Just as we get our heads around phishing tactics, the scammers change the game. When our editorial director sent us an urgent morning email, something didn’t seem right.
When International Fraud Week begins on November 11 2018, governments and organisations will be promoting anti-fraud education and awareness around the world. But aren’t we savvy enough ourselves these days to recognise a scam when we see one?
Whether it’s an obscure foreign royal seeking access to your bank account or a dubious email from HMRC or Apple, people are becoming better at identifying phishing emails. With our awareness growing, fraudsters are looking at other ways to draw money out of a business. One tactic growing at a worrying pace is impersonation fraud.
Impersonation fraud occurs when a scammer uses the information and personal data of suppliers, bosses or business contacts and impersonates them in an attempt to defraud a company out of money.
Research from Lloyds’ Bank recently revealed that there has been a 58% increase in impersonation fraud this year, with the average scam costing small business owners £27,000.
One in 12 small business owners have been targeted by an imposter, but only 20% of victims admit to thinking twice when receiving a request from a boss, supplier or contact at work. Meanwhile, over a third of employees don’t know what to look out for or don’t have any security precautions in place, leaving them vulnerable.
The financial impact of impersonation fraud has even seen 6% of victims make employees redundant.
We know impersonation fraud is on the rise, but are small businesses really prepared for a well-executed scam? When we received a suspicious email this morning, we wanted to see how far we could take the scam.
What do they know about us?
Clearly, the fraudster was aware of our team’s structure and individual contact details. The email carried the name of our editorial director, but crucially, came from an inappropriate and unknown address. Unfortunately, it’s not always clear to everyone. Before we recognised the scam, one colleague responded earnestly.
🚨 Alarm bell #1: Email address
The scammer was unable to impersonate our company’s email client, so we instantly identified the email as fraudulent. Nonetheless, we wanted to continue the conversation to provide fellow SMEs with a look at the inside workings of scammers in 2018.
🚨 Alarm bell #2: No phone call
To maintain their cover, the scammer wanted to keep the conversation to email. Impersonation fraud via telephone is considerably more difficult.
We keep the game going.
🚨 Alarm bell #3: Irrelevant request
It transpires that the errand has nothing to do with our business. Some businesses will receive more believable requests to sign off goods and supplies typically used by their company.
We keep up the facade.
🚨 Alarm bell #4: £££
According to the impersonator, a client of our business has requested 10 quantities of the online gaming voucher worth £100 each. We’re not sure about other SMEs, but at Caspian Media we’d be unlikely to sign off a last-minute £1,000 request without a face-to-face conversation.
How smart is our fraudster? We grabbed the first Steam Wallet Card from Google Images and continued to play along.
The imposter thinks they’re getting somewhere, so we call their bluff. How far is the fraudster willing to take this?
Somehow, they’re still invested in the scam.
🚨 Alarm bell #5: Can they explain the request?
We finally probe the impersonator, but fail to get a response.
How to protect your company from impersonation fraud
To help small companies protect themselves against imposters, Business Advice asked Dr Markus Jakobsson, chief scientist at cyber security firm Agari, what three warning signs owners should look out for.
Consider the sender
“First of all, is this an email from somebody in power? And does it ask for help with something? Is it addressed only to you, or to the entire company? Scammers like to single out their victims. If they sent a scam email to everybody on your floor, somebody would say ‘hey, this is no good’, and you would all put the email in the spam folder.
“If the email asks for a wire transfer, or for help paying an overdue invoice, it is probably bad. After all, does your CEO normally send such requests? Well, scammers do. Or, if you are in HR, maybe the email asks for employee data. Very fishy.”
Look at the email address
“Not the name in front of it, but the email. Is that your boss’ normal email address? Or is it a Gmail address, an address from ‘ceo123.com’, or just something you have not seen before?
“Some 94 per cent of all CEO scams involve a deceptive display name – that’s the part of the email that says the sender’s name, which is displayed to you before you even open the email – and an email address that does not match what you normally see from this person.”
“If you are not sure, don’t be embarrassed to ask. Send a copy to your admin. Walk over to your boss and ask – did you just ask me to pay a late invoice? Four eyes are better than two.”
Perhaps it was legitimate, after all.
Sign up to our newsletter to get the latest from Business Advice.