CEO Sends You a Text Message: Fake or Real? Here’s how to avoid being scammed
Imagine you’re walking down Hardware Lane at lunch and suddenly receive a text from your CEO asking for help. The text says they are doing customer visits in Northcote and have discovered that a colleague hadn’t provided the promised gift cards.
As they are standing there with the customer, embarrassed, they ask you to pop into Woolies, purchase six $200 gift cards, and text the details immediately. They promise to reimburse you the cost when they return to the office later that day. The CEO needs the gift card details urgently before stepping into a meeting for the next few hours.
While you are surprised to receive the text, you vaguely remember something about them doing customer visits in northern Melbourne.
So would this random text force you to stop and consider if it’s legitimate? Or would you do as asked, find the nearest Woolies and purchase the gift cards?
Unfortunately, a surprising number of employees have fallen for this gift card scam and its variations. In one variation, your boss is stranded in Geelong without petrol, or in another dire but credible situation that only you can help with.
This scam can come either by text message or email. And then, the unsuspecting employee immediately acts, buying the gift cards and texting the details back. It’s only much later they find out it wasn’t the real company CEO who contacted them. No, it was a phishing scammer.
From July 2022, the Australian Communications and Media Authority (ACMA) instructed all telecommunication providers to identify, trace and block SMS scams. In the following six months, a massive 90 million text messages were successfully blocked.
ACMA introduced the rules to reduce well-known scams where hackers pretend to be legitimate companies such as banks, Australia Post or Linkt.
But even with ACMA’s intervention, research has found that 32.4% of employees are still likely to fall for phishing scams without proper training.
Why do employees continue to fall victim to phishing scams?
Hackers use social engineering tactics to manipulate emotions, so the employee executes the request. Even when the circumstances or details seem unusual, using these tactics helps the hacker get the employee to take action.
Some of the responses these social engineering tactics elicit include the following:
- The employee is fearful of not doing what is asked by a senior leader
- The employee sees it as an opportunity “to save the day.”
- The employee doesn’t want to let their employer down
- The employee may feel they will improve their career prospects by helping
The scam’s message is written to get the employee to act without thinking or checking. In most cases, it will include a sense of urgency, which discourages the employee from checking with the real CEO or their assistant to verify the legitimacy of the text message.
Fake CEO email scams American worker out of over US$6,000
As mentioned, variations of this scam are prevalent and can cause your business significant financial losses. But, importantly, you should know that your business isn’t responsible should an employee fall for a scam and decide to purchase gift cards with their own money.
In one example, a woman from Illinois in the United States lost over $6,000 after receiving an email from someone she thought was her company’s CEO. The email outlined that her line manager wanted to send gift cards to some team members who had gone above and beyond. As her manager was well known for being a great leader, it didn’t seem out of the question that he would be looking to reward and recognise his team. He ended his email with, “can you help me purchase some gift cards today?”
Acting on the email, the woman went to Target and Best Buy to purchase the gift cards. Soon after, she received another email asking her to send a photo of the cards. Again, the wording in the message was very credible and non-threatening. It simply stated, “Can you take a picture? I’m putting this all on a Google sheet.”
The woman purchased over $6,500 in gift cards that the scammer stole. When she saw her manager later that day, she was horrified to learn he knew nothing about the gift card request. It was only then she recognised she had become the latest phishing victim.
3 must-know tips to avoid costly phishing scams
1. Always check with the person making the unusual request
Even if the text message says they are unavailable, it is best to check in person or by phone. If you receive any unusual or unexpected requests, especially money-related messages, take the time to verify the request is legitimate.
2. Pause and don’t immediately react
The success of a phishing scam relies on urgency and your acting immediately. Instead, when you receive a message out of the blue or that appears strange, take a few moments to pause and assess the message objectively. This is often all that’s needed to realise it’s a scam. Don’t react emotionally. Instead, ask yourself if the message appears legitimate or out of the ordinary.
3. Seek a second opinion
Ask a colleague or contact your company’s IT managed service provider to review the message. Seeking a second opinion will stop you from reacting immediately and can save you from making a costly judgment error.
When was the last time your employees had phishing training?
Even with ACMA cracking down on the telcos, your business still needs to offer regular employee training. As you know, phishing keeps getting more sophisticated all the time. So let us help ensure your employee awareness training is up to date.
About the author
Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business, Yener worked for a number of corporate organisations where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.