Sorry for the text. I’m in a meeting and in a bit of a bind. Really need you to do me a favour.
At least one North Vancouver employee who recently received a message like that purporting to be from her boss soon discovered it wasn’t her supervisor who needed the favour.
Instead, it was a scam artist.
Unfortunately, by the time the woman realized she’d been scammed she was out $1,500 in Apple gift cards.
More recently, the North Vancouver RCMP said one of their own civilian employees was targeted in a ruse that they’re describing as the “boss scam.”
In that case the employee was asked in an email to buy Amazon gift cards and supply them with the PIN numbers. Fortunately that employee knew something was fishy and didn’t go ahead with the request.
Const. Mansoor Sahak, spokesman for the North Vancouver RCMP, said the “boss scam” is more sophisticated than it appears, which is why people fall for it.
Here’s how it works:
- First the scammer scours the Internet for names and emails of a company’s high-ranking supervisors. They’ll also search for job titles, telephone numbers and other important information about the company, to help disguise their request.
- Next, the scammer hacks into the supervisor’s business account or spoofs a similar email domain that’s hard to notice (for example [email protected] becomes [email protected]). Or, they might create a fake email account through Gmail, Yahoo or another service, and make an excuse for sending something from their personal email. Or they could spoof a phone number from your area code and send a text message instead.
Sahak said criminals love gift cards, because there’s nothing traceable. No legitimate business or government agency will ever insist that you pay with a gift card, he added.
How to avoid a fake boss scam:
- Pause and verify. Scammers create a sense of urgency to prey on your emotions – especially when a boss is involved. Police advise you not to reply directly to the text or email. Instead confirm a suspicious request through a different email or phone number you trust.
- Spoof-proof your company’s email. Work with your IT department to set up security and spam filters on your company email. Bosses should set up an external email warning that will add a warning message to the top of any emails that come from someone outside of your organization.
- Have a robust phishing training program. Police also urge supervisors to provide phishing awareness programs to employees.