How to protect yourself and your business from CEO impersonation scams and phishing attacks

As you finish up a videoconference meeting with the rest of your department, your phone dings and you glance down to see a text from your CEO. You don’t communicate with her often, but she has reached out a few times in the past to verify some specific accounting figures.

Several other texts quickly follow. They explain that she is accompanying the sales team on an important customer visit and the team dropped the the ball in providing gift cards for the client. She would like you to run to the Walgreens across the street from the office and pick up seven Amazon gift cards worth $200 each. She is sorry for the inconvenience, grateful for your help, and will of course reimburse you later in the day once she is back in the office. The last text reads.

“Stepping into meeting with them now. Will be out of touch for next 2 hrs. Please send photos of card numbers before noon. Thx.”

You glance at your phone’s clock – only one hour to fulfill the request.

Would this kind of request make you pause and wonder, or would you be grabbing your coat and heading across the street?

A surprising number of employees fall for such simple scams. Without proper training, 1 in 3 employees are likely to fall for a phishing scam. There are many other variations: a boss stuck without gas, in need of assistance with some last-minute travel needs, or some other dire situation that only you can help with.

These scams come by text message or email, but the result is the same. The unsuspecting employee buys the gift cards and sends the requested information back to the same number. Only later do they find out that the real CEO was not the one that contacted them. It was a phishing scammer.

The employee is then out the cash — and out of luck.

Why Do Employees Fall for Phishing Scams?

Though the circumstances of the gift card scheme may seem odd when viewed from the outside, many employees fall for this scam in the moment. Using social engineering techniques, hackers manipulate the emotions of employees to get them to follow through on the request. These tactics provoke several different types of emotional responses in employees, all of which can prove highly-effective.

• Fear: The employee is afraid to not comply with a superior’s request.
• Heroism: The employee has a chance to save the day.
• Pride: The employee doesn’t want to let the company down.
• Ambition: The employee sees a chance to advance their career by helping the CEO.

The scam’s message is also designed to impart a sense of urgency that provokes the employee to act without thinking or checking. The CEO needs the gift card details right away. Also, the messages note that the CEO will be busy with important matters for the next few hours. This decreases the likelihood that the employee will try to contact the real CEO to check the validity of the text.

Illinois Woman Loses More Than $6,000 from a Fake CEO Email

Variations of this scam are prevalent and can lead to significant financial losses. A company is not legally responsible if an employee falls for a scam and purchases gift cards with their own money – regardless of the employee’s benevolent intentions.

In one example, a woman from Palos Hills, Illinois lost over $6,000 after responding to an email request that claimed to be from her supervisor, the company’s CEO. The message stated that she wanted to send gift cards to some selected staff that had gone above and beyond.

The email ended with “Can you help me purchase some gift cards today?” The boss had a reputation for being generous with employees, so the email did not seem out of character.

The woman had purchased the requested gift cards from Target and Best Buy when she received another email asking her to send a photo of the cards. Again, the wording in the message was very believable and non-threatening. It simply stated, “Can you take a picture, I’m putting this all on a spreadsheet.” 

The woman ended up purchasing over $6,500 in gift cards that the scammer then stole. When the victim saw her boss a little while later, she knew nothing about the gift card request. The woman realized she was the victim of a scam, but it was already too late.

4 Tips for Avoiding Costly Phishing Scams

These example scenarios relate to scammers targeting individuals — with impact on personal bank accounts. As devastating as these attacks may be for the victims, many phishers use similar tactics to target much larger prey. Over the past five years, multiple business clients have sought assistance from NOC Technology following a spear-phishing attack. Though these were much more sophisticated versions of phishing, they nonetheless relied on social engineering tactics to ultimately steal six-figure sums from these businesses.

A few simple practices can help you prevent the loss of hundreds, or even hundreds of thousands, of dollars from personal and business bank accounts.  

1. Always Double Check Unusual Requests

Despite what a message might say about being unreachable, always check in person or by phone with the sender. If you receive any unusual requests or one related to money,  verify it. Contact the person through other means to make sure it's legitimate.

2. Don’t React Impulsively

Scammers often try to get victims to act before they take time to think. Just a few minutes of sitting back and looking at a message objectively is often enough to realize it’s a scam. Don’t react emotionally; instead ask yourself “Does this seem normal, or is it out of the ordinary?”

3. Get a Second Opinion

Ask a colleague, or better yet, your company’s IT service provider, to take look at the message. A second opinion keeps you from reacting right away and can provide a different perspective on the issue — possibly preventing a costly judgment error. Don’t wait until the moment of truth to decide who you should ask. Identify that person now and be ready to reach out when that suspicious text or email inevitably arrives.

4. Implement Employee Phishing Awareness Training

Phishing is becoming increasingly sophisticated — and effective. One of the best ways to avoid tragic missteps is by keeping your employee awareness training is up to date. Recent studies show that after just 90 days of training, the percentage of employees that were prone to click dangerous links dropped from 32.4% to 17.6%. After a year of ongoing awareness training, that number dropped to only 5%. Good training can even provide simulated phishing attacks to monitor your progress and keep employees on their toes.

In addition to our other managed IT services, NOC Technology can facilitate top-notch cybersecurity training for you and your team no matter where you are located — in Missouri or elsewhere! Reach out today to schedule a training session to shore up your team’s defenses.