More and more businesses are targeted for so-called CEO fraud that may end up costing them a lot of money. Many European businesses have already fallen victim to the scam, and the number is increasing. In Denmark alone, more than DKK 200m were cheated out of businesses in 2016.
It is therefore of paramount importance that your security procedures are in place and that employees are vigilant when they receive suspicious e-mails about transfers to countries outside Europe.
This is how CEO fraud works
CEO fraud exploits employees' natural disposition to solve tasks set by their superiors quickly and efficiently, and it may be very difficult to see through this type of fraud.
Typically, the IT criminals will send an e-mail to an employee at a company, usually an accountant. The e-mail appears to come from the top executive of the company, asking the employee to make one or more transfers to banks abroad. E-mails are often followed up by telephone calls from a person who may sound very trustworthy and who asks the employee to accelerate the payments. Upon payment, the IT criminals will retransfer the amounts to accounts with other banks.
The IT criminals may pass themselves off as an executive at a company in several ways. In more sophisticated cases, the e-mail account of the executive is hacked by means of malware, so the IT criminals may be extremely convincing, both as regards language and contents, because they have had the opportunity to read the executive's other e-mails for a long time. In other cases, more low-tech methods may be used, with IT criminals making only adjustments to the settings of the e-mail programme, making them appear to be someone else in the "From" field. A third type is when the IT criminals call the employee on the phone, pretending to be an executive at the company.
What can you do?
It calls for robust internal procedures in a company to counter this kind of scam – and not least vigilant and well-informed employees in the departments in charge of processing transfers.
Companies must be aware of the following:
- Are the employees aware of the risk of CEO fraud?
- Are procedures for processing large transfers up-to-date? And are they followed?
- Is the transfer in any way abnormal? A payment may stand out in a number of ways. The recipient country may be one of them. Often, fraudulent payments involved in CEO fraud go to banks in China and Hong Kong, but also banks in countries inside and outside the EU have been registered as recipients.
- Often, the fraudsters' recipient account belongs to a newly established business. A search on the Internet for the recipient company may reveal whether any suspicion is well-founded.
- The fraudsters will often try to stress the employee by setting tight deadlines.
- The fraudsters often take advantage of situations where the executive in question is not easily accessible, for instance, if he or she is on holiday.