Using stolen data to ask employees to send a customer list, or to make a large payment directly: these are some of the tricks used by fraudsters who want to steal information and money from companies. In addition to the phishing and Trojan emails aimed at private users, the so-called "boss scam" specifically targets employees outside the critical roles of a company who do not check the authenticity of the emails they receive. Why them? Because they may be untrained and because quick answers are expected of them. Here are a few tips, tricks, and sources to help avoid costly mistakes when handling an email.
The scam, also known as "CEO fraud", belongs to the category of Business E-Mail Compromise (BEC): the perpetrators pretend to be the boss of a company and request internal information or money by email. "Send me the customer list for the last 12 months as soon as possible," it could say, for example. In the context of corporate espionage, other companies can also obtain internal competitive data in this way.
"Transfer EUR 1.5 million to account XYZ as quickly as possible to process the ABC contract quickly," could be another request. Here too, note the urgency being conveyed, which is meant to suppress follow-up questions or any general doubts about the message. If the boss says something is urgent, it is tempting to just do it without any extra effort. But that can backfire. As heise online shows in a comprehensive article on the topic, spam filters do not help against this scam.
Of course, a general distrust of every email from bosses, suppliers, customers and other contacts is no solution; that only hinders day-to-day business. However, with captured data, such as the lists requested in the examples above, further fraudulent emails can be produced. The fraudsters can also ask suppliers and other partner companies that make payments to the deceived company to change their payment details, and thus redirect those payments to an account of their own.
It is therefore important to practice a few tricks and to check every email for authenticity with a critical eye, at least briefly. The first step is to check the sender address in the email header, not just the displayed name. Are the greeting, salutation, personal and company details and other key points of the mail the same as in earlier messages? Are there strange formulations, or demands that are incompatible with company policy? These questions and their answers matter as well.
As just mentioned, a quick, critical look should always be part of reviewing an email. A further check is recommended, especially if the message asks for internal information or for unusual payments. And whenever urgency is insisted upon, it never hurts to be on the safe side. So here are a few tips and tricks:
The last of these points matches an example of internal protection against email fraud that is mentioned in the heise article linked above. It concerns a code word that must appear in every internal e-mail addressed to the accounting department:
... Sonja Catani, managing director of the Swedish pet supplies supplier Hugo & Celine AB, chose a different approach: at the beginning of each month, she orally agrees on a code word from the area of nutrition, such as "chocolate spinach", with the employees in controlling. The money will only go out if this code word is found in a transfer request sent to the accounting department by email.
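The checks described above (sender domain versus display name, a Reply-To that points elsewhere, urgency wording, and the agreed code word) can be turned into a simple triage script for the accounting inbox. This is an added example written for this post, not code from the blog or from heise; the company domain, the code word, the urgency phrases and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"          # assumed internal mail domain
CODE_WORD = "chocolate spinach"              # code word agreed orally each month, as in the quoted example
URGENCY_WORDS = ("urgent", "as quickly as possible", "immediately", "asap")

# Constructed sample: lookalike domain (.co instead of .com), foreign Reply-To, urgency, no code word.
SUSPICIOUS = """From: "Anna Chef" <anna.chef@example-corp.co>
Reply-To: ceo.urgent@mail-example.net
To: accounting@example-corp.com
Subject: URGENT transfer today

Please transfer EUR 1.5 million to account XYZ as quickly as possible.
No time for questions, I am in a meeting.
"""

# Constructed sample: internal sender, no Reply-To trick, no pressure, code word present.
LEGITIMATE = """From: "Anna Chef" <anna.chef@example-corp.com>
To: accounting@example-corp.com
Subject: Supplier invoice 1234

Please pay invoice 1234 to the supplier account on file by the end of the month.
Code word: chocolate spinach
"""

def check_message(raw, company_domain=COMPANY_DOMAIN, code_word=CODE_WORD):
    """Return the reasons a transfer request should be verified out of band (empty list = none found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if from_domain != company_domain.lower():
        findings.append(f"sender domain '{from_domain}' is not the company domain '{company_domain}'")
    _rname, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From '{addr}'")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text or w in subject]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if code_word.lower() not in text:
        findings.append("agreed code word missing from transfer request")
    return findings

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_message(sample) or "no findings")
```

A script like this only flags mails for a phone call or a walk to the boss's office; it is no substitute for that out-of-band confirmation.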
Of course, as an employee you do not have to, and should not, treat every email that reaches you as suspect. But you must not blindly trust every message either, or skip the review of suspicious content because the mail demands urgency. With a few tricks, a practiced eye, or suitable protective measures, the risk of boss scams or CEO fraud can be minimized. Do you have further tips, or are there other simple rules in your company that help effectively against fraud? Feel free to leave a comment on the topic!
Jens has been running the blog since 2012. He appears as Sir Apfelot for his readers and helps them with problems of a technical nature. In his free time he drives electric unicycles, takes photos (preferably with his iPhone, of course), climbs around in the Hessian mountains or hikes with the family. His articles deal with Apple products, news from the world of drones or solutions for current bugs.