We were recently made aware of a new twist on a common scam and want to be sure our readers are aware of it.
For the past several years, business email compromise scams have been on the rise. These scams involve a scammer using research and social engineering, and often spoofed email addresses (where the message appears to come from a different email address than the one actually sending it), to convince an employee of a company to initiate a wire transfer to the scammer. In many cases the scammers will try to impersonate the CEO or another authority in the business. They will then try to create a sense of urgency so that the victim acts quickly without thinking too much. The FBI has been warning about the rise of these scams for some time.
A scary new tool has emerged in the scammer’s toolkit. Using machine learning technology similar to that used to create so-called "deepfake" videos, a scammer is suspected of having faked the voice and speech pattern of a CEO in a phone call to an employee of a German company. The employee was fooled into wiring approximately $243,000 to the scammer before the plot was uncovered.
Fake phone calls from CEOs to lower-level employees are not a new technique in these scams, though they were harder to pull off successfully. In the past these sorts of calls often relied on an actor trying to imitate the voice of a CEO, or simply operated on the assumption that a lower-level employee might not know what the CEO sounds like. But using technology to imitate the voice of a CEO makes these phone calls much more likely to work. Even those who know a requester well might not be able to tell that it isn’t the requester's voice on the other end of the phone.
How can you protect your company from these kinds of scams (whether they use phone calls or email)?
First, make sure your employees are aware of these kinds of scams and tell them to be on their guard for these kinds of requests; if anything seems out of the ordinary, check it out before sending the money!
Second, set up standard procedures for how requests for these kinds of transfers will be handled, and then make sure everyone follows these procedures. These procedures should involve some kind of confirmation and could involve a passphrase or some other method of assuring that the request is real.
Third, make sure employees know to independently confirm any request for a wire transfer with the person making the request. If possible, an in-person confirmation is best, but an independent phone call made by the employee to a known phone number for the requester (not using any phone numbers provided in the email or supposed phone call!) can also work. No wire transfers or other payments should be made without this independent confirmation! If the CEO is really calling you, then they can confirm the request when you call them back on their cell phone or office phone. If they didn't make the call, they will be happy that you confirmed with them before sending money to a scammer!
Unfortunately, the emergence of this new technology means we can't even be sure that recognizing someone's voice on the phone means it’s really them. Make sure any requests for money transfers are confirmed as authentic before taking any action.
We hope all of our readers and clients remain safe from these and other kinds of scams. If you suspect you may be the victim of a scam, or if you're worried that you may be targeted in the future, call Smith Brandon International today. We can help you investigate potential scams and scammers and provide consulting to help you put in place procedures to protect your company from future scams.