Imagine you’re going about your day when suddenly you receive a text from the CEO. The head of the company is asking for your help. They’re out visiting customers or networking with potential clients and someone else dropped the ball in providing gift cards. The CEO needs you to buy six $200 gift cards and text the information right away.
The message sender promises to reimburse you before the end of the day. Oh, and by the way, you won’t be able to reach them by phone for the next two hours because they’ll be in meetings. One last thing, this is a high priority. They need those gift cards urgently.
Would this kind of request make you pause and wonder?
Or, would you quickly pull out your credit card to do as the message asked? A surprising number of employees fall for this gift card scam.
Without proper training, 32% of employees are prone to fall for a phishing scam.
This scam can come by text message or via email. The unsuspecting employee buys the gift cards and sends the numbers back. They find out later that the real company CEO wasn’t the one who contacted them. It was a phishing scammer.
The employee is out the cash.
Example: Employee Loses $6,500 Due to Fake Email
In one example, a woman from Palos Hills, Illinois lost over six thousand dollars. This was after getting an email request from someone she thought was her company’s CEO.
The employee received an email purporting to be from her boss and company CEO. It stated that her boss wanted to send gift cards to some selected staff that had gone above and beyond.
The email ended with “Can you help me purchase some gift cards today?” The boss had a reputation for being great to employees, so the email did not seem out of character.
The woman bought the requested gift cards from Target and Best Buy. Then she got another request asking to send a photo of the cards. Again, the wording in the message was very believable and non-threatening. It simply stated, “Can you take a picture, I’m putting this all on a spreadsheet.”
The woman ended up purchasing over $6,500 in gift cards that the scammer then stole. When she saw her boss a little while later, her boss knew nothing about the gift card request. The woman realized she was the victim of a scam.
Variations of this scam are prevalent and can lead to significant financial losses. A company isn’t responsible if an employee falls for a scam and purchases gift cards with their own money.
Why Do Employees Fall for CEO Phishing Scams?
- They are afraid of not doing as asked by a superior
- They jump at the chance to save the day
- They don’t want to let their company down
- They may feel they can advance in their career by helping
Tips for Avoiding Costly CEO Phishing Scams
1. Independently Verify Money-Related Requests
Always Double Check Unusual Requests.
Despite what a message might say about being unreachable, check in person or by phone anyway. If you receive an unusual request or one relating to money, verify it. Contact the person through other means to make sure it’s legitimate.
2. Don’t React Emotionally – Ask “Is this real?”
Scammers often try to get victims to act before they have time to think. Just a few minutes of sitting back and looking at a message objectively is often all that’s needed to realize it’s a scam. Don’t react emotionally; instead, ask whether the request seems real or is out of the ordinary.
3. Get a Second Opinion
Ask a colleague, or better yet, your company’s IT service provider, to take a look at the message. Getting a second opinion keeps you from reacting right away. It can save you from making a costly judgment error.
Does Your Organization Have Phishing Scam Protections?
Phishing keeps getting more sophisticated all the time. This situation warrants investing in cyber security protections that mitigate the risks of getting scammed. Also, employees should receive periodic ransomware/phishing awareness training – to help them recognize scams before they become victims.
Professional IT Security Services Can Help
If you are not sure about the level of IT protections and/or cyber training in your organization, it makes sense to consult an industry-recognized IT Security professional services company that can help to evaluate your level of security and recommend ways to improve.