The Diary Of A New Start: The CEO fraud scam

Business owners love a new start. It can mean that the right person has been found to fulfil a position that may have been open for some time and may even be essential to take the company forward. New staff can also add great value to a company by bringing in new ideas, fresh opportunities, and additional skills.

When a new start accepts a position and a start date is agreed, you will most likely go through a standard induction process to ensure your new staff member is equipped to hit the ground running. When they finally join your company, there will be plenty for them to take in and do in their first week.

Week 1 for the New Start

Day 1

My first day at the new company is a daunting experience – new office to navigate, new names and faces to remember, new procedures to follow, and a lot of information to take in during my orientation and onboarding meetings.

The person from finance has just done their bit on expense claims, the HSEQ induction covered reverse parking and lids on cups, and my department head just finished waxing lyrical about Margarita Friday being an excellent “motivational” tool.

After a busy morning, I finally have some time to myself for a break over lunchtime. I have just grabbed a seat, and with my sandwich in one hand and my mobile in the other, I am going to take time out to check the news, read some sports headlines, and then update my social media with the good news about my new position!

Days 2 and 3

It’s been an intense, but very enjoyable couple of days in my new place of work. I’ve met lots of new people, and I’ve just booked in meetings to get the briefs and information that I need to start working on my first few projects.

Day 4

Today has started well. I have just received an email from the CEO asking me to help with a favour. She wants to reward some of the staff with gift cards, but she needs to jump into an all-day client meeting, so she has asked if I can help with this. Being fresh in the door, I am eager to please, so I have said: “of course, not a problem”. “Excellent” is the response.

All that I need to do for her is go to a local shop and purchase £500 worth of vouchers for an online service, and then send her the codes so she can distribute them to my valued colleagues. That’s pretty easy for me to do, and once the CEO has the codes, I will have gained early brownie points. Not a bad return for week one in the company!

The CEO has asked me to put them on my card, then to expense them, as nobody can know – maybe the finance person is due to get one and it would spoil the surprise? I’ll head out at lunch to get these.

Task completed, and I have just emailed the codes to the CEO. I am waiting for a response but nothing has come back from her. Maybe she is stuck in her meeting? I’ll check again tomorrow.

Day 5

I had expected to hear back on the voucher codes when I got into work today, but I had nothing in my inbox from the CEO.

I then went to get a coffee, and when I saw the CEO in the office, I approached her and sheepishly asked about the task and how to claim the money back. She had no idea what I was on about. OH NO!!!

Your new staff member has just fallen for a Business Email Compromise scam, also known as CEO Fraud.

The Business Email Compromise Scam

The message is sent by a bad actor, usually from a mail account at a free provider, with the name of a senior member of staff set as the display name. The bad actor preys on the newness of a person to trick them into doing something they usually wouldn’t do.

Unfortunately, this isn’t a hypothetical scenario; this does happen, and it can put your new staff member under emotional and financial stress, as well as a feeling of shame and embarrassment, which is not ideal when they’ve just started a new job.

In the first week of joining a new company, a new staff member may not be fully aware of the procedures around purchases or releasing money, or that the CEO would never request this kind of task by email. It is also common for staff to have been warned about such cyber scams in a recent company update, so it is assumed that this cyber scam will be avoided. However, a new start, being so new in the door, will not have been privy to any past communications like this.

Whilst you will have invested in anti-malware, email filters, firewalls, and other cybersecurity products to protect your staff, data, and network, these attacks can sometimes still get through.

In this cyber scam scenario, there was no malicious payload, no attack on the network, and no obvious indicators that the message was not genuine – after all, it was sent from a free email service, so it would have passed all the usual email authentication checks. The only thing that may catch this kind of cyber scam is impersonation protection, which is usually part of your email filtering product, but even this can sometimes miss these emails.
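The display-name trick described above is exactly what an impersonation-protection rule looks for. The following is an added example, not code from the original post or from Nimbus Blue: a small Python check that flags a message whose From display name matches a senior member of staff while the sending address is outside the company’s own mail domain, with free-mail providers called out separately. The executive names, the domain example.co.uk, the free-mail list and the sample messages are all constructed for illustration.

```python
"""Display-name impersonation check for inbound mail.

Added example, not part of the original post. Flags messages whose From
display name matches a senior staff member while the sending address is
outside the corporate domain (for example a free-mail account). The names,
domains and sample messages below are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Constructed for this example: the people most often impersonated in CEO fraud.
EXECUTIVES = {"Jane Smith", "Alan Jones"}
# Assumption: the organisation's own mail domain.
CORPORATE_DOMAIN = "example.co.uk"
# Constructed list of free providers that anyone can register an account with.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def _normalise(name: str) -> str:
    """Lower-case a display name and collapse punctuation and extra spaces,
    so 'JANE  SMITH' and 'Jane Smith' compare equal."""
    name = re.sub(r"[^\w\s]", " ", name).lower()
    return " ".join(name.split())


def check_from_header(from_header: str) -> dict:
    """Classify one raw From header.

    'verdict' is one of:
      internal                 - sent from the corporate domain
      freemail-executive-name  - executive's name on a free-provider address
      external-executive-name  - executive's name on some other outside domain
      clean                    - no executive name match
    """
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    exec_names = {_normalise(n) for n in EXECUTIVES}
    name_matches = _normalise(display_name) in exec_names

    if domain == CORPORATE_DOMAIN:
        verdict = "internal"
    elif name_matches and domain in FREEMAIL_DOMAINS:
        verdict = "freemail-executive-name"
    elif name_matches:
        verdict = "external-executive-name"
    else:
        verdict = "clean"
    return {"verdict": verdict, "display_name": display_name, "domain": domain}


def triage(messages):
    """Run the check over a batch of parsed messages and return the ones to
    hold for review, as (subject, verdict) pairs."""
    flagged = []
    for msg in messages:
        result = check_from_header(msg["From"])
        if result["verdict"].endswith("executive-name"):
            flagged.append((msg["Subject"], result["verdict"]))
    return flagged


# Constructed sample headers: one genuine internal mail, one CEO-fraud attempt
# from a free-mail account, and one unrelated external sender.
SAMPLE_MESSAGES = [
    {"From": "Jane Smith <jane.smith@example.co.uk>", "Subject": "Board pack for Monday"},
    {"From": '"Jane Smith" <jane.smith.ceo@gmail.com>', "Subject": "Quick favour"},
    {"From": "Amazon Orders <no-reply@amazon.co.uk>", "Subject": "Your order has shipped"},
]


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_MESSAGES):
        print(f"HOLD FOR REVIEW: {subject!r} ({verdict})")
```

A rule like this belongs in the filter’s hold-for-review path rather than as an outright block: a genuine executive mailing from a personal account on a weekend will trip it, and the point is that a human looks at the message before a new start does.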

So, what can you do to help new staff when they are faced with this kind of cyber threat?

There are a few things you can do in addition to relying on your wider cybersecurity product suite to keep your staff, data, and network safe:

  • As part of your new start onboarding process, include a short cybersecurity awareness course in the induction. Not everyone comes armed with the skills to spot a malicious email or phone call.
  • Introduce the new start to your IT team or Managed Service Provider, so they know who to turn to and the best ways to contact them.
  • Reassure your new start that it’s ok to make a mistake, so long as they report it immediately to the relevant people, such as line managers and IT. A quick report of an incident can have a positive effect on containing the threat and limiting the damage.

If this sounds like something that you think you should be doing, but you are not sure where to start, then get in touch. Nimbus Blue are here to help you get the right cyber awareness training in place for your staff and guide you on what to focus on when including cyber as part of your staff onboarding process.