Kiwi CEO loses $28,000 by sending the wrong email.

Earlier this year, the CEO of a medium-sized construction company based in New Zealand was planning to purchase a new company vehicle for himself. He mentioned it to the management team via email and even had his PA research different types of vehicles for him.

A month later, the CEO left on a business trip overseas. While on this business trip he seemed to have been inspired and made up his mind on which vehicle he’d like to purchase.

He sent an email from his work email address, instructing the Chief Financial Officer (CFO) to pay a $28,000 deposit for the new car and providing a bank account number to pay the deposit.


Naturally, the CFO complied, as this was an email from the boss.

Two weeks later, after returning from his business trip, the CEO decided he'd like to go ahead and purchase that new vehicle. He asked the CFO to pay the deposit for his new car.

The CFO looked shocked, his eyes widened and his mouth dropped ever so slightly in disbelief. He replied "But I already paid that deposit two weeks ago when you emailed me and asked me to".

Both staring wide eyed at each other, it was at this point they realised they had fallen victim to a scam and were now $28,000 out of pocket.

Both were left wondering how they were going to explain this to the board, while also vowing to never let this happen again.


The scam.

The scammers in this instance sent an official-looking email to the CEO, asking him to log in to his Office 365 account. The link led to a fake login page. These pages can be very convincing if you're not paying attention: the branding and the form are copied from the real thing, and the only reliable giveaway is the address shown in the browser's address bar, which is not Microsoft's.

In this particular scenario, the CEO typed his username and password into the fake page, which sent them straight to the scammers.
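As an added example (not part of the original post), here is a small Python checker that applies that "look at the address" rule the way a browser does rather than the way a hurried person does: it pulls the host out of the link and only trusts it if that host is, or is a subdomain of, a known sign-in host. The allow-list and the sample links are constructed for the example; the scam patterns show why simply spotting "microsoftonline.com" somewhere in the link is not enough.

```python
from urllib.parse import urlsplit

# Constructed allow-list: hosts that genuinely serve Office 365 and Google
# sign-in pages. Add your own tenant's sign-in hosts if you use others.
TRUSTED_LOGIN_HOSTS = (
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "accounts.google.com",
)


def naive_check(url):
    """What most people do by eye: look for the brand name anywhere in the link.
    Passes the fake page as long as the scammer puts the real name somewhere."""
    return "microsoftonline.com" in url.lower()


def host_is_trusted(host):
    """True only if host IS a trusted host or ends with '.<trusted host>'.
    The trusted name must be the tail of the host; 'login.microsoftonline.com'
    at the front of 'login.microsoftonline.com.verify-account.example' is just
    a subdomain the scammer created under their own domain."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)


def check_login_url(url):
    """Return ('trusted' or 'suspicious', reason) for a link that claims to be a sign-in page."""
    parts = urlsplit(url)
    host = parts.hostname            # lower-cased, with port and user:pass@ removed
    if not host:
        return "suspicious", "no host in link"
    if parts.scheme != "https":
        return "suspicious", "not https"
    if parts.username is not None:
        # https://login.microsoftonline.com@verify-account.example/ : the part
        # before '@' is a username the browser ignores; the real host follows it.
        return "suspicious", "text before '@' is not the host; real host is " + host
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "internationalised host, may be a look-alike of a real name"
    if host_is_trusted(host):
        return "trusted", host
    return "suspicious", "host " + host + " is not a known sign-in host"


# Constructed sample links: one real sign-in page and four scam patterns
# (the punycode host is made up and only needs the 'xn--' prefix to trip the check).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.verify-account.example/",
    "https://login.microsoftonline.com@verify-account.example/",
    "http://login.microsoftonline.com/",
    "https://xn--login-microsoftonline-1234.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = check_login_url(link)
        print("%-10s naive=%-5s %s  (%s)" % (verdict, naive_check(link), link, reason))
```

Run it and the first link is the only one reported as trusted, while naive_check passes three of the four scam links. The same idea is what a browser's address bar gives you for free: the host, and nothing else, tells you who you are really talking to.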

Once the scammers had the login details through the fake page, they went through the CEO’s emails to find anything useful which could be exploited to get money out of the company.

In most cases, this happens without anyone knowing the account has been breached. That means scammers can sit and read your email for days, weeks or months before making their move, unless someone is actually watching for unusual sign-ins (new countries, new devices, odd hours) and raising the alarm.

By reading the CEO’s emails, the scammers were able to identify the CEO was looking for a new car and also that he was heading away on a business trip soon.

Because the intruder could log in as the CEO, he could also send and receive email from the CEO's real mailbox. This is how the scammer was able to send an email to the CFO without the CFO realising anything was amiss: it wasn't a look-alike or spoofed address, it was the CEO's own account. I mean, how often do you question an email that comes directly from the CEO's email address?


The damage.

Aside from hurt pride and the awkwardness in having to front up to the board, the company lost $28,000 for the car deposit.



The solution.

As soon as Swerve got the call from the CEO, we had everyone in the company reset their passwords and enabled Multi-Factor Authentication (MFA) on their accounts. MFA requires a second proof of identity on top of the password before a login is accepted, such as a one-time code from an authenticator app on the employee's phone or a code sent by text message (the app is the better of the two, as text messages can be intercepted or redirected).

This means that even if a scammer has somehow obtained an employee's password, they can't get in unless they also have that employee's phone, or talk the employee into handing over the code. Staff need to know that a verification code is never to be read out to anyone or typed anywhere except the real sign-in page.
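As an added illustration (not part of the original post), the following Python code generates and checks the kind of six-digit one-time code an authenticator app produces, using the TOTP algorithm from RFC 6238; a text-message code works the same way from the server's side, as a short-lived secret shared with whoever holds the phone. The secret and timestamps are the RFC's own published test values. The relay_scenario function is a constructed timeline that shows the caveat above: the service only knows that the right code arrived in time, not who typed it, so a code read out to a scammer or typed into a fake page is accepted just the same, and the real user is then refused because the code has already been used.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1, as most authenticator apps use)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // step                      # which 30-second slot we are in
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


class TotpVerifier:
    """Server side: accept a code for the current 30-second slot (plus one slot
    either side for clock drift) and never accept the same slot twice."""

    def __init__(self, secret_b32, step=30, drift=1):
        self.secret_b32 = secret_b32
        self.step = step
        self.drift = drift
        self.used_slots = set()

    def verify(self, submitted, at_time):
        now_slot = int(at_time) // self.step
        for candidate in range(now_slot - self.drift, now_slot + self.drift + 1):
            expected = totp(self.secret_b32, candidate * self.step, self.step)
            if hmac.compare_digest(expected, submitted):
                if candidate in self.used_slots:
                    return False                        # replay of an already-used code
                self.used_slots.add(candidate)
                return True
        return False


# RFC 6238 test secret: the ASCII string "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def relay_scenario():
    """Constructed timeline: the user reads the code off their phone and types it
    into a fake page; the scammer submits it to the real service seconds later,
    then the user tries the real service. Returns (scammer_accepted, user_accepted)."""
    server = TotpVerifier(RFC_SECRET)
    t = 1111111111                                      # RFC test time; code is 050471
    code_shown_on_phone = totp(RFC_SECRET, t)
    scammer_accepted = server.verify(code_shown_on_phone, t + 5)
    user_accepted = server.verify(code_shown_on_phone, t + 8)
    return scammer_accepted, user_accepted


if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET, 59))
    print("scammer accepted, user accepted:", relay_scenario())
```

The code itself is sound: it is tied to the secret on the phone and expires within a minute or so. What it cannot do is tell the service who is holding the phone when the code is typed, which is why the training below matters as much as the setting.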

  • To set up Multi-Factor Authentication for Office 365 users, click here for instructions.

  • To set up Multi-Factor Authentication for Google users, click here for instructions.

Next, we made sure all staff were signed up to Swerve’s Cyber Security Awareness Training. 

This programme makes staff aware of the common scams, suspicious emails and links they will actually meet, and of what to do when they see one. This allows staff to work with greater confidence online and helps to protect the company, as the team is much more conscious of what they're clicking on and of what they're being asked to do.

If you'd like to know if your business has been secretly hacked in a similar way, we can take a quick look to check you’re all safe. Contact us to organise a free, no obligation chat.


Protecting yourself and your business.

You can easily find out if your business is vulnerable to these types of scams or attacks. Take this short, simple test to check whether you and your business are protected - just click the button to get started.

Many Kiwi businesses are unprepared when it comes to securing themselves from online theft. Most companies believe that having a dedicated IT consultant, or having their online systems set up professionally, means they're automatically safe. Unfortunately, this isn’t the case.

At Swerve, we hate seeing New Zealand businesses getting scammed and that's why we've set up user-friendly, easy to implement processes, which help to secure and protect your livelihood and business.

Our systems help to reduce the chance of human error when operating online, whether that's safeguarding your accounts team, setting up simple security systems, or familiarising your team with correct online policies and training.

Do you want to safeguard your business and reduce the risk caused by online thieves, scammers and hackers?

Book your free business security audit with us today by clicking the button below.
