In December last year, Christine Campbell, who managed one of John Kahlbetzer, an Australian millionaire's accounts, received an e-mail from him asking her to transfer $1 million from his account to one David Aldridge, a British citizen. Kahlbetzer was on Forbes' list of Australia's 50 richest people and boasted a net worth of $950 million.
Campbell, who regularly received such e-mails from Kahlbetzer, complied. However, it later turned out that the sender of the e-mail wasn't Kahlbetzer himself but an impersonator who made the e-mail look like it came from him.
According to Bloomberg, the e-mail address used by the impersonator was 'one character different' from Kahlbetzer's own e-mail address but it was made to appear exactly like his e-mail address on the screen. After the funds were deposited in his account, Aldridge transferred $82,600 to one of his bank accounts and transferred the rest of the money to accounts located in the UK, Nigeria, the United States, Hong Kong, the U.A.E., and Ghana.
The incident was just an example of how easy it is for scamsters to steal money from vulnerable netizens by impersonating people and using identical e-mail addresses to get funds transferred to their own accounts.
Impersonation fraud rose by 58 percent since 2017
A recent survey of around 1,500 SME workers by Lloyds Bank and Get Safe Online recently highlighted how effective cyber criminals have been in duping employees at small and medium enterprises to share corporate secrets or to transfer money to their accounts by impersonating top company executives.
According to Lloyds Bank, the number of reported impersonation fraud cases rose by 58 percent since 2017, costing UK-based SMEs an average of £27,000 and impacting nearly half a million of them. In terms of industries, law firms bore the brunt of impersonation fraud scams, suffering 19 percent of all attacks, followed by HR professionals, IT workers and finance companies.
In the survey carried out by Lloyds and Get Safe Online, while over half of SME workers said they received fraudulent emails from people impersonating their company CEOs, 52 percent also said they received fraudulent emails and invoices from people posing as their suppliers.
Impersonation fraud has also left a mark on employees who were duped by scamsters. While one in twenty victims said they hid their mistake from their teams as they were ashamed, 15 percent felt angry, and 8 percent said they could not trust their co-workers anymore.
"The rise of impersonation fraud is a very concerning issue for small and medium-sized businesses. We know that falling victim to these types of scams can be serious as the impact extends beyond just the financial implications. This is why we’ve teamed up with Get Safe Online - to help educate business owners and employees on how to recognise these scams and take the right precautions to protect themselves," said Gareth Oakley, managing director of business banking at Lloyds Bank.
Employee training a must
Steven Malone, Director of Security Product Management at Mimecast, said that many small and medium enterprises naively believe they’re too small to be targeted by cyber criminals, and this is a major reason why email impersonation fraud and ransomware attacks are now the easiest way for criminals to get their hands on valuable data and money.
"Our Email Security Risk Assessment showed just how many of these malicious emails are appearing in business inboxes. In the last quarter alone, there has been an 80% increase in impersonation or business email compromise – or BEC – attacks. With the number of victims ever growing, it is time for SMEs to realise that their size is irrelevant to hackers, and a breach can have a great impact on their business.
"Hackers rely on human error here, so training employees to recognise the fraudsters is the first part of the puzzle. To combat these threats, organisations must adopt a cyber-resilience strategy that tackles all organisational weak links from the bottom up. This means adopting a layered security approach, including dedicated protection from impersonation attacks and secured email systems, along with proactive measures such as simulations and employee awareness training," he added.