Payment traffic itself is increasingly well protected. That is why fraudsters go after the weakest link: the trust between a company's employees. By deceiving them, for example through CEO fraud, fraudsters manage to get their hands on substantial amounts of money. But how exactly does it work, and what can you do to stop it?
CEO fraud is a form of social engineering. Someone contacts one of your employees by e-mail and/or telephone and pretends to be a manager in your company. The employee is convinced the situation is urgent and makes a hasty payment. Because the employee authorised the transfer, the bank treats it as a legitimate payment, which makes the money very hard to reclaim. So prevention is better than cure.
350 000 euros
The average damage of CEO fraud according to a BDO study.
How does it work?
Two major types of CEO fraud can be distinguished: targeted, well-organised attacks and so-called spray and pray attempts. Two methods with the same final goal, but a completely different approach:
Spray and pray: big net, small catch
Fraudsters send out huge numbers of generic e-mails. Most recipients treat them as spam and delete them immediately, but for a small number the message happens to fit their situation at that moment, and some of those make a payment. The underlying idea is: "If I cast my net wide enough, I will always catch something."
Targeted attacks: one victim, months of preparation
Targeted, organised attacks are a lot more ingenious. Sometimes they involve weeks or even months of preparation. Fraudsters gather as much information as possible through social media, pretext telephone calls, fabricated e-mail addresses, and so on.
They usually strike when a senior manager, such as the CEO or the CFO, is on holiday. Posing as the absent manager, they contact employees who are authorised to make payments with an urgent request for a substantial transfer. They use a very authoritative tone, so that the employee feels uncomfortable and does not dare question the transaction. The idea is to pick a specific victim, study them, and strike at the right moment.
What can you do against it?
- Create awareness among your employees
Make sure your employees know the risks and the fraud methods described above. In an earlier blog post we gave a number of playful tips for creating awareness in your company.
- Always double-check
Always double-check urgent payment requests by calling the person who supposedly made the request. Never use the contact details or the reply address in the possibly fraudulent e-mail: use the number from your internal directory, walk past their office, or check with a colleague. If the e-mail insists that the manager cannot be reached and that the payment cannot wait, treat that as a warning sign rather than as a reason to skip the check.
- Apply the four-eyes principle
The simplest way to combat CEO fraud? Make sure a potential fraudster has to deceive more than one person. By requiring several signatures for payments, either for all payments or above a certain amount, the risk of CEO fraud drops drastically. The second signature must come from someone other than the person who entered the payment, otherwise a single deceived employee can still push it through alone.
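As an added illustration (not code from the original post, nor from the BDO study), here is how a payment system can enforce the four-eyes principle in Python: a payment at or above a threshold needs two distinct approvers, the person who keyed it in can never approve it, the same approver cannot count twice, and only designated approver accounts count. The threshold, the account names, the IBAN and the scenario are all constructed for this example.

```python
"""Four-eyes enforcement for outgoing payments (illustrative example, not the post's code)."""
from dataclasses import dataclass, field

# Policy values are assumptions for this example; take them from your own payment policy.
DUAL_APPROVAL_THRESHOLD_EUR = 10_000      # at or above this amount, two approvers are required
APPROVALS_ABOVE_THRESHOLD = 2
APPROVALS_BELOW_THRESHOLD = 1

# Constructed set of accounts that hold payment-approval authority.
AUTHORISED_APPROVERS = {"cfo.deputy", "controller", "treasury.lead"}


class ApprovalError(Exception):
    """Raised when an approval would violate the four-eyes rules."""


@dataclass
class PaymentRequest:
    request_id: str
    requested_by: str          # account that entered the payment
    amount_eur: int
    beneficiary_iban: str
    approvals: set = field(default_factory=set)

    def required_approvals(self) -> int:
        if self.amount_eur >= DUAL_APPROVAL_THRESHOLD_EUR:
            return APPROVALS_ABOVE_THRESHOLD
        return APPROVALS_BELOW_THRESHOLD

    def approve(self, approver: str) -> None:
        # Rule 1: whoever keyed in the payment can never be one of its approvers,
        # otherwise one deceived employee can both create and release it.
        if approver == self.requested_by:
            raise ApprovalError(f"{approver} cannot approve their own request {self.request_id}")
        # Rule 2: only accounts with payment authority count as a pair of eyes.
        if approver not in AUTHORISED_APPROVERS:
            raise ApprovalError(f"{approver} is not an authorised approver")
        # Rule 3: the same person approving twice is still only one pair of eyes.
        if approver in self.approvals:
            raise ApprovalError(f"{approver} has already approved {self.request_id}")
        self.approvals.add(approver)

    def is_releasable(self) -> bool:
        return len(self.approvals) >= self.required_approvals()


def release(req: PaymentRequest) -> str:
    """Outcome a payment system would report when release of the payment is attempted."""
    if req.is_releasable():
        return "RELEASED"
    missing = req.required_approvals() - len(req.approvals)
    return f"HELD: {missing} more approval(s) required"


def ceo_fraud_scenario() -> dict:
    """Constructed scenario: a clerk, pressured by a fake 'CEO' e-mail, keys in a large payment."""
    iban = "DE00000000000000000000"  # constructed placeholder IBAN
    urgent = PaymentRequest("PAY-0001", "clerk.anna", 250_000, iban)
    outcome = {}

    # The deceived clerk tries to push the payment through alone: blocked by rule 1.
    try:
        urgent.approve("clerk.anna")
    except ApprovalError as e:
        outcome["self_approval"] = str(e)

    # A colleague without approval authority cannot act as the second pair of eyes: rule 2.
    try:
        urgent.approve("clerk.ben")
    except ApprovalError as e:
        outcome["unauthorised"] = str(e)

    # One authorised manager signs off: still held, the amount needs a second signature.
    urgent.approve("controller")
    outcome["after_one"] = release(urgent)

    # The same manager cannot count twice: rule 3.
    try:
        urgent.approve("controller")
    except ApprovalError as e:
        outcome["duplicate"] = str(e)

    # Only an independent second approver releases it.
    urgent.approve("treasury.lead")
    outcome["after_two"] = release(urgent)

    # A routine small payment below the threshold needs just one authorised approver.
    small = PaymentRequest("PAY-0002", "clerk.anna", 2_000, iban)
    small.approve("controller")
    outcome["small"] = release(small)
    return outcome


if __name__ == "__main__":
    for step, result in ceo_fraud_scenario().items():
        print(f"{step}: {result}")
```

The point of the three rules is that the fraudster now has to deceive two people who hold approval authority, neither of whom is the employee who entered the payment. A threshold keeps day-to-day small payments fast while forcing the large "urgent" transfers that CEO fraud relies on through the second signature.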