CEO fraud: how to protect your organization from fraudsters?


CEO fraud, also known as impersonation fraud, is a targeted cybercrime carried out by well-organized criminal groups. Businesses often feel helpless against it, because the outcome depends not only on what the attackers do but on how their own employees react. There are ways to prevent it, though, and in this article you'll learn how to protect your business. Read on for details!

Trustpair protects you against CEO fraud and other financial threats through constant account validation. Request a demo to learn more!


What is CEO Fraud?

CEO Fraud is a type of impersonation or identity theft that can defraud companies out of thousands. 

Criminals send out emails to an unsuspecting employee pretending to be the CEO or another senior executive and ask them to deposit funds into a business account… except it’s not a business account. Instead, it’s an entirely separate account belonging to the criminals themselves, enabling them to steal huge amounts from organizations.  Sometimes the fraudsters send a fake invoice and request an urgent payment for a “secret” partner or vendor. 

By placing high-pressure, time-sensitive conditions on their email requests, scammers can avoid scrutiny. It's an effective tactic, and executive fraud events (another name for CEO fraud) often appear in the news. In fact, in 2021 the FBI's Internet Crime Complaint Center recorded more than $2.4 billion in losses to business email compromise, the category that includes CEO fraud.


Impacts of CEO fraud

There are three major impacts of CEO fraud scams on B2B organizations:

  • Monetary
  • Regulatory
  • Reputational

In financial terms, CEO fraud has been known to cause millions of dollars of loss. For example, European company Leoni AG lost €40 million to a CEO fraud attack in 2016. The money was never recovered.

In a regulatory sense, there is legislation all around the world that firms must adhere to, and much of it helps prevent CEO impersonation fraud. For example, here in the US, we follow SOX (the Sarbanes-Oxley Act), which requires documented internal controls over financial reporting and makes senior executives personally accountable for the accuracy of what they sign off. SOX is not an anti-money-laundering law, but the audit trail it demands is exactly what makes an unauthorized payment visible.

Without detective controls (such as a traceable paper trail) that the regulations require, a case of CEO fraud would expose your company for not following the regulatory requirements. Non-compliance is another serious problem, leading to fines or imprisonment for senior executives.

Finally, the reputational impact of fraud (CEO scams in particular) could do the most damage to the business. When a breach exposes confidential data, you have a duty to inform your customers (and sometimes the authorities). This can generate mistrust of your brand among consumers and cause the share price to tumble. In the case of Leoni AG mentioned above, the stock value dropped by 5-7% overnight.


How does CEO fraud happen?

CEO fraud attacks usually happen through a technique called spoofing. The criminal forges the sender so that the message appears to come from a senior manager or CEO: either by putting the executive's name in the display name while sending from an unrelated mailbox, by registering a lookalike domain (one letter swapped or added), or by forging the From address outright where the receiving mail system does not enforce SPF, DKIM and DMARC. The employee will be asked either for a cash transfer from the company accounts or to share confidential information.

  1. Criminal impersonates a CEO or another executive with a similar email address
  2. The criminal sends employees high-pressure emails with a request to transfer company funds into a malicious account
  3. The criminal empties the account before the business realizes what’s happened  

Mobile email users fall for this most often, because mobile clients typically show only the display name and hide the full sender address. The scammers also use urgency to rush employees into a decision without thinking it through. Employees without security awareness training are the most likely to fall victim to a spear phishing attack of this kind. In recent years these attacks have become more sophisticated and more closely linked to wider cyber fraud: criminals use social engineering techniques, often backed by reconnaissance on the company (org charts, travel schedules, ongoing deals), that make the request credible and hard to detect even for a trained, cyber-aware employee.
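The sender checks described above can be automated. The following is an added example written for this article, not code from Trustpair or from the original page: it parses the headers of a constructed message and flags the classic executive-impersonation signals (a known executive's display name on a foreign address, a lookalike domain, a Reply-To pointing elsewhere, and failed SPF/DMARC results). The corporate domain, the executive directory and both sample messages are assumptions made up for the example.

```python
"""Heuristic checks for executive-impersonation ("CEO fraud") emails. Added example, not Trustpair code."""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"          # assumption: the company's real domain
EXECUTIVES = {                            # assumption: directory of names worth protecting
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
# Common character swaps used in lookalike domains: 0/o, 1/l, 3/e, 5/s, 7/t.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Collapse lookalike tricks so 'examp1e.com' and 'exarnple.com' compare equal to 'example.com'."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains one character away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reasons = []

    # 1. Display name of a known executive, but the address is not their real one.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{display_name}' but address is {from_addr}, expected {expected}")

    # 2. Sending domain is a lookalike of the corporate domain (homoglyphs or a one-character edit).
    if from_domain != CORPORATE_DOMAIN and (
        normalize_domain(from_domain) == CORPORATE_DOMAIN
        or edit_distance(from_domain, CORPORATE_DOMAIN) == 1
    ):
        reasons.append(f"lookalike domain {from_domain}")

    # 3. Reply-To points somewhere other than the From domain, so replies go to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 4. The receiving mail server's Authentication-Results header records an SPF or DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dmarc"):
        if re.search(rf"\b{check}=(fail|softfail)\b", auth):
            reasons.append(f"{check} did not pass ({auth.strip()})")
    return reasons


# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dmarc=fail header.from=examp1e.com
Subject: Urgent wire - confidential

Need a transfer done before 5pm, will explain later. Do not discuss with anyone.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass header.from=example.com
Subject: Board pack

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw) or "no impersonation signals")
```

In a real deployment these signals would feed a mail gateway rule or a SIEM detection; on their own they do not block anything, and a message that passes all four checks can still be fraudulent when the attacker has taken over the executive's real mailbox, which is why the payment-side controls later in this article matter.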

What’s the difference between CEO fraud and phishing?

It's important to note that CEO fraud is a separate ploy from phishing, even though there are some similarities.

CEO fraud is a much more targeted attack since the scammers already have insider information about the company’s background and how it is run. This is how they are able to spoof the CEO so convincingly. 

Instead, phishing scams are less targeted. Criminals will pretend to be a third-party company that deals with the business (think suppliers or delivery companies). Then, they send out the same email to thousands of employees from different organizations, hoping that one or two recognize the supplier and think the email is legitimate.  

CEO fraud is one form of Business Email Compromise (BEC). Bulk phishing is not BEC in itself, but a phished mailbox password is often the starting point of a BEC attack, which is why the two are discussed together.

What to do if you suspect you’ve fallen victim to impersonation fraud?

First things first, contact the CEO or the person who you thought instructed you to carry out the payment or share the information. Do this over a channel you already trust (a known phone number or a walk to their office), never by replying to the email or calling a number it contains, and confirm the request with them directly.

Then, once it's confirmed that you've fallen victim to a CEO fraud scam, notify your bank immediately and ask for a recall of the transfer. Provide evidence such as the fraudulent email, with its full headers intact, so that they can begin investigating at once. Reporting the crime to the police is also wise. Acting fast is the only chance you'll have of getting your money back, even though it doesn't guarantee it.

If other confidential information was shared, change the affected passwords immediately and audit your security, including checking the victim's and the executive's mailboxes for forwarding or auto-delete rules that an attacker may have added. Now it's about risk management: if the message carried an attachment or a link, scan the endpoint and make sure your email and endpoint protection are up to date.

Learn all there is to know about all the types of payment fraud in our latest fraud report!


What to do to prevent CEO fraud efficiently?

Email fraud is not a new scam, but the way criminals carry it out is constantly evolving, designed to catch even the most suspicious of employees.

But there are some things that you can do to help prevent CEO fraud in your organization. These include:

  • General fraud protection
  • Invoice fraud interception
  • Vishing and smishing prevention

Fraud Protection

One of the best fraud protection methods is by using fraud prevention software like Trustpair. It automatically verifies banking information with the card number and account name and tracks historical finances to notify your business about anomalies and suspicious behavior. Any employee trying to wire money to an unknown account will be flagged and the transfer will be blocked.

Moreover, an email security gateway that enforces SPF, DKIM and DMARC, tags messages from outside the organization and flags lookalike sender domains will stop far more whaling attempts and junk than the standard filters built into email software. Plain antivirus catches malware, not a well-written impersonation email.

Building a company culture that doesn’t involve high-pressure decision-making would also make an employee stop and question a time-sensitive rogue email. This means ensuring the payment approval process goes through several verification steps and empowering even junior staff to think for themselves. You can also set rules within your system so that unauthorized parties cannot gain access to funds.  Overall, having the right internal control policies will help you prevent CEO fraud.
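The "several verification steps" above, and the bank-detail matching mentioned in the FAQ at the end of this article, can be expressed as a payment-release control. The following is an added example written for this article, not Trustpair's product logic: a payment is released only if the beneficiary account is already in the vendor master file, the account holder matches the name on the request, the bank details were confirmed by a callback to a number from the master file, and enough independent approvals are present (two above a threshold, or whenever the bank details changed recently). The vendor file, thresholds and payment requests are assumptions made up for the example.

```python
"""Payment-release control against CEO and invoice fraud. Added example, not Trustpair code."""
from dataclasses import dataclass, field
from datetime import date

COOLING_OFF_DAYS = 7               # assumption: bank details changed within this window always need dual approval
DUAL_APPROVAL_THRESHOLD = 10_000   # assumption: above this amount two approvers are required


@dataclass
class Vendor:
    name: str
    iban: str
    details_changed_on: date
    callback_verified: bool        # details confirmed by phoning a number held in the master file, not one from an email


@dataclass
class PaymentRequest:
    beneficiary_name: str
    iban: str
    amount: float
    requested_by: str
    approvers: list[str] = field(default_factory=list)


def release_decision(req: PaymentRequest, vendors: dict[str, Vendor], today: date) -> list[str]:
    """Return the list of control failures; an empty list means the payment may be released."""
    failures: list[str] = []
    needed_approvers = 2 if req.amount > DUAL_APPROVAL_THRESHOLD else 1

    vendor = vendors.get(req.iban)
    if vendor is None:
        # The classic CEO-fraud / invoice-fraud pattern: a "new" or "updated" account nobody has vetted.
        failures.append("beneficiary account is not in the vendor master file")
    else:
        if vendor.name.lower() != req.beneficiary_name.lower():
            failures.append(f"account is registered to '{vendor.name}', not '{req.beneficiary_name}'")
        if not vendor.callback_verified:
            failures.append("bank details were never confirmed by callback to a known number")
        if (today - vendor.details_changed_on).days < COOLING_OFF_DAYS:
            needed_approvers = 2   # a fresh change is exactly when fraud is most likely

    if req.requested_by in req.approvers:
        failures.append("requester cannot approve their own payment")
    independent = set(req.approvers) - {req.requested_by}
    if len(independent) < needed_approvers:
        failures.append(f"{needed_approvers} independent approval(s) required, {len(independent)} present")
    return failures


# Constructed vendor master file and payment requests (not real data).
TODAY = date(2024, 3, 15)
VENDORS = {
    "DE89370400440532013000": Vendor("Acme Supplies", "DE89370400440532013000", date(2023, 1, 10), True),
    "FR7630006000011234567890189": Vendor("Nordic Parts", "FR7630006000011234567890189", date(2024, 3, 12), False),
}
# "The CEO" emails finance: pay Acme Supplies urgently to this new account.
CEO_FRAUD = PaymentRequest("Acme Supplies", "LT601010012345678901", 48_000, "alice", ["bob", "carol"])
# A supplier "changed bank details" three days ago by email; nobody called them back.
CHANGED_DETAILS = PaymentRequest("Nordic Parts", "FR7630006000011234567890189", 4_500, "alice", ["bob"])
# The ordinary case: known account, verified vendor, two approvers.
LEGIT = PaymentRequest("Acme Supplies", "DE89370400440532013000", 48_000, "alice", ["bob", "carol"])

if __name__ == "__main__":
    for label, req in (("CEO fraud", CEO_FRAUD), ("changed details", CHANGED_DETAILS), ("legit", LEGIT)):
        print(label, release_decision(req, VENDORS, TODAY) or "release")
```

The point of the control is that the email itself carries no weight: who asked, how urgently, and with what title changes nothing in `release_decision`. Only the state of the vendor master file and the approvals do.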

Invoice fraud interception

Invoice fraud accounts for over $300,000 in losses every year for medium-sized businesses. It’s one of the ways fraudsters can impersonate your CEO: by presenting a fake invoice and pressuring an employee to pay. What’s worse, departments usually play the blame game when planning measures against invoice fraud, which means that between the IT department and finance, fraudsters can fall through the cracks. 

There are plenty of best practices to prevent invoice fraud, such as verifying supplier details directly and using 3-way matching. But these can be manual and extremely time-consuming. 

So, the most effective way to protect against invoice fraud is by using fraud prevention software like Trustpair. Not only does this involve automating finance processes, you’ll also enrich data to easily spot suspicious activity. It takes professionals 30 minutes on average to hard check bank details, but with automated third-party pairing, you can do it in a matter of seconds. 

Vishing and smishing prevention

So what’s the difference between phishing, vishing, and smishing?

  • Phishing: the scam is delivered by email
  • Smishing: the scam is delivered by a link in an SMS or text message
  • Vishing: the scam is delivered by voice, i.e. a phone call (increasingly with a cloned voice of the executive)

It’s important to note that each of these techniques is a successful way that criminals can gain access to unauthorized funds and defraud businesses by impersonating your CEO or another high-executive. They each rely on social engineering, so training your employees in security awareness is key. 


CEO fraud prevention: how to protect your organization from fraudsters

The secret to preventing CEO fraud and fraud in general? Protecting your payment chain from beginning to end. 

This means a clear risk analysis, anomaly detection, clear communication channels in finance, and data traceability. No files changed at the last minute and no financial information hidden from view.  

Sound like a lot of work? That’s because it is. 

But your team could automate all of these CEO fraud prevention processes and save over 100 hours every single week with Trustpair. Leading the way in anti-fraud technology, we facilitate finance teams' access to international banking sources and wipe out wire transfer fraud. Cybercriminals can't compete with our cutting-edge technology and innovative protection. In fact, we have a 100% hit rate.

So what are you waiting for? Protect yourself from CEO fraud and other financial threats: demo the Trustpair platform today. Don't be a target for cybercriminals anymore!


In summary:

  • CEO fraud is a type of cybercrime that relies on social engineering and email spoofing to defraud your business; malware (such as spyware) is sometimes used beforehand to take over a mailbox, but the fraud itself needs no vulnerability in your software.
  • Criminals use fraudulent emails to manipulate employees into sending money or sensitive information (such as company credit card details).
  • Protection measures against CEO fraud include protecting yourself from social engineering attacks by using an email security system that screens email attachments and training employees not to click the link or redirect. It’s also about constantly checking who you’re transferring funds to, to make sure you aren’t paying a fraudster.
  • Anti-fraud platforms like Trustpair can help you stay vigilant by automatically checking banking details and blocking any suspicious payment.


FAQ

Criminals commit CEO fraud by impersonating the CEO or another senior executive of a business by email and deceiving employees into sending money (in the form of a wire transfer) or sensitive information (such as a social security number). The request is usually described as urgent and time-sensitive.

The CEO fraud email scam is a highly-targeted cybercrime committed by fraudsters who have a solid background on the organization they are targeting. These criminals also have a good grasp of how to conceal their identity through email.

CEO fraud is often used interchangeably with impersonation fraud.

It is also sometimes called whaling (a reference to phishing). Strictly speaking, whaling is phishing aimed at the executives themselves, the "whales", because they have the power to order payments without being questioned; the term is applied loosely to CEO fraud because those same executives are the ones being impersonated.

It’s also sometimes referred to as executive fraud.

The most effective way to prevent a CEO fraud attack is to build verification checks into your finance processes. No matter who is asking for the money, your system should automatically match the bank account details with the name of the person asking (at the very least). 

But Trustpair can help you go further. We detect suspicious behaviors through the mutualization of payment habits, historical payment analysis, and anomaly detection. Flagging anything that lies outside of the rules you set. What’s more, we use AI and both legal and banking data to continue tracking your third parties over time. 

All this without the clunky, junky dashboard. Your finance function will breathe a sigh of relief when they find out that our master file needs up to 70% less data cleaning.

CEO fraud phishing is a type of crime – fraudsters spoof an email address to look like it’s coming from the CEO or another senior executive, and send this to employees in the HR or finance department. If successful, the phishing attack ends with an employee committing wire fraud or sending confidential information. 

Employees fall for this ploy because the spoofed sender can look identical to the executive's real email address. Plus, the urgency built into the email encourages a quick chain of events that lets the criminals steal the money while avoiding scrutiny and detection.

Richard Scrushy was the CEO of HealthSouth between 1996 and 2002, a period over which the company's earnings were overstated by about $2.7 billion. Scrushy was alleged to have instructed the finance team to fix the numbers in order to disguise the shortfall between reported profits and actual cash flow.

To prevent the stock from tumbling, he allegedly had the finance team inflate the earnings: an entirely different type of CEO fraud, committed by the executive rather than by someone impersonating him.