When an employee saw an “urgent” email from her boss
By Stephen Trout, , HIPAA Blog

When marketing professional Kari Hornfeldt saw an “urgent” email from her boss, requesting that she purchase $1,000 worth of Google Play gift cards to give to company clients, she wasted no time. “In hindsight, I should have been like, ‘This is weird,’ but your boss asks you to do something and you do it,” Hornfeldt said.

When the company credit card didn’t process, Kari purchased the cards using her own debit card, trusting the company would reimburse her. Turns out, the company knew nothing about it. 

Kari and her company soon discovered they’d been scammed, by an increasingly common (and surprisingly effective) phishing email known as a CEO scam, or Business Email Compromise (BEC). But not before Kari followed additional instructions to “scratch off the back code and email a clear picture of all the codes.”

“I basically used up all of the money in my checking account to buy these cards,” she said. It was only when she was instructed in a follow-up email to buy more cards – which she attempted to do at a local Best Buy – that an employee at the store questioned the purchase and warned her about the scam.

Why the Scam Works

The email certainly looked legit, appearing to have originated in the CEO’s office. But that was only because it had been expertly doctored to look official. And because there was urgency involved (“I need this in 30 minutes”), Kari responded in a hurry – as any conscientious employee might – using less caution than usual in verifying the request.

So what makes the BEC so effective?

  • It appears to come from a usually trustworthy figure, with the authority to make such requests.
  • It uses emotionally-charged key words, like Urgent, or Billing, or even Taxes. (Some scams might appear more legitimate around tax season, especially when your own CEO seems to be asking for W-2 information). Playing on our emotions in this way – called social engineering – can cause us to respond in haste – which is exactly what the scammers are hoping to achieve.
  • It targets those most likely to respond, including nonprofits, healthcare, and schools. Payroll and HR departments are also frequent recipients.

What to do?

  • First, do a “gut check.” If it seems unusual or odd, there’s probably something to it. It never hurts to take a moment to verify.
  • Train employees to be on the look-out for various kinds of phishing emails, including the BEC.
  • Use two-factor authentication (2FA, aka, “two-step verification”) for your email, when possible. 2FA is a login process which requires you to not only use a password, but an additional step of verification. This can be a physical security key (USB stick on your key ring); a biometric scan such as a fingerprint; or a time-based, one-time password algorithm. That way, even if a password is hacked once, they can’t keep logging into your email account, since they won’t have the second step. (We like the Google Authenticator app, since it sends a code to your app over a secure (HTTPS) connection).

Organizations that receive W-2 scam emails can forward them to phishing@irs.gov, with the subject line: “W-2 Scam”.

By the way, you’ll be happy to know that Kari’s company was kind enough to reimburse her for her losses!

(This article was first reported on by NBC, Chicago 5).