How about this one.
The scammers targeted a new employee, let’s call her Sarah, who had been at the company for less than two weeks.
They sent her an email, allegedly from the managing director, asking Sarah to buy some John Lewis and Apple gift cards to be used as gifts for valued employees. The email asked her to keep it confidential so as not to spoil the surprise for those employees.
As the employee was so new, she somehow did not question why the MD was asking her, rather than literally ANYONE else in the office, to do this important task. The email address and the language of the emails were not at all what the MD would use but, because Sarah was so new, she didn’t realise.
They asked her to buy £2000 of gift cards at £500 each. She, and this is so sad, said that she only had £200 in her account, and apologised to the MD/scammers that she could only buy this much.
Sarah really got into the secretive angle of it all, and said she would buy it from Tesco, so that there was no record on the corporate credit card. Again, as a legitimate business expense, it goes through the accounts either way, and the gift cards state how much they are for, so there is no “hiding” the amount spent on it from accounts in any way.
Another aside – these gift cards, in the real world, are a legitimate tax-free business gift to a maximum of £50 per employee per month. Sarah could not have known this, but you as a business owner need to know about “trivial benefits”, the HMRC term for them.
They agreed that she could just buy £200 worth and then asked her to scratch off the code and send the codes through by email. After doing so, and before she sent the PIN numbers through, something triggered suspicion in Sarah, and she spoke to her team leader, which is when she realised her mistake.
What can you do to make sure that none of your staff are taken for the same ride?
- Speak to your staff! In person. If Sarah had had more interactions with the MD, or the way they communicate, then she would never have.
- Tell your staff that neither you, nor any other member of management/staff, would ever ask anyone to make a purchase out of their own account.
- You would never ask them to keep it confidential.
- If they feel honoured that the MD would ask them (employee way down the pecking order) to do something, that should ring alarm bells.
- Look at the language and see if it makes sense. In one of their emails, they say “happy new month”, which is not what a native English speaker, and certainly not this MD, would use.
- If any email looks suspicious, ignore it and report it to a manager/IT.
- Check the email address that it is coming from. It had the MD’s name on it, but the actual email was not a company one, in fact it ended with “mail.ru”.
- If the email address is not visible, advise them to hover the cursor over the “from” name to display the email address and language.
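The sender check in the last two points can also be run automatically on incoming mail. This added example (not part of the original post) flags a message whose "from" name matches a senior name while the actual address is outside the company domain; the domain `example.co.uk`, the name Jane Smith and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"   # assumption: replace with your real mail domain
PROTECTED_NAMES = {"jane smith"}   # assumption: names of the MD / senior staff
PRESSURE_PHRASES = ("gift card", "confidential", "surprise")  # cues from the story

# Constructed sample messages (not real mail).
SAMPLE_SCAM = (
    'From: "Jane Smith" <jane.smith.office@mail.ru>\n'
    "To: sarah@example.co.uk\n"
    "Subject: Quick favour\n"
    "\n"
    "Please buy some gift cards for valued employees.\n"
    "Keep it confidential so we do not spoil the surprise.\n"
)
SAMPLE_GENUINE = (
    'From: "Jane Smith" <jane.smith@example.co.uk>\n'
    "To: sarah@example.co.uk\n"
    "Subject: Team lunch\n"
    "\n"
    "Lunch is on Friday.\n"
)

def triage(raw_message: str) -> list[str]:
    """Return the reasons a message should be reported to a manager/IT."""
    msg = message_from_string(raw_message)
    # Split the header into the shown name and the real address behind it.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    external = domain != COMPANY_DOMAIN
    reasons = []

    # Red flag 1: a senior person's name on an address that is not a company one.
    if external and " ".join(display_name.lower().split()) in PROTECTED_NAMES:
        reasons.append(f"name '{display_name}' is senior staff but address is @{domain}")

    # Red flag 2: an outside sender asking for gift cards or secrecy.
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if external and hits:
        reasons.append("external sender uses: " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE_SCAM):
        print("REPORT:", reason)
```
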
Luckily, in this case the company was able to buy the vouchers from her and use them, but that will not always be the case!
Speak to your staff before the scammers do!