CEO fraud

CEO fraud is a form of social engineering in which fraudsters impersonate a company’s CEO (or another internal or external person of trust) to manipulate an employee of that company into performing an action (usually a payment) or revealing confidential information.

How does CEO fraud work?

Fraudsters first gather information about a company’s internal payment procedures and about the employees authorised to process large payment transactions. They do this by contacting employees by email or telephone, posing as, for example, auditors or a government department.

When the fraudsters have enough information, they contact one or more employees responsible for payments (such as the accounting department) and pose as the CEO. To do this they either break into the CEO’s real mailbox or create a fake email address that closely resembles the CEO’s real one, typically by changing a single letter of the official address. The fraudsters then concoct a story requiring a large sum of money to be transferred urgently and urge the employee(s) to keep the matter strictly confidential.

Sometimes the fraudsters take things a step further by involving a consultancy or a lawyer (whose identity they have assumed). The consultancy or lawyer will confirm the transaction and reiterate that the payment is urgent and confidential.

Employees who fall into this trap unwittingly transfer large sums of money to the accounts of money mules, from which the money is quickly moved on to accounts controlled by the fraudsters.

Tips to guard against CEO fraud

  • Always check the domain name in the sender’s email address, not just the display name: the name shown can be set to anything, and a fraudulent address often differs from the genuine one by a single letter.
  • Be wary of ‘confidential’ instructions to urgently transfer large sums of money.
  • If you receive such an urgent request, always call the person making the request back on a telephone number you already know, never on a number given in the message itself.
  • Never let a single person hold both halves of a dual-signature arrangement (for example, both payment cards and their PINs).
  • Build in sufficient control procedures:
    • Arrange for payments – and especially large ones – to be confirmed through a second channel in addition to email: a text message (SMS), a WhatsApp message, a phone call, and so on, again using contact details you already have.
    • Designate another person within the company (not the CEO) whom employees can approach if they receive a confidential or urgent request. This person can then check with the CEO that the request is genuine. Note: no one outside the company should know who this designated person is.
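
As an added illustration of the look-alike address described above (this is example code written for this page, not from the original article or from the financial sector), the following Python function pulls the domain out of a From: header and flags the near-miss forms the text mentions: a single changed, dropped, added or swapped letter, a look-alike character substitution such as “rn” for “m”, the genuine domain embedded in a longer one, and the genuine address planted in the free-text display name. TRUSTED_DOMAIN and the sample headers are made-up values.

```python
"""Flag look-alike sender domains (added example; not from the original article).

TRUSTED_DOMAIN and the sample From: headers below are constructed values.
"""
from email.utils import parseaddr

# The organisation's genuine mail domain (assumed for this example).
TRUSTED_DOMAIN = "example-corp.com"

# Character sequences that look alike in many fonts; fake form -> real form.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case a domain and undo the common look-alike substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each counts as one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swap adjacent
    return d[-1][-1]


def classify_sender(from_header: str, trusted_domain: str = TRUSTED_DOMAIN) -> str:
    """Return 'trusted', 'spoofed-name', 'lookalike', 'external' or 'invalid'
    for the address found in a From: header."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower()
    trusted = trusted_domain.lower()
    if domain == trusted:
        return "trusted"
    # The display name is free text: a genuine-looking address placed there
    # says nothing about where the mail really comes from.
    if trusted in display_name.lower():
        return "spoofed-name"
    # Near misses: one changed/added/dropped/swapped letter, a homoglyph swap,
    # or the real domain embedded in a longer one (example-corp.com.evil.test).
    if (edit_distance(domain, trusted) <= 1
            or normalise(domain) == normalise(trusted)
            or trusted in domain):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in [
        "Jane Doe <jane.doe@example-corp.com>",
        "Jane Doe <jane.doe@exampIe-corp.com>",     # capital I for lower-case l
        "Jane Doe <jane.doe@exarnple-corp.com>",    # 'rn' for 'm'
        "Jane Doe <jane.doe@examlpe-corp.com>",     # swapped letters
        "Jane Doe <jane.doe@example-corp.com.evil.test>",
        '"jane.doe@example-corp.com" <ceo.office@webmail.test>',
        "Billing <invoices@partner-firm.test>",
    ]:
        print(f"{classify_sender(header):13} {header}")
```

Note what this check cannot do: when the fraudsters have broken into the CEO’s real mailbox, as the text says they sometimes do, the message comes from the genuine domain and is classified as trusted. That is why the call-back on a telephone number you already know remains necessary even when the address looks right.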
 

I fell into the trap. Now what?

  • Contact your bank as soon as possible: the sooner it is alerted, the better the chance of stopping or recalling the transfer before the money is moved on from the mule account.
  • File a complaint with the police.
  • If the CEO’s mailbox was compromised, inform your company’s ICT department. The fraudsters have probably had access to a great deal of information through that mailbox, so passwords, among other things, will have to be changed.