Regardless of industry sector, it is an unfortunate reality that any business is susceptible to fraud.
Whilst fraud is estimated to cost UK business over £140bn annually, the Crime Survey for England and Wales suggests that just 17% of frauds come to the attention of the police or Action Fraud.
CEO fraud continues to gain notoriety, leaving financial scars on many unsuspecting companies. In the UK over £30 million has been reported lost as a result of CEO fraud, according to a National Fraud Intelligence Bureau report.
CEO fraud is a variation of the phishing email attack that relies on deception by impersonation; it is commonly grouped with procurement and payment fraud. An employee in the finance or accounts department receives an email from someone they believe to be the company’s CEO, a Director or another person holding a senior position within the firm. The email is generally an ‘urgent’ request to transfer money to a specified bank account for a stated reason, and the member of staff actions it believing it to be a legitimate transaction. The perpetrator immediately moves the funds on through other mule accounts and closes the original recipient account, making the money very hard to trace. Only a very small percentage of money is ever recovered from CEO fraud, largely because of the time that elapses before the business discovers it has been the victim.
Social engineering is a key element of CEO fraud. Criminals do their research and spend time building a profile of the business they intend to target, reviewing personal bios on the company’s website and mining professional networking platforms such as LinkedIn for further personalised intelligence. They carefully study how the company is structured and organised, from CEO and Directors down to senior management, until they have harvested enough information to impersonate someone with sufficient authority that staff would not question the request.
Initial contact is usually made by email from an address designed to pass as the CEO’s or Director’s: often a free webmail account (gmail.com, yahoo.com) carrying the executive’s name as the display name, or a domain that looks like the company’s.
The email is generally constructed to give the recipient the impression that the CEO/Director is busy in important meetings and does not want to be interrupted or disturbed. It might also suggest that the transfer of funds relates to a confidential, time-sensitive M&A transaction.
CEO fraud is often targeted at companies with domestic and overseas offices, where the finance function sits in a different location or country from the CEO/Director and senior team; in that setting it can go undetected for some time.
Common-sense human intervention goes a long way towards reducing exposure to this type of fraud.
Here are some tips on how businesses can minimise the risk of this type of fraud:
1. Don’t take it for granted that staff automatically understand the threats and methods of fraud. Security awareness is key: all employees, not just those with authority to transfer money, should be educated and updated regularly on fraud trends specifically aimed at businesses.
2. Review internal procedures relating to financial transactions, consider monetary authorisation limits for accounts staff, and put two-tier verification safeguards in place, for example a call-back to the requester on a known telephone number (never one taken from the email) before any urgent transfer or new payee is released.
3. Educate employees to always check the sender’s email address when urgent financial transactions are requested. Staff should be trained to look for tell-tale signs such as free webmail addresses (gmail.com, yahoo.com) or look-alike domains that differ from the company’s by a character or two. Employees should know their company’s domain name and be vigilant about anything that does not match it exactly; the display name alone proves nothing, as it can be set to any value.
4. Remember that part of this fraud plays on the fact that staff are unlikely to question a request from a senior member of the company. Encourage employees to challenge any financial request they are suspicious of. Alerting a senior member of the company and preventing a possible fraud is better than telling them they have been a victim.
5. Protecting your company against this type of fraud requires almost no investment in technology, just a heightened awareness of how such scams work and regular reminders to all employees of the simple steps they can take to minimise the threat.
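The address check described in tip 3 can also be automated at the mail gateway or in a SIEM rule so that suspect requests are flagged before they reach the accounts inbox. The script below is an added example, not code from the original article or from BTG Advisory: it parses the From: header of a message, treats the exact company domain (and its sub-domains) as internal, and marks as suspicious a free webmail or any other external address that carries an executive’s display name, a domain that embeds the company domain, or a look-alike domain whose first label matches the company’s after undoing common character swaps (rn for m, 1 for l, 0 for o). The company domain example.com, the executive names, the webmail list and the sample headers are all constructed for illustration.

```python
"""Triage of From: headers for CEO-fraud indicators.

Added example, not code from the original article. The company domain
(example.com), the executive names, the free-webmail list and the sample
headers below are all constructed for illustration.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # assumed company domain
EXECUTIVES = {"jane doe", "john smith"}            # assumed senior staff names
FREE_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "yahoo.co.uk",
                "outlook.com", "hotmail.com", "hotmail.co.uk"}

# Common character substitutions used in look-alike domains, mapped back to
# the character they imitate so that "exarnple" and "examp1e" both read "example".
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def _normalise(label):
    """Undo the substitutions in HOMOGLYPHS on a single domain label."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def _edit_distance(a, b):
    """Levenshtein distance; small enough to inline rather than depend on a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, reason) for a raw From: header value.

    verdict is one of "internal", "external" or "suspicious".
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("suspicious", "no parseable address")
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    name = " ".join(display_name.lower().split())

    # 1. Genuine company mail: the exact domain or a sub-domain of it.
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return ("internal", "company domain")

    # 2. Company domain embedded in a longer, unrelated domain
    #    (example.com.evil-host.net); real sub-domains were excluded above.
    if COMPANY_DOMAIN in domain:
        return ("suspicious", f"company domain embedded in {domain}")

    # 3. Look-alike first label: homoglyph swap or a single-character edit.
    company_label = _normalise(COMPANY_DOMAIN.split(".")[0])
    sender_label = _normalise(domain.split(".")[0])
    if _edit_distance(sender_label, company_label) <= 1:
        return ("suspicious", f"look-alike domain {domain}")

    # 4. An executive's name as display name on any non-company domain.
    #    The display name is free text and proves nothing on its own.
    if name in EXECUTIVES:
        return ("suspicious", f"executive display name on external domain {domain}")

    if domain in FREE_WEBMAIL:
        return ("external", f"free webmail ({domain})")
    return ("external", domain)


def suspicious_senders(headers):
    """Return the raw headers that classify_sender marks as suspicious."""
    return [h for h in headers if classify_sender(h)[0] == "suspicious"]


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",                  # genuine
    "IT Helpdesk <helpdesk@mail.example.com>",          # genuine sub-domain
    "Jane Doe <janedoe.ceo@gmail.com>",                 # exec name on webmail
    "Accounts <ap@examp1e.com>",                        # digit 1 for letter l
    "Jane Doe <jane.doe@exarnple.com>",                 # rn for m
    "Jane Doe <jane.doe@example.com.evil-host.net>",    # company domain embedded
    "Supplier <billing@supplier.co.uk>",                # ordinary third party
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        verdict, reason = classify_sender(h)
        print(f"{verdict:10} {reason:55} {h}")
```

Run as a script it prints a verdict for each sample header; in practice `classify_sender` would be called on the From: header of every inbound message to the finance mailboxes and a "suspicious" verdict would add a banner or route the message for review. The heuristics deliberately err on the side of flagging (an ordinary third party with a domain one edit away from the company’s will trip rule 3), so treat a hit as the trigger for the call-back in tip 2 rather than as proof of fraud, and remember that none of these checks help once the executive’s real mailbox has been compromised.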
BTG Advisory has a team of skilled and knowledgeable digital forensics experts who deploy electronic fraud pattern analysis techniques to identify unexpected, erroneous or anomalous patterns in financial transactions. If your business has been the victim of fraud or financial crime, contact our experienced technology consultants to discuss how we can assist.
For further details contact:
0843 320 9198