Imagine getting a call or message from your immediate senior — or maybe even the head honcho of the whole company. They warn you about a nasty situation brewing. It spells fines or some other financial woes for the company, big trouble for your department, and possible dismissal for you personally! Cold sweat trickles down your spine, but there’s still a chance to save the day! You’ll have to hustle and do a few things you don’t usually do, but everything should be alright…
First – hold your horses and take a few deep breaths. There’s a 99% chance this whole “emergency” is completely made up and the person on the line is a scammer. But how do you recognize such an attack and protect yourself?
Table of Contents
Anatomy of the attack
These schemes come in dozens of flavors. Scammers may describe various issues faced by your company depending on the particular country, cite involvement of regulators, police, or major business partners, and then suggest all manner of ways to “solve the problem” with your help. Yet there are a number of key points — crucial psychological footholds — without which the attack is next to impossible to carry out. These can be used to recognize the attack for what it is.
- The superior’s authority, or simple trust in someone you know. Most people by now have developed a resistance to odd requests from strangers — be it a police officer who’s decided to reach out through instant messaging, or a bank employee personally concerned about your wellbeing. This scheme is different: the person approaching the victim appears to be someone you know to some extent — and a fairly important person at that. Scammers often choose a C-level manager’s profile as bait. First, they have authority; second, chances are the victim knows the person, but not well enough to spot the inevitable differences in speech or writing style. However, there are variations on this scheme where the scammers impersonate a coworker from a relevant department (such as accounting or legal) whom you may not know personally.
- Redirection to an external party. In the most primitive cases, the “coworker” or “manager” who reaches out to you is also the person you get a request about money from. Most often though, after the initial contact, the “boss” suggests you discuss the details of the matter with an external contractor who’s about to reach out. Depending on the scheme’s specifics, this “assigned person” may be introduced as a law enforcement or tax officer, bank employee, auditor or similar; i.e., not someone the victim knows. The “boss” will ask you to provide the “designated person” with all the assistance they’ll need and without delay. That said, the most elaborate schemes, such as the one with $25 million stolen following a deepfake video conference, may have the scammers pose as company employees throughout.
- A request has to be urgent, so as not to give the victim time to stop and analyze the situation. “The audit is tomorrow”, “the partner’s just arrived”, “the amount gets charged this afternoon”… long story short, you have to act right now. Scammers will often conduct this part of the conversation by phone, telling the victim not to hang up until the money is transferred.
- Absolute secrecy. To prevent anyone from interfering with the fraud, the “boss” early on warns the victim that discussing the incident with anyone is strictly forbidden as disclosure would lead to disastrous consequences. The fraudster might say that they’ve no one else to trust, or that some of the other employees are criminals or disloyal to the company. They will generally try to keep the victim from talking to anyone until their demands are met.
Objectives of the attack
Depending on the victim’s position and level of income, an attack may pursue different goals. If the victim is authorized by the company to execute financial transactions, the scammers will try to talk them into making an urgent secret payment to a vendor such as a law firm for assistance in solving problems — or just transferring the company’s money to a “safe” account.
Employees who don’t deal with the company’s money can be targeted by attacks that seek to obtain company data such as passwords to internal systems, or their own funds. Scammers may come up with dozens of backstories, ranging from an accounting data leak that jeopardizes the victim’s account, to a need to keep the company’s cash gap closed until an audit is done. In the latter case, the victim is asked to use their own money in some way: transfer it to another account, pay for gift cards or vouchers, or withdraw it and give it to a “trusted person”. For greater persuasiveness, the scammers may promise the victim generous compensation for their expenses and effort — only later.
Convincing level of detail
Social media posts and numerous data leaks have made it much easier for fraudsters to launch carefully prepared, personalized attacks. They can: find the full names of the victim, their immediate senior, the CEO, and employees in the relevant departments (such as accounting), along with the exact department names; and find pictures of these individuals to create convincing instant messaging profiles and, if needed, even voice samples to create audio deepfakes. If there’s big money at stake, the scammers may invest significant time in making the charade as convincing as can be. In some previous cases, attackers even knew the locations of company departments inside buildings and the positions of individual employees’ desks.
Technical side of the attack
Sophisticated schemes like this nearly always include a phone call from the scammers; however, the initial “call from the boss” may also come in the form of an email or instant message. In simpler versions of the attack, the scammers just create a new instant messaging or email account with the manager’s name, while in more sophisticated cases they hack their corporate email or personal accounts. This is called a BEC (business email compromise) attack.
As for phone calls, scammers often use number spoofing services or obtain an illegal copy of the SIM card — the victim’s caller ID then displays the company’s general phone number or even their boss’s own.
Malicious actors may use deepfake voice generators, so a familiar voice on the other end of the line can’t guarantee the caller’s authenticity. Schemes like these may even use video calling where the caller’s face is also a deepfake.
Protecting yourself against scammers
First and foremost, attentiveness and courage to verify the information despite the scammers’ threats are two things that can protect you against this kind of attack.
Take it slow, and don’t panic. The scammers aim to knock you off balance. Keep calm and double-check all the facts. Even if the other party insists you don’t hang up the phone, you can always pretend that the call dropped. This will buy you some time to do more fact-checking.
Pay attention to the sender’s address, phone, and user name. If you’re used to corresponding with your boss by email, but then you suddenly get an instant message in their name from an unfamiliar number, it’s time to prick up your ears. If you’ve always talked on an instant messaging app and you get a new message but there’s no history, this means someone’s using a newly created account, which is a major red flag. Unfortunately, cybercriminals sometimes use fake email addresses that are hard to tell from the real ones, or hacked email or instant messaging accounts. All of this makes detecting forgery much more difficult.
Pay attention to small details. If a person you know approaches you with an odd request, is there anything about the situation that tells you that the person may be an impostor? Do their emails look slightly unusual? Are they using uncharacteristic figures of speech? Do you usually address each other by first names, but they’re using a formal form of address? Try asking them something only the real person could know.
Raise a red flag if you get an unusual request. If your boss or coworker is urgently asking you to do something unusual — and to keep it a secret to boot — this is nearly always a sign of a scam. Therefore, it’s critical that you verify the information you get and confirm the other party’s identity. The least you can do is contact that person using a different channel of communication. Talking in person is best, but if this isn’t a possibility, call their office or home number that you’ve got down in your phone book, or punch in that number manually; don’t just dial the last incoming number — to avoid circling back to the scammers. Use any other channels of communication available. The cell number that called you — even if it’s your boss or coworker’s real number you’ve gotten saved in your phone book — might have been compromised through SIM swapping or simple phone theft.
Check with your coworkers. Despite being asked to “keep it all confidential”, depending on the nature of the request, it doesn’t hurt to verify the information with your coworkers. If you get what appears to be a message from someone in accounting, contact other people in the same department.
Warn your coworkers and law enforcement. If you receive such a message, it means scammers are targeting your organization and coworkers. If their tricks don’t work on you, they’ll try the next department. Warn your coworkers, warn security, and report the attempted scam to the police.
Leave a Reply