If your business regularly makes wire transfer payments, it could be the next target of a fast-growing scam in which cybercriminals trick employees into transferring large sums of money to them by impersonating CEOs and other company executives in spoofed emails.
According to the FBI, the scheme has caused $2.3 billion in losses to 17,642 business and non-profit organizations in the U.S. and other countries since October 2013, with the number of victims nearly tripling since January 2015.
How does it work? The schemers first study their intended victims. Social media websites, a company’s own website, and news reports can give employees’ names, job titles, email addresses, and telephone numbers, as well as information about the company’s business dealings. Fraudsters also pose as third parties – perhaps the company’s bank, a vendor, or someone legitimately seeking information – in phishing emails and pretexting calls designed to trick employees into disclosing confidential information.
With a company’s information, scammers can spoof, or fake, an email to an employee who they know can transfer money or pay invoices for the company, making the email look like it’s coming from an executive officer, regular vendor or other trusted source. In some cases, hackers break into a company’s email system and send urgent requests for money transfers. Once the money is wired, it can be nearly impossible to recover.
These tips can help you guard your company against CEO imposter scams:
- Establish a multi-person approval process for transactions above a certain amount.
- Set up a system that requires a valid purchase order and approvals from a manager and a finance officer to spend money.
- Verify by phone any changes in vendor payment information and fund transfer requests.
- Remember: email is never a secure way to send financial information. Don’t transmit account information by email, and question any emailed payment requests that include account information.
- Slow down. Take time to verify any request, even an urgent one. And be suspicious of any request for secrecy.