According to new figures from Action Fraud (which it turns out is the UK’s national fraud and internet crime reporting agency), a total of 994 cases of so-called ‘Bogus Boss’ fraud were reported to them in the six months from July last year. And given that reporting of online scams of this kind is still voluntary, we can be pretty sure that the true figures are very much higher.
In case you haven’t come across them before, Bogus Boss frauds sadly don’t involve someone in a stick-on moustache and wig impersonating the CEO at board meetings. Rather, they are a sophisticated new variation on those old phishing emails which purported to come from one of your friends who had inexplicably got themselves stuck in downtown Lagos without a cent to their name.
The CEO scammers’ updated MO is to contact a member of the target firm’s accounts team and spin them a line about a secret takeover deal or a rush payment to a consultant, then give instructions that a large sum of money needs to be quickly transferred from the corporate accounts without anyone else knowing about it.
Written down like that it sounds ridiculous. Surely no-one in a position of authority would fall for such a trick without a call to the real CEO to check that all is above board?
Well, you’d be surprised. One unnamed global healthcare firm was taken to the tune of a staggering £18.5m by exactly this technique, says Action Fraud, and even the typical sum – more like £35,000 – is not exactly peanuts.
No-one likes to gainsay the boss, it seems, and the devil is in the details – great care is taken by the scammers to make sure that the emails they send really do look like they have come from a very senior figure in the company, and targets are equally carefully chosen to be important enough to sign off on substantial sums, but not so important that they are likely to bump into the purported sender on their next trip to the executive washroom. They are then pressured into acting quickly to stop them getting suspicious until it is too late.
Following a spate of cases in France – almost 500m euros has been taken from French firms in this way since 2010, including big names like Michelin and Nestlé – it seems that the phishers are now trying their luck more often on this side of the Channel. Payments taken in this way can sometimes be stopped or clawed back at least partially. But often the money – and the fraudsters – simply vanish without a trace.
So next time you get an unexpected email from the CEO demanding absolute confidentiality, it might just be worth calling their office back to check that they really are who they say they are. Or not – your career, your call...