Boss scam costs millions: E-mail fraudsters pretend to be superiors

Using stolen data to ask employees to send over a customer list or to make a large payment directly - these are some of the tricks used by fraudsters who want to steal information and money from companies. In addition to the phishing and Trojan emails aimed at private users, the so-called “boss scam” is aimed specifically at uncritical employees of companies who do not check the authenticity of the emails they receive. Why should they, if they are not trained for it and quick answers are expected? Below are a few tips, tricks and resources to avoid costly mistakes when handling an email.

Got a strange email from the boss? Or does the boss instruct an unusual transfer? This could be the infamous CEO scam, a scam that targets corporate information and money!

Stealing internals and money from companies via boss scams

The scam, also known as “CEO fraud” and part of the so-called Business E-Mail Compromise (BEC), involves people pretending to be the boss of a company and requesting internal information or money by email. "Send me the customer list for the last 12 months as soon as possible," it could say, for example. In the context of corporate espionage, for example, competitors can also obtain internal company data this way.

"Transfer EUR 1.5 million to account XYZ as quickly as possible so that the ABC contract can be processed promptly," could be another request. Here, too, note the urgency conveyed, which is intended to suppress queries or any general questioning of the message. If the boss thinks that something is urgent, then it is better to do it without additional effort. However, this can backfire. As heise online shows in a comprehensive article on the topic, spam filters are no help against this scam.

Also question e-mails from suppliers, customers and partners

Of course, a blanket distrust of email contact with bosses, suppliers, customers and other contacts is of no use either. That only inhibits day-to-day business. However, with captured data, such as the lists requested in the example above, further fraudulent e-mails can be crafted. The fraudsters can also request changes to the payment details held by suppliers and other partner companies that make payments to the deceived company, and thus divert payments to their own account.

It is therefore important to practice a few tricks and a critical eye, and to check every email, at least briefly, for authenticity. Checking the sender address in the email header, not just the displayed name, is the first step. Are the greetings, salutations, personal and company details and other key points of the mail the same as before? Are there perhaps strange formulations or demands that are incompatible with company policy? These questions and their answers are also important.

How do I protect my company from email fraud?

As just mentioned, a quick, critical look should always be part of reviewing an email. A further check is recommended, especially if the message requests internal information or unusual payments. And when urgency is insisted upon, it never hurts to be on the safe side. So here are a few tips and tricks:

  • Always, or at least in case of suspicion, check the sender and their email address
  • Examine the content for strange formulations, missing information or unusual requests
  • If you are requested to release internal information or transfer an amount, please contact the apparent sender (in person or by phone)
  • E-mails in English or another language - if this is not part of company policy - should generally prompt caution
  • Example Amazon: Detect and report phishing or spoofing
  • Google Phishing Quiz: Anti-fraud training
  • Are any agreed formulas or code words included / not included?

The last point matches an example of internal protection against email fraud that is mentioned in the heise article linked above. It concerns a code word that must appear in every internal e-mail addressed to the accounting department:

... Sonja Catani, managing director of the Swedish pet supplies supplier Hugo & Celine AB, chose a different approach: At the beginning of each month, she orally agrees a code word from the area of nutrition such as "chocolate spinach" with the employees in controlling. The money will only go out if this code word is found in a transfer request sent to the accounting department by email.
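The checklist above and the code-word rule from the heise example can be turned into a small triage script that an accounting team could run over an incoming message before acting on it. This is an added example, not code from the blog or from Hugo & Celine AB; the company domain, the executive address and the sample messages are constructed, and the code word is taken from the quote.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, not from the article: company mail domain, known executive addresses, and
# the code word agreed orally for this month (the article's "chocolate spinach").
COMPANY_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {"Sonja Catani": "sonja.catani@example.com"}
CURRENT_CODE_WORD = "chocolate spinach"

URGENCY = [r"as soon as possible", r"as quickly as possible", r"\burgent", r"\bimmediately\b"]
PAYMENT = [r"\btransfer\b", r"\bpayment\b", r"\baccount\b"]
INTERNAL_DATA = [r"customer list", r"\bpayroll\b", r"\bcontract data\b"]

def mentions(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)

def triage_email(raw):
    """Apply the article's checklist to one raw message; return a list of warnings."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    warnings = []
    # 1. Check the real sender address, not just the displayed name.
    known = KNOWN_EXECUTIVES.get(display_name)
    if known and address.lower() != known.lower():
        warnings.append(f"display name '{display_name}' but address is {address}, not {known}")
    if domain != COMPANY_DOMAIN:
        warnings.append(f"sender domain '{domain}' is outside the company")
    # 2. Urgency combined with a request for money or internal data: confirm out of band.
    wants_money, wants_data = mentions(PAYMENT, text), mentions(INTERNAL_DATA, text)
    if mentions(URGENCY, text) and (wants_money or wants_data):
        warnings.append("urgent request for payment or internal data: confirm by phone or in person")
    # 3. A transfer request must carry the code word agreed for this month.
    if wants_money and CURRENT_CODE_WORD.lower() not in text.lower():
        warnings.append("transfer request without this month's code word")
    return warnings

# Constructed sample messages, not real mail.
FRAUD_MAIL = (
    "From: Sonja Catani <sonja.catani@example-lookalike.net>\n"
    "Subject: Urgent: ABC contract\n\n"
    "Transfer EUR 1.5 million to account XYZ as quickly as possible.\n"
)
LEGIT_MAIL = (
    "From: Sonja Catani <sonja.catani@example.com>\n"
    "Subject: Supplier invoice\n\n"
    "Please transfer the March invoice to the usual account. Code word: chocolate spinach.\n"
)
```

Running `triage_email(FRAUD_MAIL)` yields four warnings (name/address mismatch, external domain, urgent payment request, missing code word), while the legitimate message yields none; the script only flags, so the phone call to the apparent sender remains the actual control.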

Conclusion on the topic

Of course, as an employee of a company you don't have to, and shouldn't, suspect every email that reaches you. However, you must not blindly trust every message either, or skip the review of suspicious content because of the urgency demanded in the mail. With a few tricks and a practiced eye, or with appropriate protective measures, the risk of boss scams or CEO fraud can be minimized. Do you have any other tips, or are there other simple rules in your company that help effectively against fraud? Feel free to leave a comment on the topic!

Did you like the article and did the instructions on the blog help you? Then I would be happy if you would support the blog via a Steady membership.
