Regardless of industry sector, it is an unfortunate reality that any business is susceptible to fraud.
While fraud is estimated to cost UK business over £140 billion annually, the Crime Survey for England and Wales suggests that just 17% of frauds come to the attention of the police or Action Fraud.
One type of procurement fraud – CEO fraud – continues to gain notoriety, leaving financial scars for many unsuspecting companies. According to a National Fraud Intelligence Bureau report, over £30 million has been reported lost in the UK as a result of this.
CEO fraud is a variation of a phishing email attack that involves deception by impersonation. An employee within the finance/accounts department will receive an email from a sender they believe to be the company’s CEO/Director or someone holding a senior position within the firm. The email will generally be an ‘urgent’ request to transfer money to a certain bank account for a specific reason. The member of staff actions the request, thinking it to be a legitimate transaction. The perpetrator of the fraud will immediately redistribute the funds into other mule accounts then close down the original recipient bank account to make it untraceable. Only a very small percentage of money is ever recovered from CEO fraud. This is often due to the time which elapses before the business discovers it has been the victim of this crime.
Social engineering is a key element of CEO fraud. Criminals do their research and spend time building a profile of a business they intend to target, reviewing personal bios on the company’s website and using professional networking platforms such as LinkedIn to develop further personalised intelligence. Careful study will reveal how the company is structured and organised from CEO/Director to senior management personnel. They will ensure they have harvested sufficient information to impersonate someone with senior authority whose request would not be questioned by staff.
Initial contact is usually made via email from an address that resembles the one the CEO/Director would use, often registered with a free webmail provider such as gmail.com or yahoo.com. In some cases, the exact email address of the CEO/Director can be cloned (spoofed), so that the message appears to come from the genuine address.
The email communication is generally constructed in such a way as to give the recipient the impression that the CEO/Director is busy in important meetings and does not want to be interrupted or disturbed. It might also suggest that the transfer of funds is in relation to a confidential M&A transaction which is time sensitive.
Often targeted at companies with domestic and overseas offices where the finance function is based in a different location or country to the CEO/Director and senior team, CEO fraud can go undetected for some time.
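As an added illustration (not part of the original article), the following Python script turns the sender and wording clues described above into indicator checks that a finance team or mail gateway could use to flag a payment request for phone-back verification. The staff directory, addresses and both sample messages are hypothetical and constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical staff directory (lower-cased display name -> genuine address).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com"}  # the webmail domains the article names
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|time.sensitive)\b", re.I)
PAYMENT = re.compile(r"\b(transfer|wire|payment|bank account|invoice)\b", re.I)
PRETEXT = re.compile(r"\b(confidential|acquisition|m&a|be disturbed|in (a )?meetings?)\b", re.I)

def ceo_fraud_indicators(raw_message):
    """Return the set of CEO-fraud indicator tags present in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    tags = set()
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:            # an executive's name on a lookalike address
        tags.add("lookalike-sender")
    if addr.rpartition("@")[2] in FREE_WEBMAIL:
        tags.add("free-webmail")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:      # cloned From header, replies steered elsewhere
        tags.add("reply-to-mismatch")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    for tag, pattern in (("urgency", URGENCY), ("payment", PAYMENT), ("pretext", PRETEXT)):
        if pattern.search(text):
            tags.add(tag)
    return tags

def needs_callback_verification(raw_message):
    # A payment request plus any other indicator: confirm by phone before paying.
    tags = ceo_fraud_indicators(raw_message)
    return "payment" in tags and len(tags) >= 2
# Constructed sample messages, not real mail.
SUSPICIOUS = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Urgent - confidential transfer

I am in meetings all day and cannot be disturbed. Please wire GBP 48,000
today for a confidential acquisition. Do not discuss this with anyone.
"""
LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Board pack

Please circulate the attached agenda before Thursday.
"""
```

The keyword lists are deliberately short; in practice they would be tuned to the organisation's own vocabulary, and a hit should trigger a call to the executive on a known number rather than a reply to the email.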
Sensible human checks, applied consistently, go a long way towards reducing exposure to this kind of procurement fraud.
Here are some tips on how businesses can minimise the risk of CEO fraud: