CEO fraud is so called because fraudsters impersonate the Chief Executive Officer, Finance Director or similar senior manager of an organisation, requesting a payment or bank transfer to be made, either by telephone or email. The request is often based on urgency and secrecy and puts pressure on the employee to make the payment as soon as possible.
Instances of CEO fraud, also referred to as a type of business email compromise (BEC) fraud, are rising significantly across the world: the FBI estimates that globally, between October 2013 and May 2018, $12 billion was lost to BEC fraud.
Figures for 2018 released by UK Finance show there were 519 cases of CEO fraud in the UK resulting in a loss of £13.8 million by UK businesses.
According to research commissioned by Lloyds Bank and Get Safe Online, impersonation fraud costs on average £27,000 per victim, with the number of attacks rising by 58% in 2018.
How does CEO fraud work?
An instruction for payment is made to someone in the accounts department, either via telephone or email. The email will appear to have come from the CEO or Finance Director or other senior manager, requesting an urgent payment or bank transfer in relation to a business opportunity or ongoing deal. There is usually an element of pressure placed on the employee receiving the email to act quickly and transfer the funds immediately. If the request is made over the telephone, there is a similar level of urgency – the “CEO” is just about to get on a flight and will be out of contact, so the payment needs to be made immediately.
This type of scam can be very effective because if an instruction is received from a senior executive, an employee may not wish to appear uncooperative or obstructive and may be unlikely to challenge the request as being something outside of normal procedures.
In one incident of attempted CEO fraud we’ve witnessed, the fraudster stressed that the payment was needed in order to secure a deal which nobody else knew about and that it was important to maintain secrecy and not tell anyone about it. This was done to try to convince the employee receiving the phone call not to seek confirmation from other senior managers within the organisation. In this attack, the fraudster made several telephone attempts throughout the day, first to request an urgent payment and then later to check on progress.
Targeted attacks and other tactics
When targeting a business, fraudsters may research and build up as much information about the business as possible, using company websites, LinkedIn and other social media to collect details on relationships with customers and suppliers as well as named contacts working in various departments. Details shared publicly – such as attending a conference or event, or going away on holiday – can help a criminal appear to have inside knowledge of an executive’s daily whereabouts, which helps them seem more convincing.
Attacks may be targeted at individual employees in the accounts department, again using information gleaned from the public domain and social media, or by previously contacting the organisation to request details of who to contact. An email sent directly to a named contact in the accounts department from the CEO or senior manager is less likely to be perceived as a threat than an email sent to a generic accounts address.
An email received may look 100% genuine at first glance, with the name of the CEO or senior manager appearing as the sender in the From field of the email; however, it may have been spoofed to appear genuine. Hovering the mouse over the sender’s name should reveal the email address the message has actually been sent from. Alternatively, the email address may have been made to look very similar to that of the senior manager being impersonated; this may include an additional letter or character, or a similar variation of the genuine email address. An email can even be received from the manager’s genuine email account if the company network has been compromised by hackers.
What can you do to prevent CEO fraud?
You may not be able to stop your business being targeted in this way, but there are several steps you can take to mitigate the risk.
- Ensure relevant staff are well trained to be aware of and alert to this type of fraud and understand the steps they can take to identify it.
- Encourage staff to question and double check the validity of all payment requests received.
- Have an agreed procedure for 1) making urgent payments and 2) making payments over a certain threshold that are both documented and communicated to all relevant parties within the business.
- Include a confirmation and verification step as part of these procedures so that requests for urgent or large payments are followed up with an independent confirmation using established contact details – remember not to use any contact details provided in the email request.
- Don’t reply directly to an email received, instead forward the email or a screenshot of the email received and type in the established email address for the senior manager you wish to contact to seek confirmation.
- Train staff how to double check the original email address of an email received in relation to payment instructions and change of account details so that spoofed emails can be identified.
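The sender checks described above (display name matching an executive but a different address, a lookalike domain, a mismatched Reply-To) can also be automated as a first-line screen before a payment request is acted on. The following is an added example, not code from the original article; the executive directory, company domain and sample headers are all constructed for illustration.

```python
# Added example (not from the original article): flag payment-request emails
# whose From header impersonates a known executive. Executive names, the
# company domain and the sample headers are constructed for illustration.
from email.utils import parseaddr

GENUINE_DOMAIN = "example.com"                   # assumed company domain
EXECUTIVES = {                                   # constructed directory
    "jane smith": "jane.smith@example.com",      # CEO
    "tom jones": "tom.jones@example.com",        # Finance Director
}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, reply_to=None):
    """Return a list of warnings for a From header (and optional Reply-To header)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    warnings = []
    genuine = EXECUTIVES.get(name.strip().lower())
    # Display name is an executive's, but the real address is not theirs.
    if genuine and addr != genuine:
        warnings.append("display name matches an executive but address differs")
    # Domain is not ours but is within two edits of it (e.g. an added letter).
    if domain != GENUINE_DOMAIN and edit_distance(domain, GENUINE_DOMAIN) <= 2:
        warnings.append(f"lookalike domain: {domain!r} resembles {GENUINE_DOMAIN!r}")
    # Replies would go to a different mailbox than the one shown as sender.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != addr:
            warnings.append("Reply-To points somewhere other than the From address")
    return warnings


if __name__ == "__main__":
    for hdr in ('"Jane Smith" <ceo.jane.smith@gmail.com>',
                "Tom Jones <tom.jones@exarnple.com>",
                "Tom Jones <tom.jones@example.com>"):
        print(hdr, "->", check_sender(hdr) or ["no header warnings"])
```

An empty result is not a clearance: as the article notes, a genuine account can itself be compromised, so the independent confirmation step using established contact details still applies.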
Report any attempted fraud to ActionFraud – the police’s national fraud and cybercrime reporting centre. Even if you haven’t suffered any financial loss, you should still report the attempt. You can submit a report via their website at www.actionfraud.police.uk.
CEO and other payment fraud attempts are unlikely to go away as fraudsters become ever more sophisticated in their methods of attack. Ensuring that all staff are aware of and alert to CEO fraud and have been trained how to recognise it is one of the best defences against this kind of attack and can help reduce the risk of your business falling victim to fraud.
If you would like any further information, require support with staff training, or would like to have your accounts payable procedures reviewed, please get in touch to discuss how we can help.