CEOs and executives continue to be targets for email spoofing. Spoofing is the creation of email messages with a forged sender address, making a message appear to come from a company executive in order to mislead the recipient into following the request. This is easy for attackers to do because the main protocol used to send email includes no mechanism for authenticating the sender. Unfortunately, some Cardinal clients have already been victims of spoofing, and we don’t want it to happen to you. Employee awareness is the key to prevention.
Sample Email Spoof from a CEO
Email spoofing can be carried out from inside the company or from an external source using Trojans or other malicious programs. The technique is known as “masquerading” or “executive impersonation,” but in simple terms it is fraud.
The sender can make a message appear to be from anyone, anywhere. Scammers impersonate or take control of the email address of a C-level executive (CEO, COO, CFO), another company officer, or a company vendor to con you into making fraudulent transactions such as wire or ACH (Automated Clearing House) transfers. Requests from company executives are less likely to be questioned and harder to verify.
What would you do with a wire transfer request received via email from your company executive? Would you feel pressured to comply? Would you skip verifying the email because it came from your CEO? The email may also seem urgent or request highly confidential information and ask you to speak to no one, in the hope that you will not perform any due diligence on an executive’s request. The imposter may request a wire or ACH payment for a fake overdue invoice, or request confidential company information, knowing you would not want to disappoint or delay a company executive.
The FBI estimates that fraud losses linked to business email compromise scams totaled more than $2.3 billion from October 2013 through February 2016. Some financial fraud experts say the losses could be even higher because the incidents often go unreported. Do not fall prey to emails asking you to send money by ACH or wire to access unclaimed funds in a frozen bank account, to claim a fake lottery prize, or to help a distant relative in an emergency.
Education is the best resource to stop executive impersonation. The best defense isn't technology, it’s you.
Guidelines to Stay One Step Ahead of Spoofed Emails
Always confirm wire requests or ACH payments by contacting the requestor using the contact details in your own system records, not those in the email. Never verify a request by replying to the email.
Incorporate dual control and separation of duties so that two employees cross-check and independently verify the details before requesting an ACH or wire transaction. Follow procedures and never cut corners.
Only open attachments you are expecting, and always hover over any website link to see its actual destination before clicking. These emails may also contain malicious attachments and links.
Closely watch the sender’s email address. It may be a slight variation of a legitimate address, with a cleverly disguised symbol or misspelling. For example, email@example.com or firstname.lastname@example.org.
Follow your instincts. Impersonation can also happen via phone. Always perform due diligence to verify the authenticity of the request.
Keep a clean computer. Keep your anti-virus, anti-spyware and anti-malware software up to date.
Manage your passwords. Use a passphrase instead of a password, with a recommended minimum of 12 characters including upper- and lower-case letters, numbers, spaces, and special characters. Longer passwords are better. Change passwords frequently, and never use the same password for all accounts.
Frequently Asked Questions
My executive may have been impersonated in email, now what?
If you have IT staff onsite, they should examine the email header to identify the true sender, confirm whether spoofing has occurred, and put safeguards in place to stop future spoofing attempts. In addition, run a virus scan on the computer and/or network. Change all passwords. Report the fraud promptly to your local law enforcement and to the bank or agency you used to send the money. Contact the Internet Crime Complaint Center via www.ic3.gov.
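The header examination described in this answer, and the look-alike sender addresses mentioned under the guidelines above, can be turned into a repeatable triage check. The script below is an added example written for this page; it is not Cardinal’s own tooling. It assumes you have the raw headers of the suspicious message and a list of your company’s legitimate domains (the `TRUSTED_DOMAINS` value and the sample headers are constructed placeholders). It flags a sender domain that is a near-miss spelling or character swap of a trusted domain, a Reply-To or Return-Path on a different domain than the visible From address, and SPF/DKIM/DMARC results in the Authentication-Results header that are anything other than pass.

```python
"""Triage checks for a suspected executive-impersonation email (added example)."""
from email import message_from_string
from email.utils import parseaddr
from typing import List
import re

# Assumption: the organisation's real sending domains (placeholder value).
TRUSTED_DOMAINS = {"example-corp.com"}

# Character swaps commonly used to build look-alike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Constructed sample headers of a suspicious message (not a real email).
SAMPLE_HEADERS = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
To: payments@example-corp.com
Subject: Urgent wire - keep confidential
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail
"""


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'examp1e-c0rp.com' matches 'example-corp.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_headers: str, trusted=TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious was found."""
    msg = message_from_string(raw_headers)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Look-alike sender domain (near-miss spelling or homoglyph swap).
    if from_dom and from_dom not in trusted:
        for t in trusted:
            if normalize(from_dom) == normalize(t) or edit_distance(from_dom, t) <= 2:
                findings.append(f"From domain '{from_dom}' looks like trusted '{t}'")
                break
        else:
            findings.append(f"From domain '{from_dom}' is not a company domain")

    # 2. Reply-To steering replies to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To '{reply_addr}' does not match From")

    # 3. Envelope sender (Return-Path) on a different domain than From.
    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    if ret_addr and domain_of(ret_addr) != from_dom:
        findings.append(f"Return-Path '{ret_addr}' does not match From")

    # 4. Authentication-Results reporting anything other than pass.
    auth = msg.get("Authentication-Results", "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.upper()} result is '{result}'")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_HEADERS):
        print("-", line)
```

On the constructed sample the script reports six findings: the one-character look-alike domain, the mismatched Reply-To and Return-Path, and the SPF, DKIM and DMARC results. A message that raises no findings is not proven genuine; the out-of-band phone confirmation from the guidelines above still applies before any money moves.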
How can I try to avoid this happening to me?
Do your research. If you think a wire transfer or ACH payment request is legitimate, search online for the company or product name along with “Review”, “Scam” or “Fraud”.