27th November 2023

Why and how should you raise your staff’s awareness of ‘CEO Fraud’?

Very large sums of money have already been stolen from companies through ‘CEO Fraud’, and it is never too late to protect yourself against this threat. To this end, we interviewed our experts who are in direct contact with our business customers, as well as those responsible for data security. Jean-Luc Bermes and Philippe Hennes, Corporate Banking, and Lars Weber, Information Security Officer at Spuerkeess, share their recommendations on how to better protect yourself. Happy reading!

Can you explain what ‘CEO Fraud’ is?

This refers to a fraudulent transfer scam. This type of fraud is often carried out by company employees, without them even realising that they are part of a fraud scenario. In effect, the fraudster manipulates an employee who will end up initiating a transfer, and this fraudulent transfer will then be validated and signed by other employees authorised on the account, or even the company directors. The transfer thus approved appears legitimate when it is not.

Fraud takes place in two stages:

1. Information gathering

Fraudsters will search for all kinds of information about the company, its managers and employees, by visiting its website and social networks (e.g. LinkedIn profiles), or by buying information from websites specialising in business intelligence. Next, they intrude into the company's private sphere, contacting employees under false pretences in order to extract further information. For example, a receptionist who discloses the nature (leave or sick leave) and duration of an employee's absence to a stranger trying to contact them by telephone is providing valuable information to a fraudster.

Once the fraudsters have acquired enough sensitive information, they will devise a scenario in order to get close to their target.

2. Manipulation

Using a well-thought-out strategy, the fraudsters will then contact their target by telephone or e-mail, with the aim of getting them to initiate payments, by changing an account number and insisting that the situation is exceptional, very urgent, highly confidential, etc. The timing of the contact is often carefully chosen: in the absence of a line manager, or while a partner is on sick leave, all the factors are in place to persuade the target to give in.

Fraudsters can also hack into an e-mail account in order to collect data such as contacts from an address book, to obtain information from correspondence to use as a hook, or simply use the e-mail account to make contact. They pretend to be the real sender of an e-mail and use falsified documents such as transfer orders, invoices, etc. as proof in order to initiate fraudulent transactions.

More classic variants of fraud also exist, based on sending a false invoice issued in the name of a real subcontractor to a company and sent in paper form (post) or electronically (e-mail), with the only difference being that the account number has been changed.

Which companies are affected by this type of fraud?

All companies need to be concerned about fraud. However, the more complex and/or geographically dispersed their hierarchies, the more likely they are to be the perfect target for fraudsters. Also, when company employees have little direct contact with their managers, the risk of executing a fraudulent transfer may be even higher.

The type of company that is targeted is often:

  • A complex and/or geographically dispersed structure: organisation and hierarchy

  • A large network of partners and subcontractors

  • A management team geographically separate from the entity

  • Little direct contact between managers and workers

It is important to remember that no small, medium-sized or large company can be excluded.

What advice would you give to companies to protect themselves against ‘CEO Fraud’?

Above all, the best advice we can give companies is to make their employees as AWARE as possible. Indeed, it is employees who are the first target of ‘CEO Fraud’, whether they are directly or indirectly involved in the company's financial hierarchy. It is therefore important that managers, administrative staff, and all those who have access to cash or participate in accounting are aware of the existence of the various types of scams.

To protect themselves against fraud, companies are strongly advised to:

Raise employee awareness of scams

Employees who are aware of the types of scams that exist are a real asset to your business. Indeed, your employees are the first to be targeted in this type of scam, which is why it's essential that they know how to recognise a situation that seems suspicious or unusual to them (e.g. a supplier who usually sends invoices by post, but the latest one arrived by e-mail). These situations should raise your suspicion if they are extremely urgent, highly confidential, or unusual.

Establish internal control procedures

Even if you dislike the rigidity of certain procedures, you should know that for your security they are a real deterrent to fraud. A strict validation process can help protect you against scams. For example, in order to ensure that an invoice is compliant, why not put in place a procedure involving multiple levels of validation, one of which may have to be performed using the ‘four eyes’ principle? Or simply maintain a restricted list of current account numbers to be used as beneficiaries, which can only be changed by following an internal validation procedure. For the same reason, it is important to always check the origin of an e-mail. The address or sender of an e-mail is often disguised. At first glance, everything looks fine, but on closer inspection, it turns out to be a 'counterfeit' almost identical to a known address.

These few methods of strengthening the control of transfers will give you an initial filter to avoid careless errors. 

If in doubt, contact your bank

If an invoice does not seem to correspond to previous ones (new bank account, unknown telephone number, etc.), this should attract the recipient's full attention. Moreover, if the company still has doubts about the authenticity of the document after this check, it is advisable to contact its bank advisor, who can in turn verify the document's authenticity. Banks want to anticipate the risk of fraud rather than having to inform customers that they have been scammed.

A highly urgent and confidential transaction requires your full attention!

Lars Weber

And if it's too late, what should you do?

As soon as a company realises that it has been the target of a scam, it has a duty to:

Inform your bank immediately

The bank will then try to block all transactions and carry out a ‘call-back’, i.e. it will recall the funds from the beneficiary's bank, if there is still time.

File a complaint with the police

As with any kind of theft in everyday life, when a company falls victim to a scam, it must immediately file a complaint with the police. A report is drawn up and a copy sent to the bank.

The 7 rules to remember when it comes to ‘CEO Fraud’

1. Raise awareness, raise awareness and raise awareness again;

2. Maximum vigilance when it comes to urgent, ultra-confidential and high-value transactions;

3. Maximum vigilance when it comes to changing the bank details of an existing customer or subcontractor;

4. Check the authenticity of the sender and the details on the invoice (account number, telephone number, e-mail address, etc.);

5. Where possible, introduce ‘four-eyes’ validation for high-value transactions;

6. Avoid opening suspicious attachments;

7. If in doubt, inform your bank.
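Rules 3, 4 and 5 above, together with the ‘internal control procedures’ answer, describe checks that can be made mechanical rather than left to each employee's memory. The following Python script is an added example, not Spuerkeess code: it screens an incoming invoice against a register of known beneficiaries, verifies the IBAN checksum, flags any change of account number or telephone number compared with what is on file, and detects sender domains that are near-copies of a known supplier's domain. The supplier, IBANs, e-mail addresses, phone numbers and message texts are constructed for the demonstration, and the two-edit look-alike threshold is an assumption to tune.

```python
"""Screen an incoming invoice against a register of known beneficiaries.
Added example, not Spuerkeess code; supplier data, IBANs, addresses and
phone numbers below are constructed for the demonstration."""
import re
import unicodedata

# Constructed register: sender domain -> details validated through the internal
# change procedure. Only that procedure may alter an entry.
REGISTER = {
    "muller-cleaning.example": {"name": "Muller Cleaning S.A.",
                                "iban": "LU280019400644750000",
                                "phone": "+352 26 12 34 56"},
}
# Words typical of the pressure applied in CEO fraud e-mails.
PRESSURE_WORDS = ("urgent", "immediately", "confidential", "today", "discreet")
# Characters swapped into look-alike domains, mapped to what they imitate
# (digits for letters, Cyrillic letters whose glyphs match Latin ones).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "8": "b",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})

def skeleton(domain: str) -> str:
    """Collapse a domain so that look-alikes map to the same string."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats the skeleton does not collapse."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 test: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must leave remainder 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def classify_sender(sender_domain: str, register: dict):
    """Return ('known' | 'lookalike' | 'unknown', matched register domain or None)."""
    domain = sender_domain.lower().strip()
    if domain in register:
        return "known", domain
    s = skeleton(domain)
    for known in register:  # a threshold of two edits is an assumption; tune it
        if s == skeleton(known) or edit_distance(s, skeleton(known)) <= 2:
            return "lookalike", known
    return "unknown", None

def screen_invoice(invoice: dict, register: dict = REGISTER) -> dict:
    """Compare payment details with the register. Any finding holds the payment
    for four-eyes review; a changed IBAN must pass the change procedure first."""
    findings = []
    sender_domain = invoice["sender"].rsplit("@", 1)[-1]
    status, matched = classify_sender(sender_domain, register)
    if status == "lookalike":
        findings.append(f"sender domain '{sender_domain}' resembles registered '{matched}'")
    elif status == "unknown":
        findings.append(f"sender domain '{sender_domain}' is not in the register")
    iban = re.sub(r"\s+", "", invoice["iban"]).upper()
    if not iban_is_valid(iban):
        findings.append("IBAN fails the mod-97 checksum")
    if matched is not None:  # compared even when the sender address is genuine
        entry = register[matched]
        if iban != entry["iban"]:
            findings.append(f"IBAN differs from the registered account of {entry['name']}")
        if invoice.get("phone") and invoice["phone"] != entry["phone"]:
            findings.append("contact phone number differs from the one on file")
    hits = [w for w in PRESSURE_WORDS if w in invoice.get("body", "").lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return {"decision": "hold_for_four_eyes" if findings else "pay", "findings": findings}

# Constructed invoices: genuine; look-alike sender ('rn' for 'm') with new bank
# details; and a compromised mailbox sending from the real address with a swapped IBAN.
GENUINE = {"sender": "billing@muller-cleaning.example", "phone": "+352 26 12 34 56",
           "iban": "LU28 0019 4006 4475 0000", "body": "Invoice 2023-117 for November."}
FRAUDULENT = {"sender": "billing@rnuller-cleaning.example", "phone": "+352 691 00 00 00",
              "iban": "DE89 3704 0044 0532 0130 00",
              "body": "URGENT: our bank details changed, please pay today. Confidential."}
TAKEOVER = {"sender": "billing@muller-cleaning.example", "iban": "LU98 0019 4006 4475 0001",
            "body": "Updated invoice, new IBAN effective immediately."}

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("fraudulent", FRAUDULENT), ("takeover", TAKEOVER)):
        result = screen_invoice(inv)
        print(label, result["decision"], *("\n  - " + f for f in result["findings"]))
```

The mailbox-takeover case is the one worth noting: a correct sender address proves nothing once the supplier's account has been hacked, so the account number is compared with the register regardless of who the e-mail appears to come from. A hold is cleared only through the change procedure, including a call-back to the supplier on the number already on file, never the one printed on the new invoice.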

Would you like to find out more?

Spuerkeess would be delighted to invite you to its next workshop on ‘CEO Fraud’.