CEO fraud: can you recognise it, and how can you prevent it? This scam sets out to deceive employees into paying an invoice or making a transfer from the company's accounts to an account controlled by the cybercriminal.

It can affect any employee at a company, especially those who have access to economic and financial resources, or who are authorised to make payments by transfer. We will take a look at the modus operandi, the most common practices and, most importantly, how to prevent it.

How are these scams carried out?

Once you are aware of the various ways in which cybercriminals act, it is easier to put a name to them and foil a practice which is becoming increasingly common. This scam may begin with something as simple as an e-mail:

 1. The e-mail purports to be from another employee or from the boss, requesting assistance with an urgent confidential operation.

 2. The cybercriminal uses an e-mail address similar to the genuine address, or has even taken over the address.

 3. The contents convey a sense of authority and urgency, and call for rapid action in secret, thereby preventing any information from reaching other employees.

 4. The ultimate goal is to deceive victims into making one or more transfers to the criminal's account, while under the impression that they are carrying out a legitimate operation.

These attacks, a form of social engineering targeting the employees of a specific organisation, are usually preceded by the scammers compiling all the information they can find, so that they understand how the company operates and can make their messages credible. Most of these scams are carried out by e-mail, although lately there have also been cases involving phone calls. If the scam is not detected, confidential information such as access codes for online banking could be disclosed, and the scam could be completed with a severe economic and reputational impact on the organisation.

Most common scamming practices

What are the most common ways in which criminals act to carry out the CEO fraud? The following are two of the most common examples:

  1. They make contact by passing themselves off as an executive carrying out an urgent commercial operation or purchase that calls for speed and discretion. Very often they take advantage of the fact that the CEO is travelling, or they know that the CEO will not be answering the phone for a certain period of time.
  2. They make contact by passing themselves off as a supplier that needs to make an urgent change to the bank account for the next payment. Be careful! They have a large amount of data on the company and the supplier.

In these cases the cybercriminals demonstrate they have extensive knowledge of the company, suppliers and employees.

What we can do to prevent this

  • If you have doubts about the genuine identity of the person asking you to carry out the operation, use another channel to contact them. If you have received an e-mail, contact the person or company directly by phone. If a supplier is not calling from the usual number, hang up and call the usual number.
  • Be particularly careful with requests for transfers to foreign accounts if this is not the usual procedure for this type of operation.
  • Check your messages for any indications of phishing. Learn how to identify an e-mail with these characteristics.
  • If you receive an unexpected message, apparently from an employee, asking you to provide confidential information or to carry out an urgent banking operation, do not reply, and do not provide any information.
  • Check messages and requests for banking operations with several people in your organisation to ensure they are genuine.
  • To prevent spyware from gaining access to your devices, reading your e-mails or infecting systems, keep operating systems and applications updated at all times.
  • Do not post work information on social media, such as corporate e-mails, the department you work for and the functions you carry out, the location of the office, your colleagues etc.

What should I do if I have fallen victim to this online fraud?

Aware of the magnitude of this kind of fraud, the National Police stress the main security recommendations: distrust this kind of communication, consult and check the request received through other channels, and pay close attention to the senders' e-mail addresses. Fraudulent e-mails are sent from an e-mail address that is almost identical to that of the boss or the usual contact, with a difference of only one character.
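The one-character lookalike address described above can be checked mechanically before anyone acts on a payment request. This is an added example, not code from the original article: it assumes a hypothetical organisation domain `example-corp.com` and a few constructed message headers, and flags sender domains that lie within a small edit distance of the trusted one.

```python
from email.utils import parseaddr

# Assumption: the organisation's own e-mail domain (hypothetical).
TRUSTED_DOMAIN = "example-corp.com"

# Constructed sample headers: one genuine, two lookalikes, one unrelated supplier.
SAMPLE_MESSAGES = [
    {"From": "CEO <ceo@example-corp.com>", "Subject": "Monthly report"},
    {"From": "CEO <ceo@examp1e-corp.com>", "Subject": "Urgent confidential transfer"},
    {"From": "Finance <finance@example-corp.co>", "Subject": "New account for payment"},
    {"From": "Supplier <billing@supplier-ltd.com>", "Subject": "Updated bank details"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header such as 'Name <a@b>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, trusted: str = TRUSTED_DOMAIN, max_dist: int = 2) -> str:
    """Return 'internal' for the exact domain, 'lookalike' for a near-miss, else 'external'."""
    domain = sender_domain(from_header)
    if domain == trusted:
        return "internal"
    if 0 < levenshtein(domain, trusted) <= max_dist:
        return "lookalike"
    return "external"


def flag_lookalikes(messages):
    """Return (From, Subject) pairs whose sender domain impersonates the trusted domain."""
    return [(m["From"], m["Subject"]) for m in messages
            if classify_sender(m["From"]) == "lookalike"]


if __name__ == "__main__":
    for sender, subject in flag_lookalikes(SAMPLE_MESSAGES):
        print(f"LOOKALIKE SENDER: {sender!r} subject={subject!r}")
```

A flagged message is a reason to verify through another channel, not proof of fraud; genuine senders can also typo their own domain, and a scammer who has taken over a real mailbox will pass this check.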

Even so, if the preliminary filters and precautions do not prevent you from falling victim to CEO fraud, Spain's Interior Ministry recommends the following steps:

  • Make a note of the e-mail addresses and phone numbers from which the communication was received.

  • Make a note of the accounts where the deposit was made, and make a list of all the information that could be relevant and could be used to track down the criminals.

  • Report any incidents.

After the report has been submitted, a second step could be to raise awareness among your colleagues of the different protection techniques and good information security practices and, as the National Police recommend, to implement secure payment procedures with dual verification.

It is most important to be aware of the various fraudulent techniques used by cybercriminals, and this information must be available to all members of the company. In this way, any indication of a social engineering attack can be detected and reported at the first suspicion, preventing major damage and losses for the company. Remember: we are all responsible for the company's security.
