Cyber Risks Laid Bare after Barclays CEO Fooled by Prankster Email

It doesn’t get much more embarrassing for a CEO than this.

Barclays chief Jes Staley has fallen hook, line and sinker for a fake email scam involving messages purporting to be from the bank’s chairman, John McFarlane. The exchange was subsequently sent by the prankster—a Barclay’s customer with a gripe—to the Financial Times newspaper, which published all the gory details in full.

Staley already is under fire for admitting he tried to identify a whistleblower at the bank despite being advised his actions were inappropriate. Following a tough shareholder meeting on Wednesday he received a message in his inbox with the rather telling subject line: “The fool doth think he is wise”.

The message was sent by the prankster using the Google email address: john.mcfarlane.barclays@gmail.com.

In it, the fake McFarlane comes to Staley’s aid, suggesting that a shareholder at the meeting calling on him to resign was “as brusque as he was ill-informed”.

“PWC recommends against hitting “reply” when responding to senior executives and instead responding in a fresh email.”

McFarlane, a previous chairman of Australia & New Zealand Banking Group, is nicknamed “Mack the Knife” for his tendency to oust CEOs. Staley fell for the ruse, responding to his apparent support glowingly.

“You came to my defense today with a courage not seen in many people,” the Financial Times quoted him as writing. “How do I thank you?”

Staley continued: “You have a sense of what is right, and you have a sense of theater. You mix humor with grit. Thank you John. Never underestimate my recognition of your support. And my respect for your guile.”

Staley then went on to praise McFarlane for his renowned guitar skills. “And some day I want to see an ad lib guitar run. You have all the fearlessness of Clapton,” he wrote.

While only designed to humiliate, the email exchange raises some serious questions about cybersecurity risks.

PwC said recently that it has witnessed a significant increase in the number of fraudsters impersonating senior executives on email with the intention of stealing money from companies. And if someone like Staley can be fooled, how about rank-and-file employees?

Typical individual losses for such scams, the consultancy said, tend to exceed $650,000.

The fraud typically involves a staff member receiving an email from an address that resembles that of a senior executive, much like Staley did. The fraudster will then make a phone call requesting a transfer of funds and follow up with a confirmation email.

To get around the problem, PwC recommends staff be trained to hover their mouse over the senders’ email address to ensure it’s genuinely an internal email.

It also recommends against hitting “reply” when responding to senior executives and instead responding in a fresh email.

If only, poor Staley must be thinking.