CEO fraud: one of the most dangerous scams, affecting businesses all around the world

CEO fraud? Can you identify this concept, and how can you prevent it? This scam sets out to deceive employees so that they pay a bill or make a transfer from the company to an account held by the cybercriminal.

It can affect any employee at a company, especially employees who have access to economic and financial resources, or who have authorisation to make payments by transfer. We will take a look at the modus operandi, the most common practices and, most especially, how to prevent it.

How are these scams carried out?

Once you are aware of the various ways in which cybercriminals act, it is easier to put a name to them and foil a practice which is becoming increasingly common. This scam may begin with something as simple as an e-mail: 

 1. The e-mail purports to be from another employee or from the boss, requesting assistance with an urgent confidential operation.

 2. The cybercriminal uses an e-mail address similar to the genuine address, or has even taken over the address.

 3. The contents convey the sensation of authority and urgency, and call for rapid action in secret, thereby preventing any information from reaching other employees. 

 4. The ultimate goal is to deceive victims so that they make a transfer or transfers to the criminal's account, while under the impression that they are carrying out an operation which is legitimate.

In these attacks, known as social engineering, targeting employees of a specific organisation, the scammers usually compile all possible information beforehand to secure proper knowledge of how the company operates, and to make their messages credible. Most of these scams are carried out by e-mail, although lately there have also been cases of phone calls. If the scam is not detected, confidential information could be disclosed such as access codes for online banking, and the scam could be carried out with a severe economic and reputational impact on the organisation.

Most common scamming practices

What are the most common ways in which criminals act to carry out the CEO fraud? The following are two of the most common examples:

In these cases the cybercriminals demonstrate they have extensive knowledge of the company, suppliers and employees.

What we can do to prevent this

What should I do if I have fallen victim to this online fraud?

Aware of the magnitude of this kind of fraud, the National Police insist on the main security recommendations which are to distrust this kind of communication, consult and check the request received through other channels, and pay close attention to the e-mails of the senders. Fraudulent e-mails are sent from an e-mail address that is almost identical to that of the boss or the usual emissary, with a difference of only one character.

Even so, if the preliminary filters and precautions do not prevent you falling victim to the CEO fraud, Spain's Interior Ministry issues recommendations as to what to do:

TAfter the report has been submitted, a second step could be to raise awareness among your colleagues concerning different protection techniques and good information security practices and, as the National Police recommend, implement secure procedures to make payments with dual verification.

It is most important to be aware of the various fraudulent techniques used by cybercriminals, and this information must be available to all members of the company. This means that any indications may be detected of attacks through social engineering and these may be reported on first suspicion in order to prevent major damage and losses for the company. Remember: we are all responsible for the company's security.