How this CEO avoided getting conned in a wire transfer scam
Why rob a bank when you can dupe someone into doing it for you?
Lately, crooks have been fooling businesspeople into forking over their corporate funds this way. “CEO fraud” or “business email compromise,” as the scam is known, has become a popular trick: Send an email (from a hacked employee account or spoofed domain) pretending to be an executive, and con the recipient (preferably an unquestioning subordinate) into transferring some amount of money.
In the U.S. alone over the past two years, as much as $750 million has been lost to wire fraudsters, reports the Federal Bureau of Investigation.
Tom Kemp, CEO of computer security firm Centrify, says his company is often targeted with these kinds of attacks. “I now regularly experience various forms of sophisticated attempts to get us to transfer money to crooks,” he writes in a blog post on his company’s website. “We are now getting one of these scam emails per week.”
The first attempt happened in Feb. 2014, he says, when his vice president of finance received a wire transfer request, apparently from the company’s chief financial officer. “Process a wire of $357,493.41 to the attached account information,” read the message, which contained a PDF attachment purporting to contain further instructions. “Let it be coded admin expense. Send me the confirmation when completed.”
“Thanks,” the message continued, ostensibly bearing a sign-off from Centrify CFO Timothy Steinkopf: “Tim.”
Below that, the email contained an apparently forwarded note, what might have seemed like an original request from Kemp. “Per our conversation, attached is the wiring instructions for the wire,” the note, allegedly authored by the CEO, said. “I’ll send the documentation later on. Let me know when done.”
The VP of finance, whose inbox had been targeted, looped in other people at the company for approval. When the request made its way to the real Kemp and Steinkopf, it became obvious that something fishy (well, phishy) was going on. “After squinting our eyes a few times, we immediately deduced that the email was sent from a look-alike domain called ‘centrilfy.com’ which looks a lot like ‘centrify.com,’” Kemp writes. So they called the FBI.
Meanwhile, the imposter became impatient. “Whats happening with the wire? I need to know,” a follow-up email read.
Kemp relished the irony: “It was somewhat amusing to have an attempted crime playing out while we were on hold with the FBI trying to report that crime.”
“That was the first of many attempts to scam us,” Kemp writes before detailing a handful of other examples, all drawn from personal experience this year. Common phrases in the fraudulent emails include “urgent payment,” “needs to go out today,” “need you to take care of,” “process,” “now.” The requests are typically short, informal, and pressing.
Kemp’s tips for avoiding wire traps? He’s got a few: Get approvals, cross-check with accounting, use multi-factor authentication (a service his company offers, of course, as do rivals such as Duo, Okta, RSA, and Authy), and take domain names similar to the one used by your organization off the market by snatching them up. For example: the marketing or IT teams at Fortune.com might choose to buy “F0rtune.com,” where the “o” has been replaced by a zero.
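The look-alike check that Kemp and Steinkopf did by eye can also be run automatically on inbound mail. The Python sketch below is an added example, not code from Centrify or from Kemp’s post; the function names, the digit-substitution table and the one-edit threshold are assumptions, and the sample addresses are constructed around the two domains named above.

```python
# Added example: flag sender domains that imitate a protected domain.
# Assumed substitutions; extend the table for your own brand name.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(label: str) -> str:
    """Collapse digit-for-letter and multi-character look-alike substitutions."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registrable(domain: str) -> str:
    # Assumption: two-label registrable domains (name.tld). A production
    # filter would consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify_sender(address: str, protected: str, max_edits: int = 1) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From address."""
    domain = registrable(address.rsplit("@", 1)[-1])
    protected = registrable(protected)
    if domain == protected:
        return "internal"
    name, pname = domain.split(".")[0], protected.split(".")[0]
    # Same name under another TLD, a digit swap, or one typo all count.
    if skeleton(name) == skeleton(pname) or osa_distance(name, pname) <= max_edits:
        return "lookalike"
    return "external"

if __name__ == "__main__":
    samples = [  # constructed sender addresses
        ("tim@centrify.com", "centrify.com"),
        ("tim@centrilfy.com", "centrify.com"),
        ("news@F0rtune.com", "fortune.com"),
        ("billing@example.org", "centrify.com"),
    ]
    for sender, protected in samples:
        print(f"{sender:24} -> {classify_sender(sender, protected)}")
```

A one-edit threshold produces false positives for very short names, so treat a "lookalike" result as a reason to hold the message for the approval and cross-check steps, not as proof of fraud.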
By the way, dear reader: Your CFO asked me to tell you to wire money to my personal bank account. No rush, though—whenever you get a chance.