Victoria Police investigators are warning the public of a “sophisticated” scam after fraudsters pretended to be a CEO of a company to steal money from a new staff member.
The fake CEO victimized the new staff member in an “internal email” cybercrime that involved impersonation, phishing and gift cards.
According to VicPD, the victim told officers that she had received a phishing email from an internal email address that very closely resembled that of the organization’s CEO. Because of this, the victim responded right away.
In this sophisticated scam, the “CEO” directed the staff member to run a “high-priority” errand. Pretending to be the CEO, the fraudster told the victim that they were in an urgent meeting and could only communicate by email. The fraudster then directed the staff member to purchase ten gift cards of $100 each.
When the employee asked to use the CEO’s credit card for the purchase, the fraudster increased the sense of urgency, indicating that this was an immediate need. The “CEO” assured the victim that she would be refunded if she used her own credit card.
Convinced by the sophistication of the scam, the staff member bought the gift cards and shared the numbers from the back of the gift cards with the fraudster after she was directed to do so.
The employee realized she had been the victim of a scam when she brought the gift cards directly to the real CEO.
This was not the first time this particular organization had been targeted by phishing attacks, but the employee had not yet received the training created to avoid these sophisticated frauds, as she was a new member.
VicPD says officers are investigating but that it is unlikely the employee’s funds will be recovered.
How to protect yourself
VicPD says phishing “internal email” scams rely on an employee’s dedicated sense of service, impersonation, high-pressure circumstances, a sense of urgency, and technology to be successful.
If someone emails you claiming to be your boss and directs you to make an immediate purchase, be suspicious, police say.
Instead of replying to that email, create a new email back to your boss to confirm the purchase request. As another layer of protection, use another form of communication such as text, a phone call, or an internal messaging service to confirm the details.
What employers can do
VicPD says there are steps employers can take to protect themselves and their team.
Companies and organizations can create and implement purchasing policies that include required phone calls or in-person verification for purchase requests.
In this recent fraud case, the organization had created effective internal training to help protect against phishing frauds, but the employee had not yet received it.
VicPD says you can best protect your employees by making anti-fraud training a priority for new employees, particularly those who report directly to decision-makers with purchasing authority.
Police say cybercriminals often trade in fraudulently purchased gift cards. If your organization regularly gives out these cards, it’s best to purchase a small number of them and to keep them secured. This can eliminate the risk of fraudsters using this key method of exploitation.
Creating time pressure and a sense of urgency is a key social engineering tactic that cybercriminals use to execute frauds.
“If someone claiming to be your boss contacts you by email and applies an immediate sense of urgency to make a gift card purchase, be wary. It’s most likely a fraud,” said the VicPD.
You can learn more about how to protect yourself, your family and your organization from fraud by visiting the fraud page on the VicPD website.
If you have fallen victim to fraud, police say to stop payment immediately, contact your financial institution and call the VicPD Report Desk at (250) 995-7654 extension 1.
If you think you or someone you know has been a victim of attempted fraud, you are asked to contact the Canadian Anti-Fraud Centre at 1-888-495-8501 or report online at http://www.antifraudcentre-