In September 2022, the Serum Institute of India made headlines when one of its directors, Satish Deshpande, was scammed of Rs 1.01 crore by someone pretending to be CEO Adar Poonawala. The news brought to light that scammers were using the names and profiles of company CEOs to contact staff and ask for monetary help or favours, with a promise of reimbursement later.
Months later, in April 2023, the "CEO scam" found mention on Twitter again when Shikhar Saxena, an employee of Meesho, shared his experience. Saxena posted a screenshot of a WhatsApp message in which someone pretending to be Meesho CEO Vidit Aatrey asked if Saxena would be able to make a purchase for him through Paytm. "Latest scam in the startup world - message from the CEO (sic)," the tweet said.
The message was, of course, an attempt to scam Saxena of his money.
What is the "CEO scam"? Is it a new fraud?
Cyber expert Ritesh Bhatia told BOOM that the above case was an example of a "CEO scam" via WhatsApp using online impersonation. According to Bhatia, scammers pretend to be someone from the top management of a company and reach out to junior employees over e-mail or messages, asking for money, data, passwords and other sensitive information.
"This type of scam has been happening for a long time but initially it was happening in the form of emails wherein the CEO would be writing to a CFO, asking them to transfer a certain amount," said Bhatia. He further explained, "Once this scam came to light, CEOs put a lot of tools in their organisation and had the processes in place, which were able to detect fraudulent emails. As the scammers started to lose out on business, they came up with WhatsApp as a medium, by using the profile picture of the CEO."
Soon after Saxena shared the CEO fraud incident on Twitter, multiple users replied to the tweet, saying that they have had similar experiences. "Happened to me as with @1kunalbahl's name as well (sic)," Dheeraj Kumar Sidana replied.
BOOM reached out to people who have received similar messages via WhatsApp and email, to understand how this fraud works. Here's what we found:
What happens in the 'CEO scam'?
Sidana received a message earlier this month on April 1, from someone pretending to be the CEO of Snapdeal, Kunal Bahl. "I am not associated with Snapdeal, nor have I ever worked with them. I have had an interaction with Kunal, so when the scammer took my name, I kept replying to them because I had spoken to Kunal a month back and assumed that he wanted to follow up on our previous conversation," Sidana told BOOM.
The scammer asked Sidana to make a purchase from Amazon and promised to reimburse the amount later. "I told them that I ain't familiar with Amazon online purchases. They then tried to teach me. That's when I knew this was fake as Kunal knows that I would be familiar with how to make purchases via Amazon."
To confirm this was indeed a scam, Sidana told the scammer that he had made the payment and asked for reimbursement. "After this, he pinged me from another number, saying that his previous number got disconnected. I was then certain that this is a fraud." Once Sidana realised that this was a fake message, he took screenshots of the conversation and immediately blocked the number. Bhatia said that it was important to save the chat before blocking and reporting the scammer's contact, as reporting a number on WhatsApp leads to the deletion of the chat, leaving behind no evidence.
Not confined to only startups
While conducting awareness sessions on cybersecurity, Bhatia found that the scam was not confined to the world of start-ups. Top-ranking officials from the police and government organisations were also frequently impersonated in a similar fashion. "One doesn't need that kind of intelligence to track the details of people in the government and police departments as all the information related to them is easily available on the official websites. Also, the chances of a person having the number of these high-rank officials/people are less, unless one knows them personally. So they become an easy target sometimes," Bhatia said.
While WhatsApp is a more recent and easier way of running the "CEO scam", scammers have not abandoned email.
Aswin P, a freelance content marketer, said that he has received multiple fraudulent requests from different "CEOs" of the client companies he has worked with. In one such mail, the scammer asked Aswin to send Rs 24,700 to a vendor, to be reimbursed later.
"In the last six months, I have received three emails with a similar request from the 'CEO', after working for a month with each client. I don't know how they are tracking my working profile," said Aswin.
"I didn't ask them where to make the payment, once I realised that it is a scam. I reported it to the respective HR team, who made sure everyone was aware of it in the organisation. Some of my friends have also received these messages," he added.
How does the 'CEO scam' work?
Bhatia, who is also tracing cases related to the CEO scam, said that data breaches are making it easier for scammers to access other people's data. "It is easy for me also, as an open source intelligence expert, to find out who is the boss of whom, how many people are working and what are their email ids, and phone numbers. Once the scammers have the details, all they need is the CEO's image. By connecting the dots, through open-source intelligence they are able to find out who the people working in the company are and then they start sending out these messages."
In each of the above-mentioned cases, the scammers manufacture a sense of urgency so that the request looks like a plausible message from a busy CEO rather than something suspicious. Ardhendu Sekhar Mahapatra, a cyber security content analyst, told BOOM, "For example, the scammer or the 'fake CEO' may say that they are traveling, don't have certain documents, or need some data urgently. In such cases, the employee often feels an obligation to react since it is the CEO."
The urgency of the request may also prompt people to act quickly, during which they could miss the tell-tale signs that it's a scam.
Some of the numbers the scammers use have foreign country codes. Bhatia said that while most of them are operating abroad, some may also be in India. "In two of the cases that I traced, the scammer turned out to be from Nigeria. It is a hub of cybercrime in the world. Sometimes, scammers from India even go to these places to learn advanced social engineering techniques," said Bhatia.
According to Mahapatra, as scammers become more advanced, it will become even easier to get hold of one's personal information and use it to draft an email or text that appears very convincing. He said, "If your employee ID is mentioned anywhere or even if you are wearing your identity card in a picture, the scammer could zoom in on the image, get specific information and use it to craft a convincing email."
How to stay safe against CEO scams?
As scammers and impersonators employ more novel techniques, safeguarding against such scams is bound to become more difficult.
Bhatia said, "Whatever crimes are happening, new modus operandi will keep coming up. Hence the best thing is to practice the pause. Do not react or take any action immediately. In cyberspace, you should work with the concept of zero trust. While it is not always possible to verify everything, it is essential to verify everything before sharing any sensitive information, personal data, whistleblowing, giving user name passwords etc."
Speaking on ways to verify if the person texting is actually impersonating someone or not, Bhatia said, "Once you receive any such message, call the person as they will probably disconnect the call in case of a scam. Ask the sender certain questions, that only the respective person could answer. If they text you in English, start chatting with them in some Hindi, or ask them to send voice notes."
On ways to identify such scams on mail, Mahapatra said, "Scammers often make extremely minor changes in the domain name which are hard to identify, this is known as domain spoofing. On receiving an email, one should check the domain name thoroughly, to ensure that it is authentic." He added that certain email services can also tag a message as coming from an external sender rather than from someone inside the company, which can prove useful against the CEO scam. "Employees of an organisation should be made aware of the ongoing frauds and scams through proper cyber training, where loopholes in such scams are explained to them," he added.
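The domain check Mahapatra describes, along with the external-sender tagging, can be automated on the receiving side. The following is an added example written for this article, not code from BOOM or from any of the people quoted; the company domains, executive names and sample headers it uses are constructed placeholders, not real data. It flags a From address whose domain is within two edits of a corporate domain (the "minor change" lookalike), a display name that matches an executive but arrives from an outside domain, a corporate domain used only as a leading subdomain label, non-ASCII look-alike characters in the domain, and a Reply-To header that diverts replies elsewhere.

```python
"""Flag e-mail senders that look like an impersonated executive.

Added example for this article. The domains, names and headers below are
hypothetical placeholders, not taken from any real organisation.
"""
from email.utils import parseaddr

# Assumed (hypothetical) allow-list of the organisation's own sending domains.
COMPANY_DOMAINS = {"example.com", "mail.example.com"}
# Assumed (hypothetical) names a scammer would most likely impersonate.
EXECUTIVE_NAMES = {"priya rao", "arjun mehta"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower().strip() if "@" in address else ""


def assess_sender(from_header: str, reply_to_header: str = "") -> dict:
    """Return a verdict ('internal', 'external', 'warn', 'block') plus reasons."""
    name, addr = parseaddr(from_header)
    domain = domain_of(addr)
    high, low = [], []          # high-severity and advisory findings

    internal = domain in COMPANY_DOMAINS
    if not domain.isascii():
        high.append("non-ASCII characters in sender domain (possible homoglyph)")
    if not internal:
        # Near-miss of a real domain, e.g. exarnple.com for example.com
        close = [d for d in COMPANY_DOMAINS if 0 < levenshtein(domain, d) <= 2]
        if close:
            high.append(f"domain {domain!r} is a lookalike of {close[0]!r}")
        # Real domain used only as a leading label: example.com.evil-host.net
        if any(domain.startswith(d + ".") for d in COMPANY_DOMAINS):
            high.append("company domain appears only as a subdomain prefix")
        # The classic CEO-scam pattern: right name, wrong mailbox
        if name.strip().lower() in EXECUTIVE_NAMES:
            high.append(f"display name {name!r} matches an executive but domain is external")
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if domain_of(reply_addr) != domain:
            low.append("Reply-To points to a different domain than From")

    if high:
        verdict = "block"
    elif low:
        verdict = "warn"
    else:
        verdict = "internal" if internal else "external"
    return {"domain": domain, "verdict": verdict, "reasons": high + low}


if __name__ == "__main__":
    # Constructed sample headers for demonstration only.
    samples = [
        ("Priya Rao <priya.rao@example.com>", ""),
        ("Priya Rao <priya.rao@exarnple.com>", ""),
        ("Priya Rao <ceo.priyarao@gmail.com>", ""),
        ("IT Desk <it@example.com.evil-host.net>", ""),
        ("Vendor Billing <billing@vendor-partner.net>", "accounts@pay-now-fast.biz"),
    ]
    for frm, reply_to in samples:
        result = assess_sender(frm, reply_to)
        print(f"{result['verdict']:8} {frm}")
        for reason in result["reasons"]:
            print(f"         - {reason}")
```

A "block" verdict here means the message should be quarantined or at least carry a prominent warning banner, while "external" simply means an ordinary outside sender, which is the tag many mail services already add. The edit-distance threshold of two catches the common m/rn and l/1 swaps without flagging unrelated domains.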
In case financial fraud occurs through the CEO scam, it is essential to inform the cyber crime police by dialling the cyber crime helpline number 1930. "Even if you have not faced any loss, but receive a message from a fake phone number or email id, report it on cybercrime.gov.in so that the government can come up with the statistics and create awareness," Bhatia added.