Here's an unfortunate situation that hopefully none of you ever have to go through:
The accountant for a U.S. company recently received an e-mail from her chief executive, who was on vacation out of the country, requesting a transfer of funds on a time-sensitive acquisition that required completion by the end of the day. The CEO said a lawyer would contact the accountant to provide further details.
“It was not unusual for me to receive e-mails requesting a transfer of funds,” the accountant later wrote, and when she was contacted by the lawyer via e-mail, she noted the appropriate letter of authorization—including her CEO’s signature over the company’s seal—and followed the instructions to wire more than $737,000 to a bank in China.
The next day, when the CEO happened to call regarding another matter, the accountant mentioned that she had completed the wire transfer the day before. The CEO said he had never sent the e-mail and knew nothing about the alleged acquisition.
And you might think, "You have to be pretty stupid to get scammed over email," but the FBI notice says that "Business E-Mail Compromise" frauds have duped more than 7,000 businesses with losses in excess of $740 million over the last couple of years. Crikey, that's a lot. Does gullibility result in that much fraud? If so, yikes.
[A]fter the accountant spoke to her CEO on the phone, she immediately reviewed the e-mail thread. “I noticed the first e-mail I received from the CEO was missing one letter; instead of .com, it read .co.” On closer inspection, the attachment provided by the “lawyer” revealed that the CEO’s signature was forged and the company seal appeared to be cut and pasted from the company’s public website. Further assisting the perpetrators, the website also listed the company’s executive officers and their e-mail addresses and identified specific global media events the CEO would attend during the calendar year.
Yeah, it's a little sloppy that a single email from a CEO along with a lone signature over a company seal would be enough to wire $737k. As Matt Levine writes:
[N]o one ever wants to talk on the phone any more, making it less likely that anyone will ever pick up the phone to verify e-mailed transfer instructions.
That might sound tedious, but it could save you the kind of embarrassment that causes people to lock themselves in a closet for a year. Be careful out there.