Tax & admin · 9 November 2018

When your boss sends a suspicious email, what do you do? Impersonation fraudster exposed

We know impersonation fraud is on the rise, but are small businesses really prepared for a well-executed scam?
Just as we get our heads around phishing tactics, the scammers change the game. When our editorial director sent us an urgent morning email, something didn’t seem right.

When International Fraud Week begins on November 11 2018, governments and organisations will be promoting anti-fraud education and awareness around the world. But aren’t we savvy enough ourselves these days to recognise a scam when we see one?

Whether it’s an obscure foreign royal seeking access to your bank account or a dubious email from HMRC or Apple, people are becoming better at identifying phishing emails. With our awareness growing, fraudsters are looking at other ways to draw money out of a business. One tactic growing at a worrying pace is impersonation fraud.

Impersonation fraud occurs when a scammer uses the information and personal data of suppliers, bosses or business contacts and impersonates them in an attempt to defraud a company out of money.

Research from Lloyds Bank recently revealed that there has been a 58% increase in impersonation fraud this year, with the average scam costing small business owners £27,000.

One in 12 small business owners have been targeted by an imposter, but only 20% of victims admit to thinking twice when receiving a request from a boss, supplier or contact at work. Meanwhile, over a third of employees don’t know what to look out for or don’t have any security precautions in place, leaving them vulnerable.

The financial impact of impersonation fraud has even seen 6% of victims make employees redundant.

When we received a suspicious email this morning, we wanted to see how far we could take the scam.

What do they know about us?

Clearly, the fraudster was aware of our team’s structure and individual contact details. The email carried the name of our editorial director, but crucially, came from an inappropriate and unknown address. Unfortunately, it’s not always clear to everyone. Before we recognised the scam, one colleague responded earnestly.

Alarm bell #1: Email address

The scammer was unable to impersonate our company’s email client, so we instantly identified the email as fraudulent. Nonetheless, we wanted to continue the conversation to provide fellow SMEs with a look at the inside workings of scammers in 2018.

Alarm bell #2: No phone call

To maintain their cover, the scammer wanted to keep the conversation to email. Impersonation fraud via telephone is considerably more difficult.

We keep the game going.

Alarm bell #3: Irrelevant request

It transpires that the errand has nothing to do with our business. Some businesses will receive more believable requests to sign off goods and supplies typically used by their company.

We keep up the facade.

Alarm bell #4:

According to the impersonator, a client of our business has requested 10 quantities of the online gaming voucher worth 100 each. We’re not sure about other SMEs, but at Caspian Media we’d be unlikely to sign off a last-minute 1,000 request without a face-to-face conversation.

How smart is our fraudster? We grabbed the first Steam Wallet Card from Google Images and continued to play along.

The imposter thinks they’re getting somewhere, so we call their bluff. How far is the fraudster willing to take this?



Praseeda Nair is an impassioned advocate for women in leadership, and likes to profile business owners, advisors and experts in the field of entrepreneurship and management.