Instances of CEO fraud have seen a dramatic increase in recent decades. This technique of embezzlement, which has targeted SMEs for years now, costs UK businesses in the region £121 billion each year. It is an increasing problem, but with the right kind of training, and knowledge of which red flags to look for, there is no reason your company can’t be as well protected as possible.
How Fraudsters operate via email
It’s easy to assume we would never be a victim of an email scam, but the statistics show an alarming number of people have been duped. The trick is in the very obvious simplicity of it all. Imagine sitting at your desk and receiving an email from your CEO asking for your assistance in finalising a large takeover or piece of foreign investment.
Wouldn’t you trust an email from your owner or CEO? The email is often addressed to the employee directly and instructs them to release certain funds to finalise the deal. Fraudsters do not want an employee checking into the matter too much, so they will often urge them to use their discretion. The use of intermediary “firms” is becoming increasingly common, with professional service firms such as PwC being used (or claimed to be used).
This may all sound highly suspicious in the context of a blog on CEO impersonation, but the truth is in a hectic office environment sometimes the right level of checks are not done and mistakes can be made when an employee feels it is an urgent matter.
Phone calls are increasingly used as a way of adding legitimacy to the original email. Occasionally a specific representative will be mentioned in the email, which will state that he or she will be in contact before the transfer is made. Once an email reply has been sent, the fraudsters will make contact with the employee, posing as the representative in the email, often claiming to work for a professional service, such as PwC.
Flattered by the trust being shown by the CEO, and the responsibility of dealing with such a large, sensitive matter, leads many to carry at the action quickly and efficiently. Later on down the road when the large transaction to a mysterious account is flagged as suspicious, the damage has already been done. The company suddenly realises it has lost a substantial amount of money to CEO fraud.
Here’s a quick example of the kind of email that you should be wary of:
Do you have a few minutes? I’m out of the office all day but forgot an important matter I need to take care of urgently.
There is a pending invoice from one of our vendors that needs to be settled by the close of banking transactions today. I have asked them to email me a copy of the invoice and I will pass it on to you.
I would really appreciate it if you could settle the account by the end of the day. I can’t take any calls at the moment, so a quick email is fine.
Be wary of the following examples
The domain names below are known to have been used by fraudsters when impersonating an intermediary used for the deals. Neither are legitimate and have absolutely no affiliation with Pricewaterhouse Coopers or PwC Legal @pwc-ukglobal.com and @pwc-office.com
Of course, fraudsters may well pose as another company assisting with the transaction. These are simply two of the most common used.
Fraudsters may also use an alternative method where the sender’s name is that of the CEO or owner, but the email address used will be unfamiliar, typically an email unassociated with the company, such as Gmail or Yahoo.
Is our focus elsewhere?
Thanks to a huge drive in training, the awareness of cybercrime has never been higher, but this does leave us vulnerable to more traditional methods of fraud. Though this method uses technology and may be considered relatively new, there is no hacking involved and the criminals need not use much technical knowledge. It is simply a case of old fashioned trickery.
It’s all online
Never assume legitimacy just because a caller or email has used your first name or seems to know certain information about you. This information is widely available on the internet, from employee names and their departments to CEO’s names and email addresses. What’s more, the internet will provide a rough idea of financial standing which can help when fraudsters decide on a realistic sum of money to request. Never underestimate how easy it is to pose as somebody else online. Email programs can allow customisation of a sender and even the reply address. In the future, these techniques are likely to become even easier as technology develops so it’s important to keep up to date.
Who is to blame?
It may sound unfair to say but people are the weak link in this type of fraud. Fraudsters must first scour a company’s information to find the relevant employee capable of making the transfer. If the person they have targeted can be manipulated easily there is no software or security hardware effective enough to stop it. It is a case of making sure employees are well trained and have the latest relevant information.
How to prevent SEO fraud?
Inform all employees about the dangers and what to look for in emails and phone calls.
For those who have access to funds directly, make it clear that email is never to be used when requesting a funds transfer. In fact if it ever comes up the matter must be passed on to the relevant parties for investigation immediately.
If regular one-off transfers are needed, set a cap on the amount that can be sent without proper authorization. It is important for your employees to feel like they can still work autonomously while still giving them peace of mind.
About Mustard IT, your cybersecurity partner
Mustard IT provide a trusted team who are experienced and able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you stay secure online.