Please transfer £5,000 to Joe Bloggs…
CEO Fraud is one such scam: it relies on the loyalty of your employees and turns it against your business to steal thousands of pounds. It remains a niche type of fraud; however, unlike phishing scams, which have a 30% success rate, CEO fraud has a 90% success rate. A report from earlier this year by the National Fraud Intelligence Bureau (NFIB) shows that over £32 million has been reported lost as a result of CEO Fraud.
So what is CEO Fraud?
CEO Fraud (also known as the Fake President trick) is a scam in which cybercriminals steal the identity of the CEO or another member of the senior management team and use bogus emails to request a transfer of funds from an employee within the business.
The target will usually be a member of staff who has access to sensitive details or the authority to approve large transfers of money, such as a PA or a member of the accounting or HR department. The email will usually be a convincing fake and will appear to come from the CEO. It will contain a request for the transfer of funds, usually under the guise of a confidential transaction.
Surely the email can’t be that convincing?
You would be surprised. In previous cases, the fraudsters used social engineering tactics to research the name and email address of the person they were looking to impersonate, whilst also researching the people most likely to have the authority to make the transfer. This information is likely to be readily available on your company's website, in previous press releases, or on LinkedIn profiles. The fraudsters can also make use of out-of-office replies and posts on social media to make their email more convincing.
For example, a CEO might be on a business trip in a different country, one that they have posted about on LinkedIn or Twitter. The fraudster can use this information to convince a member of your business that the CEO needs the funds immediately for a transaction in the region, or to pay a fine or damages caused by an incident such as a crash. A loyal and concerned employee is unlikely to question the request.
Well, I run an SME, we're not likely to be targeted
Companies of all sizes have reported being targeted. Fraudsters can easily estimate the amount of money your business makes and request a sum that wouldn't raise an eyebrow. With larger corporations having stricter controls on how funds are transferred, smaller businesses are far easier targets for scam artists.
So what can I do to safeguard my business?
In all cases of a transfer request, it is wise that your employees know that standard procedure is to get secondary confirmation, in person or over the phone. A two-stage approval process that requires the physical signature of the CEO and another senior management member is a good system for ensuring that no one person has the authority to make transfers. Replying to the scam email to request further verification should be avoided: it signals to the fraudster that the bait has been taken, and they will intensify their efforts.
If you or an employee suspects that an email may be an attempt at CEO Fraud, you should follow company protocol for reporting cyber attacks. If you suspect you have already fallen victim to one, you should immediately get in touch with the police, and your company's bank signatories should contact your bank to see whether it is possible to block the payment.
Are there any technical options we can take to safeguard ourselves?
Due to the human factor in this scam, technology is not a better defence than well-trained staff. However, having a good firewall and keeping your email programmes up to date with the latest security updates can assist in the screening of your emails. Hopefully, the vast majority of scam emails will end up in your junk folder instead of your main inbox.
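Screening can also be done with a few targeted rules of your own. The following Python script is an added example, not code from the original post or any product it mentions; it flags the three traits described above (an executive's name on an email from the wrong address, replies diverted elsewhere, and a transfer request wrapped in urgency or secrecy). The company domain, executive roster and sample message are constructed assumptions.

```python
"""Screening heuristic for suspected CEO Fraud emails (added example, not from the
original post). Roster, domain and sample messages are constructed assumptions."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"                          # assumed company domain
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}   # assumed executive roster
TRANSFER_TERMS = ("transfer", "wire", "payment", "bank details")
PRESSURE_TERMS = ("urgent", "immediately", "confidential", "do not discuss")


def screen_email(raw: str) -> list[str]:
    """Return the reasons a message looks like a fund-transfer scam; an empty
    list only means no heuristic fired, so secondary confirmation still applies."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    reasons = []

    # 1. An executive's display name, but not the address the directory knows.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        domain = addr.rsplit("@", 1)[-1]
        where = "external domain" if domain != COMPANY_DOMAIN else "wrong mailbox"
        reasons.append(f"'{name}' impersonated from {where}: {addr}")

    # 2. Replies would be diverted away from the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. A transfer request combined with secrecy or urgency (single-part
    #    bodies only; multipart messages would need each text part walked).
    text = "" if msg.is_multipart() else str(msg.get_payload()).lower()
    if any(t in text for t in TRANSFER_TERMS) and any(t in text for t in PRESSURE_TERMS):
        reasons.append("transfer request paired with urgency/confidentiality")
    return reasons


# Constructed sample resembling the scam described above (not a real message).
SAMPLE_SCAM = """From: Jane Smith <jane.smith@example-co.com>
Reply-To: ceo.office@webmail-example.net
Subject: Confidential

I am abroad and need an urgent transfer of 5,000 GBP to a supplier today.
Keep this confidential and reply with the bank details you will use.
"""
```

Running `screen_email(SAMPLE_SCAM)` returns all three reasons, while a genuine message from the executive's known address with no Reply-To and no transfer language returns an empty list.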