Scammers are getting smarter and more personal. One of the costliest types of business fraud is called the CEO scam, also known as "spear phishing." Unlike typical phishing, where scammers send the same message to many people, this scam is targeted. It’s designed to trick an employee into transferring money or revealing financial details by pretending to be a senior executive at your company. Here’s how you can spot it and what to do if it happens to you or your business:
How to spot the CEO scam
Email scams
In a typical CEO scam, the scammer will send a message impersonating a company executive, such as the president or the CFO, to individuals working in the accounting or finance department. The message will look like it comes from the senior executive, attempt to trick the employee into wiring money to a third party, and include language making the request sound urgent and highly confidential.
If the message is sent by email, the address can look authentic too, since scammers register domain names that look very similar to the target domain, such as @yourcompany1.com instead of your real company domain of @yourcompany.com. And scammers can look up company executives and use their real names to make the emails even more convincing.
For example, the accounting department might receive an email that looks like it’s from their Chief Financial Officer, Tim Smith - tim.smith@yourcompany1.com - instructing them to wire $55,000 to a specific account and stating that the request is urgent. The scam email also tells them to communicate only with him and only through email so as not to infringe on “capital markets regulations” or something similar. The scammer will often follow up asking for an update on the transfer and reemphasizing the urgency of the request.
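A mail filter or help-desk script can catch the lookalike-domain trick described above by comparing each sender's domain with the real one. The following is an added example, not part of the original article: the function names, the edit-distance threshold of 2 and the sample From headers are assumptions made for illustration.

```python
from email.utils import parseaddr

LEGIT_DOMAIN = "yourcompany.com"  # the article's example of the real company domain


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, legit=LEGIT_DOMAIN, max_distance=2):
    """Classify a From header by its domain's similarity to the real domain.

    max_distance is an assumed threshold; tune it to the length of your domain.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == legit:
        # Matching text only: a From header can be forged, so this result
        # does not replace SPF/DKIM/DMARC checks or a phone call.
        return "internal"
    if edit_distance(domain, legit) <= max_distance:
        return "lookalike"  # near miss of the real domain: hold for review
    return "external"


# Constructed sample headers, not real mail.
SAMPLE_HEADERS = [
    "Tim Smith <tim.smith@yourcompany.com>",
    "Tim Smith <tim.smith@yourcompany1.com>",
    "Tim Smith <tim.smith@your-company.com>",
    "Billing <billing@supplier.example>",
]


def flag_lookalikes(headers):
    """Return the headers whose sender domain imitates the real one."""
    return [h for h in headers if classify_sender(h) == "lookalike"]


if __name__ == "__main__":
    for header in flag_lookalikes(SAMPLE_HEADERS):
        print("REVIEW BEFORE PAYING:", header)
```

A message flagged this way should be held until the request is confirmed by phone with the executive it claims to come from.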
Detecting AI-generated voice and video CEO scams
The use of artificial intelligence (AI) tools can make these scams even more convincing. Scammers could use AI-generated video and audio to impersonate a company executive, including their voice and appearance.
Scammers can collect audio or video posted to the internet and use AI-generation tools to create a deepfake video or voicemail that appears to come from that person.
They then send it in a message or voicemail asking you to transfer funds or share sensitive information.
Signs of AI-generated scams
- The video may look slightly unnatural or have stiff facial movements
- The voice might sound too polished, with awkward pauses
- It may try to rush you into sending money or making a decision, just like traditional scams
How to protect your business
- Train your team - Educate your employees about this scam and tell them to be skeptical of urgent or suspicious requests made by email. Encourage them to communicate with their manager if they feel a request seems unusual
- Always verify requests - If you, or your employees, have any doubts about an email that looks like it is from someone at your company, contact them directly by phone before responding to ensure the request is legitimate
- Use dual approval for transfers - Have policies and controls in place requiring more than one officer to approve fund transfers
- Try to limit what you share online - As a business owner, be careful what you share on social networking sites. Fraudsters can use these sites, and your website, to glean information about you that they can repurpose to target your company
- Be cautious with voicemails and video messages - When it comes to audio and video, watch for abnormal speech patterns. AI-generated speech may sound formal or too precise and there could be long pauses between sentences or in responses
Sign up for the CBA’s Fraud Prevention newsletter to receive regular updates about frauds and scams and how to protect your money.
Download the CBA’s Small Business Cyber Security Toolkit. With checklists and a printable poster for employees on how to spot common scams, the Toolkit can help you protect your small business from cyber threats.
