This list is relevant to businesses, but the same principles apply to our personal lives. The objective is to not be scammed, obviously. But to do that, we need to identify when we’re the target. This list will help, and is most effective when the key players within your business are aware of their roles, responsibilities and limits.
Let’s start with the list, and further down the page we’ll use an example.
- Scams change over time, so rather than focus on the exact method, focus on the objectives of the scammer. That’s ultimately to get your money. Romance scams, TAX debt scams, business opportunity scams – they all end with the scammer taking your money. When you’re talking/emailing/messaging someone new, consider that “if they were a scammer, what would be their angle”?
- Have checks and balances in place. Ie, the transfers of funds over a set amount requires two people to sign off on the transaction. The idea is to raise the odds of picking up on the scam before it goes too far.
- Validate the person you’re communicating with. Phone numbers, email addresses and (with the advent of AI) voices can seem convincingly legitimate. Do some research.
When you’re talking to someone you haven’t yet verified as legitimate, consider that they could be a scammer, and ensure that any transactions (including the purchase of gift cards) is approved by at least two people in your business.
Here’s an example. It’s a true story.
The CEO announced on LinkedIn that he’d be attending a conference in another country. While at the air port, the CFO (back in the office) received an email appearing to be from the CEO asking for an urgent transfer of funds. The CFO knew the rules and called the CEO to verify the transaction. The CEO had no idea about the request and the scam was thwarted at this point.
The email had come from a gmail account that used the same name as the CEO. At first glance, it looked legitimate. The scary part is that the scammers had done their homework and calculated when the CEO would have to be at the airport (or already flown) to know when to send the email.
Here’s another example. Another true story.
A general staff member (let’s call him Jack) over heard a phone call between the public relations officer (let’s call her Ann) and someone else. Jack heard Ann saying “gift card” and “when do you need them by” and that was enough for Jack to walk over to Ann and ask her to hang up the phone. The scammer was asking Ann to purchase gift cards and then send the scammer the reference numbers.
Here’s yet another example. And yes, it’s a true story.
A man (let’s call him Ben) was using a dating app. He received a request to connect and accepted it. They had been chatting using the app for a few days. The person (let’s call her Sally) asked Ben to switch over to WhatsApp because it’s easier for her to continue the conversation that way. Sally then sent Ben some photos of herself. The photos were nothing bad, just typical photos of someone socialising. Ben decided to Google the photo to see if he could find any information about Sally – call it due diligence. Google has a reverse-image search function that allows someone to upload an image and Google will search based on its contents. Ben found that the photos had been used for multiple LinkedIn accounts and social media accounts. He asked Sally about this and Sally became overly defensive suggesting she’d (or he’d) been caught out, and was trying to make Ben feel guilty. Ben ended the connection at this point.
In each example, the scam failed because:
- A policy was followed despite the CEO putting pressure on the CFO to make a transaction.
- A co-worker noticed something strange. When two co-workers are involved, it’s easier to identify scams.
- A romance scam failed when things didn’t add up. A little research identified the scam.
The next consideration is that the caller is legitimate. The following is an example of a legitimate exchange.
Ben (we’ll call him) received a phone call from someone claiming to be from the TAX office. Ben had the right mindset and considered how he could verify the callers identity. The TAX office worker asked Ben for his full name and date of birth, but Ben refused to give it (sensible). So Ben asked how he could know if the TAX office worker could verify himself to Ben, but the TAX office worker couldn’t. So Ben said he’d check himself to see if there was any outstanding amounts in his online TAX portal. There was an outstanding amount. The TAX office caller could have been a scammer, or could have been legitimate. Regardless, Ben didn’t take the risk and did his own research.
The above dilemma (the caller verifying themselves) is a hard problem to solve. Let’s use the above example for this discussion. The TAX office caller (let’s call him Jim) could verify himself by telling Ben someone like Ben’s address or year of birth, or even his middle name. But doing so would be leaking information to someone Jim hasn’t yet identified. A form of mutual identification is needed, but such a system needs to exist “before” the conversation starts. One way to do this is to send a 4 digit code to Ben’s mobile, but anyone could do that, not just the TAX office. Another way would be for Jim to send a message via the online TAX portal, but Ben may not have access to his portal for any reason. Regardless of the mechanism, unless both parties know the identify of the other, nothing sensitive should be communicated.
The above information is a short introduction into preventing or limiting the damage done by scammers. It’s important to consider that each new contact is a scam, and that scams change and are increasingly innovative.
If you need more information, please contact our team here. We’re experienced and willing to help.