IdentityForce LogoIdentityForce Logo
Protect What Matters Most.
keyboard used to commit CEO Fraud
Posted on March 17, 2016 by in Personal, Scam Alerts

Few things will make you perk up more at work than seeing an e-mail from the company’s CEO in your inbox. Naturally, you would be eager to please and quickly complete any task they ask of you. You wouldn’t want to disappoint the big boss, right?

Unfortunately, scam artists have begun preying on this mindset and have been running phishing scams in which they pose as a company’s CEO to obtain sensitive employee information. Rather than spending long hours trying to hack into an organization’s database, cyber criminals have been finding success the old-fashioned way — sending an e-mail and asking for what they want.

Tax Season is Also Phishing Season

CEO fraud has become a big problem for many companies this tax season. Typically reaching out to accounting or human resource departments, the hackers create a fake e-mail for the CEO and request copies of all employee W-2 forms. Often times, within minutes, they receive back everything they need to steal employee identities and file fraudulent tax returns, including full names, addresses, and Social Security numbers.

One company received an e-mail that read:

“I want you to send me the list of W2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and e-mail them to me asap.”

Thankfully, that company’s CFO had just completed security awareness training and felt the e-mail sounded a little too much like a phishing scheme. Not every organization, however, has been quite as observant or lucky. According to CSO, reported victims have included:

  • Snapchat, the popular video messaging app
  • BrightView, a landscaping firm in California
  • Magnolia Health Corporation, a rehabilitation and nursing home healthcare provider
  • Central Concrete Supply Co., a concrete company in the San Francisco Bay area
  • Mercy Housing, Inc., a nonprofit organization that supports affordable housing
  • Polycom, a communications company in Massachusetts
  • Seagate, a global leader in data storage

Each company received an e-mail similar to the one above, an unsuspecting employee complied with the request, and accidentally gave cyber criminals sensitive information on a silver platter. Like most types of phishing scams, the CEO phishing scam finds success in exploiting a person’s trust — in this case, their trust in an authority figure, like their company’s CEO.

How to Avoid Falling for CEO Fraud

CEO fraud and other types of phishing scams are effective, but they are not foolproof. By channeling some classic common sense, and simply being aware, it is possible to keep your company safe and personal employee data out of the hands of identity thieves.

  • Give the CEO’s e-mail address a second look. In phishing scams, cyber criminals may either create an e-mail address that almost looks like your CEO’s e-mail — possibly by changing 1 letter, or adding a period — or that exactly matches the CEO’s e-mail, but acts as a mask for a different address. Click on the e-mail address or hover over it to see if there may be a different e-mail address being used.
  • Pay attention to grammar and tone. Remember the company CFO that figured out the CEO e-mail wasn’t real? One big reason was because the actual content of the e-mail just didn’t sound right — the grammar was “off,” the tone was weird — it almost seemed like English was not the writer’s first language. If you have ever received an e-mail from the CEO in the past, go into your old mail folders to compare the writing style.
  • Get a second (and third) opinion. If you receive an e-mail from the CEO asking for private employee information, fight the urge to act quickly and instead, be smart. Talk to a couple different higher ups (preferably someone in IT) in the company to confirm the validity of the e-mail and whether or not they think you should send the information. You could also pick up the phone and call the CEO directly (use the phone number listed in your company’s directory) — just tell them you are trying to be thorough and to protect sensitive company data.

Your company may never be affected by CEO fraud, but e-mail phishing scams are extremely common and may target you in different forms at work, or even at home. Just be aware, vigilant, and smart, and always question any e-mail that asks for personal information.