Panic: the overwhelming feeling when you realize that you’ve just sent millions of dollars to someone at your CEO’s request. Except, as it turns out, it wasn’t your CEO at all.
Then uneasiness as you have to report CEO fraud to your boss and they in turn have to make a statement to the investors.
It’s more than the initial financial damage: the reputational wounds that come with falling victim to CEO fraud lead to customer anger, mistrust, and tumbling stock prices. That doubles the losses from a scam that 26% of workers have fallen for in the last year.
But CEO fraud is one of the most preventable crimes and the right combination of policies and technology can protect your business. You can combat fraud efficiently with the right protection measures against CEO fraud and mitigate the risks to your B2B organization so you never have to feel this way.
At Trustpair, we’re fraud experts here to help you combat this growing phenomenon. Download our free study about B2B payment fraud to learn more!
Here’s how CEO fraud works
Typically, someone associated with finance receives an email from what they think is the CEO or another senior executive. The fraudster (who is impersonating your CEO) requests a payment to a (fake) supplier or access to sensitive information – urgently. With the pressure on and persuasive social engineering tactics, it’s common for employees to make the payment without questioning anything.
The money is never seen again.
CEO fraud emails are a form of phishing, since attackers are able to spoof the email address of your CEO. However, there is a more targeted version of CEO fraud phishing, known as spear phishing. It differs in two ways:
- The fraudster actually hacks into your email system in order to study the way that the CEO talks. This will allow them to be more convincing in their unsolicited request, matching the real tone and style of their target.
- The fraudster gains an insight into who your real vendors are so that they can impersonate a known supplier and again, make the ruse more convincing.
Save the Children fell victim to one of the biggest CEO frauds in 2017.
Fraudsters hacked into the email system and were able to internally access the email account of a senior employee. The hackers, based in Japan, then used the account to send bogus documents pertaining to the installation of solar panels onto health facilities in Pakistan. Accompanying the fake documents were false invoices, which Save the Children paid approximately $1 million into.
Fortunately, Save the Children were insured and able to claim back over $850,000. However, the funds were never actually recovered and remain in the hands of the cybercriminals.
Impacts of CEO fraud
There are three major impacts of CEO fraud scams on B2B organizations:
- Monetary
- Regulatory
- Reputational
In financial terms, CEO fraud has been known to cause millions of dollars of loss. For example, European company Leoni AG lost €40 million to a CEO fraud attack in 2016. The money was never recovered.
In a regulatory sense, there is legislation all around the world that firms must adhere to, which helps prevent CEO impersonation fraud. For example, here in the US, we follow SOX Law to increase levels of transparency and to trace accountability for certain decisions. SOX Law also helps prevent money laundering.
Without detective controls (such as a traceable paper trail) that the regulations require, a case of CEO fraud would expose your company for not following the regulatory requirements. Non-compliance is another serious problem, leading to fines or imprisonment for senior executives.
Finally, the reputational impacts of fraud (CEO scams in particular) could do the most damage to the business. When confidential company security systems are breached you have a duty to inform your customers (and sometimes, the authorities). This can generate mistrust of your brand among consumers, also causing stocks to tumble. In the case of Leoni AG mentioned above, the stock value dropped by 5-7% overnight.
Best practices to mitigate CEO fraud
It’s not all doom and gloom. There are some tried and tested ways to protect your B2B organization against CEO fraud and set up your company for success. And it’s always important to remember: if it looks too good to be true, it probably is.
Build anti-fraud into your policies
At any B2B organization, documenting your processes will be key to maintaining quality as you scale. This is common practice, but what’s not quite so typical is going granular with it. By this, we mean building anti-fraud features into even the smallest details of each and every business policy.
By ensuring that you’re naturally built to protect against scammers down to the very core of the business, you’ll not only prevent CEO fraud but also other cybercrimes such as bank transfer fraud or payment fraud.
Here’s an example:
During your payment approval process, you could enforce a second approver if the invoice is greater than $10,000. This way, instead of succumbing to the plans of a CEO impersonator, a second colleague would have to double-check that the payee information is legitimate prior to payment.
Also during this process, you could build in automated three-way matching. This means that once an invoice is received, its financial details are checked automatically against two other documents: the purchase requisition form (or purchase order) and the goods delivery receipt. Only when all three agree can payment be made. It ensures that, as part of your procurement process, your people won’t be caught out by false supplier documents that demand payment without delivering any product.
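As an added example (not Trustpair’s code), here is a Python sketch of those two controls: the second-approver threshold and an automated three-way match of invoice, purchase order and goods receipt. The threshold, the records, the vendor IDs and the IBANs are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

SECOND_APPROVER_THRESHOLD = 10_000.00  # constructed policy value taken from the text


@dataclass(frozen=True)
class Doc:
    """One procurement record: a purchase order, a goods receipt or an invoice."""
    po_number: str
    vendor_id: str
    vendor_iban: str  # bank account the money would go to (empty on a goods receipt)
    quantity: int     # units ordered / received / billed
    amount: float     # 0.0 on a goods receipt, which carries no price


def three_way_match(invoice: Doc, po: Optional[Doc], receipt: Optional[Doc]) -> list[str]:
    """Compare an invoice with its purchase order and goods receipt.
    Returns an empty list when all three agree, otherwise the list of mismatches."""
    if po is None:
        return ["no purchase order for " + invoice.po_number]
    problems = []
    if invoice.vendor_id != po.vendor_id:
        problems.append("invoice vendor differs from purchase order vendor")
    if invoice.vendor_iban != po.vendor_iban:
        problems.append("bank details on invoice differ from the vendor on the PO")
    if abs(invoice.amount - po.amount) > 0.005:
        problems.append(f"invoice amount {invoice.amount:.2f} != PO amount {po.amount:.2f}")
    if receipt is None:
        problems.append("no goods receipt: nothing has been delivered")
    elif receipt.quantity < invoice.quantity:
        problems.append(f"billed {invoice.quantity} units but only {receipt.quantity} received")
    return problems


def approval_decision(invoice: Doc, po: Optional[Doc], receipt: Optional[Doc],
                      approvers: set[str]) -> tuple[str, list[str]]:
    """Return ("PAY", []) or ("HOLD", reasons). approvers holds distinct approver ids."""
    reasons = three_way_match(invoice, po, receipt)
    if invoice.amount > SECOND_APPROVER_THRESHOLD and len(approvers) < 2:
        reasons.append("amount above threshold needs a second approver")
    return ("HOLD" if reasons else "PAY", reasons)


# Constructed sample data: a real PO and delivery, then two invoices raised against it.
PO = Doc("PO-1001", "V-42", "DE89370400440532013000", 100, 9_500.00)
RECEIPT = Doc("PO-1001", "V-42", "", 100, 0.0)
GENUINE = Doc("PO-1001", "V-42", "DE89370400440532013000", 100, 9_500.00)
# Names the right vendor, but with new bank details, a larger amount and no delivery.
BOGUS = Doc("PO-1001", "V-42", "GB29NWBK60161331926819", 100, 48_000.00)
```

Feeding `BOGUS` through `approval_decision` with a single approver holds the payment for four separate reasons, whereas `GENUINE` is released.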
Create an open company culture
One reason companies fall victim to CEO fraud is that it takes advantage of employees who have a hard-working nature. They’re keen to impress the CEO and want to complete requests quickly.
But taking just a few minutes to think about an unusual payment request from the ‘CEO’ or another senior executive could prevent the theft. Therefore, it’s important to create a company culture that fosters curiosity and encourages employees to speak up.
You can do this by setting examples – following company governance policies and ensuring that payments go through the right routes. This way, a random, unauthorized request from the CEO doesn’t become standard in your organization. Plus, employees are more likely to think twice before they press send on a fraudulent transfer.
You can also encourage employees to call out suspicious payments by holding regular cybersecurity training sessions. They’ll already be familiar with the ruse and feel more confident in flagging something suspicious… but more on that later.
The best prevention and protection measures against CEO fraud
It’s important to mention that things can go wrong even when the best practices to mitigate risks of CEO fraud are followed. In fact, that’s exactly what happened to Mattel in 2015.
One day, an executive at Mattel received a scam email purporting to come from a colleague, requesting payment to a new vendor in China. The phishing email was unremarkable: it was sent at a time when Mattel was pushing production in China, and on the last day of the month, like most invoices are.
Mattel followed best practices and had a payment approval process in place. Since the sender requested $3 million, it went through the finance executive and newly-appointed, unsuspecting CEO. Everything was wired over before the executives at Mattel realized this was a scam.
However, Mattel got lucky. At the same time, there was a Chinese national holiday, which meant that bank services were delayed. This allowed Mattel to recover all of the funds, a fortunate ending that rarely occurs.
What happened to Mattel shows us that while building policies and enforcing best practices is important, you also need to be proactive in preventing CEO fraud. Here’s how you can actively prevent phishing scams at your B2B organization:
- Cybersecurity training and cyber-secure systems
- Two-factor authentication
Cybersecurity training and cyber-secure systems, a crucial measure against CEO fraud
Studies show us that cybersecurity training can prevent the success of fraud attempts. But this level of protection is multiplied when training is held regularly, approximately once every 9-12 months.
Cybersecurity training is effective for two reasons:
- It keeps staff informed of the most recent trends and technologically-advanced techniques that current fraudsters are using.
- The prospect of fraud is fresh in the mind of employees, making them more likely to realize when a payment request is suspicious or something else is out of the ordinary.
Moreover, you can protect your team by securing documentation, systems, and processes against malware. Maybe you’ll upgrade the firewall or spam filters around your email system, for example.
This way, you’ll help staff follow best practice policies and provide a clear trail for accountability. An added bonus, of course, is that clear documentation is easily followed by external accounting auditors – making tax season that much smoother.
Two-factor authentication, a must-have in protection measures against CEO fraud
Implementing a second verification step before payments can leave your bank account could make all the difference.
Multi-factor authentication means that your payee must provide two of the following three components to validate a payment:
- Something they know (for example a password)
- Something they have (for example a one-time passcode sent to their device)
- Something they are (for example, facial recognition or a fingerprint)
Two-factor authentication is successful in preventing 96% of phishing attacks. It could be the most important ‘last line of defense’ that your company ever relies on.
Anti-fraud solutions help you reduce the risks and block the effects of CEO fraud
When you partner with an anti-fraud platform, you can funnel all payment requests through a digital filter. This means that credentials are checked against a secure and reliable third-party database to verify the details. Having a dedicated fraud prevention solution like Trustpair is one of the most effective measures against CEO fraud.
Trustpair’s vendor data management system doesn’t just sit passively on the side of your operations. Instead, we can actively flag third parties at risk of errors with payment before they go through. With the ability to oversee suspicious transactions and data enrichment even for international vendors, your team benefits from real-time information to make decisions with confidence.
Request your very own Trustpair demo, here.
In summary:
- CEO fraud is a type of cybercrime that uses social engineering techniques, malicious software (such as spyware or viruses) and spoofing to defraud your business.
- Online fraud criminals steal money with fraudulent emails that manipulate employees into sending money or sensitive information (such as company credit card information).
- Protection measures against CEO fraud include defending against social engineering attacks by using an email security system that screens email attachments and training employees not to click suspicious links or redirects.
- Anti-fraud platforms can help you stay vigilant against a suspicious email by blocking payments that don’t add up and protecting your private information.