Why and how should you raise your staff’s awareness of ‘CEO Fraud’?

This refers to a fraudulent transfer scam. This type of fraud is often carried out by company employees, without them even realising that they are part of a fraud scenario. In effect, the fraudster manipulates an employee who will end up initiating a transfer, and this fraudulent transfer will then be validated and signed by other employees authorised on the account, or even the company directors. The transfer thus approved appears legitimate when it is not.

Fraud takes place in two stages:

Using a well-thought-out strategy, the fraudsters will then contact their target by telephone or e-mail, with the aim of getting them to initiate payments, by changing an account number and insisting that the situation is exceptional, very urgent, highly confidential, etc. The timing of the contact is often carefully chosen: in the absence of a line manager, or while a partner is on sick leave, all the factors are in place to persuade the target to give in.

Fraudsters can also hack into an e-mail account in order to collect data such as contacts from an address book, to obtain information from correspondence to use as a hook, or simply use the e-mail account to make contact. They pretend to be the real sender of an e-mail and use falsified documents such as transfer orders, invoices, etc. as proof in order to initiate fraudulent transactions.

More classic variants of fraud also exist, based on sending a false invoice issued in the name of a real subcontractor to a company and sent in paper form (post) or electronically (e-mail), with the only difference being that the account number has been changed.

Employees who are aware of the types of scams that exist are a real asset to your business. Indeed, your employees are the first to be targeted in this type of scam, which is why it's essential that they know how to recognise a situation that seems suspicious or unusual to them (e.g. a supplier who usually sends invoices by post, but the latest one arrived by e-mail). These situations should raise your suspicion if they are extremely urgent, highly confidential, or unusual.

Even if you dislike the rigidity of certain procedures, you should know that for your security they are a real deterrent to fraud. A strict validation process can help protect you against scams. For example, in order to ensure that an invoice is compliant, why not put in place a procedure involving multiple levels of validation, one of which may have to be performed using the ‘four eyes’ principle? Or simply maintain a restricted list of current account numbers to be used as beneficiaries, which can only be changed by following an internal validation procedure. For the same reason, it is important to always check the origin of an e-mail. The address or sender of an e-mail is often disguised. At first glance, everything looks fine, but on closer inspection, it turns out to be a 'counterfeit' almost identical to a known address.

These few methods of strengthening the control of transfers will give you an initial filter to avoid careless errors. 

If an invoice does not seem to correspond to previous ones (new bank account, unknown telephone number, etc.), this should attract the recipient's full attention. Moreover, if the company still has doubts about the authenticity of the document after this check, it is advisable to contact its bank advisor, who can in turn verify the document's authenticity. Banks want to anticipate the risk of fraud rather than having to inform customers that they have been scammed.

Spuerkeess would be delighted to invite you to its next workshop. To be informed of the date, please fill in the form below.