The scam, also known as CEO Fraud or Executive Impersonation Fraud, as well as the Big Boss Scam.
As a business owner or shareholder information about you is publicly available. From annual returns, online on platforms, and information you give to Companies House such as such as the Confirmation Statement (CS01 form) which you have to submit annually. Using this publicly available information fraudsters get the names of business owners or people in senior positions.
Did you know 23% of people that receive phishing mails will open them.
How does the phishing scam work?
Fraudsters send phishing emails which appear to have originated from business owners or individuals holding senior positions. These fraud emails are convincing and many people have fallen for them in the past.
- A member of staff normally the finance director or finance department receives fraud emails which appear to have originated from a senior executive within their own organisation or from their personal email address or fraudsters use tools to try and hack into email addresses with weak passwords.
- The fraud emails ask the recipient to make an urgent payment, bypassing normal procedures if necessary. Often the email suggests the funds are needed to secure a lucrative contract/ a new supplier/ or client.
- In reality, the fraudster has spoofed the email address of the executive. If the request is not independently verified, then the company risks paying funds directly in to the fraudsters bank account.
Some variations of the scam
There are many variations:
- Some fraud emails are sent from the business owner asking the recipient what details are needed to make a CHAPS payment, and the latest time that a CHAPS instruction can be submitted.
- The recipient responds with the requested information, and the fraud emails continue. The fraudster eventually discloses the sort code and account number that the funds should be sent to.
- Fraudsters typically stress the urgency of the transaction in the email exchanges, putting pressure on the recipient to release the payment straightaway.
- Lastly they ask for confirmation that the money has been sent.
6 tips to protect your business from the Big Boss Impersonation scam
- Help your staff by creating rules in Outlook/Office 365 for your finance team that alerts them if fraud emails are sent from free email addresses. Anyone can create a Gmail, Hotmail, iCloud email address under the business owners name.
- Encourage staff to exercise caution and be suspicious if they receive an email requesting an urgent transfer, even if looks like it is from someone in the business.
- Review your email passwords and ensure that they are strong. Take a look at our guide on making complex email passwords.
- Office 365 users, Hero IT Support can implement a system where fraudsters are unable to spoof your businesses email address. This will mean that they cannot send fraud emails which look like it comes from within your organisation’s domain. Example Name@insertyourcompanynamehere.com
- Implement and put in place a policy or an internal process for requesting and authorising payments. If your business doesn’t have one take a look at our one here Contact the person who allegedly requested a new payment for verification, ideally in person or by telephone number.
- Tell your staff and ensure that all members of staff are made aware of this scam. Show them this article or our video
Glossary of terms
Phishing emails is the act of sending an emails or any form of communication to someone falsely claiming to be from someone or somewhere other than the originator. They are designed with the purpose of tricking people into opening or downloading malicious attachments, clicking on links that take them to fraudulent websites with the intention of stealing detail such as usernames, passwords as well as other information.
Fraudsters will send emails to thousands, if not millions of email addresses. By spamming in such large quantities the fraudster (phisher) calculates the email being read by a percentage of people who either have an account with who they pretend to be or replies to the emails request believing it to be genuine.
The term Phishing is a variation on ‘fishing’, the concept is that the bait (the email) is thrown out with the hopes that while most will ignore the bait, some will be tricked into biting.
What is the Confirmation Statement?
Confirmation Statement also known as the CS01 is a form from Companies House which you use to verify your company’s data. You receive this when you start a company for the first time, and you must submit one on an annual basis. Once your data has been confirmed this information will be displayed on the public register. This contains information about the makeup of the company and its directors.
Email spoofing is when a sender’s email address has been forged to appear as if it was sent from someone, or somewhere other than the actual source.
Example: Emails can be spoofed to appear that it is from a colleague in your business, a friend, a known company or even your bank.
Verizon. (2015). Data Breach Investigations Report . Verizon .