You get an email from your boss’s boss requesting that you make a wire transfer to a new vendor. The email is marked urgent, so you ignore the 20 others that need your attention to take care of it. You handle wire transfers all the time, and you’ll definitely score points for responding so quickly, right? Maybe not.
In a recent scheme, sometimes called “masquerading,” a hacker poses as a senior executive and asks an employee to complete a financial transaction, like a confidential business investment or a payment to a vendor. Once money is wired to a bogus account, it can be nearly impossible to recover.
In fact, the scheme often goes undetected until the company’s fraud department raises an alarm, or company executives talk to each other about the “transfer” request. According to a recent bulletin from the Internet Crime Complaint Center (IC3), the average loss is $55,000, but some losses have exceeded $800,000.
In some cases, the emails are spoofed by making subtle changes, so it’s difficult to distinguish a fake address from a legitimate one. For example, "john@example.com" looks a lot like "john@exanple.com". In other cases, the hackers break into an organization’s email system and send urgent requests from legitimate accounts.
Scammers like to mix it up. They may pose as vendors who have existing relationships with the company and send emails to “update” their account information. Some masqueraders try to commit this fraud on the phone, posing as the CFO, comptroller or CEO to intimidate an employee.
Want to make sure your company doesn’t fall victim to a masquerade scam?
- Establish a multi-person approval process for transactions above a certain dollar threshold.
- Implement a system that requires a valid purchase-order, along with approvals from a manager and finance officer, to spend money.
- Circulate this blog post by email or in a staff meeting. It’s great with coffee and donuts.
In addition, share these tips with your colleagues:
- Confirm that any request to initiate a wire transfer is from an authorized source within the company.
- Double- and triple-check email addresses.
- Slow down. Fraudsters pressure you to take action quickly so you don’t have time to think it through. Take time to verify any request — even an urgent one.
- Be suspicious of requests for secrecy. Speak to the executive on the phone or in person. If you still have doubts, speak to another senior executive.
If you think you may have encountered a masquerade scam, please report your experience at www.ic3.gov and ftc.gov/complaint.
Has your company developed other strategies for combatting these scams? Use the comment section to tell us about it.