Fraudsters work in a very targeted way when they commit CEO fraud. Using sophisticated methods they convince you that a manager is asking you to make a payment, when in fact the account is controlled by the fraudsters. Follow our tips to outsmart fraudsters!
CEO fraud: targeted deception
CEO fraud is an attempt to persuade a financial employee of a company to transfer an amount to the fraudster's account. This kind of fraud has been around for a long time, but the arrival of messaging services such as e-mail, WhatsApp, etc. makes it easier to pretend to be someone else. Especially as there is often a lot of information on social media about that particular person!
This is how a fraudster goes to work:
- Els works at the accounting department of company Zonneklaar. She is authorised to make payments.
- One day she receives an e-mail or WhatsApp message from Jan Dierckx. She doesn't know the man personally, but she knows he is high up in the company.
- In the message Dierckx says he is abroad and that an urgent payment needs to be made. Normally Dierckx would ask Jos Peeters, Els' boss, but he is unavailable. Could Els make the payment? There is a rush, because it concerns a sensitive operation (a merger that needs to be kept under wraps).
- Els makes the payment to the account number mentioned in the mail. The fact that the mail mentions the name of Jos Peeters removes any suspicions she had. Afterwards, it turns out that the mail was not sent by Mr Dierckx at all, but by a fraudster who found Els' name and personal details (e-mail address and phone number) on the internet, along with those of Mr Peeters and Mr Dierckx. Result: the money is gone!
How can you recognise CEO fraud?
In the event of CEO fraud, alarm bells should start ringing when an executive suddenly contacts a financial officer directly and asks them to deviate from the internal payment procedures. Be especially suspicious when the so-called executive puts pressure on you to carry out the payment quickly, or requests strict secrecy.
Take these precautions to prevent CEO fraud
Some simple precautions will lower the risk of this kind of fraud. Below is a list of measures that can be taken, both on company level and by individual employees.
As a company:
- Make your employees aware of the fact that such fraud exists and how they can recognise it.
- Ask your staff to always be careful with payment requests and to check them for irregularities.
- Issue internal payment guidelines. For example, you can agree that payment requests by e-mail are subject to a check to verify their authenticity. Or that for payments above certain amounts extra consultation is necessary.
- Check the information on your website. Transparency is good, but too much information is dangerous. Third parties don't need to know who your suppliers are, for example.
- Tell your employees not to share too much information on social media.
As an employee:
- Follow the internal security rules for payments, and do not give in to any pressure from the person asking for the payment - even if that person claims to be your boss.
- When in doubt, talk to an authorised colleague.
- Work out a guideline to confirm the correct bank account and beneficiary for payments above a certain amount.
- Don't share information about your employer, the hierarchy in your company, its security measures or its procedures. And be careful with social media!
- Check e-mail addresses and URLs before clicking them.
- Don't trust the address specified in the 'From' line of a mail: it can be falsified very easily (spoofing). You too could send mails that seemingly come from email@example.com!
- Clickable links in the text of a mail message can be checked as follows:
- in your computer's mail program: briefly hover the cursor over the link; the real address is shown in the status bar at the bottom of the window. Don't see a status bar? In most mail programs you activate it via View > Status bar.
- on your smartphone: press and hold the e-mail address or the link. From the context menu that appears, select 'Copy'. Go to your notes app, press and hold, and choose 'Paste'. Now you can examine the e-mail address or the link.
- Carefully analyse the web address. http://klanten.argenta.be.selling.com/inlog is not an address in the domain argenta.be, but a subdomain of selling.com. Only the last two parts of the address, separated by a dot, constitute the domain name!
- Received a mail that seems to have come from your bank? Never click the link in the mail; instead, type your bank's address into your browser yourself.
- Ask your correspondents to sign their mails digitally (read here how to do this in Outlook).
- Secure e-mail via the Sender Policy Framework (SPF) can be a solution, but not all e-mail providers offer this option.
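The "last two parts of the address" rule described above, applied by a small script rather than by eye. This is an added example, not code from the original page: the function names and the trusted-domain value are assumed, the sample links are constructed, and the script goes slightly beyond the page's example by also catching links where the bank's name only appears before an '@' sign or in an uppercase host.

```python
from urllib.parse import urlsplit

# Rule from the page: only the last two dot-separated labels form the domain
# name. Assumption (not from the page): for countries with multi-label suffixes
# such as co.uk this simple rule is too coarse and a public-suffix list is needed.


def hostname_of(url: str) -> str:
    """Return the lowercase host of a link, ignoring any user@ prefix and :port."""
    url = url.strip()
    if "://" not in url:            # a pasted link may lack the scheme
        url = "http://" + url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname           # strips user:pass@ and :port, lowercases
    if not host:
        raise ValueError("no hostname in link")
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Apply the page's rule: keep only the last two labels of the host."""
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified host: {host!r}")
    return ".".join(labels[-2:])


def belongs_to(url: str, trusted_domain: str) -> bool:
    """True only if the link really points into trusted_domain."""
    return registrable_domain(hostname_of(url)) == trusted_domain.lower()


if __name__ == "__main__":
    # Constructed sample links; the first two mirror the page's own example.
    samples = [
        "https://www.argenta.be/inlog",
        "http://klanten.argenta.be.selling.com/inlog",
        "http://argenta.be@login.example.com/",      # bank name is only the user part
        "https://ARGENTA.BE:443/",
    ]
    for link in samples:
        verdict = "OK" if belongs_to(link, "argenta.be") else "NOT argenta.be"
        print(f"{verdict:14} {registrable_domain(hostname_of(link)):20} {link}")
```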
Forewarned is forearmed! And don't forget: in case of attempted fraud always contact the police. Even if you did not fall victim, the attempted fraud is still a crime. And you will probably prevent others from falling victim to fraud!