What is CEO fraud and what can we do to avoid it?
CEO fraud reputedly cost companies a whopping $1.1bn in 2018 and has been increasing steadily ever since. It affects companies of every size, from micro-businesses to enterprises, so it is essential to understand how the scam works in order to protect your company and employees from it.
Firstly, what is it?
CEO fraud is when scammers impersonate a company executive and make urgent, sometimes confidential, requests of a member of staff within the company. Their motivation is usually financial, but we have seen rare instances where confidential data has been requested.
What is the usual ‘modus operandi’?
- Picking the target executive: Company websites, Companies House and a multitude of other sites can provide information on executives’ names, positions and responsibilities. While the scam is called CEO fraud, we have also seen CFOs, FDs and company secretaries targeted.
- Research: Once the person they plan to impersonate is identified, the scammers research the company for recent news, visits or trips to find anything that will give credibility to the impersonation.
- Engagement: The initial email is sent to one or more employees within the organisation. The emails are usually short, sometimes terse, and stress urgency or confidentiality. At this stage they may well not ask for anything directly, but encourage a response and seek to engage the employee. If the recipient is reading on a mobile device, which often shows only the sender’s display name, it isn’t always obvious that the email comes not from the executive’s address but from a Gmail, Hotmail or other webmail address.
- Engineering: This is where the manipulation really starts. Once communication is established and trust gained, the criminals rely on the urgent or confidential nature of the request, a bullying tone and the employee’s desire to please (or fear of the sender) to stop them questioning it. This is usually when the demand comes, and most of the time it is a request to transfer money to an account.
How to avoid CEO fraud
You might think this kind of fraud would be obvious to spot, and often it is picked up and queried long before it gets near a danger point. There is, however, a significant minority of recipients for whom this works; clearly, if it wasn’t worth the effort the scam wouldn’t exist. Education and process are the key. The advice from the UK’s Action Fraud is:
- Ensure all staff, not just finance teams, know about this fraud and what to look for.
- Have a system in place which allows staff to properly verify contact from their CEO or senior members of staff; for example, having two points of contact so that the staff can check that the instruction which they have received from their CEO is legitimate.
- Always review financial transactions to check for inconsistencies/errors, such as a misspelt company name.
- Consider what information is publicly available about the business and whether it needs to be public.
- Check the email address behind the name; on mobiles especially this can be masked.
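The last point, checking the address behind the display name, is simple to automate at the mail gateway or in a mail-filtering script. The following is an added example, not code from the original article or from Action Fraud: it flags inbound messages whose display name matches a known executive while the address is off the company’s own domain, or whose Reply-To would redirect replies elsewhere. The company domain, executive names and sample headers are all constructed for the demo.

```python
# Added example (not from the original article): flag mail whose display name
# matches a known executive but whose address is not on the company's domain,
# i.e. the "address behind the name" check. Domain, names and headers are
# constructed for this demo and are not real identifiers.
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"                          # assumption: the real mail domain
EXECUTIVES = {"jane smith": "CEO", "raj patel": "CFO"}    # constructed impersonation targets

def _normalise(name: str) -> str:
    # Lower-case and strip titles/punctuation so "Ms. Jane SMITH" matches "jane smith"
    name = re.sub(r"\b(mr|mrs|ms|dr)\.?\s+", "", name.lower())
    return " ".join(re.findall(r"[a-z']+", name))

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(from_header: str, reply_to_header: str = "") -> dict:
    """Return a verdict for one message's From: (and optional Reply-To:) header."""
    display, addr = parseaddr(from_header)
    role = EXECUTIVES.get(_normalise(display))
    from_domain = _domain(addr)
    reasons = []
    if role and from_domain != COMPANY_DOMAIN:
        reasons.append(f"display name matches {role} but address is @{from_domain or '?'}")
    if role and reply_to_header:
        # A genuine-looking From with replies redirected to webmail is the same trick
        _, reply_addr = parseaddr(reply_to_header)
        if _domain(reply_addr) != from_domain:
            reasons.append(f"Reply-To @{_domain(reply_addr)} differs from From @{from_domain}")
    return {"display": display, "address": addr, "role": role,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample headers covering the cases discussed above
SAMPLES = [
    ("Jane Smith <jane.smith@example.co.uk>", ""),                        # genuine executive mail
    ("Jane Smith <jane.smith.ceo@gmail.com>", ""),                        # webmail impersonation
    ("Jane Smith <jane.smith@example.co.uk>", "ceo.office@hotmail.com"),  # Reply-To redirect
    ("Accounts Payable <ap@supplier.example>", ""),                       # not an executive name
]

if __name__ == "__main__":
    for frm, rto in SAMPLES:
        verdict = check_sender(frm, rto)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {frm} | {'; '.join(verdict['reasons'])}")
```

A hit from this check is a prompt for the second point of contact the advice above describes, not proof of fraud: an executive genuinely mailing from a personal account will also trigger it, which is exactly the case you want verified by phone.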