Imagine this – it’s a busy day at the office, almost time to go home. Your computer beeps with an email notification.
Jane – do you have a minute? Am tied up in a meeting, need your help. We have a pending invoice from our Vendor. I will highly appreciative if you can handle before close of business. Can’t take calls. Please email.
It’s from your boss, and it’s not like you can ignore him … you reply and ask for the details so you can make the payment. Before you leave the office for the day, you’ve successfully wired the $50,000 payment to the vendor.
The next day your boss calls you into his office to ask you about the payment he just saw go out to an unfamiliar account number. Your heart sinks, and you stammer “But you emailed me, and you asked me to make that payment…” Your boss looks confused, and says “I didn’t email you.”
An email from “your boss” might seem real but … it could be the beginning of a popular phishing email scam making the rounds known as CEO Fraud or Business Email Compromise (BEC). Companies have lost millions of dollars to scams just like this one. Sometimes the scammers request wire transfers; in other cases, they ask for gift cards.
This scam doesn’t just affect you at work – variations on this have been reported from sports/recreation clubs, professional societies and non-profit organizations. Be suspicious of unusual requests for money/gift cards from anyone via email!
Let’s do a post mortem on what happened to our unfortunate friend, Jane.
When the email came in, she was distracted. It was the end of the day, and she wanted to get home. If she hadn’t been distracted, she might have noticed something was a little off with her “boss’s” email address. Scammers will research your company, figure out who’s in charge, and create a fake, but very similar, email address under that person’s name. So if your boss is named James Johnson and his email is firstname.lastname@example.org, it wouldn’t be too hard for a scammer to register an email like email@example.com and you might not even notice the difference if the displayed sender’s name was James Johnson, right? You can register an email address with whatever name you want. Take the time to fully examine the sender’s email address, and if it’s not what you were expecting it’s probably a scam.
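One way a mail filter or help-desk script could surface the clues described above, as an added Python example that is not part of the original article: it flags a display name borrowed from a known executive whose real address does not match, a domain that is a near-copy of the organization's own, and (a check the text does not mention but practitioners commonly add) a Reply-To that points somewhere other than the From address. The organization domain, the executive list and the headers below are constructed placeholders, reusing the article's example addresses.

```python
from email.utils import parseaddr

# Constructed configuration: the organization's real domain and the executives
# whose names a scammer would borrow (placeholder addresses, as in the article).
ORG_DOMAIN = "example.org"
KNOWN_EXECUTIVES = {"james johnson": "firstname.lastname@example.org"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (substitution/insertion/deletion)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, real):
    """True when domain is one edit away from the real one, or hides an 'rn'-for-'m'
    or 'vv'-for-'w' swap, but is not actually the real domain."""
    if domain == real:
        return False
    if edit_distance(domain, real) <= 1:
        return True
    return domain.replace("rn", "m").replace("vv", "w") == real


def check_sender(headers):
    """Return a list of warnings for a message's From/Reply-To headers.
    An empty list means nothing was flagged; it does not prove the mail is genuine."""
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    warnings = []
    # Display name matches an executive, but the address is not that executive's.
    expected = KNOWN_EXECUTIVES.get(" ".join(name.split()).lower())
    if expected and addr != expected:
        warnings.append(f"display name '{name}' is an executive, but address is {addr}, not {expected}")
    # Sender domain is a near-copy of ours.
    if domain and is_lookalike(domain, ORG_DOMAIN):
        warnings.append(f"sender domain '{domain}' looks like {ORG_DOMAIN} but is not")
    # Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")
    return warnings
```

Running `check_sender({"From": "James Johnson <email@example.com>"})` returns one warning, while the executive's genuine address returns none.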
Typos or odd grammar are clues that something might be off, though in some cases these phishing emails are so well crafted it can be difficult to tell.
Another thing to consider – is the email expected? If you are in a position to send wire transfers, you would likely have known about the overdue invoice in the first place. Most bosses would not request invoice payment by email. Your workplace should have checks and balances in place to prevent this.
You can also try calling your boss at the verified phone number you have on file to confirm if he or she sent you the email. Do not use any contact information in the suspicious email to try to verify identity, and remember it is always possible their phone number has been compromised as well.
The criminals behind these scams want to throw you off balance and get you to send them the money or gift cards as soon as possible before you stop and think about it. An urgent message at the end of the day hits us when we’re ready to go home and already half-distracted – and when an email is from your boss, scammers know you are not as likely to question the email.
This type of phish is pure social engineering, no malicious links or attachments required. Social engineering is the practice of manipulating people so they give up confidential or financial information. People have a natural inclination to trust other people and to want to help them – it’s easier to “hack” people than it is to hack into your computer.
According to the FBI’s annual Internet Crime Report (IC3) for 2018, losses from Business Email Compromise phishing scams nearly doubled, going from $675 million in 2017 to $1.2 billion in 2018. There is big money to be had in these scams, and the scammers know it.
Don’t let this happen to you or your coworkers – be aware, take the time to stop and think before you reply to that email. If it feels wrong, it probably is a scam.
Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.