We may be more aware of potential scams than ever, but so too are the scammers themselves, which means their methods inevitably get more sophisticated and harder to spot. The latest example is an email scam pretending to be your boss.
The scam is known as a business email compromise (BEC) and has criminals forwarding an email chain to a specific person, seemingly coming from the victim’s boss. That chain then features instructions to send money somewhere.
The thread is designed to make everything look legitimate, and often emphasizes the fact the payment needs to happen quickly and quietly. But in reality it’s all a ploy to get employees to authorize money transfers to scammers.
According to cybersecurity researchers at Abnormal Security (via ZDNET), these scammers generally target people working in a company’s finance department. That way they’re more likely to be able to authorize money transfers, and the scammers get to walk away with some cash.
It’s also incredibly simple, and surprisingly effective. The FBI claims BEC attacks cost businesses up to $43 billion between June 2016 and December 2021. All scammers need is an internet connection, an email account and a little bit of background research.
This time it's personal...and urgent
But while BEC attacks have been going on for quite some time, the thread-forwarding method is quite new. Scammers are also taking to personalizing emails and spoofing email addresses to impersonate both company executives and vendors.
The whole thing is part of a more sophisticated lure, designed to make it look like your boss is actually asking you to transfer the money. The sense of urgency is also exploited to try and dupe employees into sending the money without questioning the email or double checking the request is actually legitimate.
Plus, as Abnormal Research notes, many people don’t expect these sorts of emails to bypass businesses’ more secure email protections. But because there’s no malware or malicious code in the emails themselves, they don’t get flagged by antivirus software. That also makes them particularly hard to defend against, and relies on employees being able to spot the scam before transferring any money.
How to protect yourself
The only defense is to make sure that people are aware that these sorts of scams are out there. They should be on the lookout for scams like this, and automatically be suspicious of any communiqué that asks for money.
If such an email does arrive, be sure to verify its legitimacy through some other form of communication, be it a phone call, an instant message or asking in person. Don’t reply to the email, because your message will only go back to the criminals on the other end.
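The warning signs the article describes (a forwarded thread, a lookalike or external sender domain, a Reply-To that sends your answer somewhere else, and urgent, secretive payment language) can be checked mechanically before a message reaches the finance team. The heuristic below is an added example for a mail-filtering or triage script, not code from the article or from Abnormal Security; the company domain, names and addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # assumed company domain
URGENCY = re.compile(r"\b(urgent|immediately|today|quietly|confidential|keep it quiet)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details)\b", re.I)

# Constructed sample: a forwarded "from the CEO" thread sent from a lookalike domain,
# with a Reply-To that would route any answer to the attacker's mailbox.
SUSPECT_MAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@gmail.example
To: accounts@example-corp.com
Subject: Fwd: Urgent wire transfer - confidential
Content-Type: text/plain

Please process this payment today and keep it quiet until the deal closes.
"""

# Constructed sample: an ordinary internal message for comparison.
BENIGN_MAIL = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 budget review
Content-Type: text/plain

Attached is the revised budget for discussion at Thursday's meeting.
"""

def score_bec(raw: str) -> tuple[int, list[str]]:
    """Return (number of BEC indicators, reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain != INTERNAL_DOMAIN:          # external or lookalike sender domain
        reasons.append(f"sender domain {from_domain!r} is not {INTERNAL_DOMAIN!r}")
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append("Reply-To routes replies to a different domain than From")
    subject = msg.get("Subject", "")
    if re.match(r"^\s*(fwd?|fw):", subject, re.I):  # forwarded-thread lure
        reasons.append("forwarded thread")
    text = subject + "\n" + msg.get_payload()
    if URGENCY.search(text):
        reasons.append("urgency or secrecy language")
    if PAYMENT.search(text):
        reasons.append("payment request")
    return len(reasons), reasons
```

A score of three or more is a reasonable trigger to hold the message for out-of-band confirmation with the purported sender, which is exactly the check the article recommends.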