If you’re like most of our clients, you have to be on constant lookout for scams, malware, and fraud. As cyber security and public knowledge have developed, fraudsters have become ever more sophisticated in their tactics. At this point, most of us know to be wary of suspicious pleas from Nigerian princes and random .exe files sent from unknown addresses. In fact, most modern spam filters prevent such obvious scams from reaching our inboxes in the first place. We have all also spent the last several years getting used to identifying “phishing” scams, wherein a fraudster poses as a legitimate entity (e.g. your bank) to entice you to click a misleading link or call a fake phone number. However, executive impersonation, the new frontier of fraud, is much more insidious, can be difficult to detect until it’s too late, and could lose your organization thousands upon thousands of dollars.
It Could Happen to You
Imagine you’re the CEO of a sizable organization, and you’ve just returned to the office after spending a week on vacation. As you’re going about your day, your Controller approaches you to ask about a request you made that morning to wire several thousand dollars to an external account. This sounds awfully strange, as you made no such request. Upon further investigation, you and the Controller discover that the request came from someone impersonating you. As if that weren’t alarming enough, you both discover that two transfers totaling nearly $30,000 were already completed the previous week while you were on vacation, completely unbeknownst to you. You call the police to investigate and scramble to recover the funds, but alas, the fraudsters have already moved on and your money is gone forever. Such is the horror that recently befell one of our clients.
Earlier models of email fraud (phishing, Nigerian princes, etc.) were fairly impersonal and could be blasted out to millions of people with roughly the same effect. Executive impersonation, however, is much more frightening, as it requires the fraudster to specifically target your company, do their homework, and successfully impersonate your executives in such a way that it can be difficult to notice that fraud occurred until the money has already disappeared. In our client’s example, the perpetrator created an email account that was nearly identical to the CEO’s address and could easily be mistaken for it at first glance. Then they researched the CEO to determine when he would be on vacation, as well as who in the organization had the power to transfer funds (the Accountant). Over the course of a week, the fraudster reached out to the Accountant with two “urgent requests” from the CEO to transfer funds to an external account, encouraging the Accountant to “just get this done and we will figure out the source of funds later”. While these requests were unusual, they appeared to come directly from the CEO, and the Accountant requested and received approval from the Controller. It wasn’t until the Accountant received a third request the following week that the CEO was spoken to directly about the transfers and the fraud was discovered.
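The near-identical sender address described above is something a mail pipeline can check for mechanically. The following is an added example, not part of the original post: it flags senders within a small edit distance of a protected executive address, and the addresses, names, keyword list and distance threshold are all constructed assumptions.

```python
# Added example; every address, name and threshold here is a constructed assumption.
EXECUTIVES = {"jane.doe@example-corp.com": "Jane Doe"}  # protected addresses
PAYMENT_TERMS = ("wire", "transfer", "urgent")           # constructed keyword list
MAX_DISTANCE = 2                                         # edits still counted as "nearly identical"

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(address):
    """Lower-case and collapse common visual substitutions (rn->m, 0->o, 1->l)."""
    return address.strip().lower().replace("rn", "m").replace("0", "o").replace("1", "l")

def sender_verdict(address, display_name=""):
    raw = address.strip().lower()
    if raw in EXECUTIVES:
        return "exact"  # string match only; sender authentication is a separate check
    if any(edit_distance(fold(raw), fold(e)) <= MAX_DISTANCE for e in EXECUTIVES):
        return "lookalike"
    if display_name.strip().lower() in {n.lower() for n in EXECUTIVES.values()}:
        return "name-only"  # executive's name on an unrelated address
    return "unrelated"

def needs_direct_confirmation(address, display_name, subject):
    """True when a near-match sender asks for money: hold the request and confirm directly."""
    asks_for_money = any(term in subject.lower() for term in PAYMENT_TERMS)
    return asks_for_money and sender_verdict(address, display_name) in ("lookalike", "name-only")

# Constructed sample messages: (sender address, display name, subject)
SAMPLES = [
    ("jane.doe@example-corp.com", "Jane Doe", "Q3 board deck"),
    ("jane.doe@examp1e-corp.com", "Jane Doe", "Urgent wire transfer today"),
    ("jane.doe@exarnple-corp.com", "Jane Doe", "Re: transfer"),
    ("jdoe1984@mail.example", "Jane Doe", "urgent request"),
    ("billing@vendor.example", "Vendor Billing", "Invoice 1042"),
]

if __name__ == "__main__":
    for addr, name, subject in SAMPLES:
        hold = needs_direct_confirmation(addr, name, subject)
        print(f"{addr:30} {sender_verdict(addr, name):10} hold={hold}")
```

A held request is then confirmed with the executive directly, which is the step that eventually exposed the fraud in the incident above.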
A Large and Growing Problem
This was not an isolated incident. The FBI’s Internet Crime Complaint Center issued no fewer than three public service announcements last year on the subject, noting that U.S. companies lost $179 million to this type of fraud in 2014 alone. It’s a frightening kind of attack, and the bigger your company is, the bigger a target you might be for sophisticated fraudsters.
You are not, however, powerless! Education is the first step in recognizing and preventing scam artists from stealing from you. In this blog series, we’ll dig deeper into:
- the rise of impersonation scams and the major types of fraud you may encounter
- strategies for coping if you find yourself a victim
- ways you can prepare your organization to recognize and prevent threats
Keep an eye out for future posts on this subject, and please don’t hesitate to contact me with questions or comments in the meantime.