It seems that our inboxes are always full of poorly crafted emails with questionable attachments from unknown senders, trying to gain access to our information or our computers. Email scammers are ubiquitous, and often a pesky but easily avoidable hazard in our digital lives and our real ones.
However, we recently heard from a client of ours who shared the alarming story of their business falling victim to an insidious and highly creative scam, which leveraged not only particular circumstances but also specific working relationships in order to be successful. We wanted to share the story with you in order to raise awareness among business owners, their staff and employees of some new and sophisticated tactics being used to defraud businesses of money. After the story, we offer some ideas and tools for both bosses and their reports to protect against this kind of personalized scam.
A few weeks ago, a client of ours (who is based on the West Coast) took a business trip to Boston, leaving on a Friday and returning the following Tuesday. Their executive assistant had plans to work remotely, with a work flow that included several tasks for the business that required them to be out and about, rather than sitting at their computer. On Monday morning the executive assistant checked their phone and saw an email from their boss instructing them to purchase $1500 worth of Amazon gift cards, then to send the redemption codes to their boss as soon as possible. Knowing that their boss was meeting with potential customers and was scheduled in back-to-back meetings over the course of the day, the executive assistant assumed that these cards were going to serve as some kind of gift, but that their boss was running from place to place and had to send the request via email. Based on the urgent tone of the email, the assistant prioritized the task, using the company credit card to purchase $1500 worth of Amazon cards, then replying to the email with the requested information. They received a quick email in reply, thanking them. The assistant then continued about their day, taking care of the rest of their to-do list.
The following morning, the executive assistant received another email from their boss on their phone, asking for an additional $2000 worth of Google Play cards. This struck the assistant as slightly odd, but the tone again seemed urgent and the email clearly had the boss’s name on it. As there was another long to-do list that day, the assistant hurried out and took care of the request, again sending the information as quickly as possible. They received another reply email to their phone, thanking them for facilitating the purchases and asking them what else they were working on that day. The assistant responded, asking some clarifying questions about particular projects. They received another reply email that affirmed their proposed work flow, and that included some seemingly legitimate answers to their questions.
At this point, you no doubt can guess where this is going.
About two hours later, a third request came in for another gift card purchase. The assistant was walking into a meeting with a colleague, so they replied to the email with an approximate timeline of when they could address the request, then went into the meeting. As they took their seats, the assistant began to share the circumstances with their colleague. As they heard themselves relate the details, and watched their colleague’s face fall, the assistant realized something was very wrong. They immediately called their boss, who revealed they knew nothing about the cards or the requests; the assistant had been duped by someone posing as their boss. For the first time, the assistant opened the emails on a computer and found that the sender’s email address was not their boss’s; the address had simply been assigned their boss’s name as the sender name. Thus, on their phone, which showed only a curtailed set of details, there was no visual cue that this was an impostor. What is particularly frustrating about these events is that, because the employee made and approved the actual purchases themselves, the bank will not dispute the charges on the company card.
The reason that we chose to share this particular incident is that the scam proved successful because it was creative and personalized. It was also timed impeccably. The assistant said to us, “This could literally not have happened at any other time. For this to work, my boss had to be out of town. They had to have a full schedule of meetings, and those meetings had to be with people that I could viably believe my boss would want to offer some kind of gift or thank you. Also, I had to be away from my computer for an extended period of time. If I had opened this email on a laptop or desktop, I would have seen the suspicious email address right away and not moved forward… or at least called or texted my boss for confirmation. What is most unsettling is that we don’t know if they were just exceptionally lucky in their timing, or if they really infiltrated and read my work email and my correspondence with my boss, enabling them to know the right time to strike. All that being said, I still feel incredibly foolish! It seems so obvious in retrospect what was happening.”
The assistant now encourages other employees and staff to hit a proverbial “pause” button when an uncommon request comes in from their boss via digital communication. The valuable qualities of efficiency, trust and effectiveness can actually be vulnerabilities that scammers exploit, turning an employee’s best instincts to their own financial gain. No matter how urgent a request, it is incumbent upon an employee to take a moment to ensure that a unique or uncommon request is authentic and legitimate, whether by verifying the email address, sending a text or making a phone call to their boss or supervisor to confirm. This is especially true when it comes to spending the company’s money.
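The address check described above can also be done mechanically: compare the sender name a phone shows against the addresses that person is known to send from. The following is an added example, not part of the original story; the names, addresses and messages in it are constructed, and the function names are our own.

```python
from email import message_from_string
from email.utils import parseaddr

def normalize_name(name: str) -> str:
    """Fold case, punctuation and word order: 'AVERY, Jordan' == 'jordan avery'."""
    cleaned = name.replace(",", " ").replace(".", " ").casefold()
    return " ".join(sorted(cleaned.split()))

# Constructed directory: each protected person and the only addresses
# they legitimately send from (hypothetical values).
KNOWN_SENDERS = {
    normalize_name("Jordan Avery"): {"jordan.avery@example-corp.test"},
}

def check_sender(raw_message: str) -> dict:
    """Report what a phone would show versus the address actually behind it."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    allowed = KNOWN_SENDERS.get(normalize_name(display))
    return {
        "shown_on_phone": display or address,
        "actual_address": address,
        "subject": msg.get("Subject", ""),
        # Known name paired with an address that person does not use.
        "impersonation": allowed is not None and address not in allowed,
    }

# Constructed sample messages (headers, blank line, body).
SAMPLE_MESSAGES = [
    'From: "Jordan Avery" <office.mgr2291@freemail.example>\n'
    "Subject: Urgent task\n\nPlease buy gift cards and send me the codes.\n",
    "From: Jordan Avery <jordan.avery@example-corp.test>\n"
    "Subject: Itinerary\n\nBack on Tuesday.\n",
    'From: "AVERY, Jordan" <jordan.avery@examp1e-corp.test>\n'
    "Subject: Quick favor\n\nAre you available?\n",
    "From: Sam Lee <sam.lee@vendor.example>\n"
    "Subject: Invoice\n\nHello.\n",
]

def triage(messages):
    """Return only the messages whose sender name impersonates a known person."""
    return [r for r in map(check_sender, messages) if r["impersonation"]]

if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(f'{hit["shown_on_phone"]!r} is really <{hit["actual_address"]}>')
```

The second sample, sent from the real address, passes; the first and third carry the boss’s name on an address the boss does not use and are flagged.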
Leadership can also play a role in protecting against this kind of theft. Business owners and CEOs might consider setting and articulating clear parameters for the kinds of requests they will make of their reports, and under what circumstances employees should expect the requests to be made in person or via verbal communication.
Our client said to us that they believe executive assistants to be especially vulnerable to this kind of scam. Executive assistants often end up responsible for a wide range of tasks and duties, some of which can be unique, surprising and often urgent. For some, requested tasks might also exist in the gray area between work and personal life: arranging personal travel, making dinner reservations or gift purchases for their boss’s spouse, calendaring events regarding the boss’s children, etc. The more wide-ranging the scope of work, the vaguer the boundaries, the more vulnerable the relationship will be to manipulation from outside.
Though the bank could not recover the funds, our client informed us that both Amazon and Google are investigating the events and that there is a possibility of getting some of the money back. Additionally, they have had a fruitful conversation with their assistant regarding expectations, practices and processes around future purchases and requests that will better protect both the assistant and the business. Our client declared, “I deeply value my assistant. I can see that, while it was quite an unfortunate and expensive mistake, the ethic and effort they showed throughout the scam is a demonstration of important and worthwhile qualities and skills to have in an employee. And the incident has given us the opportunity to more clearly define our relationship and my expectations, as well as empowering my assistant to be responsible for checking in if they have any questions or concerns.”