CEO fraud, or Business Email Compromise (BEC), has been widely reported, with several recent high-profile incidents. It is a global threat to corporates large and small, and on the face of it is a simple and highly effective way of ‘attacking’ an ill-prepared and uninformed company. Before you say, “that can never happen at my company”, we are aware of three cases local to us where reputable businesses have been the victims of BEC and have potentially been defrauded of tens of thousands of pounds. In short, this is a big problem.
How does the CEO Fraud Email work?
Ok, suppose you are an accountant or a senior member of an accounts payable team who frequently deals with senior management (CEO, managing director) to handle sensitive and/or urgent payments. You receive an email from senior management, in a familiar format and using familiar language, asking you to make an urgent wire payment and stating the bank account details.
The details of the payment (amount, bank details) would typically be on a letter bearing the company logo, and a signature from either the CEO or someone from senior management. Alternatively the email may reference unpaid supplier invoice(s) and ask for immediate payment.
The problem, obviously, is that the email is not from the CEO or senior management – it is from fraudsters targeting your company.
Key CEO Fraud Email Details:
- The email is typically sent from a look-alike domain. For example, if SEPA for Corporates were a huge company with a legitimate email domain of companyABCD.com, the scammer would buy a phony domain and set up a fake email address that looks very similar to the unsuspecting eye, such as ceo@companyABDC.com. You may not have noticed, but in this fake email address the D and C are swapped round.
- Speed is of the essence, as soon as the fake domain is activated the email is sent on the same day
- As mentioned above, the email would typically look and feel like a legitimate email from your CEO or supplier
- The details of the payment would typically be for a known supplier highlighting unpaid invoices, or linked to an upcoming acquisition — again, giving the appearance of legitimacy
- The bank details reflect the bank details of the scammers
- The email is made to look authentic because the fraudsters have often already infiltrated company email accounts through malware, so they can imitate real correspondence
- The fraudsters will also monitor and be familiar with your company, scanning job postings, supplier profiles, employee social media accounts, executive travel plans — basically, anything and everything that will enable them to construct an authentic sounding email
- The amount can vary:
  - If it is a supplier invoice related scam, the amount will reflect a typical supplier invoice or multiple invoices
  - Otherwise, the amount is a large sum
- The requested payment method is wire – enabling a quick payment
Don’t be a CEO Fraud Mail Victim:
As simple as it is, the CEO fraud email scam is serious. So much so that government agencies around the world are calling business email compromise “an emerging global threat”.
Stay vigilant and be cautious
- Ensure that ALL payments follow a strict verification process, no matter who sends the email
- All bank details should be independently verified with the supplier by phone and confirmed by email
- Anybody involved in payments should be made aware of this type of CEO fraud email or business email compromise
- Be cautious about any one-off payment requests sent by email
- ‘Pay’ particular attention to the email address – does it look right? Does the email address appear in your company address book?
- Beware of any urgent wire payment email requests that call for secrecy and ask you to act quickly
- Data security agencies suggest implementing additional technology and financial controls, and a two-step verification process, including:
  - Additional checks beyond email, such as phone calls to verify large transactions
  - Using signed or encrypted emails
  - Deleting any spam emails
  - Not replying to emails, but instead forwarding them and either typing the valid email address or selecting it from the company address book
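The look-alike domain trick described above (companyABCD.com versus companyABDC.com) and the advice to check the sender against the company address book can both be turned into an automated pre-payment check. The script below is an added example written for this article, not code from the original post or from any product: it parses the From: header of a payment request, flags a sender domain that is within a couple of edits (including swapped adjacent characters) of a trusted domain, and reports whether the exact address is in the address book. The trusted domains and address-book entries are constructed sample data; the distance threshold of 2 is an assumption you would tune for your own domains.

```python
"""Look-alike sender check for payment request emails (added example, not from the article)."""
from __future__ import annotations

from email.utils import parseaddr

# Constructed sample data: domains the company actually uses or pays.
TRUSTED_DOMAINS = {"companyabcd.com", "supplier-widgets.co.uk"}
# Constructed address book: the only addresses a payment instruction should come from.
ADDRESS_BOOK = {"ceo@companyabcd.com", "accounts@supplier-widgets.co.uk"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and transpositions of adjacent characters each cost 1.
    The transposition rule is what catches ABCD -> ABDC as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_address(header_from: str) -> str:
    """Return the lower-cased mailbox from a From: header such as 'CEO <ceo@x.com>'.
    The display name is deliberately ignored; only the real address matters."""
    _, addr = parseaddr(header_from)
    return addr.lower()


def classify_sender(header_from: str, max_distance: int = 2) -> str:
    """Classify the real sender address of a payment request:
      'trusted'   exact address is in the address book
      'unlisted'  trusted domain, but the address is not in the address book
      'lookalike' domain is a near-miss of a trusted domain (or embeds its name)
      'unknown'   anything else (e.g. a free webmail domain)
    """
    addr = sender_address(header_from)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1]
    if domain in TRUSTED_DOMAINS:
        return "trusted" if addr in ADDRESS_BOOK else "unlisted"
    for trusted in TRUSTED_DOMAINS:
        if damerau_levenshtein(domain, trusted) <= max_distance:
            return "lookalike"
        # Also catch registrations like companyabcd-payments.com that reuse the brand label.
        label = trusted.split(".")[0]
        if len(label) >= 5 and label in domain:
            return "lookalike"
    return "unknown"


def triage(headers: list[str]) -> dict[str, str]:
    """Classify a batch of From: headers; anything not 'trusted' needs a phone call."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample From: headers, including the swapped-letter domain from the article.
    samples = [
        "CEO <ceo@companyABCD.com>",
        "CEO <ceo@companyABDC.com>",
        "Finance <finance@companyabcd.com>",
        "Accounts <accounts@companyabcd-payments.com>",
        "CEO <ceo.companyabcd@webmail.example>",
    ]
    for header, verdict in triage(samples).items():
        print(f"{verdict:9}  {header}")
```

Treat anything other than `trusted` as a reason to stop and verify by phone using a number from your own records, never one supplied in the email. A check like this supports, but does not replace, the independent verification steps listed above.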
Contact us if you have any doubts about the validity of emails or to discuss your email security.