Let’s say that you’re walking down the hallway of your office when you bypass a team member from accounting. They tell you that the wire transfer you requested has been completed successfully, but you don’t remember ever asking for such a thing. You take a look through your books and see that a ton of money was sent to some random stranger who took on your identity.
You may have heard about CEO fraud, which is commonly referred to as “whaling.” It’s like a phishing scheme, but on a much more intricate scale. Instead of faking the identity of another employee, or someone from a financial institution or government agency, the hacker will try to use the identity of a business owner or CEO instead. The idea is to use an employee’s fear of confrontation and eagerness to comply with requests to the hacker’s advantage--and you’d be surprised by how often it works.
In particular, wire transfers are proving to be a lucrative option for hackers who manage to trick users. As reported by ITProPortal: “Individuals create bogus messages seemingly from a senior leader, for example the CEO, which ask employees to wire funds across to them. The messages ultimately trick employees into transferring large amounts of cash electronically.” The average fraudulent wire transfer is valued at approximately $67,000, with some going well above. Plus, according to the FBI, over the past three years CEO fraud has cost businesses over $3 billion.
In most cases, wire transfers are difficult, if not impossible, to challenge, so your best chance at recovering from one is to not experience it in the first place. They are simply much too fast and are often finite in nature. Therefore, the most pressing matter is to address how your business can handle this shocking amount of growth in CEO fraud. You need to start by addressing how your staff handles unsolicited requests via email, telephone, or otherwise. Here are a few tips to consider for your business.
- Implement hands-on phishing scam training: There’s no better teacher than hands-on training. Implement a training procedure where you purposely expose your employees to messages similar to phishing scams. See how they react to them, and if it’s not favorably, go through the proper protocol that they should keep in mind.
- Always check in person before sending credentials, or anything else: In general, emails requesting suspicious or sensitive information should be cross-checked by either in-person communication, or by checking the email address and domain from which the message originated. However, some hackers have the ability to spoof email addresses, so it’s usually best to check with whoever supposedly sent the message.
- Educate employees on best practices: This goes back to hands-on phishing scam training. It’s important to remind your team of security best practices, and regularly quiz them on how to avoid phishing and CEO fraud.
To learn more about CEO fraud and other types of security red flags, reach out to Think Tank NTG at 800-501-DATA.