Companies industry-wide are being targeted by fraudsters purporting to be employees, often in senior roles, and requesting that payments are made to a named beneficiary.
EXECUTIVE IMPERSONATION FRAUD
A member of staff receives a fraudulent email which appears to have originated from within their own organisation, and often sent by a known, senior individual, such as the Finance Director or CEO.
The email instructs the recipient to make a payment, sometimes urgently, to a specified beneficiary which may be outside of the normal procedures for payment instructions. The email appears to be genuine as the details in the ‘From’ box may reflect the genuine address of the impersonated individual.
Believing the email to be real, the member of staff processes the payment, which arrives in the fraudster’s account. The monies are then usually quickly withdrawn.
WHAT DOES IT LOOK LIKE?
- A fraudulent email will usually be sent from a mobile device such as an iPhone/iPad
- The sender’s email address may be slightly different from your company’s real address, e.g. ending with ‘.org’ instead of ‘.com’
- The first email may request confirmation of the details that are required to make a payment
- There may be several emails in the chain requesting the payment, with the sender often saying they are unavailable
- The payment request will usually be urgent
- The words used and style of communication may differ from that of the employee they are purporting to be.
HOW DOES THIS HAPPEN?
There are two known methods being used:
Email spoofing – a fraudster constructs a fake email that appears to have come from a genuine source but conceals its true origin. The ‘From’ field of the email may show the correct sender’s email address, or a variant of the genuine address.
Email account hacking – a fraudster will hack into a genuine email account and issue fraudulent emails. These types of attacks are typically associated with email services such as Gmail, Hotmail and Yahoo, and the details in the ‘From’ box may reflect the genuine address of the sender.
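As an added illustration that is not part of the original leaflet, the following Python script applies the indicators listed above (lookalike domain, executive name on an outside address, mismatched Reply-To, urgency wording, mobile-device signature, payment wording) to one raw email. The organisation domain, the executive list and the sample message are constructed assumptions for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's genuine domain and the
# names and addresses of executives who are likely to be impersonated.
ORG_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")
PAYMENT_WORDS = ("payment", "transfer", "account", "sort code", "iban", "beneficiary")

def is_lookalike(domain):
    """Same leading label as the real domain but a different suffix, e.g. .org for .com."""
    return domain != ORG_DOMAIN and domain.split(".")[0] == ORG_DOMAIN.split(".")[0]

def check_message(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = (msg.get_payload() if not msg.is_multipart() else "").lower()
    flags = []
    if domain and domain != ORG_DOMAIN:  # 'From' is not the genuine company domain
        flags.append("lookalike-domain" if is_lookalike(domain) else "external-domain")
    expected = KNOWN_EXECUTIVES.get(name.lower())
    if expected and addr != expected:  # known senior name, unexpected address
        flags.append("display-name-impersonation")
    if reply_to and reply_to.lower() != addr:  # replies would go elsewhere
        flags.append("reply-to-mismatch")
    if any(w in body for w in URGENCY_WORDS):
        flags.append("urgent-language")
    if "sent from my" in body:  # typical mobile-device signature
        flags.append("mobile-signature")
    if any(w in body for w in PAYMENT_WORDS):
        flags.append("payment-request")
    return flags

# Constructed sample message (not a real email) showing the indicators the leaflet lists.
SAMPLE = """\
From: Jane Doe <jane.doe@example.org>
Reply-To: jane.doe.ceo@mail-example.net
Subject: Payment needed today

I'm in meetings all day and can't take calls. Please make an urgent
payment to the beneficiary below and confirm once done.

Sent from my iPhone
"""
```

A message that raises several of these flags is a candidate for the verbal confirmation step described under "How to protect yourself", not a proof of fraud on its own.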
HOW TO PROTECT YOURSELF
- Ask staff to operate high levels of vigilance, especially those entrusted with access to your online payment systems. Administrators should review users and their access rights on a regular basis to ensure they remain appropriate.
- Unexpected emails that request urgent payments should be treated with caution, even if the message appears to have originated from within your own organisation.
- Contact the person directly to confirm that they did send the instruction. Never use the contact details provided by the individual requesting the payment or change.
- Independently verify the sender’s email address and respond in a new email to the address you know to be correct. Similarly, do not use any telephone numbers or other contact details quoted on the email itself – refer instead to alternative sources such as your organisation’s internal telephone directory.
- Ensure you have a robust process in place through which you will verbally confirm a new payment or amendment to a recipient’s bank details before this is actioned. Any requests outside of the process should be regarded as suspicious and should be independently verified.
- Note: Just because an email appears to come from a known source and has a known contact in the ‘From’ field, there is no guarantee that the email is genuine. This is a method that fraudsters are using to facilitate payments from unwitting individuals.
- Install anti-virus/firewall software on your devices and regularly update it.
- Never reveal your card or online banking PIN. Ever. To anyone.
- Choose strong passwords and do not use the same PIN and password for everything.
- Keep your bank updated with new contact details.
- Check your statements and report anything you do not recognise.
- Securely store financial and other valuable documents such as your passport.
- Ensure you dispose of documents diligently (for example, use a cross cut shredder to destroy statements when no longer required).
- Where you suspect suspicious activity on your email account, change your password immediately and contact your provider to protect the account from further unauthorised usage.
Provides fraud prevention services to individuals and organisations using the latest technology
Offers free, impartial and independent advice relating to fraud and other topics.
Financial Services Register
A public record of all firms, individuals and other bodies that are regulated by the Financial Conduct Authority.
Financial Conduct Authority
The FCA regulates the financial industry in the UK.