CEO Scam: You’re a target. Don’t become a victim.

You are a controller in a SME or the subsidiary of a large company. It’s 4 p.m. on Friday and  you receive an email from the company’s CEO. He explains that you were chosen to carry out a confidential and important task which involves completing a transaction by sending an urgent bank transfer to a foreign bank account. You were chosen specifically because you are someone he can trust and the transaction is extremely important for the company. Of course, he is counting on your discretion since the transaction is confidential. Right after you receive this email, you get a call from a lawyer providing all the necessary details and instructions for making the transfer. You are flattered that the CEO chose you for this all-important task and follow the instructions to send the transfer.

Your life has just been turned upside down: you have just become a victim of a CEO scam.

International wire transfer scams

CEO scams are one type of fraud where the objective is to initiate an unauthorized transfer of funds. A fake executive asks his victim to send an urgent international wire transfer. A so-called lawyer identified in the fraudulent email then takes over to provide additional instructions to the victim.

Fraudsters also use other scams to trigger unauthorized international wire transfers.

The bank technician

The fraudster introduces himself as a bank technician who must test a wire transfer. He assures the victim that the transactions being carried out are totally fictitious and provides specific instructions. Guided by the fraudster, the victim unwittingly triggers a real bank transfer or provides access to information that will be used by the criminals to steal from the company.

Change in supplier account

The scam artist claims that he is the new accountant for one of the company’s suppliers and asks the victim to change his banking information. The amounts transferred to the new bank accounts will never make it to the supplier, instead winding up in the fraudster’s pockets.

More often than not, these frauds are committed with a targeted email message sent to the victim, followed by a call made to pressure the person. Before launching their offensive, the fraudsters study their target, sometimes over a period of several months. Social media research, telephone calls, survey requests and targeted emails are techniques used to gather as much information as possible on a company, its executives and their habits.

Fraud is on the rise

Companies around the world are becoming the victims of international wire transfer scams. In France, more than 700 businesses of all sizes have become victims of this type of fraud and more than 300 million euros have been stolen this way since 2010.

According to the FBI, the number of cases of such fraud in the U.S. is apparently on the rise. Between October 2013 and December 2014, the U.S. authorities estimated that the damages caused by such fraudulent activity totalled $180 million and approximately 1,200 companies have fallen victim to these scams. Between January and August 2015, more than 5,800 companies reported that they were the victims of such scams, representing total losses of approximately $570 million.

In Quebec, the Sûreté du Québec affirms that it has examined sixty or so complaints involving international wire transfer scams since 2014. Approximately $16 million has apparently been stolen from small and large organizations and everything seems to suggest that this is only the tip of the iceberg. The RCMP’s Canadian Anti-fraud Centre estimates that only five percent of frauds or attempted frauds are reported.

The consequences go beyond numbers

These acts of fraud often have major consequences. For instance, a French SME lost 1.6 million euros in such circumstances and had to file for bankruptcy. The company had no more cash and was forced into receivership. As a result, more than 40 employees may lose their job. In the same manner, early November 2015, a Saguenay-based SME with about 100 employees revealed that it was defrauded out of approximately one million dollars in September. The fallout for the company will surely be significant.

The impacts of fraud go well beyond numbers. Employees who were the direct victims of a scam are often psychologically scarred, not to mention the fallout for their career (e.g., fewer responsibilities, dismissal and a lengthy period of unemployment). Would you hire a controller who was responsible for large amounts of money being lost in a scam?

There is little recourse available

In rare cases, it was possible to recover the money. Sometimes, bank employees become suspicious given the number of transfers, the size of amount or the unusual destination and were able to block the transaction in time. A quick check with the company’s accountant can also make it possible to detect the fraud quickly. If the fraudulent transaction is reported within 24 to 48 hours, the bank may be able to recover the amount transferred.

If it is too late to prevent the fraud, you must contact your insurance company since general fraud insurance coverage may apply. You can also try to sue your financial institution if it did not complete all the necessary security checks. Two French banks were found guilty of negligence and ordered to pay compensation to the victims of the fraud. However, companies that are compensated by their bank represent only a small minority of victims.

Moreover, if you represent a public company, the fraud must very likely be disclosed to the public since it shows that the company’s internal control measures failed. For instance, U.S. companies such as Ubiquiti Networks and Xoom Corp had to disclose material internal control weaknesses after being defrauded out of $47 million and $31 million respectively.

Finally, it is extremely important to file a complaint with the Sûreté du Québec or the RCMP.

Fraud that is easy to commit...

Everything seems to suggest that the number of CEO scams could increase in the years to come. This is a way for scam artists to steal large amounts of money with few risks. It is generally very difficult to trace the criminals and, given that these crimes involve no physical violence, people face limited penalties if they get caught. Furthermore, international wire transfer scams can be committed with the technology at everyone’s disposal. To commit this type of fraud, all that is needed is:

  • A local telephone number;
  • An e-mail similar to that of the victim’s CEO, law firm, accounting firm, etc.;
  • Information on the organization, its executives, their travel plans, their friends, their interests, etc.;
  • A foreign bank account.

All of this is either very common or easily obtained with current technologies and social networking sites, which are packed with information that can be used by scam artists.

…and that exploits a company’s security weaknesses

If the number of cases of fraud involving international wire transfer scams is on the rise, this is mainly because too many companies have major security weaknesses. In fact, this type of fraud can only be committed in an environment where the internal control systems are deficient. Very often, a company’s IT security is insufficient, which opens the door to fraudsters.

