Skip to main content

Real-Life Stories of Cyber Crime: Executive Email – Podcast 2


Published April 7, 2020 • 4 Min Read

This article originally appeared on RBC Cyber Security Resource Centre on April 7, 2020.

It’s no big surprise that senior executives are often targets of business fraud given their authority within the companies that they work. Among small and medium-sized businesses, two of the most common types of scams are business email compromise and spear phishing. In these attacks, criminals impersonate an executive in the hopes of tricking employees into transferring money or data to a fraudulent account.

Scammers can craft convincing, credible-looking emails that don’t raise red flags for the recipient by using information openly available online such as a person’s position, their team members and even their hobbies. So when an employee receives an email asking for money be transferred to a new account, for a large payment be made to a new vendor or for access codes to be changed, the employee has little reason to question the request.

Protecting your business from these types of attacks requires education and cooperation across all levels in your organization, particularly with those who have access to money and data. In the second episode of our podcast series: Real-Life Cyber Crime Stories, RBC Director of Awareness and Education Denise Pratt sits down with Detective Alpha Chan from the Toronto Police Services Cyber Crime Unit.

Listen to the podcast for Detective Chan’s stories, warnings and prevention tactics that can help protect your business from these sneaky scams.

Detective Chan explains that scammers have become savvy and creative in their tactics to dupe employees and impersonate senior executives. But with the right preparation, information and a healthy dose of suspicion they can be stopped.

Here are four ways you and your employees can protect your business from Business Email Compromise and Spear Phishing scams.

1. Understand and/or limit your online exposure

Cyber criminals can gather robust background information on individuals using details that are publicly available online through social networks like LinkedIn and Facebook. This helps them become convincing impersonators. As Detective Chan explains, “If you’re known as a controller or a treasurer… you have to understand the exposure that you have and [recognize that] you’re a high value target to scammers.”

Understanding that many individuals likely won’t stop posting profiles and updates on social platforms anytime soon, Detective Chan simply asks for awareness. “Be aware of your exposure and take certain precautions when dealing with emails,” he advises.

2. Pay attention to details

One of the main ways fraudsters impersonate executives is by spoofing their email addresses. Unfortunately, criminals can easily create email addresses that appear to be very similar to the email of the person they are trying to impersonate. Consider an email coming from someone at – but instead of an “o” they use the symbol “0.” Paying close attention to details can end up saving your company from significant losses.

3. Don’t rush

Many fraudsters succeed at scamming an individual because they don’t give them time to think. They often send an email requesting an ‘urgent’ transfer of funds, with serious consequences should the employee not act immediately. But as Detective Chan explains, “there is really no rush. You can take a pause. If something doesn’t seem right, just take a moment and look at what you’re doing before pressing send.”

He further encourages employees to trust their instincts. If something doesn’t look right, it probably isn’t.

4. Have processes in place

Finally, the best way to guard against these types of scams is to have standardized processes in place – where even if an employee gets tricked, the business won’t suffer a loss.

This is particularly vital for busy teams and companies. “If you are fortunate to have a very busy and fruitful business, you’re going to have a lot of emails transferring money out… So all it takes is just one slip to lose money,” says Detective Chan.

Proven processes include:

  • Dual controls for payments. This process ensures that at least two people must approve a transaction before it goes through. Having two sets of eyes on a transaction increases the chances that something suspicious will be caught.

  • Face-to-face verification. In some cases, especially if your office is small, implementing a step where all fund transfers must be verified face-to-face can avoid falling victim to a scam.

  • Non-email validation. If a request for funds is made via email, validating the request by a phone call can also stop the scam from being successful.

    The Little Book of Big Scams free e-book

    A guide to fraud prevention for small to medium-sized businesses

    More Cyber Security Essentials

This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.

Share This Article


Cyber Tips Entrepreneur