With CEO fraud (also called BEC fraud), fraudsters take a very targeted approach. Using sophisticated methods, they convince you that an executive has contacted you, so that you make a payment or buy gift cards for the fraudsters. Follow our tips to beat the scammers!
CEO-fraud: targeted deception
With CEO fraud, an attempt is made to convince a company's financial employee to transfer an amount to the fraudster's account. This fraud has been around for some time, but the advent of messaging services like email, WhatsApp, etc. has made it easier to impersonate someone else. Especially since there is often a lot of information about that particular person on social media!
This is how the fraudster works:
- Elaine works in the accounting department of the company Solar. She has power of attorney to make payments.
- One day, she receives an email or WhatsApp message that appears to come from John Dirks. She does not know the man personally, but knows he holds a high position in the company.
- In the message, Dirks says he is abroad and an urgent payment needs to be made. Normally Dirks would ask Josh Peters, Elaine's boss, but he is unreachable. Could Elaine just make the payment instead? There is a rush, because it involves a sensitive operation (a merger that must be kept secret).
- Elaine makes the payment to the account number mentioned in the mail. The fact that the mail mentions Josh Peters' name removes her suspicions. Later, it turns out that the mail did not come from Mr Dirks at all, but from a fraudster, who had plucked Elaine's name, her personal details (mail and phone number) from the internet, as well as the details of Mr Peters and Mr Dirks. Result: the money is gone!
How to recognise CEO-fraud?
With CEO fraud, alarm bells should ring for a financial employee when an executive suddenly contacts them directly and asks them to deviate from internal procedures when making a payment. Especially when the alleged executive applies pressure to make the payment quickly, or asks for strict confidentiality, mistrust is justified.
Take these precautions to prevent CEO-fraud
Check e-mail addresses and URLs before clicking on them.
Do not rely on the address mentioned in the 'From' line of an email, as it can be very easily faked (spoofing). You too can send mails that appear to come from firstname.lastname@example.org!
This is how you check clickable links in the e-mail:
- in the mail program in your computer: hold the cursor over the link for a moment, and in the status bar at the bottom of the page you will see the real address. Don't see a status bar? In most mail programmes, you can activate it via View > status bar.
- on your smartphone: long-press on the mail address or link. From the context menu that now appears, choose 'copy'. Then go to your notes app, long-press and choose 'paste'. Now you can study the email address or link.
- Dissect the web address carefully. http://clients.argenta.be.selling.com/inlog is not an address in the domain argenta.be, but a subdomain of selling.com. Only the last two parts of the host name, separated by a dot, make up the domain name; everything in front of them is a subdomain the owner of that domain can choose freely!
- Did you receive an e-mail that seems to come from your bank? Never click the link in the mail, but type your bank's address into your browser yourself.
- Ask your correspondents to sign their e-mails (read here how to do that in Outlook).
- Securing e-mail with the Sender Policy Framework (SPF), which lets a domain declare which servers may send mail on its behalf, can be a solution, but not all e-mail providers offer this option.
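The link check from the list above, written out as a small added example (not part of the original article): it pulls the host name out of a link, applies the article's "last two parts form the domain" rule, and tests whether the link really belongs to the domain you expect. It goes slightly beyond the article in also stripping a port or a `user@` part placed in front of the real host. The sample links are constructed; the helper names are my own.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercased host name of a link, ignoring scheme, port,
    path and any 'user@' part written in front of the real host."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(url: str) -> str:
    """Apply the article's rule: the last two dot-separated labels of the
    host name are the domain name. (Limitation, stated as an assumption:
    suffixes such as co.uk need the Public Suffix List to be handled.)"""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:])


def link_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host IS expected_domain or a subdomain of it.
    A host that merely *contains* the domain name does not qualify."""
    host = host_of(url)
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def suspicious_links(urls, expected_domain: str):
    """Return the links that do NOT belong to the expected domain."""
    return [u for u in urls if not link_belongs_to(u, expected_domain)]


if __name__ == "__main__":
    # Constructed sample links; the first one is the article's own example.
    links = [
        "http://clients.argenta.be.selling.com/inlog",
        "https://www.argenta.be/inlog",
        "https://argenta.be@selling.com/inlog",
        "https://argenta.be:443/inlog",
    ]
    for link in links:
        verdict = "ok" if link_belongs_to(link, "argenta.be") else "SUSPICIOUS"
        print(f"{verdict:10} {registrable_domain(link):14} {link}")
```

Running the block prints the real domain next to each link, so a reader can see why the article's example resolves to selling.com rather than argenta.be.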
Forewarned is forearmed! And don't forget: in the event of an attempted fraud, always contact the police. Even if you did not fall into the trap, the attempted fraud is still a crime. And by reporting it, you may help prevent others from falling victim to the fraud!