It doesn’t matter where you work, chances are you have a boss; maybe even more than you can count. To stay employed, it’s typically a good rule of thumb to do what the boss says – especially if it comes from the top and they put you on an urgent task.
Yeah, there’s no question if they give you those instructions in person; get on it. But if you get an urgent request through an email, it’s going to be worth your time to make sure it really is your CEO who sent it before you just snap to it.
Why? Scammers love to impersonate other people through phishing emails, even your bosses, to trick you into a wide variety of things. You just need to know how to figure out what’s real and how to spot a fake.
Big business of business phishing scams
Email phishing scams have been around for ages, and even those pretending to be your boss aren’t exactly new. Scammers have been posing as company executives to manipulate employees into turning over credentials, money or gift cards for some time now, but they continue to up their game and rake in billions.
Just like any phishing attempts of the past, it used to be fairly easy to figure out someone was trying to scam you. Things like misspellings, bad grammar and strange choices of words were the dead giveaways. Now it’s different.
Phishing scams are much more sophisticated, and these criminals have done their homework. They spoof email domains, use the right company logos and even address you by name.
They not only know where you work but also what you do there. They might even have some of your other personal details that help keep your guard down … and that’s when they know they have you.
The CEO has an urgent request for you
The big scam you need to be aware of is the Business Email Compromise, or BEC. The scammers’ method of choice is usually pretending to be the CEO and contacting employees with access to the company coffers. They’ll send an email requesting a money transfer to a client or another company, insisting that it has to happen as soon as possible.
You might quickly look up at the email address before carrying out the instructions, but there’s a good chance it’ll look real. The account where you’re supposed to send the money might even look familiar, but with a couple of character changes that will send the money to the crooks’ account.
And these guys probably have a good idea of how much money they can request without raising any major red flags. Besides, you’re not really worried because you’re just doing what the boss told you.
Others to watch out for are direct deposit scams, where they pretend to be HR staffers and tell you to “update” your direct deposit information. Read more about that here.
Then there’s another popular one where your boss wants you to quickly go out and buy hundreds or even thousands of dollars worth of gift cards (with your own money, of course), under the guise that they’re last-minute gifts for clients. Check out a recent report about that here.
Sometimes it’s as simple as an “urgent task,” where they only request something easy like your phone number. Like this phishing email I received pretending to be from Barry Young, CEO of our company, WestStar MultiMedia Entertainment, Inc. As you can see below, our email host even flagged it as spam.
Of course, I didn’t reply but I imagine this bad actor was probably looking for more information, maybe even some gift cards. I guess I’ll never know.
Spotting phishing emails at work
Because their tactics vary, there’s no single detail that gives away a fake, but there are a few things you can look for.
- Check incoming email addresses carefully, especially when they demand financial transactions. Even a single missing character could be the difference between a real email and a fake one.
- Look for recurring subject lines like “Request,” “Follow-up,” “Urgent/Important,” “Are you available?/Are you at your desk?” and others.
- Verify messages from your boss requesting money transfers, gift card purchases and any request involving sensitive company information. Go see them in person, or give them a call.
- Don’t click on web links or attachments in any suspicious emails. They could redirect you to a malicious site, or install malware onto your computer.
For the IT side of these issues, it all starts with making sure your employees are aware of these types of attacks to begin with. A lot of the problem comes down to a lack of cybersecurity training.
- Create a training program to teach employees ways to spot phishing emails.
- Consider two-factor authentication on your business email accounts, using phone numbers for verification.
- Look at email protection systems that will flag potential phishing or fraud attempts. Some can immediately spot domains that look similar to the company’s but aren’t quite right.
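The two checks described above, a sender domain that is a character or two off from the company’s and the recurring “urgent” subject lines, as an added Python example (not code from the article or any product it mentions); the company domain and the sample messages are constructed assumptions.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: replace with your own domain

# Subject lines the article lists as recurring in boss-impersonation phishing
URGENT_SUBJECTS = ("request", "follow-up", "urgent", "important",
                   "are you available", "are you at your desk")


def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap adjacent chars) to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_domain(sender: str, company: str = COMPANY_DOMAIN) -> bool:
    """True when the sender's domain is almost, but not exactly, the company domain."""
    _, addr = parseaddr(sender)              # handles "Name <user@domain>" forms
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == company:
        return False                         # genuine internal sender
    return edit_distance(domain, company) <= 2


def urgent_subject(subject: str) -> bool:
    """True when the subject matches one of the recurring phishing subject lines."""
    s = subject.lower()
    return any(k in s for k in URGENT_SUBJECTS)


def phishing_flags(sender: str, subject: str) -> list:
    """Return the warning signs found for one message (empty list means none)."""
    flags = []
    if lookalike_domain(sender):
        flags.append("lookalike-domain")
    if urgent_subject(subject):
        flags.append("urgent-subject")
    return flags


if __name__ == "__main__":
    # Constructed sample messages: a spoofed CEO request and a normal internal mail
    for frm, subj in [("Barry Young <ceo@examp1e.com>", "Urgent request"),
                      ("ceo@example.com", "Lunch menu")]:
        print(frm, subj, "->", phishing_flags(frm, subj) or "ok")
```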
If you realize after the fact you’ve been duped, you need to address it quickly. Call the police, along with the FBI to report the financial crime immediately. File a complaint with the FBI’s Internet Crime Complaint Center (IC3.gov). If you act fast enough, the funds could be frozen before a transfer is finalized.
And if your boss is demanding you go out and buy iTunes gift cards at different places around town, inform them they need to tell you in person. Say it nicely, though, just in case.