The term CEO fraud is sometimes used to describe all aspects of business email compromise (BEC), but it also names a specific type of phishing used to fraudulently obtain funds. Fraudsters produce phishing emails that appear to come from a legitimate source but are designed to extract useful information. In CEO fraud, scammers target top company executives and take over their email accounts to make payment requests.
It’s known as whaling rather than phishing because CEOs are more ‘important’, just as whales are bigger and harder to land than fish. In theory, diverting funds using a senior executive’s authorisation should be much more lucrative. Senior executives oversee the largest deals involving the greatest amounts of money. Hundreds of thousands of dollars or euros can be moved in one hit.
The rise of CEO fraud
CEO fraud is constantly evolving, and scammers have plenty of methods for extracting funds from companies (read our business email compromise blog post for an overview). However, targeting the CEO and other senior management figures remains a widely used, effective method. This is unlikely to change.
After all, who is going to question their top boss, especially if they think they are being asked for a favour that will be rewarded in the future?
It is vital to be aware of, prepared for, and reactive to any potential whaling attacks.
PwC’s Global Economic Crime and Fraud Survey 2020 polled 5,000 companies globally and found that, on average, companies had fallen victim to six frauds over the previous two years, totalling USD 42 billion. Anything a company can do to reduce exposure is a step in the right direction.
How does CEO email fraud work?
There are several stages involved in a CEO fraud attack.
- Information gathering
Fraudsters research companies and targets to ensure emails are as convincing as possible. Social engineering tactics are often employed, such as ‘spear phishing’, a targeted approach using social media accounts and online information. The right research can make language, references, and requests appear more legitimate.
- Email takeover
Once scammers have control of an executive’s account, they have access to useful information and can send messages from that person’s real email account. This is less likely to arouse suspicion and can also be used to intercept real requests for payment. They can respond with fake payment account details.
- Finding and grooming a target
Scammers may already have a target, or they can use the CEO’s email account to access that information. They might send several emails over a period to ‘legitimise’ a payment request. They may claim to ask a favour, say they will be in meetings or travelling, suggest a last-minute deal will need urgent funds to close it at a specific time: there are various ruses, all designed to explain away the need for secrecy, speed, or large payments. The target feels special, important, and thinks their director will be indebted to them.
- Request for funds
The email requesting funds will seem legitimate, but payment details will be those of the scammer, not the intended recipient.
- Transfer of funds
Once funds have been transferred and the transaction is complete, the money is gone. It’s not unknown for scammers to make several payment requests to the same individual, and the fraud will often take a while to become apparent.
High profile victims
CEO fraud can be very lucrative. Upsher-Smith Laboratories lost USD 39 million in 2014 (it could have been over USD 50 million but they managed to recall one payment). An employee of Belgium’s Crelan Bank was deceived into making transfers worth almost USD 76 million. It was only discovered during an internal audit.
A company will often not know it’s a victim of CEO fraud until the books are balanced.
How to reduce a company’s risk of this kind of attack?
Finance department employees are authorised to make payments and are therefore most at risk of being targeted by fraudsters. Employees need to be aware of this and how scammers work. Education is key. Finance department employees need to be properly trained and empowered with knowledge.
Robust systems and internal procedures designed to counter scammer techniques will also help minimise a company’s risk of CEO fraud.
But to add an extra layer of security and make fraudsters’ lives even harder, it’s important to use the right software, able to detect and prevent these threats. Trustpair’s Third Party Risk Management software runs an automatic check of payment files to detect suspicious behaviour. Our Bank Account Supplier Check software verifies bank and corporate details worldwide. They save time and money and reduce risk.
Please get in touch so we can demonstrate how our software can transform your company’s CEO fraud risk. Contact us to request a demo and help guard your business against cybercriminals.
- CEO fraud can lead to extensive losses
- Educate your employees and particularly your finance department on the scams to watch out for
- Install Trustpair software for extra security and peace of mind