Director scam emails targeting SMEs are on the increase in the UK and are becoming increasingly sophisticated.
Sometimes known as ‘Whaling’ emails, Director scam emails are a type of phishing scam – but targeting the bigger ‘phish’.
In this type of attack, cyber criminals impersonate a senior member of the victim's own company to trick them into transferring money.
Financial Fraud Action UK warns that con men have started carefully targeting individuals by sending them emails which appear to be from their senior colleagues such as the finance director or chief executive.
Criminals use publicly available information – such as Facebook, Twitter and Companies House – to gain knowledge of target companies, such as the names of senior staff.
The sender address is then forged, or a near-identical look-alike domain is used, so that the email, including the sender's address, looks completely genuine at first glance. The fraudulent email appears in the recipient's inbox in the same way as a regular email from that contact.
The email requests that an urgent payment is made outside of normal procedures, often giving a pressing reason for needing the money, such as the need to secure an important contract.
Targeting out-of-office executives
With Director scam emails, criminals also use social engineering to lend credibility to their requests. Watching social media for the movements of senior staff makes the requests seem even more realistic: the emails can be sent when executives are known to be away on business, or even on annual leave. A senior staff member being away from the office also makes it more difficult to corroborate the request.
The account the payment is sent to is controlled by the criminals. On receipt of the funds the money is quickly withdrawn or moved on, and the victim is unlikely to ever see it again.
Fraudsters have also been known to compromise the genuine email accounts of senior staff before sending the fraudulent emails. This means that any email sent to the senior staff member's inbox to check the request is answered by the fraudster. If suspicious, always take the conversation offline.
The scam relies on urgency. While an urgent request from the boss might naturally prompt a swift response, it should in fact be treated as a warning sign of a potential scam. That is why it is vital that finance teams verify any unusual demand for payment through an alternative channel, such as over the phone or face to face, before making the payment.
How to avoid being caught out by Director Scam Emails
It can be difficult for spam filters to pick up these types of emails, so it is down to staff training and awareness, alongside robust processes, to mitigate the risk.
Here are our top tips:
- Put together a documented internal process for requesting and authorising payments. Make sure this is communicated to all staff with access to the business's bank accounts and credit cards.
- Train staff to be suspicious of any request to make a payment outside of the company’s standard process.
- Always check any unusual payment requests directly, ideally in person or by telephone, to confirm the instruction is genuine. Avoid using any contact details contained in the email.
- Be cautious about any unexpected emails which request urgent bank transfers, even if the message appears to have originated from someone within the organisation.
- When replying to an email, get into the habit of pressing forward and typing in the recipient's address rather than pressing reply. A reply goes to whatever Reply-To address the sender set, which the scammer controls; a forward to an address you typed yourself does not.
- The address a scam email comes from is made to look like one from your company. You can check this by hovering over the sender name, which will often reveal the address you would really be replying to. This is not foolproof, however: a look-alike domain is easy to miss at a glance, and if the senior staff member's real account has been compromised even a forwarded email reaches the fraudster. Forwarding to an address you typed yourself is far more reliable than reply, but the confirmation should still be made by phone or in person.
- Consider whether the email contains unusual language or is written in a different style from the sender's other emails. Spelling mistakes are a dead giveaway, and it is amazing how often these types of emails contain them.
- Ensure email passwords are strong and unique, and turn on multi-factor authentication where your email provider offers it, so that a stolen password alone is not enough to take over a director's mailbox. Consider whether it may be time to use a password manager.
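Several of the checks above (does the display name belong to a director whose address does not match, is the sender domain a look-alike of the company's, does Reply-To point somewhere other than the visible sender, is the message an urgent payment request) can be applied mechanically to the raw message headers before a human ever hovers over the sender name. The script below is an added example, not code from the original article or from any product it mentions: the company domain, the director directory and the four sample messages are all constructed for illustration, and the heuristics are deliberately simple so that the logic is visible.

```python
"""Heuristic checks for Director scam (CEO fraud) emails.

Added example, not from the original article. COMPANY_DOMAIN, EXECUTIVES
and SAMPLE_MESSAGES are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

COMPANY_DOMAIN = "example-ltd.co.uk"                          # assumed company domain
EXECUTIVES = {"jane smith": "jane.smith@example-ltd.co.uk"}   # assumed director directory
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away")
PAYMENT_WORDS = ("payment", "transfer", "invoice", "bank", "wire")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> List[str]:
    """Return a list of warnings for one raw RFC 5322 message (empty if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    warnings = []

    # 1. Display name of a known director, but the mailbox is not theirs.
    key = display.strip().lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        warnings.append(f"display name '{display}' but address {addr} is not {EXECUTIVES[key]}")

    # 2. Sender domain that is close to, but not equal to, the company domain.
    if from_domain != COMPANY_DOMAIN and levenshtein(from_domain, COMPANY_DOMAIN) <= 2:
        warnings.append(f"look-alike domain {from_domain}")

    # 3. Reply-To on a different domain from the visible sender: pressing
    #    Reply would send the conversation to that address, not to the director.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != from_domain:
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Urgent payment language, the hallmark of the scam (plain-text bodies only).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        warnings.append("urgent payment request in subject/body")

    return warnings


# Constructed sample messages: one genuine, three fraudulent variants.
SAMPLE_MESSAGES = {
    "legitimate": 'From: "Jane Smith" <jane.smith@example-ltd.co.uk>\n'
                  "Subject: Board pack for Thursday\n\nAttached as discussed.\n",
    "display_name_spoof": 'From: "Jane Smith" <jane.smith.ceo@gmail.com>\n'
                          "Subject: Urgent payment needed\n\nI am in meetings all day, please sort this.\n",
    "lookalike_domain": 'From: "Jane Smith" <jane.smith@examp1e-ltd.co.uk>\n'
                        "Subject: Invoice to be paid immediately\n\nNew supplier, details below.\n",
    "reply_to_redirect": 'From: "Jane Smith" <jane.smith@example-ltd.co.uk>\n'
                         "Reply-To: <j.smith.private@outlook.example>\n"
                         "Subject: Urgent: need a transfer done\n\nReply here, I am travelling.\n",
}


def run_samples() -> Dict[str, List[str]]:
    """Analyse every sample and return {name: warnings}."""
    return {name: analyse(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, found in run_samples().items():
        print(f"{name}: {found or 'no warnings'}")
```

None of these checks replaces the phone or face-to-face confirmation the tips call for: the Reply-To and look-alike tests are silent when a director's real mailbox has been compromised, which is exactly the case that makes the offline check necessary.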