Phishing Scams: That Email from Your CEO Could Be Phony
July 07, 2016
Have you received an email from a top executive in your business, requesting sensitive information? Think twice before you reply to such an email.
The subject line of an email from your CEO reads “URGENT” or “CONFIDENTIAL”. You open the email to find a message: “Hello Tim, kindly send me a spreadsheet of all the 2015 W-2 information for each of our staff members.”
A new and sophisticated phishing scam is making its way across email inboxes: an employee receives an email from someone in authority requesting sensitive information. The scheme is known as “CEO fraud” or a “BEC (Business Email Compromise) scam.” If you receive an email from a top executive that seems suspicious, you are encouraged to question it and report it right away, before any sensitive information is released.
What kind of information is requested?
The email from the “top executive” usually contains a request for detailed employee information like:
- Home addresses
- Social Security Numbers
- Dates of Birth
- Bank account information, etc.
These criminals typically request this information in the form of a spreadsheet or other reports.
Who are the typical victims in these scenarios?
Attackers usually prey upon human resources and administrative employees in these “CEO frauds,” presumably because these employees have the most accessible and up-to-date information on company personnel.
How do the criminals pull these schemes off?
The fraudsters easily pick up the names of executives from a company’s own website or, worse, have gained access to the company’s email server. They then mimic the email address and use it as bait to obtain the details on company employees. This is often done outside the U.S. by professionals who do this for a living.
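The mimicry described above leaves traces that a mail filter or an IT department can check for. The following Python check is an added example, not part of the original article; the domain example.com, the executive names, the word lists and the two sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: company domain, executive names, word lists.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "sam lee"}
PRESSURE_WORDS = ("urgent", "confidential")
DATA_WORDS = ("w-2", "social security", "date of birth", "bank account")

# Constructed sample messages (not real mail).
SPOOFED = ("From: Jane Doe <jane.doe@examp1e.com>\nSubject: URGENT\n\n"
           "Hello Tim, kindly send me a spreadsheet of all the 2015 W-2 information\n")
INSIDE = ("From: Jane Doe <jane.doe@example.com>\nSubject: CONFIDENTIAL\n\n"
          "Please send the W-2 spreadsheet today.\n")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ceo_fraud_signals(raw_message):
    """Return the reasons a message resembles the scam described above."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    outside = domain != COMPANY_DOMAIN
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []
    if outside and display.strip().lower() in EXECUTIVES:
        reasons.append("executive name on an outside address")
    if outside and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append("look-alike of the company domain")
    if any(word in text for word in PRESSURE_WORDS):
        reasons.append("pressure wording in subject or body")
    if any(word in text for word in DATA_WORDS):
        reasons.append("asks for employee personal data")
    return reasons


if __name__ == "__main__":
    for name, sample in (("SPOOFED", SPOOFED), ("INSIDE", INSIDE)):
        print(name, ceo_fraud_signals(sample))
```

The `INSIDE` sample models the case where the company's own email server has been accessed: the address is genuine, so only the content signals fire, which is why such requests should still be reported and confirmed.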
How do I report a suspicious email?
If you receive an email that you are wary of:
- DO NOT REPLY
- DO NOT CLICK ON LINKS
- DO NOT CALL PHONE NUMBERS PROVIDED IN THE MESSAGE
- The best first step is to report the email to your IT department. If you don’t have an IT department, you can check in with your outside technology company.
- Once you’ve confirmed that this is a fraud, you can file a complaint with the FTC (Federal Trade Commission) through their Complaint Assistant so that investigators are aware of the scam.
Feel free to contact us for further guidance.