Here’s how it works: A company receives an email that looks like it’s from the CEO. The email typically instructs someone who manages the company’s money that they need to send a payment to a certain bank account, or provide login information to the company payroll system.
But the email isn’t genuine, and it often comes from a fraudulent domain that looks very similar to the legitimate company website. The bank account that the money is sent to isn’t a legitimate customer, but instead an account owned by scammers. Fraudsters have also made off with payroll information about hundreds of employees using this technique.
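Because the fraud relies on a display name that matches an executive and a sender domain that merely resembles the company’s, a mail gateway can flag both signals before the message reaches whoever handles payments. The following is an added example, not code from the article or any company it names; the corporate domain, executive names and sample headers are all constructed for illustration.

```python
"""Flag mail whose sender only looks like the company or one of its executives."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"          # hypothetical corporate domain
EXECUTIVES = {"jane doe", "john smith"}      # hypothetical executive display names
MAX_DISTANCE = 2                             # how close a domain may be before it is flagged


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header: str) -> list[str]:
    """Return the reasons a From: header looks like CEO fraud; an empty list means nothing found."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= MAX_DISTANCE:
        reasons.append("lookalike domain")
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append("executive name on external domain")
    return reasons


# Constructed sample headers, not taken from any real incident.
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example-corp.com>',   # genuine internal mail
    '"Jane Doe" <jane.doe@examp1e-corp.com>',   # digit 1 in place of the letter l
    '"Jane Doe" <ceo.office@gmail.com>',        # executive name on a free-mail domain
    '"Vendor Billing" <ar@example-corp.co>',    # final letter of the TLD dropped
    '"Alice" <alice@unrelated-partner.net>',    # ordinary external sender
]


def scan(headers: list[str]) -> dict[str, list[str]]:
    """Map each flagged header to its findings; unflagged headers are omitted."""
    return {h: r for h in headers if (r := assess(h))}
```

A flag from either check is a reason to route the message for manual review rather than to reject it outright, since legitimate partners do occasionally mail from similar-looking domains.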
The FBI has published a security alert warning businesses in the US about the email scam. It says that police around the world have heard of the scam, and it has been reported in 79 countries. The alert says that between October 2013 and February 2016, the FBI was made aware of $2.3 billion (£1.6 billion) in money lost due to the email scam.
The real cost of the scam is likely to be higher, though, as it’s unlikely that every payment was noticed or reported.
Some big tech companies have been targeted as part of this scam. Snapchat admitted in February that one of its employees had accidentally revealed payroll information after they were tricked by an email claiming to have been sent by CEO Evan Spiegel. Data-storage company Seagate also fell victim to the same scam in March. Fast Company publisher Mansueto Ventures was tricked into handing over data too.
The email scam isn’t limited to the US, either. Business Insider reported in August 2015 that around 10 well-funded London startups had received scam emails impersonating CEOs.
Here’s an example of one of the emails that was sent to a London startup: