Boss scam costs millions: E-mail fraudsters pretend to be superiors

Using stolen data to ask employees to send a customer list or to make a larger payment directly: these are some of the tricks used by fraudsters who want to steal information and money from companies. In addition to the phishing and Trojan emails aimed at private users, the so-called "boss scam" targets in particular uncritical employees of companies who do not check the authenticity of the emails they receive. What if they are not trained, and quick answers are expected of them? Here are a few tips, tricks and sources to avoid costly mistakes when processing an email.

Got a strange email from the boss? Or does the boss instruct an unusual transfer? This could be the infamous CEO scam, a scam that targets corporate information and money!

Stealing internals and money from companies via boss scams

The scam, also known as "CEO fraud", is part of the so-called Business E-Mail Compromise (BEC): people pretend to be the boss of a company and request internal information or money by email. "Send me the customer list for the last 12 months as soon as possible," it could say, for example. In the context of corporate espionage, other companies can also obtain internal competitive data in this way.

"Transfer EUR 1.5 million to account XYZ as quickly as possible to process the ABC contract quickly," could be another request. Again, note the urgency conveyed, which is intended to suppress queries or any general questioning of the message. If the boss says something is urgent, employees would rather just do it without asking further questions. However, this can backfire. As heise online shows in a comprehensive article on the topic, spam filters offer no protection against the scam.

Also question e-mails from suppliers, customers and partners

Of course, a general distrust of every email contact with bosses, suppliers, customers and other contacts is of no use. That only inhibits day-to-day business. However, with captured data, such as the lists requested as shown above, further convincing e-mails can be crafted. The fraudsters can also request changes to the payment data of suppliers and other partner companies that receive payments from the deceived company, and thus channel those payments to their own account.

It is therefore important to train yourself, with a few tricks and a critical eye, to check every email at least briefly for authenticity. Checking the sender address, and not just the display name in the email header, is the first step. Are the greeting, salutation, personal and company details and other key points of the mail the same as before? Are there perhaps strange formulations or demands that are incompatible with company policy? These questions and their answers are also important.

How do I protect my company from email fraud?

As just mentioned, a quick, critical look should always be part of reviewing an email. A further check is recommended, especially if the message requests internal information or unusual payments. Moreover, when urgency is insisted upon, it never hurts to be on the safe side. So here are a few tips and tricks:

  • Always, or at least in case of suspicion, check the sender and their email address
  • Examine the content for strange formulations, missing information or unusual requests
  • If you are requested to release internal information or transfer an amount, please contact the apparent sender (in person or by phone)
  • E-mails in English or another language, if this is not part of company policy, should generally prompt caution
  • Example Amazon: Detect and report phishing or spoofing
  • Google Phishing Quiz: Anti-fraud training
  • Are any agreed formulas or code words included / not included?

The last point fits an example of internal protection against email fraud that is mentioned in the heise article linked above. It concerns a code word that must appear in every e-mail addressed to the accounting department:

... Sonja Catani, managing director of the Swedish pet supplies supplier Hugo & Celine AB, chose a different approach: At the beginning of each month, she orally agrees a code word from the area of nutrition such as "chocolate spinach" with the employees in controlling. The money will only go out if this code word is found in a transfer request sent to the accounting department by email.
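The checks from the tip list above (sender address versus display name, urgency combined with a payment or data request) and the code-word rule from the Hugo & Celine example can be automated as a first screening step on the accounting mailbox. The following is an added example, not code from the article or from the company it describes; the company domain, the keyword lists and the two messages are constructed assumptions, and messages are assumed to be single-part plain text.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed settings for this example (not from the article).
COMPANY_DOMAIN = "example.com"
URGENCY_WORDS = ("as soon as possible", "as quickly as possible", "urgent", "immediately")
REQUEST_WORDS = ("transfer", "payment", "account", "customer list")


def check_message(raw: str, code_word: str) -> list[str]:
    """Screen one raw single-part message; return warnings (empty list = nothing found)."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # The display name may say "the boss" while the address lives on a foreign domain.
    if domain != COMPANY_DOMAIN:
        findings.append(f"sender '{display}' <{addr}> is not on {COMPANY_DOMAIN}")
    # A Reply-To that differs from From redirects the answer to the fraudster.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To '{reply}' differs from From '{addr}'")
    text = msg.get_payload().lower()
    urgent = [w for w in URGENCY_WORDS if w in text]
    request = any(w in text for w in REQUEST_WORDS)
    if urgent and request:
        findings.append("urgency (" + ", ".join(urgent) + ") combined with a payment/data request")
    # The Hugo & Celine rule: a transfer request without this month's code word is not paid.
    if request and code_word.lower() not in text:
        findings.append("payment/data request without the agreed code word")
    return findings


# Constructed sample messages: one spoofed boss mail, one legitimate internal request.
SPOOFED = """From: "Jane Boss" <jane.boss@example.net>
To: accounting@example.com
Subject: Contract ABC

Please transfer EUR 1.5 million to account XYZ as quickly as possible to process the ABC contract.
"""

LEGIT = """From: "Jane Boss" <jane.boss@example.com>
To: accounting@example.com
Subject: Invoice run

Please release the supplier payment on Friday. Code word: chocolate spinach.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_message(raw, "chocolate spinach"))
```

A hit only flags the mail for the personal or telephone call-back the list recommends; it is not a replacement for that call.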

Conclusion on the topic

Of course, as an employee of a company you do not have to, and should not, suspect every email that reaches you. However, you must not blindly trust every message either, or skip the review of suspicious content because of the urgency the mail demands. With a few tricks and a practiced eye, or with appropriate protective measures, the risk of boss scams or CEO fraud can be minimized. Do you still have any tips, or are there other simple rules in your company that help effectively against fraud? Feel free to leave a comment on the topic!
