Posted: 11th December 2017
Many firms are caught out by the simplest forms of fraud. According to the Office for National Statistics, fraud accounts for nearly 50% of all crimes in the United Kingdom, with cyber-related crime accounting for 57% of all frauds.
Criminals have excelled with the digital age, sometimes using sophisticated methods to relieve firms and individuals of cash or their sensitive information, but the simplest methods still appear to be effective, and can have large impacts on a firm.
'CEO fraud' – where the perpetrator poses as a CEO or senior manager, sending an email to a staff member requesting some form of payment – otherwise known as ‘business email compromise’ or ‘whaling’, is simple, but can yield significant consequences. CEO fraud cases can involve large amounts of funds being transferred and withdrawn immediately, leaving limited trace of the fraudster. Action Fraud reported that out of £32 million lost to CEO fraud in a 6 month period, only £1 million was recovered by victims. The impact of the crime can lead to reputational damage and loss of customer trust.
The National Cyber Security Centre (NCSC) considers CEO fraud to be a form of ‘cyber-enabled crime’ as it does not depend purely on networks (such as in the case of DDoS or malware attacks), but in most cases, is enabled using the internet and communication technology.
However, firms can mitigate the risk of CEO fraud with adequate anti-fraud risk controls.
CEO fraud explained
An example of this could be that a fraudster emails a front-line staff member (for this example, in the Finance department) claiming to be a senior manager or the CEO at the firm they work for, requesting that a payment be made to a third party as a matter of urgency. The fraudster has masked their identity, and the email address appears to be that of the senior manager or CEO, to the extent that the difference could be missed if the employee does not investigate it. The greater challenge is where fraudsters use fake mail generators that mask the true sender’s identity behind the appearance of the senior manager’s address. To the employee, it appears to be a genuine communication.
An example of one such email:
Your assistance is urgently required to make a payment for me. Our legal team has confirmed to me an offer has been accepted by a new vendor, that I have been negotiating with for some months. We aim to have this acquisition finalised and announced within the next week or so.
In the meantime, as per the conditions agreed upon with the vendor, we are required to make an initial deposit payment of £250,000 by COP today. See below the transfer details – please action this ASAP. Let me know once this payment has been made and I will confirm the vendor has received it.
I would appreciate your discretion regarding the new vendor; an announcement will be made shortly, and we do not want this leaking to the business or the press ahead of a formal announcement.
Please do not hesitate to email me if you have any queries.
Impersonation is easy for fraudsters, given the amount of readily available information on the internet regarding our social and professional lifestyles. The simplicity of CEO fraud means it only takes a small amount of research to execute and to add authenticity. Because of its simplicity and reliance on human error, firms may wonder how frauds like this can happen; however, its prevalence proves the need for a robust internal fraud awareness programme and fraud risk approach.
How to protect your firm against CEO Fraud
When faced with the risk of CEO fraud, ensuring staff think about the following is a good start (and indeed will assist them in their own personal awareness of fraud and scams):
- The tone, language and layout – is it consistent with the firm’s / staff member’s tone of voice?
- The urgency of the email – is this an immediate task, and what are the implications of not doing it immediately and seeking guidance?
- Whether the authenticity of the email address and its point of origin can be verified
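As an added illustration (not code from the original article), the script below applies the three checks above to a constructed message modelled on the example email: it compares the display name against the executive's real mailbox, looks at the sender domain and any Reply-To diversion, reads the receiving gateway's SPF/DKIM verdict, and scans for urgency or secrecy wording. The domain firm.test, the executive mailbox and the sample headers are all assumed.

```python
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "firm.test"                        # assumed company domain
EXECUTIVES = {"jane smith": "jane.smith@firm.test"}  # assumed name -> real mailbox
URGENCY = ("urgent", "asap", "cop today", "immediately", "discretion")

# Constructed message modelled on the article's example (not a real sample)
SAMPLE = """\
From: "Jane Smith" <jane.smith@mail-generator.test>
Reply-To: jane.smith.ceo@webmail.test
Subject: Urgent payment required today
Authentication-Results: mx.firm.test; spf=fail smtp.mailfrom=mail-generator.test; dkim=none

Your assistance is urgently required to make a payment for me.
We must make an initial deposit of 250,000 GBP by COP today.
Please action this ASAP and I would appreciate your discretion.
"""

def red_flags(raw_message):
    """Return the CEO-fraud red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    # Point of origin: an executive's name on a mailbox the firm does not own
    for exec_name, real_addr in EXECUTIVES.items():
        if exec_name in name.lower() and addr != real_addr:
            flags.append(f"display name '{name}' but sender is {addr}")
    if domain != INTERNAL_DOMAIN:
        flags.append(f"external sender domain {domain}")
    # Authenticity: replies silently diverted to another mailbox
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        flags.append(f"replies diverted to {reply.lower()}")
    # Authenticity: the receiving gateway's SPF/DKIM verdict (RFC 8601 header)
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        flags.append("SPF/DKIM not passed")
    # Tone and urgency: pressure or secrecy wording in subject or body
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        flags.append("urgency/secrecy language: " + ", ".join(hits))
    return flags
```

A genuine message from the real mailbox that passes SPF and DKIM and carries no pressure wording returns an empty list, so the function can sit in a mail-gateway rule or a finance-team triage tool as a first-pass check.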
As well as ensuring staff awareness of these factors, firms should consider:
- Implementing an internal authorisation process for payments, including payment transfer thresholds
- Maintaining or developing robust quality assurance processes on payment transfers
- Ensuring good communications across departments / the company to support information sharing and accuracy
With this in mind, the internal message around fraud will almost certainly benefit from visible top-level endorsement – for example, via a formal internal fraud awareness programme, which will make fraud awareness a prerequisite to working in a firm. In short, a publicised programme can make the mitigation of fraud risk an intrinsic part of a firm’s culture, and more likely to be borne out in day-to-day business as a result.
It is important for firms to provide regular awareness training and competency testing on different fraud types and preventive methods to reduce the risk that fraud presents. Employees with access to their firm’s banking and payment arrangements should be considered for mandatory training on fraud threats, trends and reporting requirements.
Additionally, appropriate anti-fraud systems and controls can include enhanced supervision of business transactions, as well as clear payments and verification procedures and policies, all of which should be publicised within the business.
Firms that adopt and / or refine these kinds of fraud prevention measures will be more effective in mitigating risks to their firm – and not just the risk of CEO fraud.
A key part of prevention sits with your staff; ensure they are aware of the risks, threats and red flags, and they will be better equipped to join the fight against fraud. If they are ‘brought on the journey’ through effective, publicised internal messaging, they will better understand how policy and process translate to fraud prevention, and they will be more aware of the options available to them when suspicion of fraud arises.