This is the third installment in the Antidote to the Wire Fraud Epidemic series. The first two segments covered what is happening with wire fraud and how these attacks happen. In this segment, we will take a look at the reason why this scam has proven to be very successful. Scammers are using social engineering and relying on:

  • Employee’s eagerness to please a boss
  • Employee’s reluctance to question a boss or client’s wishes
  • Person’s desire to get out of the office on a Friday afternoon or late in the day, and
  • Employee’s inability to reach an executive who is out of town and can’t be easily reached for verification.

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Social Engineering

To understand why this scam works, it is important to know what is going on behind the scenes. Scammers are using social engineering to generate responses from employees. They are banking on several human tendencies. They are relying on an employee’s eagerness to please a boss. They’re relying on the person’s reluctance to question a boss or client’s wishes. They are relying on the person’s desire to get out of the office on a Friday afternoon or late in the day. And they’re relying on the employee’s inability to reach an executive who is out of town and can’t be easily reached for verification.

Fig. 1 – Scammers use social engineering

People perpetrating these frauds frequently research an employee’s responsibilities on social media such as LinkedIn so that they know who to target. The scammers search publicly available data for this information and use what they gather to make the wire transfer request as believable as possible.

For example, they may research an executive’s schedule using public information on the web or recent announcements about trade shows or conferences, or they may make inquiries with the executive’s assistant.

Maybe they’re calling and saying, “Hi, I’d like to set this appointment,” and the assistant doesn’t think anything of it and shares that the CEO will be travelling. So the scammers are trying to send the fraudulent emails when the executive is out of town and can’t easily be reached.

Although some of the fraudulent requests are for millions of dollars, they are more likely to be for smaller dollar amounts, because many companies have stricter controls, such as dual approvals, for higher amounts. Often these scammers target lower amounts, around $50,000 to $70,000, to see how successful they can be. They will continue with these requests until they’ve been discovered.

So again, these scams are made possible through data mining of social media and other publicly available information, and by playing on your emotions, especially an employee’s desire to please a boss. So if this happens to you, and I hope it never gets to this, there are some steps you should immediately take.

First of all, contact your local FBI office or law enforcement immediately. Tell them it’s a business email compromise scheme. This has happened so often that the FBI now has a name for it: business email compromise. The next step is to contact your bank and request that they stop the wire or unwind the transfer request.

Fig. 2 – Steps you should immediately take when you are scammed

If you discover this fraud within the first 24 hours, the banks may be able to stop the transfer. The third step is to contact legal counsel for advice about your legal obligations; you may be able to obtain protection and, in some cases, insurance coverage, depending on the circumstances. Finally, change your internal controls to minimize the risk of it happening again.

Summary

To recap, scammers are using social engineering and relying on:

  • Employee’s eagerness to please a boss
  • Employee’s reluctance to question a boss or client’s wishes
  • Person’s desire to get out of the office on a Friday afternoon or late in the day, and
  • Employee’s inability to reach an executive who is out of town and can’t be easily reached for verification.

In the next installments, we discuss in detail the procedures you could put in place for entity-level, AP, treasury, and IT controls. So stay tuned!