the scammers. Luckily, the bank woke up to the scam and blocked 3 of the transfers...but one did get past and cost Etna $150,000 AUD and most likely an employee their job. Ouch!
There isn't a great deal that can be done to stop these sorts of social engineering attacks, besides being very alert and aware when moving funds around.
Vigilance, and being sure emails are 100% from who they say they are from, is probably the most effective method. It's better to call your boss and ask them to confirm the payment...yes, they may get frustrated at the confirmation phone call, but compared to you transferring tens of thousands of dollars out of company accounts, it's going to be a very minor frustration, and you will still have your job!
There are also some server-level fixes that can be applied, such as SPF checking. Not all hosts offer this facility, but it is included as an option on all Hosting Australia Web Hosting Packages; just contact the HA support team to have it enabled. SPF has been much maligned by some hosts and administrators...because of the overheads it can create, but for this type of scam it's an effective method to validate that an email is actually coming from the location it claims to be.
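To show what that server-level SPF check actually does, here is an added example (not code from the original post or from Hosting Australia's hosting platform): a minimal SPF evaluator that decides whether the connecting mail server's IP is authorised by the sender domain's published policy. The domains, IP ranges and SPF records are constructed stand-ins for real DNS TXT lookups so the example runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (real checks query DNS for the
# sending domain). The domains and addresses below are documentation ranges.
SPF_RECORDS = {
    "example-corp.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record published for a domain, or None if it has none."""
    return SPF_RECORDS.get(domain)


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a mail server at `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the ip4/ip6/include/all mechanisms are handled here.
    """
    if depth > 10:  # cap nested include: lookups, as RFC 7208 requires
        return "permerror"
    record = lookup_spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy, so nothing can be verified
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass if it matches"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False when the address and network versions differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, ptr and macros are not implemented
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record ended without any mechanism matching
```

A "fail" result for a message whose envelope sender claims to be your own domain is the signal a receiving server can act on; note that SPF only validates the envelope sender domain, not the display name or a look-alike domain, so it complements the confirmation phone call rather than replacing it.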
Additional spam, virus, phishing and malware scanning services, such as SPAMProtect, can also assist you in preventing these sorts of scams from ever reaching you or your employees.
With the importance of email and the risks associated with these types of scams, a weekly investment that costs less than the price of a latte is a good one. SPAMProtect also follows Email Best Practice guidelines.