Simple steps can help prevent real pain from fake CEO phishing emails

“CEO fraud”, “fake president fraud”, “social engineering”, “business email crime” (more formally, business email compromise, or BEC) – it has lots of names, but it is essentially always the same story: the fraudster impersonates someone in the company and persuades an employee to do something they shouldn’t, such as transferring money to the criminal’s account.

Those getting scammed are in good company: Michelin, KPMG, Nestle – they’ve all been caught out, and the list grows longer by the day. The FBI estimates that exposed losses from this method rose 2,370% between January 2015 and December 2016. When it succeeds, the losses can be catastrophic: $47 million in one case, which also cost the (real) CEO his job. And, increasingly, insurers are excluding it from cover.

Social engineering in action

The best way to avoid joining the list of victims is to promote awareness among staff. Here’s how it tends to happen…

First, the fraudster does their homework: they identify the chief executive and work out whom they need to contact to get around payment controls or reach the data they want. Then they email that person, pretending to be the CEO or someone else with authority. They don’t need to break into the company’s email system; they can simply make the email look as if it comes from the chief executive, for example by putting the CEO’s name in the display name while the real address is a free webmail account or a lookalike domain.

Then they simply ask the person to process a payment (to the fraudster’s account), for example. If the payment goes through, the money can be difficult or impossible to recover.

How to avoid becoming a fake CEO victim

Staff need to remember the scammers can pretend to be anyone – whether the CEO, finance officer, a colleague, client or contractor. So…

  • Be alert! Your country needs lerts. Email fraud is no different from any other type; it could just as easily be a phone call or a man at the door with a fake Electricity Board card.
  • Be sceptical. If there’s any doubt at all, and in any case whenever a significant sum of money is involved, check with the apparent sender by phone or in person, using a number you already have rather than one given in the email.
  • Be vigilant, even, or especially, if you’ve been caught out before; like burglars, email fraudsters come back.

Staff need to be encouraged to stop and think: does it sound right? Is the request normal, and would it usually come to them from this person? If there’s any doubt, they need to test it: pick up the phone, or wait until they have confirmation through a channel other than email. And, if you’re a client of ours, report it via the helpdesk, or here if you’re unsure of the details.

Identifying a fake email

Even if there’s nothing to arouse suspicion, it is always worth double-checking an email is genuine – especially where money or sensitive data is involved.

The surest way is to phone the person, but it’s also worth checking the email address at the outset. In Outlook and similar clients the display name is shown prominently and is trivial to fake; the actual address usually appears after the name in the “To” box when you draft a reply (this is the Reply-To address, which a fraudster can point at their own mailbox). Check the address (not the name) character by character, watching for lookalike domains with a swapped, missing or extra letter. Better still, don’t reply at all: start a fresh message and type the correct address yourself, without letting autofill complete it.
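The two header tricks described above (a genuine-looking display name over a wrong address, and a Reply-To that diverts the reply elsewhere) can be checked mechanically before anyone picks up the phone. The script below is an added example, not code from the original post or from any product; the company domain, the executive list and the two sample messages are constructed for illustration. It parses a raw message, compares the display name against a list of known executives, flags sender domains that are within a couple of edits of the real one (examp1e.com for example.com), and warns when replies would go to a different domain than the one the mail claims to come from.

```python
"""Header checks for suspected fake-CEO (BEC) email.

Added example, not part of the original post. COMPANY_DOMAIN, EXECUTIVES
and the sample messages are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's real mail domain.
COMPANY_DOMAIN = "example.com"

# Assumption: executives whose names a fraudster is likely to borrow,
# keyed by lower-cased display name.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def edit_distance(a, b):
    """Levenshtein distance; a small value means a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw_message):
    """Return a list of warnings for the raw RFC 5322 message text."""
    msg = message_from_string(raw_message)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. A known executive's display name over an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        warnings.append(f"display name '{name}' but address is {addr}, expected {expected}")

    # 2. Lookalike domain: close to, but not equal to, the company domain.
    if from_domain and from_domain != COMPANY_DOMAIN:
        if edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
            warnings.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")

    # 3. Reply-To pointing somewhere other than the From domain, which is what
    #    the "check the address in the To box of your reply" advice catches.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"replies go to {reply_addr}, not to the From address {addr}")

    return warnings


# Constructed sample: a genuine internal message.
SAMPLE_REAL = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Re: Q3 invoices

Thanks, all approved.
"""

# Constructed sample: display name of the CEO, lookalike domain, diverted replies.
SAMPLE_FAKE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.urgent@gmail.com
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached payment today and keep it confidential.
"""

if __name__ == "__main__":
    for label, sample in (("real", SAMPLE_REAL), ("fake", SAMPLE_FAKE)):
        print(label, check_headers(sample) or ["no warnings"])
```

These checks are a triage aid, not a verdict: a fraudster who has actually compromised the executive's mailbox passes all three, and a legitimate sender using a personal account trips one. They point the recipient at what to verify; the verification itself is still the phone call to a number you already have.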

Finally, anyone who receives a suspicious email, whether targeted or just from a mailing list, should be careful. In particular, everyone needs to know not to open attachments and, if asked to “Download Content”, to remember that agreeing loads remote images from the sender’s server, which lets the sender see that you opened the email, when, and roughly from where. It’s always best to follow the golden rule: just say no.