Regardless of industry sector, it is an unfortunate reality that any business is susceptible to fraud.
While fraud is estimated to cost UK business over £140 billion annually, the Crime Survey for England and Wales suggests that just 17% of frauds come to the attention of the police or Action Fraud.
One type of procurement fraud – CEO fraud – continues to gain notoriety, leaving financial scars for many unsuspecting companies. According to a National Fraud Intelligence Bureau report, over £30 million has been reported lost in the UK as a result of this.
CEO fraud is a variation of a phishing email attack that involves deception by impersonation. An employee within the finance/accounts department will receive an email from a sender they believe to be the company’s CEO/Director or someone holding a senior position within the firm. The email will generally be an ‘urgent’ request to transfer money to a certain bank account for a specific reason. The member of staff actions the request, thinking it to be a legitimate transaction. The perpetrator of the fraud will immediately redistribute the funds into other mule accounts then close down the original recipient bank account to make it untraceable. Only a very small percentage of money is ever recovered from CEO fraud. This is often due to the time which elapses before the business discovers it has been the victim of this crime.
Social engineering is a key element of CEO fraud. Criminals do their research and spend time building a profile of the business they intend to target, reviewing personal bios on the company’s website and using professional networking platforms such as LinkedIn to develop further personalised intelligence. Careful study will reveal how the company is structured and organised, from CEO/Director down to senior management personnel. They make sure they have harvested enough information to impersonate someone with senior authority whose request would not be questioned by staff.
Initial contact is usually made via email from an address similar to the one the CEO/Director would use, often a gmail.com or yahoo.com address. In some cases, the exact email address of the CEO/Director can be cloned (spoofed).
The email communication is generally constructed in such a way as to give the recipient the impression that the CEO/Director is busy in important meetings and does not want to be interrupted or disturbed. It might also suggest that the transfer of funds is in relation to a confidential M&A transaction which is time sensitive.
Often targeted at companies with domestic and overseas offices where the finance function is based in a different location or country to the CEO/Director and senior team, CEO fraud can go undetected for some time.
Sensible human checks go a long way towards reducing exposure to procurement fraud.
Here are some tips on how businesses can minimise the risk of CEO fraud:
- Don’t assume that employees automatically understand the threats and methodologies of fraud. Security awareness is essential and all staff – not just those with authority to transfer money – should be educated and updated regularly on fraud trends aimed specifically at businesses.
- Review internal procedures relating to financial transactions, consider monetary authorisation limits of accounts staff, and put two-factor verification safeguards in place.
- Educate employees to always check the sender’s email address when an urgent financial transaction is requested. Staff should be trained to look for telltale signs such as messages from gmail.com or yahoo.com addresses, or from lookalike domains. Employees should know their company domain name and must be vigilant in this respect. If in doubt, they should call the person who has ‘sent’ the email to corroborate that the payment request is legitimate.
- Remember, part of this fraud plays on the fact that staff are unlikely to question a request from a senior member of the company. Encourage employees to challenge any financial requests they might be suspicious about. Alerting a senior member of the company and preventing possible fraud is better than telling them they have been a victim.
- Protecting your company against this type of fraud requires almost no investment in technology, just a heightened awareness of how such scams work and a regular reminder to all employees on the simple steps they can take to minimise the threat.
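The sender checks described in the tips above (company domain, free webmail addresses, lookalike domains, a senior name on an outside address) can be automated as a first-line filter. The following is an added example, not code from the article; the company domain, executive names and sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed assumptions (not from the article): the company's own domain, the
# executives a spoofed message is likely to impersonate, and the free webmail
# domains the article names as telltale signs.
COMPANY_DOMAIN = "acme-widgets.co.uk"
EXECUTIVE_NAMES = {"jane smith", "john doe"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "yahoo.co.uk", "hotmail.com", "outlook.com"}
PAYMENT_WORDS = re.compile(r"\b(urgent|immediately|confidential|transfer|wire|payment)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, subject: str = "") -> list:
    """Return warning strings for a From: header; an empty list means nothing was flagged."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    if domain != COMPANY_DOMAIN:
        if domain in FREEMAIL_DOMAINS:
            warnings.append(f"free webmail domain {domain}")
        elif COMPANY_DOMAIN in domain:  # e.g. company domain used as a subdomain of another
            warnings.append(f"{domain} embeds the company domain but is not it")
        elif edit_distance(domain, COMPANY_DOMAIN) <= 2:
            warnings.append(f"{domain} is a lookalike of {COMPANY_DOMAIN}")
        if display_name.strip().lower() in EXECUTIVE_NAMES:  # the core of the impersonation
            warnings.append(f"display name '{display_name}' matches an executive but address is external")
        if warnings and PAYMENT_WORDS.search(subject):
            warnings.append("payment/urgency wording from a non-company sender; verify by phone before acting")
    return warnings


if __name__ == "__main__":
    samples = [  # constructed sample headers
        ('"Jane Smith" <jane.smith@acme-widgets.co.uk>', "Q3 figures"),
        ('"Jane Smith" <jane.smith.ceo@gmail.com>', "URGENT wire transfer - confidential"),
        ("J Smith <js@acrne-widgets.co.uk>", "Supplier payment"),
    ]
    for hdr, subj in samples:
        print(hdr, "->", assess_sender(hdr, subj) or ["no warnings"])
```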