A recent epidemic in the world of phishing is the bogus boss email.
The email looks something like this:
TO: Finance Manager
FROM: CEO
Hey <NAME OF FINANCE MANAGER>
I’m going to need to make a transfer ASAP. Can you facilitate this?
Email me back, cell phone signal is bad.
<NAME OF CEO>
As far as the finance person is concerned, this is an email from the CEO of the company.
Once the finance person replies to the email, a flurry of instructions is sent to them. Often times, they are told that they should expect a call from a stranger who will direct them to transfer money from the company account. As suggested, the call comes almost immediately and seems to confirm that the email is genuine.
Of course, this is all a fraud and the CEO has not requested any kind of transfer. Several high-profile CEO cases have been reported in the press in recent months and this author has seen three examples of this kind of fraud, in Ireland, in the last 3 months. The first questions that people ask are, “Where did this email come from? How do they know about me and the CEO?”
All of the information that the fraudsters have on both the finance person and CEO are generally publicly available on websites like LinkedIn and Facebook. It’s important to realize that you cannot easily stop someone getting hold of this information if they try to.
Some of the other similar scams that are discussed by the BBC are:
- Someone poses as a boss of a company instructing staff to make a wire transfer into the fraudster’s account.
- Fraudsters pose as the IT services department of a bank saying they want to make a test transfer – but it’s not a test.
- Fraudsters claim to be a supplier and ask for outstanding invoices to be paid into a new bank account.
- Employees click on links within phishing emails containing malware which authorizes many small payments to the fraudster’s account.
So how do you prevent this from happening to you?
There are a number of good articles that describe what you should do technically to help to prevent this kind of fraud. However, technical fixes do not completely solve the problem.
For those people who get caught by these kinds of scams the problem is obviously one of communication between the finance department and the CEO. On nearly every occasion where a company has been duped, if the finance person simply picked up the phone and called the CEO to ask them about the transfer then the fraud would be stopped in it’s tracks. In fact we’ll never know how many companies have actually blocked these frauds by doing just that. Increasing the communication between both sides of the spending fence (finance and everyone else) provides a process and a mechanism to prevent this fraud from happening.
Consider the humble Purchase Order (PO) as this mechanism. POs have been a financial and accounting procedure for a millennia, however those people who get caught by this scam must either not be using POs or using them incorrectly.
Setting up a proper PO process provides the following
- Makes sure that staff sticks to a PO regime.
- Staff members are bound by the rules of the PO system.
- The PO requestor should never be able to approve their own PO.
If a proper PO system is set up then bogus emails don’t matter. If it’s not in the PO system then it doesn’t get paid, period! Any emails requesting payment or money transfers should be specifically related to a purchase order, this way the fraudsters have to get through another layer of security to be able to defraud the company.
Any good PO system, such as Procurementexpress.com, will be able to fix the CEO fraud problem instantly.
