This article is part of our collection on Cyber Security
In the latest in a series to increase awareness among businesses of the potential threats they face from scammers, we look into CEO fraud – including how it works, who is most at risk and how to stay safe.
Last updated: 19 May 2020 7 min read
An urgent email arrives from a senior member of staff demanding funds. What should you do? Despite the risks it poses to cash flow, many companies are not equipped to protect themselves or spot so-called ‘bogus boss’, or CEO, fraud.
CEO fraud occurs when a criminal poses as a senior person within an organisation and sends a very plausible-looking request to another member of staff.
The scam continues with the fraudster asking the recipient to make an urgent payment to a specified beneficiary, bypassing normal procedures because of exceptional circumstances – such as on the pretext that an early payment discount will be missed if funds are not transferred immediately.
In reality, the fraudster has spoofed or hacked into the relevant email account, and if the request isn’t verified independently, the company risks paying funds directly into the criminal’s bank account, likely opened under a false or stolen identity and closed soon after the funds are transferred.
CEO fraud can have serious repercussions for businesses. According to banking trade body UK Finance, there were 603 cases of CEO fraud in 2018, leading to total losses for businesses of £14.8m.
David Mount, director at security software group Cofense, explains: “They use motivators such as fear, urgency, and the innate human desire to help – after all, who wants to be the person that didn’t help the executive in their time of need?”
In contrast to some other email frauds, CEO fraud can be extremely targeted. While companies may be alert to spam messages containing easy-to-identify grammatical and spelling errors, bogus boss fraud is a one-on-one operation conducted by con artists targeting specific organisations, and specific individuals within those organisations. For instance, a fraudster targets a school, posing as the head teacher, and makes a request for an urgent bank transfer to an employee with the authority to sign off financial transactions. The employee, who will be used to fulfilling such requests, will likely do as they have been told without questioning it.
Another example is seasonal targeting, where a fraudster posing as the CEO requests, via email, that a staff member purchase gift card vouchers to give out to employees as Christmas presents. The bogus boss then requests copies of the cards and their codes, allowing them to spend up to the value on each one.
One survey by the Association of Financial Professionals found that 77% of organisations had experienced attempted or actual bogus boss scams in 2017.
“The information age has led to a proliferation in cyber attacks and a growing level of sophistication,” says James Maycock, forensic partner at KPMG.
“Many attacks to date have used tried-and-tested exploits, mixing traditional social engineering with known software vulnerabilities, including phishing attacks, which target employees in large organisations or government offices for financial gains.”
A report from the City of London Police’s National Fraud Intelligence Bureau shows that more than £32m has been reported lost from UK businesses as a result of CEO fraud, while FBI estimates suggest that, globally, the problem is increasing at an alarming rate.
Typically, the average amount inadvertently handed over to a fraudster is £35,000, according to the City of London Police – but the largest individual sum reported lost through bogus boss fraud was £18.5m.
“Great care is taken by the fraudsters to make sure the emails they send really do look like they have come from a very senior figure in the company,” adds Maycock.
“Add to this the fact that targets are carefully chosen to be important enough to sign off on substantial sums – particularly staff who work in the accounts department. The fraudsters are good at keeping up the pressure on the unsuspecting targets who are pressured into acting quickly to stop them getting suspicious until the payment is made.”
“Many attacks mix traditional social engineering with known software vulnerabilities, including phishing, which targets employees in large organisations or government offices for financial gains”James Maycock, forensic partner, KPMG
Experts warn that much of the information needed for the crime, such as the name of a firm’s accountant, CEO and head of finance, are easily available online to fraudsters via Companies House, a firm’s own website or social media, and that fraud can be for a sum that is substantial but not large enough to attract attention.
“It can be for any amount,” says Lynne Beaton, operational fraud manager at the bank. “Time is of the essence: the quicker the customer identifies it as a scam and they contact the bank, the quicker we can try and recover the funds on a best endeavours basis.”
There are a number of simple steps that can help protect companies from falling victim to this type of crime.
Beaton says good staff training and preparedness, as well as an open company culture, are vital in preventing CEO fraud.
“It goes back to having a culture that you can challenge the authenticity of the email and don’t take the email on face value and pay the funds away,” she says.
Meanwhile, Mount advises: “Robust financial controls are essential to preventing losses from CEO fraud, particularly appropriate checks and balances around payments to previously unknown sources.
“Wherever possible, organisations should enforce appropriate separation of duty – for example, the person who requests a financial transfer or payment is not able to authorise it. In addition to this, employees should be provided with relevant ongoing training to be able to identify CEO fraud scams and then easily report them to security teams for review.”
Mount also suggests “phishing simulation programmes” that specifically target financial users, using examples of real CEO fraud emails to help identify tactics used in these scams and reinforce the correct processes to keep the organisation secure, including independent verification.
Beaton says simple checks can help, such as looking out for the email address changing when the user hovers a cursor over it or looks at its properties, and not relying on any contact details within the requests, as the fraudster may have altered these. “Contact the sender directly by phone or on a fresh email to ensure the request is legitimate,” Beaton says.
Companies can also protect themselves by ensuring the browser, operating system, firewall and anti-virus or malware software are all up to date, with regular scans run of the system.
A Joint Fraud Taskforce was set up in 2016 to tackle this and other types of financial fraud, made up of representatives from the City of London Police, the National Crime Agency, Financial Fraud Action UK (now part of UK Finance), the Bank of England, and chief executives of the major banks.
There are various channels available if companies find themselves victims of CEO fraud. Importantly, they should contact the bank and Action Fraud straight away, particularly as criminals become more sophisticated in their tactics.
“Recent trends suggest that criminals are becoming more aggressive, seeking larger payoffs with growing disregard for victims,” warns KPMG’s Maycock.
With that in mind, Beaton recommends organisations ensure staff have their wits about them and be on their guard for unusual variances in email communications.