The scam email is a familiar feature on the business landscape. But just as business changes, innovates and evolves, so do its enemies. Now there is a genuine, and growing, threat from scammers who impersonate senior executives within an organisation.
The hacker or scammer sends an email to an employee purporting to be from one of the senior executives in the same company. In it, the fake executive asks the employee to complete a confidential business investment, or transfer a payment to a client.
The object is to get the employee to transfer the funds into the scammer’s own account. The email will look convincing. This is cyber-crime operating at a sophisticated level. There are several ways for fraudsters to obtain the information they need to make an executive impersonation appear genuine.
“Scammers can use publicly available company information”, Malcolm Cooke, Managing Director of C&C Insurance Brokers in Stockport, explains. “Often this can give them names of senior staff. Alternatively, they may actually hack into a company’s email accounts to obtain this kind of information, particularly through web-based email services”.
This sort of fraudulent payment request will usually ask the target employee to make an urgent transfer, giving some reason why exceptional circumstances apply. Once the money is transferred to the bogus client account, the scammer will quickly withdraw it.
Having the Right Cover
“Companies need to be very careful with their insurance cover when it comes to this kind of scam,” Malcolm explains. “Typical electronic funds transfer cover won’t include this kind of activity, because it doesn’t involve the scammers accessing your accounts and doing the transfer themselves. Instead, a member of your own staff has become an unwitting accomplice.”
Insurers will be working to extend their services to include this kind of cover, under ‘social engineering crime’. There are, however, measures companies can take to protect themselves from executive impersonation scams.
“Take particular care over any emails asking for urgent bank transfers”, advises Malcolm. “Always check unusual payment requests with the supposed sender, preferably in person or over the phone, so that you can talk to them direct. Look out for unusual wording, bad spelling or grammatical errors”.
“It is imperative that internal email passwords are really strong”, Malcolm concludes, “and, of course, that your authorisation procedures for payments and transfers are as watertight as you can make them”.
Business Aspects Magazine would like to thank Malcolm Cooke for his contribution.