CEO Fraud: Protecting your business from Email Compromise

05 Dec 2019

If you haven't already heard of CEO fraud, then it is probably about time you did. At present, CEO fraud represents a small percentage of overall fraud, but this is only because it is a relative newcomer to the expanding world of cybercrime. Cases are increasing and are expected to rise rapidly over the next few years unless businesses become a lot more savvy and learn how to protect themselves. According to a recent report, CEO fraud cost businesses around £8m in the first half of 2018. That reflects 347 cases with an average payout of £23,055. But this only reveals part of the problem, as many businesses do not report it. This may be because conviction and recovery rates are alarmingly low. What's more, some businesses are afraid that admitting publicly that they have fallen victim to fraud will damage their reputation.

So what exactly is CEO Fraud?

The definition of CEO fraud is quite simple. It is when someone impersonates the CEO or another senior manager and tricks a member of staff into transferring money into the fraudster's bank account. CEO fraud is a form of social engineering.

The scenario goes something like this: a member of staff receives an email from the CEO asking them to transfer money into a bank account. The email might say that it is for some unexpected emergency that has arisen. The employee believes the email is genuine and transfers the cash. Once the criminal receives the money, they move it around various bank accounts set up for the purpose before closing the original account and covering the trail. Because of the nature of the crime, it can be a while before it becomes known. This makes it much more difficult to trace back and accounts for the low conviction and recovery rates.

It all seems so simple that you might wonder how they get away with it. But the key to carrying out a successful CEO fraud is planning and plausibility. Fraudsters will set up the request for funds in such a way that it is totally convincing.

There are a couple of ways they can do this. The attack might start with CEO phishing: by sending fake emails, the fraudsters obtain sensitive information, such as login credentials, which allows them to gain access to the CEO's email account. In this case, the email requesting the funds comes from the genuine account and is more likely to pass without question.

Alternatively, they might use a trick called “typosquatting”. This involves buying a domain name that looks very similar to the company's own and setting up the appropriate email address on it. There may be just one small difference, such as a changed letter or an added dot, so that the discrepancy between the email addresses is not noticed.
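The two impersonation routes described above (a lookalike domain, or a familiar executive's name on an unfamiliar address) are exactly what a mail gateway or a finance team's inbox rule can screen for. The following is an added example, not code from the original post or from any product it mentions: it parses a `From:` header, normalises the sender domain (lowercasing, dropping separators and substituting common lookalike characters such as `rn` for `m`), and compares it with the company's own domains by exact match, edit distance and substring containment. The domain names, the executive list and the sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the company's own mail domains.
TRUSTED_DOMAINS = {"examplecorp.co.uk", "examplecorp.com"}

# Constructed for this example: display names an attacker would imitate.
EXECUTIVES = {"jane doe"}

# Character substitutions commonly used to build lookalike names.
# Applied after lowercasing; multi-character keys are listed first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("8", "b")]


def normalise(domain):
    """Fold a domain into a comparison key: lowercase, homoglyphs
    replaced, separators removed ("example-corp.com" -> "examplecorpcom")."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return re.sub(r"[.\-_]", "", d)


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(header_value, trusted=TRUSTED_DOMAINS,
                    executives=EXECUTIVES, max_distance=2):
    """Return (verdict, detail) for a From: header value.

    Verdicts: internal, lookalike, exec-impersonation, external, reject.
    """
    display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("reject", "no parsable address")
    domain = addr.rpartition("@")[2].lower()
    name_key = " ".join(display_name.lower().split())

    if domain in trusted:
        return ("internal", domain)

    verdict, detail = "external", domain
    norm = normalise(domain)
    for t in trusted:
        tn = normalise(t)
        if norm == tn:
            verdict, detail = "lookalike", f"{domain} mimics {t} (homoglyph or separator)"
            break
        dist = levenshtein(norm, tn)
        if dist <= max_distance:
            verdict, detail = "lookalike", f"{domain} mimics {t} (edit distance {dist})"
            break
        if tn in norm:
            # e.g. examplecorp.com.evil-mail.example: our name buried in theirs
            verdict, detail = "lookalike", f"{domain} embeds {t}"
            break

    # A known executive's name on any non-internal address is the
    # classic CEO-fraud pattern, whatever the domain looks like.
    if name_key in executives:
        return ("exec-impersonation", f"'{display_name}' from {domain}")
    return (verdict, detail)


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    samples = [
        "Jane Doe <jane.doe@examplecorp.com>",
        "Finance <ap@exarnplecorp.com>",
        "Finance <ap@example-corp.com>",
        "Jane Doe <jane.doe@examplecorp.co>",
        "Jane Doe <ceo.janedoe@webmail.example>",
        "Finance <ap@examplecorp.com.evil-mail.example>",
        "Supplier <ap@partner-ltd.example>",
        "not an address",
    ]
    for s in samples:
        print(f"{s!r:55} -> {classify_sender(s)}")
```

Anything other than `internal` on a message that asks for a payment should route the request to the out-of-band verification step (a phone call to a number already on file), rather than being acted on from the email alone.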

Who does it affect?

CEO fraud can affect any business. It's not just big global corporations; it affects small and medium-sized businesses too, so don't imagine that no-one is interested in you because you are small. According to the Small Business Report, more than half of small business owners and board members do not regard CEO fraud as a serious risk. This contrasts with those who have been targeted, more than 70% of whom say it poses the greatest threat to their business and expect the situation to get worse.

How can I protect my business?

While you can never be 100% fraud-proof, there are some simple steps you can take to reduce the risk of CEO fraud happening to your business.

Security training for staff

Ensure that all staff, and especially those with financial responsibilities, are trained in cybersecurity issues, including email fraud. Keep the training up to date with new developments, as new risks seem to be appearing all the time.

Do a security audit of your financial processes and make sure you have robust procedures for authorising financial transactions. Something as simple as routinely verifying transfer requests by phone, using a number you already hold rather than one given in the email, could save you thousands.

Look at what information is publicly available on the web. As well as your company's website, consider what goes on your business social media pages, blogs and even staff LinkedIn profiles. Make sure there is nothing out there that is going to help fraudsters: the more they know, the more plausible the attack will seem.

CEO fraud isn't going to go away and, if anything, it is going to become a bigger problem in the future. However, taking the steps suggested above can reduce the chances of it succeeding and protect your business.

Sources:

  1. https://www.ukfinance.org.uk/criminals-steal-500m-through-fraud-and-scams-in-the-first-half-of-2018/
  2. https://www.vocalink.com/downloads-and-media/reports/the-small-business-fraud-report/
  3. https://www.infotech.co.uk/social-engineering-and-...

[Image by Robinraj Premchand from Pixabay]
