Hackers send emails from bosses' accounts in 'CEO scam'
iTunes gift cards are seen in this undated file photo. (CTV)
Published Tuesday, October 9, 2018 12:29PM PDT
Mounties are warning the public to be wary of emails sent from their boss asking for gift cards or cash.
In a scheme officials have nicknamed the "CEO scam," hackers are gaining access to the email accounts of supervisors and executives, then sending realistic-looking emails to employees. The emails demand employees send urgent wire transfers or purchase gift cards for reasons that appear legitimate, the North Vancouver RCMP said.
Reasons range from business to personal, and include "securing an important contract," and "a confidential transaction," Mounties said in a statement Tuesday.
Emails are often sent to employees while their bosses are travelling and using public Wi-Fi, or are otherwise difficult to reach.
In one example, a clerical worker of a government agency in North Vancouver received a request from her boss last month to buy $500 worth of iTunes gift cards. The email that appeared to be from her supervisor claimed he was in a long meeting and too busy to pick up the cards himself. He asked her to then email him the card details.
She became suspicious only when she'd sent the email back and was asked for another $500 in cards. The email sender told her it was urgent.
Police said those who fall victim to the scam often don't realize what happened until the boss returns, or until later correspondence reveals it.
Losses from this type of scam range from hundreds to tens of thousands of dollars, and the CEO scam is believed to be a growing threat to businesses of all sizes.
Mounties offer the following tips to protect yourself and your business:
- Ensure computer systems are secure and antivirus software is up to date.
- Encourage employees to use strong passwords.
- Look closely at a sender's email address, as fraudulent addresses are often similar to the real one but with one or two letters changed.
- Double-check with executives about money transfers, even when they look legitimate.
- Establish a standard process for money transfers that requires multiple approvals.
- Limit the amount of employee information available online and on social media, where fraudsters might find potential victims.