How the fraud works
The first thing the scammers will do is adopt a fake identity, usually the Managing Director, CEO or other senior decision maker in a business. They then use this identity to coerce the employee of the target company to make an emergency bank transfer to a third party. Often the scammers will use time sensitive instructions to hasten delivery and reduce any reluctance. Examples of this could be a debt to pay, or a payment to secure new business.
These types of frauds are created by well organised criminal organisations with a complete knowledge of the market, business structure and customers of the companies they are attacking. This knowledge is used to give them all necessary arguments to convince their victim and pay the sums demanded.
1. Establish contact
The fraudsters impersonate a group executive (such as the MD, FD or other senior decision maker) or a trusted partner (such as a solicitor, lawyer or accountant etc.) of the company. They then contact a specific low level employee they think useful to achieve their con. Often the targets are in finance or legal positions in the company with access to bank accounts and other financial data.
Contact with this employee will often originate from an official email address that has been hijacked, or by an address crafted to be almost indistinguishable from the legitimate email being cloned. Once the employee has been contacted and the scammers “identity” has been confirmed they will move in for the kill.
2. Urgent and exceptional request
The fraudsters request an urgent bank transfer of a large amount to a bank account under their control.
3. Persuasive dialog
To be convincing, the fraudster will use a combination of the following elements:
- Use of implied authority: “You are ordered to do this”
- Unusual secrecy: “This project is still secret and its success depends on this transaction”
- Peer pressure: “The success of the project rests on your shoulders”
Content continues below
Risk is an unavoidable part of business, particularly if you provide credit to your clients - even in the sense of invoicing for work done only once it has been delivered, let alone more complex…
Business overdrafts have been called the 'hidden credit crunch' following the news that while traditional bank business loans have fallen 9% in the past two years, the banks have called in 23% of…
The payment practices of the UK's biggest companies have been under scrutiny for a while now, with voluntary efforts such as the Prompt Payment Code attracting criticism for being 'toothless' in…
We have previously covered how unpaid invoice spammers target credit control failures using an archaic .arj file to spread malicious software, but a new and considerably more dangerous threat has…
4. Transfer order
Once the scammers have the authority, the employee will be directed to make an urgent payment outside of normal channels. Often these can be direct bank transfers by BACS, internet or phone banking.
Again, pressure is applied to the employee in order to expedite the fraudulent payment, employees may be told their job or some future promotion is contingent on their actions in this case. The aim is to over-ride any reservations the employee has in making transfers outside of the usual payment channels.
Once the payment is in many fraudsters will attempt to “double dip” and again target the victim for further payments.
5. The “double dip”
On receipt of funds, many scammers will try the same trick again to steal the maximum value prior to being identified. Often these requests will tie in with the original request and may be seen as an extension of the original request such as payment for legal fees or the like.
In these cases, the fraudsters may praise the good work of the employee and make promises to remember or otherwise reward them for their discretion. The aim being to make the mark think they are satisfying a genuine business need rather than lining the pockets of criminals.
How to prevent CEO fraud
As with most fraud targeting businesses, having clear lines of communication and oversight can significantly reduce your risks. If employees know the signs to look out for and where to go for clarification of any unusual requests these type of frauds become nearly impossible to pull off successfully.
Here is what you can do to reduce the risks in your business:
- Inform your staff that this type of fraud is currently active, especially staff in sensitive positions or those with the authority to make payments.
- Reinforce respect for standard working procedures and management oversight.
- Encourage staff to be vigilant to any urgent or confidential requests, especially those that do not respect standard working procedures.
- Independently verify the legitimacy of any unusual request by calling back the person using the internal contact information, not any details given by phone or email.
- Encourage staff to be open and transparent when requesting further information and encourage senior managers to welcome these requests.
- Be aware of any unusual bank transfer requests (Ie those with unusually high amounts to an unknown or foreign accounts, or to countries where your company has no suppliers or customers).
- Follow your intuition: if in doubt, ask. Businesses would do well to encourage staff to ask questions at the beginning rather than try to recover losses at the end.
If your staff do spot something untoward then make sure:
- They know how to react
- They do not complete the requested action until it has been independently verified as a genuine request.
If it is not a genuine request then steps must be taken to secure the business from further attempts, action fraud have further information on how to protect yourself from this kind of fraud.