Over the next few months we're going to look at how to fight back against various types of cyber attack. In this post we'll start with CEO fraud.
CEO fraud explained
CEO fraud is when criminals impersonate company executives to trick employees, mostly in the finance department, into making unauthorised transfers.
They send e-mails instructing the recipient to transfer funds to complete a deal or pay an invoice. Any funds transferred go directly to bank accounts controlled by criminals.
Sometimes criminals apply pressure by saying the request is urgent, and they try to stop the recipient raising the alarm by saying it is confidential, commercially sensitive or must not be discussed with colleagues.
It is a scam. Either the fraudster has 'spoofed' the CEO's e-mail address, or registered a look-alike domain, so that the message appears to come from him or her, or they have compromised the real mailbox and are sending from it. In the second case the message passes every check on the sender, which is why the request itself has to be verified another way. It is a targeted form of phishing, known as spear phishing.
CEO fraud, also known as business e-mail compromise or ‘bogus boss’ fraud, is a serious and growing problem worldwide. It has cost companies billions in losses over the last five years, according to the FBI.
It affects all types of companies: large and small, well-known and less well-known, in all industry sectors. Google and Facebook were tricked out of about $100 million by a criminal posing as one of their hardware suppliers and invoicing them for goods, the BBC reported last year.
Variations on a theme
There are variations to the CEO fraud scam. Awareness that these scams exist and how they work is half the battle.
- Supplier swindle — You receive a request purporting to be from a supplier, informing you that their bank account details have changed. They request payment to an alternative account. However, this is not your supplier and the new bank account is controlled by criminals.
- Supplier swindle in reverse — Criminals contact your suppliers pretending to be an employee of your company. They inform them that your bank account details have changed and supply new ones (their own). The first you know of this may be when a supplier contacts you to chase an unpaid invoice.
- Impersonation of professional services firms — You receive a request purporting to be from a law or accountancy firm, claiming to be handling time-sensitive or confidential matters on behalf of your company. They request a quick or secret transfer of funds.
- Data theft — You receive a request purporting to be from the CEO or head of HR, asking for the personal or tax details of colleagues.
Fighting back
Check the sender's actual e-mail address, not just the display name, by hovering the mouse cursor over it or expanding it in your mail client. Check that the domain is spelt correctly and is your corporate domain rather than one that merely resembles it (transposed or substituted letters, a digit in place of a letter, an extra word) or a free e-mail service such as gmail.com or yahoo.com. Check the Reply-To address as well: a fraudster can show the real CEO's address in From while routing replies to a mailbox they control. Remember that a genuine account that has been compromised will pass all of these checks.
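The checks above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original post or from PXP Financial: it parses the From and Reply-To headers of a message and flags free-mail senders, look-alike domains (typo-squats and homoglyph swaps such as rn for m or 1 for l), an executive's name on a non-corporate address, and a Reply-To that points somewhere other than the From domain. The corporate domain, executive name, free-mail list and the sample messages are all constructed for the example.

```python
"""Sender-header checks for suspected CEO-fraud e-mail (illustrative example)."""
from email import message_from_string
from email.utils import getaddresses

# Assumed values for this example: the organisation's own domain, the executives
# most likely to be impersonated, and well-known free webmail providers.
CORPORATE_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"jane doe"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Character swaps that make one domain read like another at a glance.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalise(domain):
    """Lower-case a domain and collapse common look-alike substitutions."""
    domain = domain.lower()
    for lookalike, real in HOMOGLYPHS:
        domain = domain.replace(lookalike, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain imitates a corporate domain without being one."""
    if domain in CORPORATE_DOMAINS:
        return False
    for corp in CORPORATE_DOMAINS:
        if normalise(domain) == normalise(corp) or edit_distance(domain, corp) <= 2:
            return True
    return False


def _domains(msg, header):
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(msg.get_all(header, []))}


def assess_sender(raw_message):
    """Return a list of (code, detail) findings for the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To"):
        for name, addr in getaddresses(msg.get_all(header, [])):
            domain = addr.rpartition("@")[2].lower()
            if domain in FREE_MAIL_DOMAINS:
                findings.append(("free-mail", f"{header}: {addr}"))
            if is_lookalike(domain):
                findings.append(("lookalike-domain", f"{header}: {addr}"))
            if name.strip().lower() in EXECUTIVE_NAMES and domain not in CORPORATE_DOMAINS:
                findings.append(("executive-name-external", f"{header}: {name} <{addr}>"))
    reply_domains = _domains(msg, "Reply-To")
    if reply_domains and reply_domains != _domains(msg, "From"):
        findings.append(("reply-to-mismatch", f"Reply-To domains {sorted(reply_domains)}"))
    return findings


def finding_codes(raw_message):
    """Just the finding codes, convenient for rules or tests."""
    return [code for code, _ in assess_sender(raw_message)]


# Constructed sample messages for the demonstration (not real traffic).
BODY = "\n\nPlease wire EUR 48,000 today and keep this between us.\n"
SAMPLES = {
    "typo-squat": "From: Jane Doe <jane.doe@examp1e-corp.com>\nSubject: Urgent" + BODY,
    "free-mail": "From: Jane Doe <ceo.janedoe@gmail.com>\nSubject: Urgent" + BODY,
    "reply-to": ("From: Jane Doe <jane.doe@example-corp.com>\n"
                 "Reply-To: Jane Doe <jane.doe@exarnple-corp.com>\nSubject: Urgent" + BODY),
    "legitimate": "From: Jane Doe <jane.doe@example-corp.com>\nSubject: Board pack" + BODY,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, assess_sender(raw))
```

The "legitimate" sample produces no findings, which is the important caveat: a message sent from a compromised genuine mailbox looks exactly like it, so these checks reduce the obvious cases but do not replace out-of-band verification of the request.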
If a request is made for a wire transfer, bank details or personal information, verify it with the organisation or individual supposedly making the request, using contact details you already hold. Do not reply to the e-mail or use telephone numbers provided in it; they may be fake.
Similarly, require a second person to approve any change to payment details and any transfer above an agreed threshold, and make that approval happen outside e-mail, so that a single convincing message cannot move money on its own. Enable multi-factor authentication on the corporate e-mail system to make it harder for criminals to take over an executive's mailbox, and publish SPF, DKIM and DMARC records for your own domain so that receiving mail servers can reject messages that spoof it.
Be suspicious of requests which seem urgent, secret or arrive unexpectedly at the end of a business day or week, and pressure you to act quickly.
Be careful what you post on social media and company websites, especially job titles, organisation charts and out-of-office contact details. It is very easy for a criminal to build a convincing spear phishing e-mail from information gained through a simple internet search.
Know the habits of your customers and suppliers. This will give you a better chance of spotting out-of-the-ordinary requests or sudden changes to business practices.
PXP Financial
The End-to-end payment platform
PXP Financial provides a single unified payments platform to accept payments online, on mobile and at the point of sale. Powered by inhouse global acquiring, 200+ alternative payment methods & financial services, PXP processes over EUR 16 billion annually through our unified gateway.
Whatever your business needs today or tomorrow, PXP Financial's innovative payment platform will support your business growth with all the payment services you will ever need from one source, wherever your business takes you.