What is CEO fraud and how can I identify it?
Source: Business Advice
What is CEO fraud and how can I identify it?
Business Advice unpicks one of the growing threats to small companies, asking what is CEO fraud, before consulting two experts on the typical tactics employed by scammers and how owners can protect their firm.
What is CEO fraud?
CEO fraud involves the impersonation of a senior company executive in order to divert payments for goods and services into a fraudulent bank account. Fraudsters will typically target a company’s finance department, either via email or over the phone.
As detailed in the 2017 Annual Fraud Indicator, CEO fraud is an increasingly prominent type of procurement fraud. As the procurement of goods and services can represent a high proportion of a firm’s expenditure – often involving numerous individuals across different departments – the risk of fraudulent activity is high.
According to the report, procurement fraud costs UK businesses £121.4bn every year, and with a reported 2,370 per cent increase between January 2015 and December 2016 alone, CEO fraud is gaining notoriety.
Jim Gee, head of forensics and counter fraud services team at Crowe Clark Whitehill and author of the report, offered Business Advice readers a further explanation of this growing threat to small firms.
“Fraud occurs in every business irrespective of the sector or type. The question is not whether fraud is an issue, it is what type of fraud and how much is being lost,” Gee explained.
“CEO fraud has gained prominence over the last 18 months, cropping up repeatedly as an issue that affects small businesses. Fraudsters impersonating CEOs can be very convincing, hence why this type of approach is so effective.”
CEO fraud in action
According to crime agency Action Fraud, the largest reported amount of money ever transferred by an employee to a fraudster was £18.5m.
The company, a global brand of healthcare products, remained anonymous. However, it emerged that a man impersonating a senior staff member phoned a financial controller in the firm’s Scotland office and requested funds to be transferred to accounts in Hong Kong, China and Tunisia. The employee was so duped that the transaction occurred despite several phone calls and emails occurring.
Outside of this extreme case, the average amount acquired by fraudsters via CEO fraud is believed to be around £35,000.
“The fraudsters perpetrating CEO fraud are often sophisticated criminals rather than amateurs trying their luck,” Gee noted. “They may have targeted the business over months, building up a picture of who works in the business, reporting lines and the individuals responsible for authorising payments.”
Key business fraud stats
• 25 per cent – proportion of small firms hit every year
• £18.9bn – losses to small firms each year
• 36 per cent – amount which don’t know who to call in event of invoice fraud
• 47 per cent – amount which have not made any changes to prevent fraud
Even a company’s website could reveal names of legitimate suppliers and provide information which can be exploited by fraudsters. Malware also continues to be used to access internal email systems.
Gee added that fraudsters have been known to follow CEOs on social media channels, such as LinkedIn, to observe any posts suggesting the individual is not in the office, meaning automatic “out of office” replies can be a dangerous giveaway. He warned that the agile operations of a small business, where it is more typical for a CEO to authorise or instruct payments, put such firms at a greater risk.
How to identify CEO fraud
With the lethal threat facing small firms now established, Dr Markus Jakobsson, chief scientist at cyber security firm Agari, outlined three potential warning signs that could save you from falling victim.
Consider the sender
“First of all, is this an email from somebody in power? And does it ask for help with something? Is it addressed only to you, or to the entire company? Scammers like to single out their victims. If they sent a scam email to everybody on your floor, somebody would say ‘hey, this is no good’, and you would all put the email in the spam folder.
“If the email asks for a wire transfer, or for help paying an overdue invoice, it is probably bad. After all, does your CEO normally send such requests? Well, scammers do. Or, if you are in HR, maybe the email asks for employee data. Very fishy.”
Look at the email address
“Not the name in front of it, but the email. Is that your boss’ normal email address? Or is it a Gmail address, an address from ‘ceo123.com’, or just something you have not seen before?
“Some 94 per cent of all CEO scams involve a deceptive display name – that’s the part of the email that says the sender’s name, which is displayed to you before you even open the email – and an email address that does not match what you normally see from this person.”
If you are not sure, don’t be embarrassed to ask. Send a copy to your admin. Walk over to your boss and ask – did you just ask me to pay a late invoice? Four eyes are better than two.
How can I prevent CEO fraud?
Gaining a full awareness of the warning signs is the first step in preventing CEO fraud. To ensure the strongest defence, Dr Jakobssen advised business owners to put the right security software in place and look at internal processes, such as staff awareness.
Meanwhile, Gee urged all business owners to prepare to be targeted amid the UK’s fraud “epidemic”.
“To reduce vulnerability to CEO fraud, small business owners should put time aside to consider their fraud vulnerabilities, who in the company is responsible for countering fraud on an on-going basis, and whether there is sufficient expertise within the organisation to adequately protect the business,” he advised.
“Spending on professional advice may seem like a luxury for many businesses, but such spending should be considered an investment compared to the potential financial, legal and reputational costs associated with fraud.”
If you’ve been a victim of fraud then Business Advice would like to hear your story. Please get in touch by emailing us on firstname.lastname@example.org.
The story of a small business defrauded out of £7,000 – and the lessons learned