CEO fraud isn’t, as you might think, fraud conducted by CEOs. Instead, it’s conducted by fraudsters impersonating CEOs and senior executives to trick clients into making payments to fraudulent accounts.
This type of fraud is usually conducted by sophisticated criminal organisations with comprehensive knowledge of the market, its structure and the types of customers or employees that are susceptible.
CEO fraud can take a variety of forms, but there are a couple of common scenarios. For example, a purchaser may make regular payments to overseas vendors. One day, they receive an email purportedly from their vendor contact, asking for payments to be made to a new bank account due to problems with their current bank account or a switch in provider. The vendor’s overseas location makes it more challenging to verify this change and, with a little pressure applied by the supposed vendor, the buyer makes a wire transfer to the new account – into the hands of fraudsters.
Another growing trend targets employees, rather than external clients. For example, a regional CFO of a subsidiary might receive a call, allegedly from the global CEO’s assistant, to request an urgent money transfer to cover a tax payment elsewhere. Naturally, the CFO would want to discuss this first, so calls may be set up and official letter-headed paper used in communications. What’s more, the fraudster would have intricate knowledge of the company’s policies – making the scenario more convincing. But, again, money is wired to a foreign, fraudulent account, and then dispersed rapidly before the fraud is identified.
These types of fraud – and there are numerous variations – draw heavily on the authority and persuasive power a CEO commands. Employees may circumvent normal security procedures because the request is coming ‘from above’. For added authenticity, the fraudster may introduce a third party, posing as a lawyer or regulator.
Firstly, make sure your employees are aware of these scams, and know to follow the security procedures in place regardless of who instigates the request. Secondly, be sure to keep computer antivirus software up to date and deliver regular anti-fraud training to your employees.
Verify any request for orders, transfers or changes of financial details. The best way to do this is to telephone your original contact using the contact details you have on file for them – or those in an official source, such as a company website. To be extra safe, it’s worth using two forms of contact in case one has been hijacked. And inform your superior, risk or legal department if you have any doubts.