If you get an email marked "urgent" from your boss that asks you to send money to a vendor, you might want to slow down, at least a bit. That email could be the setup for a new version of a scam that the Federal Trade Commission has warned about.
In the scam, the "boss" is actually a hacker posing as a company executive -- a crime also known as masquerading. The hacker makes a request to direct a wire transfer to a new vendor. For those who routinely make such transfers, it might not seem out of the norm, according to the FTC.
But the agency reports that the FBI's Internet Crime Complaint Center (IC3) has recorded an average loss to this scam at $55,000. Some companies have reported losing $800,000 or more. IC3 reported that the scam has been going on for more than a year in various forms, but the hacked email variation is a new twist. Scamsters are also using spoofed emails that are similar to official addresses.
Other versions involve phone calls supposedly to update vendor files or from someone posing as a top company executive demanding account information.
The FTC noted that because the money is sent by wire, it's virtually impossible to recover any of the funds. Often, the scam isn't even noticed until someone in finance, or other company officials, notice the transfer.
Here's some advice from the FTC about how to protect against the scam:
- Create an approval process for transactions above a certain amount that involves multiple people.
- Use a system involving a purchase order and approval from both a manager and the finance department before disbursing money.
- Send out a notification explaining the scam.
- Pause before making a financial transaction. The key to many scams to is force a quick move before you've had a chance to think things through or detect something is amiss.
- Be wary if you're asked to keep the transaction secret. When in doubt, contact the executive or other company officials on your own to double-check.
If you think you've been targeted in a masquerade scam, IC3 asks you to report the incident.