A staffer at YMCA of Austin recently got an email that appeared to be from the CEO and asked for all employees’ W-2s.
Luckily, the staffer realized the email was a scam.
The CEO scam has succeeded in bilking businesses and nonprofits out of more than $1.2 billion since October 2013, according to the FBI.
Here’s how it works:
A staffer receives an email that appears to come from the CEO and urgently asks either that money be wired to an account to complete a highly sensitive transaction or that the staffer send all employees’ W-2s.
Snapchat fell victim to this scam as well after an HR employee was tricked into handing over payroll information about “some current and former employees.”
Snapchat exposed its employees to potential identity theft and will be paying for two years of credit monitoring for all affected employees.
It’s not just businesses; nonprofits also appear to be on the scammers’ radar.
“The email came into our payroll manager,” said Jim Pacey, VP of operations for YMCA of Austin. “Everything looked like it came from (the CEO) except the email address had one extra letter.”
The email demanded that the W-2s be sent that day. The CEO was out of town. The staffer became suspicious and took the email to Pacey who noticed several red flags.
“It wasn’t well written,” Pacey said. “And (our CEO) would have known that the file would be too large to send electronically, but for a smaller organization they might send that off right away without thinking about it.”
Pacey contacted the CEO by text and confirmed the email was a fake. He then found out another YMCA had also been targeted.
“It’s important that people know about this,” Pacey said. “These types of scams and many others are happening every moment.”
To avoid this type of scam, Better Business Bureau serving Central, Coastal, Southwest Texas and the Permian Basin offers the following advice:
- Confirm email requests by phone. If an email is requesting wire transfers of company funds or sensitive documents, it’s best to confirm the request by phone. In some cases, victims reported that the CEO’s email account had been hacked and the requests were coming from inside the company’s system.
- Strengthen passwords. At a minimum, passwords should be eight characters long, contain upper and lower case letters, numbers and symbols.
- Develop policies for handling money or sensitive data. Policies should be consistent and up-to-date with the latest advances in technology. Make sure all employees are trained on the policies.
- Keep lines of communication open. This type of scam only works if subordinates don’t feel comfortable questioning the boss or the CEO.
- Inspect the email. Look to see who exactly the email is from as scammers will sometimes use an email address that looks similar to one your company uses. See if there are any attachments or hyperlinks that don’t exactly make sense in relation to the email. Also, check the content of the email. Is the sender asking something that’s out of the ordinary or would have negative consequences?
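The “one extra letter” trick described above can be checked mechanically before a message reaches the payroll inbox. The script below is an added example, not code from the article or from the Better Business Bureau or YMCA of Austin; the domains, the executive name and the sample messages are constructed placeholders. It measures how far the sender’s domain is from the organisation’s real domain, flags an executive’s display name paired with an outside address, notes a Reply-To that points somewhere else, and looks for an urgent W-2 request in the body.

```python
"""Flag emails whose sender impersonates a trusted domain (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholders: the organisation's real domain and the
# display names scammers are likely to borrow.
TRUSTED_DOMAINS = {"exampleymca.org"}
EXECUTIVE_NAMES = {"jane doe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_parts(header_value: str) -> tuple[str, str]:
    """Return (lower-cased display name, lower-cased domain) from a From/Reply-To value."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def inspect_message(raw: str, trusted=TRUSTED_DOMAINS,
                    executives=EXECUTIVE_NAMES, max_distance: int = 2) -> list[str]:
    """Return a list of red flags; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, domain = sender_parts(msg.get("From", ""))
    findings = []

    if domain and domain not in trusted:
        # A domain that is almost, but not quite, ours is the classic lookalike.
        for real in trusted:
            d = levenshtein(domain, real)
            if 0 < d <= max_distance:
                findings.append(f"lookalike domain: {domain} is {d} edit(s) from {real}")
        # The boss's name on an outside address is impersonation, not a typo.
        if name in executives:
            findings.append(f"display name '{name}' matches an executive but {domain} is external")

    # Replies silently routed to a different domain are another common tell.
    _, reply_domain = sender_parts(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")

    # Content check: an urgent demand for W-2s is out of the ordinary.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "w-2" in text and any(w in text for w in ("today", "urgent", "asap")):
        findings.append("content: urgent request for W-2 forms")
    return findings


# Constructed sample: one extra letter in the domain, outside Reply-To, urgent W-2 ask.
SCAM = """\
From: Jane Doe <jane.doe@exampleymcaa.org>
To: payroll@exampleymca.org
Reply-To: jane.doe@mailbox-example.net
Subject: W-2s needed today
Content-Type: text/plain; charset="utf-8"

Please send me all employee W-2s today, I'm traveling and need them urgently.
"""

# Constructed sample: a routine message from the real domain.
CLEAN = """\
From: Jane Doe <jane.doe@exampleymca.org>
To: payroll@exampleymca.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for flag in inspect_message(SCAM):
        print("SCAM:", flag)
    print("CLEAN:", inspect_message(CLEAN) or "no findings")
```

The distance threshold of two edits catches added, dropped or swapped letters without flagging every unrelated domain; a real deployment would also pass an untrusted sender through the usual SPF/DKIM checks, which this example leaves out.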