Fraud Files: An urgent business request
It’s one thing to hear about common scams; it’s another to recognize one when it happens to you. To help you spot the warning signs of fraud, we share real-life stories of the types of scams we encounter at SCU every day. To protect the identities of those involved, names and details of this story have been changed. As you read the story, try to identify what type of fraud occurred and catch the red flags of the scam.
At 8:30 on a Monday morning, Walker sat in his office, poured a cup of coffee, and started his workday the way he always did — checking emails.
Although Walker had only worked at the up-and-coming law firm for a few months, as an intern he learned very quickly to power through his inbox every morning. It didn’t take him long to notice the unread email marked “high priority.” Especially since the sender was one of the owners of the firm, Douglas Bircham.
When you get an email from someone whose name is on the front door of your office, of course you take it seriously and open it immediately.
Douglas had a brief, but urgent request: He was meeting with a few new high-value clients later that day, and planned to take them out to lunch. Unfortunately, he was out of the office and didn’t have time to grab the company credit card. He needed Walker to buy a few restaurant gift cards, then send him the information so he could use it with the clients. He also asked Walker not to talk to other employees about his request, since these were only prospective clients, and he didn’t want any rumours floating around about who he was meeting with.
Walker had never received a request like this before, but he was still learning the ropes of the law firm. Besides, he reasoned, the business world is all about relationships, right? Why wouldn’t they take clients out to lunch? Coffee forgotten, Walker used the company credit card to buy gift cards online and sent Douglas the information.
Over the next few days, Douglas’ “quick request” turned into a series of gift card sends, all of them top secret: A birthday gift for an employee. A new employee rewards program they were working on rolling out. A few more client lunches. By the time Friday rolled around, Walker was frustrated with all of the requests — but how could an intern say no to the owner of the law firm?
The next week, Walker’s manager stopped by his office with a question: The finance department had noticed a series of unaccounted transactions from the previous week, and Walker’s manager asked if he knew anything about them. Walker was reluctant to share at first, since Douglas had given him strict instructions not to tell anyone else, but he eventually relented. He explained the entire story to his manager, and showed all of Douglas’ emails.
Walker’s manager had bad news — she suspected the emails were fraudulent. She knew Douglas would never make those types of requests, and the emails Walker had received weren’t from Douglas’ usual business email. Walker had unwittingly cost the law firm thousands of dollars.
This type of scam is known as executive or CEO fraud, and it hinges on a tactic called social engineering. Social engineering is a type of manipulative behaviour used to trick you into revealing personal, confidential, or financial information. Social engineering is all about creating a connection with the victim, or uncovering a weakness the scammer can exploit. Here are a few ways fraudsters leverage social engineering in a CEO scam.
1. They choose their victim strategically: Fraudsters look at a variety of factors to help them select an employee they think they can exploit. They may contact someone who’s new to their role, and lacks the experience to recognize an unusual request. Or they find someone who rarely has direct contact with the CEO or executive, and doesn’t know how the person speaks or writes in real life.
Red flag: You receive a request from someone who rarely contacts you, and they make the request through email or direct message rather than in person.
2. They do their homework: It only takes a quick online search for a scammer to find specific information about the employee and their business. They’ll use that information to build credibility and tell a more believable story.
Red flag: The person making the request won’t answer any follow-up questions, or only references general information that’s available online.
3. They create a sense of urgency: Scammers don’t want you to have time to question their request. That way, you’re focused on the urgency, and you ignore red flags like spelling and grammar errors, or an incorrect email source.
Red flag: The person needs you to fulfill the request immediately due to some sort of company emergency or tight deadline.
4. They keep the victim isolated: The scammer will make sure you don’t have the chance to talk to anyone who may question their story, and will come up with reasons why their request needs to stay between you and them. It also means it may be days, or even weeks before anyone else realizes the scam happened, giving the fraudsters plenty of time to cover their tracks.
Red flag: The person claims the request is sensitive, and tells you not to talk with any other employees.
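The red flags above can also be checked mechanically before a message reaches an employee. The following is an added example, not part of the original article or any SCU tool, that scores a plain-text email for them; the firm's domain, the executive list, the keyword patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not from the article: the firm's domain, the executive list
# and the keyword patterns are illustrative placeholders.
COMPANY_DOMAIN = "examplelaw.test"
EXECUTIVES = {"douglas bircham"}
PATTERNS = {
    "urgency": re.compile(r"\b(urgent|immediately|right away|asap)\b", re.I),
    "secrecy": re.compile(r"\b(do not|don't) (tell|talk|mention)\b", re.I),
    "gift_cards": re.compile(r"\bgift ?cards?\b", re.I),
}

def red_flags(raw_message):
    """Return the sorted red flags found in one plain-text email message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    flags = set()
    # An owner's name on the display line, but not the usual business domain.
    if (name.strip().lower() in EXECUTIVES
            and addr.rpartition("@")[2].lower() != COMPANY_DOMAIN):
        flags.add("exec_name_external_sender")
    if msg.get("Importance", "").strip().lower() == "high":
        flags.add("marked_high_priority")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags.update(label for label, rx in PATTERNS.items() if rx.search(text))
    return sorted(flags)

def should_hold(raw_message):
    """Hold for confirmation: exec name on an outside address plus any other flag."""
    flags = red_flags(raw_message)
    return "exec_name_external_sender" in flags and len(flags) >= 2

# Constructed sample messages, modelled on the story above.
SUSPICIOUS = """\
From: Douglas Bircham <d.bircham.office@mailbox.test>
Subject: Quick request
Importance: high

I need you to buy a few restaurant gift cards right away and send me the
information. Please don't talk to other employees about this.
"""
LEGITIMATE = """\
From: Douglas Bircham <douglas.bircham@examplelaw.test>
Subject: Client lunch on Thursday

Please book a table for four at noon and let the front desk know.
"""
```

A held message is a prompt to confirm the request with the named person through a known phone number or in person, not proof of fraud.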
Fraud prevention tips for business owners
Stories like these are preventable, as long as you take the proper steps to be prepared. Here are a few steps you can take to protect your business.
- Don’t assume your business is safe: Many business owners incorrectly assume that their business is too small to be a target for fraud. On the contrary, scammers often focus on small businesses because they may have fewer security protocols in place.
- Set up your employees for success: No matter your business size, it’s a wise idea to make sure all your employees receive some degree of fraud prevention training. This can include training on common scams, online safety, or other topics specific to your business line.
- Invest in extra security measures: You may not expect to be a target of fraud, but if you are, security measures like fraud detection software will more than pay for themselves in the long run.
Key takeaway: Don’t assume someone is trustworthy just because they claim to be someone with authority. Go to the source directly or check with your manager to confirm the request is real.
Does this story sound familiar?
If this has happened to you, or someone you know, here’s how you can report it: scu.mb.ca/fraudprevention/reportfraud