Source: Pixabay
Online fraud schemes are constantly evolving and becoming more devious. In some cases, it can be extremely difficult to spot the scam. Yet one particular fraud method seems to be growing in popularity in recent years and, more importantly, causing ever greater damage: the CEO Fraud. In this article, we’ll explain exactly how this method works and how you can protect yourself from it.
What is CEO Fraud?
CEO fraud is a fraud method in which perpetrators pretend to be a company’s CEO, boss or manager. In this scam, employees are usually asked to disclose sensitive data and company secrets or to transfer large amounts of money. The scam is often not recognized by the employees. They obey the prompts in the belief that they are coming directly from their superiors.
What are the types of CEO Fraud?
The attack can occur through a variety of communication channels. The most well-known method is contact by e-mail. Fraudsters frequently send fake e-mails or even take over the real e-mail accounts of CEOs. But even a supposed call from a superior can actually be an attempt to trick an employee. So-called “deepfake calls” are not uncommon and cause considerable damage. In the case of a deepfake call, not only is the telephone number faked or disguised, but the real voice of the superior can be imitated by an artificial intelligence.
What is the typical course of a CEO fraud?
Perpetrators of CEO fraud are usually very well prepared. They prepare their crime by collecting a large amount of data about their target. This information can be found on the company website, social media, business reports or brochures. Frequently, scammers also establish direct contact with employees, for example by calling them on the phone. During this supposedly harmless phone call, the perpetrators try to obtain further information, for example about the company structure, employees or working hours. At first glance, this information may seem trivial, but these details are often the reason why the fraud is not detected as such.
When sufficient information has been gathered, contact is made with the victim. In doing so, the perpetrator, acting as a superior, describes his/her concern and asks the victim to carry out a specific action. Psychological manipulation, emotional blackmail and pressure build-up eventually lead to the final goal. The consequences for the company can be fatal.
Actual example of a CEO Fraud
An employee receives an email from the management:
Hi D.,
I have a very busy schedule today. I am in a conference call with a new investor/partner right now. I really need your help to buy voucher cards worth 5x 100€ each. It is really urgent. You can buy the gift cards at any store near you. I am in an online conference, which is why I am contacting you by email. I would have called you, but calls are not allowed during the conference. Unfortunately, I do not know when the session will end. I will refund you as soon as I am done with the conference.
Please let me know briefly if you can take care of this for me.
Kind regards,
Name of Executive
In this example, the scammer explains several times that the request is urgent and why the executive cannot take care of it by her/himself or contact the employee by phone. In addition, the victim is put under pressure by the urgency and the position of power of the management. As a result, the employee has great reluctance to call the management personally to reassure her/himself. The fraudster would then ask the employee to send her/him the voucher codes.
Using a similar approach, cybercriminals can also contact a company’s accounting department, for example, and order transfers of large sums of money. The more insider information the perpetrators have, the more credible they will appear to the employee.
How can I protect myself from this method of fraud?
As with any other form of fraud, it is of utmost necessity to first train and raise awareness amongst employees. Employees should develop a sense and understanding of potentially fraudulent activity and always be aware of the risks of a possible fraud attempt.
From a company perspective, it can also be beneficial to maintain an open corporate culture and avoid an authoritarian management style. Employees are more inclined to follow a supervisor’s instructions without asking questions when an authoritarian leadership style is in place, especially when they are put under pressure. Specific hedging and approval processes for financial transactions can also prevent money from being transferred.
Employees should always exhibit a healthy level of scepticism when responding to emails and phone calls. They should also always consider contacting their supervisor in person to reassure themselves before complying with requests. Any emails or phone calls that seem odd should always be reported for safety’s sake.
You can also find out how to protect yourself from other fraud methods in this blog under the IT security tag.
Responsible for the content of this article is Stéphanie Bauens.
