Benjamin Franklin famously said that the two certainties were death and taxes. Perhaps if he lived today, he’d add fraudulent attempts to steal the money a company has worked hard for to that list.
A scheme that we have been seeing lately involves seemingly legitimate requests from an executive of the company to the CFO, controller or accounting clerk. These requests ask for highly sensitive information (like W-2s) or seek funds to be wired for a described purpose, like an impatient vendor.
The scam often starts via email. If the CEO of a company has the email address John.Doe@abccompany.com, a fraudster may find that address and register a similar-looking one, for instance John.Doe@abcccompany.com. The extra “c” in the domain is easily overlooked by the recipient.
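A defensive check for the lookalike-domain trick described above, added here as an example and not part of the original post: it measures how many single-character edits separate a sender's domain from the company's real domain and flags anything that is close but not identical, so the message can be routed to verbal verification before anyone acts on it. The trusted domain abccompany.com and the sample addresses are assumptions for the demonstration.

```python
"""Flag sender addresses whose domain is a near-miss of a trusted domain."""

# Assumption: the company's real domain (taken from the post's example).
TRUSTED_DOMAINS = {"abccompany.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions
    needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this sender imitates, or None.

    An exact domain match is treated as legitimate. A domain within
    max_distance edits of a trusted one (an extra letter, a swapped letter,
    a digit in place of a letter) is a lookalike and should be held for
    out-of-band confirmation with the purported sender.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return None
    for real in trusted:
        if edit_distance(domain, real) <= max_distance:
            return real
    return None


if __name__ == "__main__":
    # Constructed sample senders; the second uses the post's extra-"c" trick.
    for addr in ["John.Doe@abccompany.com", "John.Doe@abcccompany.com",
                 "billing@somesupplier.example"]:
        hit = lookalike_of(addr)
        print(f"{addr}: {'LOOKALIKE of ' + hit if hit else 'ok'}")
```

Exact matches still need ordinary sender authentication (SPF/DKIM/DMARC) on the mail gateway; this check only catches domains that merely resemble the real one.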
Once the recipient responds to the email with sensitive data, the fraudster has accomplished his goal and now has information that he will use for illegitimate purposes. If the criminal asked for W-2s, he now has all of the wages, addresses and Social Security numbers of all of the employees in the company. The perpetrator can then attempt to open a number of fraudulent credit cards, or (as mentioned in a previous blog post) file deceitful tax returns in order to dishonestly receive refunds.
This scheme does not have a great success rate, but when it does hit, it can be damaging to a company and its employees. There are a number of things that can be done to avoid falling victim to this type of scheme.
- If you receive an unusual request from a superior within the company, seek verbal assurance from that executive before fulfilling the request. Any delay in responding is worth it to keep the company safe. If your first thought is that a request seems unusual, trust your instinct and get to the bottom of the request.
- Educate those answering the phones about what is appropriate information to disclose to callers. Many times, the frauds described above start with a phishing expedition by the fraudster calling the company and asking for the CEO. If the receptionist mentions that the CEO is out of the office (either vacation or business travel) for an extended period of time, the fraudster knows that he or she can send a fake email under the CEO’s name without fear of the email recipient walking down the hall to confirm the content of the request.
- Keep executives’ (CFO, CEO) names and emails off of the company website. This will make it harder for a potential fraudster to attempt wrongful communication. These criminals often look for the path of least resistance, so any difficulty they have in achieving their goal will likely result in searching for another victim.
- Do not accept LinkedIn or other invitations from anyone you do not know. Although social media is a great way to expand a circle of influence, it can also be a tool for people to get information about you that you may not want them to have. Whether it is LinkedIn or another social media platform, make sure your privacy settings are strong enough to keep strangers from determining your position and company.
As Benjamin Franklin also suggested many years ago, “An ounce of prevention is worth a pound of cure.”
By Dan Massey, CPA, Manager