The lack of awareness of fraud risks and unfamiliarity with the most common fraud mechanisms used by scam artists are also major weaknesses in a company’s risk management infrastructure. Unfortunately, too many companies still operate with the idea that “it won’t happen to us” which explains the lack of attention focused on fraud prevention measures.

The CEO’s responsibility

A company’s CEO is responsible for implementing controls to prevent international wire transfer scams. It is up to this person to personally ensure that prevention measures are in place and being applied. Such measures include an ongoing awareness campaign, IT security tools and robust internal controls.

Awareness is important

An adequate, ongoing fraud risk awareness campaign is the first preventive measure that should be adopted. The CEO should take charge of this personally to clearly show all employees the importance that senior management places on this problem. The campaign should focus particularly on persons at risk, i.e. those individuals having access to company funds or having the requisite authority to send transfers.

The CEO should send this message to all personnel: if you receive an urgent and confidential request from me, make me wait and validate the authenticity of the request!

The primary objective of a fraud risk awareness campaign is to develop the organization’s ability to recognize potentially problematic situations. Thus, awareness campaigns should provide examples of fraudulent scenarios and emphasize what to look for to recognize them. Strategies include urgent requests (especially coming from senior management), requests made by executives using their personal email accounts and email addresses or domain names that are slightly different from those of the company (e.g., a letter added to the executive’s name, “abe.com” rather than “abc.com” used as a domain name).

The second objective of an awareness campaign is to encourage employees to develop the right reflexes in the event of suspicious circumstances. The most important reflex is never agreeing to make a transfer, to disclose information or to change banking information without double-checking by methods other than email. A simple phone call usually suffices as long as the numbers provided in the suspicious emails are not used and that a reliable source is used to confirm the person’s information. This simple reflex could enable your company to avoid fraud.

It is also crucial to make all employees aware of the hazards of releasing confidential information. For example, the CEO’s travel plans should never be made public. In many cases of fraud, the criminals used such information to steal from the company, knowing that the CEO could not be reached through normal channels of communication.

Effective IT security tools

A number of IT security tools exist to protect you against fraud attempts. Although no tool can provide guarantees against fraudulent attacks, their combined use makes it possible to erect barriers that are difficult for fraudsters to overcome.

Your company’s wire transfer system must be protected with a two-factor authentication (2FA) process, which generally consists in combining a username or password held by one person and a temporary code managed by a physical object (cell phone, authentication token, USB key, etc.) held by a second person. This type of authentication minimizes the risks of a hacker being able to trigger an unauthorized transfer.

Email authentication and filtering technology also contributes to IT security by preventing a number of potential threats. This technology flags external emails, identifies those using domain names similar to that of the company and generates black lists to block dangerous emails that can get through the spam filter.

Some of the best practices include installing an intrusion detection system and activating security logs on your servers. This will help you identify suspicious activities on your network and to gather data on hacking attempts involving your company. If a hacker is successful, security logs will be critical for the investigation, more specifically, by ensuring that the cyber-attack was not carried out with the help of someone within the organization.

Robust internal controls

Strengthening internal controls is the most important part of a fraud prevention strategy. It may be important for you to completely overhaul your company’s fraud prevention program to assess the risks of CEO fraud and implement the appropriate controls.

It is also important to pay especially close attention to your company’s policies for managing wire transfers, as well as the security of your wire transfer system. The following must be examined:

  • Who has access to the system used to make transfers?
  • Can transfers be made by only one person?
  • Are transfer limits too high?
  • Are transfer system’ passwords secure (length, changes made, complexity, automatic deactivation, etc.)?
  • Is two-factor authentication used?

It is also important to assess your company’s overall IT security. Such an analysis will allow you to determine whether hackers are already operating in your IT environment, whether you are being or have already been targeted for a cyber-attack and whether you have sufficient human and physical resources to detect and ward off an attack.

Your bank may be a key ally in your fraud prevention strategy. It is important that, together, you ensure that the controls in place are well designed to prevent this type of fraud. You are also strongly advised to ask that enhanced controls be implemented for unusual transfers, such as verifying transactions by telephone and confirming the person’s identity.

Ensure long-term security

Once enhanced internal controls are in place, it is crucial that control procedures be validated regularly. This will ensure that these controls are being applied properly and are operating correctly. Regularly assessing your control procedures will also allow you to update these procedures to deal with new threats that will surely arise in the years to come.

The only way to ensure your company’s long-term security is to use a holistic strategy to manage fraud risks. Only this type of strategy will enable you to identify the greatest fraud risks, to put in place appropriate controls for each scenario and to assess the measures in place.

Fight on equal terms

Make no mistake: scammers who are targeting you are part of well-structured criminal organizations. They use sophisticated knowledge and state-of-the-art technology to achieve their goal. Can you say the same about your organization?

Few companies can claim that they are able to fight on equal terms with professional scam artists. As a result, expert advice for combatting fraud is crucial in ensuring that your operations are secure. You are a target. Do not risk becoming a victim.

Register to our publications

About Richter : Founded in Montreal in 1926, Richter is a licensed public accounting firm that provides assurance, tax and wealth management services, as well as financial advisory services in the areas of organizational restructuring and insolvency, business valuation, corporate finance, litigation support, and forensic accounting. Our commitment to excellence, our in-depth understanding of financial issues and our practical problem-solving methods have positioned us as one of the most important independent accounting, organizational advisory and consulting firms in the country. Richter has offices in both Toronto and Montreal. Follow us on LinkedIn, Facebook, and Twitter.

Expert Showcase