Partner Article

The rise of CEO fraud

Alan Norton, Head of Intelligence at Graydon UK

The growing availability of data comes with a dark side: more and more criminals are using such data to defraud organisations. Picture this. A financial employee of a multinational is working at their desk. Suddenly they receive a personal email from the CEO, asking for their involvement in a major deal. It concerns a huge international take-over: a big project, but still top-secret. To finalise the deal, £500,000 needs to be released discreetly and quickly.

The employee feels flattered that the CEO has trusted them and transfers the requested sum to the specified account as soon as possible. A number of weeks later it turns out there is no take-over and the company in question has lost a lot of money.

The example might be fictitious, but unfortunately a number of similar cases have come to light recently, with companies losing staggering amounts of up to £3,000,000.

Misuse of online information

CEO fraud is a recent variation of social engineering, whereby hackers manipulate the weakest link in a company’s network (the people) into divulging sensitive information or unknowingly performing dangerous actions. And these fraudsters know what they are doing. They take advantage of the growing availability of online information to quietly infiltrate a company.

Using information on social media, online organisation charts or data on the company website, the fraudsters figure out the payment processes of a specific company. They know who is authorised to transfer large sums of money and gain insight into a company’s communication style. With this information, they pretend to be the CEO or another top executive using a fake email address.

A worrying shift

It is thought that CEO fraud originated in France, where gangs defrauded more than 350 companies for a total of 250 million euros (Eversheds, Faroek). But this kind of fraud is fast spreading across Europe and has certainly arrived in the UK. Although precise figures are difficult to state, we can be sure that actual figures are always much higher than reported ones, as many companies prefer not to disclose their experiences of fraud.

Interestingly, there has also been a shift in the types of companies being targeted. Whereas at first major corporations were targeted, it is now also affecting much smaller companies. This shift is worrying, as fraud of this magnitude for an SME (which usually has less of a reserve than a multinational) can have even more devastating consequences.

An evolution

As more and more complex and innovative tactics arise, companies can easily be distracted and fail to adequately guard against more classic types of fraud. However, most “new” frauds are in fact an evolution of an old one. Take for example invoice fraud. Here fraudsters intercept invoices sent by post and change the account number. Unsuspectingly, the recipient transfers the money to the wrong account.

As fraudsters become increasingly inventive in this world of digitisation and data-availability, we now see digital invoice fraud. Here a hacker gains access to the IT system or supplier’s mailbox and intercepts invoice emails or accounting data, or perhaps infects the finance system with a virus, enabling them to remotely change an account number.

You are the weakest link

With more advanced technology at the fraudsters’ disposal, technology to combat fraud has also advanced. However, can the same be said for your staff? Has your training advanced to ensure staff are aware of social engineering tactics? I doubt it. Your staff remain your weakest link.

Now back to the CEO, if I may. What could have been done differently? Writing to the CEO in a new email, addressed to their known address, as opposed to simply hitting reply, is a good idea. Two-factor authentication for email is advisable, but how about actually picking up the telephone and speaking to the CEO? It’s good to talk.
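As an added illustration that is not part of the original article, the following Python check shows how a mail gateway or a cautious finance team could flag the message from the opening scenario before anyone hits reply. The company domain, the executive directory and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # constructed, hypothetical company
# Constructed directory: lower-cased display name -> address the executive really sends from
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# Secrecy and urgency wording typical of the scenario in the article
PRESSURE_WORDS = ("discreet", "quickly", "top-secret", "confidential", "urgent")


def check_executive_message(raw_message: str) -> list:
    """Return the reasons a message looks like executive impersonation (empty list = nothing found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. A known executive's name shown on an address the directory does not list for them
    expected = KNOWN_EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but sender is {from_addr}, directory has {expected}")
    # 2. Sender domain is not the company's own (a lookalike such as example-corp.co)
    if from_domain != COMPANY_DOMAIN:
        findings.append(f"sender domain {from_domain} is not {COMPANY_DOMAIN}")
    # 3. Reply-To redirects the conversation: hitting Reply would never reach the real CEO
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 4. Pressure to act secretly and fast, as in the fictitious take-over
    body = msg.get_content().lower()
    hits = [w for w in PRESSURE_WORDS if w in body]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample: the fraudulent "CEO" message from the article's scenario
SUSPECT_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: jane.doe.ceo@freemail.test
To: finance@example-corp.com
Subject: Confidential acquisition

Please release the funds discreetly and quickly. This deal is top-secret.
"""

# Constructed sample: a routine message from the genuine address
LEGIT_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Supplier list

Please send me the Q3 supplier list when convenient.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, check_executive_message(raw) or "no findings")
```

Any finding should route the request to the out-of-band verification the article recommends: a new email to the known address or a phone call.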

This was posted in Bdaily's Members' News section by Financial News.
