The scam works like this: an email goes to someone in a company’s finance department from the company’s finance director or CEO, demanding that the recipient make an urgent payment. The scammers are using software to make the email appear like it’s from the internal email server, so it looks genuine. The fake email tells the unsuspecting recipient that the unusual payment is needed to secure a new, important contract. When the scam works, the unsuspecting recipient makes the payment outside of normal procedures, directly via wire transfer to an account controlled by the scammers.
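As an added defender-side example (not from the original article), the following Python check parses a single message and flags the pattern described above: a From address that claims the internal domain but failed SPF/DKIM/DMARC at the receiving mail server, a Reply-To that points somewhere else, and urgent-payment wording in the body. The internal domain, the keyword list and the sample message are all constructed assumptions for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation domain (constructed for this example).
INTERNAL_DOMAIN = "example.com"
# Heuristic wording typical of urgent-payment requests; tune per organisation.
PAYMENT_TERMS = ("urgent", "wire transfer", "payment", "confidential", "contract")

def addr_domain(header_value):
    """Lower-cased domain of the first address in a header value, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def authentication_failed(msg):
    """True if the receiving MTA recorded an SPF, DKIM or DMARC failure."""
    results = str(msg.get("Authentication-Results", "")).lower()
    return any(f"{mech}=fail" in results for mech in ("spf", "dkim", "dmarc"))

def whaling_indicators(raw_message):
    """Return the indicators found in one RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_domain = addr_domain(msg.get("From"))
    reply_domain = addr_domain(msg.get("Reply-To"))
    # Spoofed internal sender: From claims our domain but authentication did not hold up.
    if from_domain == INTERNAL_DOMAIN and authentication_failed(msg):
        flags.append("internal sender failed SPF/DKIM/DMARC")
    # Replies quietly redirected to a mailbox the displayed sender does not control.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [term for term in PAYMENT_TERMS if term in body]
    if len(hits) >= 2:
        flags.append("urgent payment wording: " + ", ".join(hits))
    return flags

# Constructed sample: a spoofed "finance director" request of the kind described above.
SPOOFED_REQUEST = """\
From: "Finance Director" <finance.director@example.com>
Reply-To: finance.director@mail-example.test
To: accounts.payable@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.test; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset="utf-8"

Please arrange an urgent payment by wire transfer today to secure the new contract.
Keep this confidential until the deal is signed.
"""
```

Running `whaling_indicators(SPOOFED_REQUEST)` returns three indicators; a routine internal message with passing authentication and no payment wording returns an empty list.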
This type of scam is called “whaling.” The fraud targets senior executives at companies. And according to experts, the average haul for this type of scam is $5,000 to $10,000.
The fraudsters find contact information from publicly available sources, such as company websites, directories or social networking sites, and they’re also hacking into email systems to originate the requests directly from the target’s email server.
If you receive an unusual request via email, confirm the request is genuine by speaking with the requestor. Too often people never verify a request via phone or in-person, and the scammers are counting on this. Email can be compromised, and it’s better to ensure the legitimacy of an unusual request rather than just honoring it. This type of diligence should be encouraged at all levels.
Procedures are in place for a reason and help prevent fraud. Deviations should raise red flags.
If something looks off, whether the language is suspect or the tone is questionable, there may be a legitimate reason, but it may also be fraud.
Unless it’s an attachment that you’re expecting, it is better to verify than to open a file that can cause greater havoc.
Be cautious about any unexpected emails that request urgent bank transfers, even if the message appears to have originated from someone in your own organization.
Microsoft recommends the following:
Criminals will do everything they can to make this type of whaling scam successful, and they count on people not looking beyond the request. An urgent request from someone’s boss may make these emails look real. Due diligence before a payment is released can help prevent an unrecoverable loss.