Cyber Security

Fraudsters are increasingly going after the high flyers in businesses. This approach has seen a significant rise in CEO fraud. In the USA, the FBI has reported CEO fraud as a $26 billion scam. Other statistics show CEO fraud is up 2,370% since 2015.

This technique employed by scammers has been in use for many years and targets SMEs in particular. It has been estimated to cost businesses in the UK around £121 billion per year.

Let’s look at what training and security procedures can be put in place to tackle this growing concern for businesses in the UK and across the world. Look out for these warning signs and protect your business.

CEO email scams

CEO email scams are surprisingly simple, and this can be part of the reason they work. They can be disarming, so you don’t see the threat. Even though the majority of CEOs and tech-savvy business people think they will never be caught out by a fraudster, it is alarmingly common.

CEOs have authority and respect from their employees so naturally there is an inclination to want to please them whenever possible. After all, it is going to be best for your career if you do.

So imagine this common scenario: you’re sitting at your desk and an email notification pops up. It’s from the company CEO. You quickly open it, assuming it must be really important.

The content of the email asks for your help in finalising something like a financial deal, partnership, or takeover bid.

There’s no reason not to trust an email from the CEO of your company, unless you have had training and are aware of the types of scams of this nature that are often used.

It is very likely that the email will be addressed directly to you, the employee, giving you instructions to pay funds to finalise a deal.

This could raise the employee’s suspicion, so the fraudsters use urgency and a need for discretion and secrecy to disarm them and prompt the action they want.

Again you may think no one would fall for this, but the figures show otherwise. In a busy, high-pressure corporate environment the proper processes and checks can be skipped if enough pressure is put on an employee. The sense of urgency is how scammers create this.

Fraudsters know that despite this most employees won’t act on the email alone and will still be cautious. So, as a way to add more credibility and convince them to act, phone calls are used.

The email will claim that a representative will be in contact by phone before the transfer is completed. Once the employee replies to the original email, contact by phone is made and here the scammer will claim to work for a well-known intermediary service like PwC giving more credibility to the process.

The employee, now satisfied that the deal is genuine and encouraged by the importance of the deal the business has entrusted to them, acts swiftly and makes the transfer, and the damage is done.

Once the transaction is eventually flagged internally, the company and the employee realise they have become victims of CEO fraud and a substantial amount of money has been lost.

Let’s look in more detail at an example of the type of email that should start alarm bells ringing:

Dan,

Do you have a few minutes? I’m traveling and in meetings all day but there’s something important I need to manage urgently.

One of our suppliers issued an invoice that must be settled today. I have requested a copy of the invoice that I can forward to you.

It would be appreciated if you could settle the account by the end of the day.

Andrew

Legitimate looking email addresses

Fraudsters are looking to add credibility to their efforts so they will register domains and set up emails that look like those of professional financial companies like PwC and other intermediaries.

Also, look at the email address that the email has been sent from. Most often it will have the CEO’s correct name but not their usual email address. A new email account will be set up with an email provider like Gmail.
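The two sender checks just described (the CEO's correct name on an address that is not their usual one, and look-alike domains of trusted intermediaries) can be automated at the mail gateway. The following is an added example, not code from Computers in the City; the executive directory, the corporate domain `example.co.uk`, the trusted-domain list and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data; a real deployment would load these from the directory.
CORPORATE_DOMAIN = "example.co.uk"
EXECUTIVES = {"andrew smith": "andrew.smith@example.co.uk"}   # display name -> real mailbox
TRUSTED_DOMAINS = [CORPORATE_DOMAIN, "pwc.com"]                # domains worth impersonating
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def looks_like(domain, trusted):
    """Heuristic look-alike test: the brand label embedded in a longer label
    (pwc-advisory.com) or a close typo-squat of the whole domain (pvvc.com)."""
    if domain == trusted:
        return False
    brand = trusted.split(".")[0]
    return brand in domain.split(".")[0] or SequenceMatcher(None, domain, trusted).ratio() >= 0.8


def check_sender(from_header):
    """Return a list of warnings for a raw From: header; an empty list means no red flags."""
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    warnings = []
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        # The pattern from the article: the CEO's correct name, but not their usual address.
        warnings.append(f"display name '{name}' matches an executive but address is {addr}")
        if domain in FREEMAIL:
            warnings.append(f"executive name sent from free-mail provider {domain}")
    if domain and domain != CORPORATE_DOMAIN:
        for trusted in TRUSTED_DOMAINS:
            if looks_like(domain, trusted):
                warnings.append(f"sender domain {domain} resembles trusted domain {trusted}")
    return warnings


if __name__ == "__main__":
    for header in ('"Andrew Smith" <Andrew.Smith@example.co.uk>',
                   '"Andrew Smith" <andrew.smith.ceo@gmail.com>',
                   '"Jane Adviser" <j.adviser@pwc-advisory.com>'):
        print(header, "->", check_sender(header) or "no warnings")
```

The heuristic errs on the side of flagging (a harmless domain containing a brand label will trigger it), which is the right trade-off for a warning banner that prompts a second look rather than a block.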

How do they know personal information?

It’s not safe to assume the email or call is genuine and can be trusted just because they seem to know personal information about you.

Most often scammers can research you on the internet and find out enough personal details to be convincing, but this is all just part of the trick.

When it comes to the finances of the company, this can all be estimated using information available online from Companies House and other sources of business information. This helps the scammer pick a realistic figure for the transfer, which helps them evade suspicion and an alarm being raised.

Are employees the weak spot?

The truth is, this fraud might use technology as the delivery mechanism (email, online transactions and researching details about you and the company online), but it is an old-fashioned trick that relies on human nature.

Most employees want to please their employers and managers so this can override their natural instincts when dealing with this kind of fraud.

If the person they have targeted can be manipulated, software or hardware can’t be used to stop it.

With the right training and awareness, plus the correct company procedures in place, CEO fraud can be avoided.

How to prevent CEO Fraud

The first step is to supply training and make sure all employees know what to look out for when it comes to scam emails and phone calls.

Procedures need to be in place for those with direct access to company funds, ensuring that email cannot be accepted as a method of requesting funds transfers.

If your business needs regular one-off payments to be made as part of day-to-day operations, set an upper payment limit that can be made without further authority. This way you set proper defenses, and still allow employees the freedom to work independently and keep the business moving.
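The two controls above (email is never an acceptable channel for a transfer instruction, and one-off payments above a set limit need a second authoriser) can be encoded as a release check in the payments workflow. This is an added illustration, not a Computers in the City tool; the £5,000 limit, the channel names and the requester names are constructed assumptions.

```python
from dataclasses import dataclass, field

SINGLE_AUTH_LIMIT_GBP = 5000.0                           # assumed; set to suit the business
ACCEPTED_CHANNELS = {"payments_portal", "signed_form"}   # assumed internal request channels


@dataclass
class PaymentRequest:
    requester: str
    channel: str                 # where the instruction arrived: "email", "payments_portal", ...
    amount_gbp: float
    approvers: list = field(default_factory=list)   # people who have signed off on it


def release_decision(req):
    """Return (allowed, reason). An emailed instruction is refused whatever the amount,
    and a payment over the limit needs an approver who is not the requester."""
    if req.channel not in ACCEPTED_CHANNELS:
        return False, f"'{req.channel}' is not an accepted way to request a transfer"
    if req.amount_gbp <= SINGLE_AUTH_LIMIT_GBP:
        return True, "within single-authority limit"
    independent = [a for a in req.approvers if a != req.requester]
    if not independent:
        return False, f"over £{SINGLE_AUTH_LIMIT_GBP:.0f}: a second authoriser is required"
    return True, f"over limit, approved by {independent[0]}"


if __name__ == "__main__":
    # The scenario from the article: an emailed 'settle this today' request.
    print(release_decision(PaymentRequest("dan", "email", 4800.0)))
    # The same amount raised through the proper channel.
    print(release_decision(PaymentRequest("dan", "payments_portal", 4800.0)))
    # A larger payment where the requester tries to approve it themselves.
    print(release_decision(PaymentRequest("dan", "payments_portal", 12000.0, ["dan"])))
```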

Computers in the City, your IT partner

Computers in the City is London’s longest-standing IT partner. With over 20 years’ experience, we can assist you to meet your IT support, digital security consulting and cloud computing needs. We’re proud to be local, offering 24-hour support in straightforward language that takes the stress out of IT support.