The holidays are upon us, which means that organizations are probably being hit with email scams, variously called “phishing,” “spear-phishing,” or “whaling,” depending on the targeted individuals and purpose. One of the more recent ones involves your “boss” emailing you asking if you have time to help with a “REQUEST.” When you respond, the “boss” asks you to go buy gift cards for other employees, but to keep it quiet because it’s a “surprise.”
The “surprise,” of course, is that the emails aren’t from your boss at all. If you hover over the “from” field, you’ll find the email came from a random address that isn’t your boss’s address. We haven’t followed through to the end of this story ourselves, but no doubt the scammer’s next move, should you take the bait and purchase the gift cards, would be to obtain the code on the back of the cards from you. And voila! Scam complete.
Yup, we got one of these here at CIRSA, and it hit a little too close to home, as I was the purported sender asking a staff member to fulfill a “REQUEST.” Fortunately, the staffer came to me and asked what I needed help with. We looked at the suspicious email in question, and noted that it came from a random Yahoo addy, not a CIRSA addy. SCAM!
CIRSA members have been hit by these scams, too. In one case, someone in the finance department was asked by someone posing as the city manager to make wire transfers in payment of a nonexistent contract obligation of the city. The scam was discovered only after a significant sum of money was transferred. In another case, a CIRSA member received an email notification that CIRSA was purportedly sending money to the member via PayPal (we weren’t, and if we were, it would not have been via PayPal).
So protect yourself! If you get any kind of email request asking you to fulfill a non-routine financial transaction, or asking for sensitive information, be suspicious! Hover over the “from” field and check the actual address, as that may be your first clue: the email address most likely won’t actually be your organization’s. And then do what our staffer did. Go see the sender, or give the sender a quick call, to ascertain whether the sender actually made the request. Don’t be fooled by the apparent urgency of the request, the seeming “authority” of the sender, or the purported need for secrecy! These scams rely on some pretty rudimentary “social engineering” tactics that are easily defeated with some quick face time or phone time.
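The checks above can also be automated at the mail gateway or in a mailbox rule. The script below is an added example, not code from the original post or from CIRSA: it parses a message, compares the real sender address (not the display name) against the organization's domain, flags a familiar display name paired with an outside address, and looks for the urgency, secrecy and gift-card or wire-transfer language the post describes. The domain `example.org`, the `KNOWN_STAFF` directory and both sample messages are constructed for the example.

```python
"""Constructed example: flag business-email-compromise style requests.

The heuristics mirror the post's advice: trust the sender address, not the
display name, and treat urgency, secrecy and non-routine payment asks as red
flags that call for an out-of-band check with the supposed sender.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organization's own mail domain and a
# small directory of people scammers like to impersonate (display name -> address).
ORG_DOMAIN = "example.org"
KNOWN_STAFF = {"pat executive": "pat.executive@example.org"}

URGENCY_WORDS = ("asap", "urgent", "immediately", "right away")
SECRECY_WORDS = ("keep it quiet", "surprise", "don't tell", "confidential")
PAYMENT_WORDS = ("gift card", "wire transfer", "paypal", "codes on the back")

# Constructed sample messages modelled on the scam described in the post.
SAMPLE_SCAM = """\
From: "Pat Executive" <pat.executive.office@yahoo.example>
Reply-To: pat.executive.office@yahoo.example
To: staffer@example.org
Subject: REQUEST

Do you have a moment? I need you to buy some gift cards for the team.
Keep it quiet, it's a surprise. Send me the codes on the back ASAP.
"""

SAMPLE_LEGIT = """\
From: "Pat Executive" <pat.executive@example.org>
To: staffer@example.org
Subject: Lunch on Friday

Can you book the room for Friday? Thanks.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_message(raw: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return the real sender, a list of red flags and an overall verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    flags = []
    # The post's first clue: the address behind the display name is external.
    if domain_of(addr) != org_domain.lower():
        flags.append("external-sender")
    # Replies routed somewhere other than the visible sender.
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        flags.append("reply-to-mismatch")
    # A known colleague's name on an address that is not theirs.
    known = KNOWN_STAFF.get(display.strip().lower())
    if known and known.lower() != addr.lower():
        flags.append("display-name-impersonation")
    # Simple substring matching; good enough for a triage hint, not a verdict.
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency-language")
    if any(w in text for w in SECRECY_WORDS):
        flags.append("secrecy-language")
    if any(w in text for w in PAYMENT_WORDS):
        flags.append("payment-request")

    suspicious = "display-name-impersonation" in flags or (
        "external-sender" in flags
        and ("payment-request" in flags or "secrecy-language" in flags)
    )
    return {"from": addr, "flags": flags, "suspicious": suspicious}


if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(raw))
```

A "suspicious" result is a prompt for the human step the post recommends (walk over or phone the purported sender), not a reason to act on the email; the keyword lists are deliberately short and will need tuning for an organization's own vocabulary.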