CEO Scam: You’re a target. Don’t become a victim.
It’s 4 p.m. on Friday and you receive an email from your company’s CEO. He explains that you, as a Controller, were chosen to carry out a confidential and important task which involves completing a transaction by sending an urgent bank transfer to a foreign bank account. You were chosen specifically because you are someone he can trust and the transaction is extremely important for the company. Of course, he is counting on your discretion since the transaction is confidential.
Right after you receive this email, you get a call from a lawyer providing all the necessary details and instructions for making the transfer. You are flattered that the CEO chose you for this all-important task and follow the instructions to send the transfer.
Your life has just been turned upside down: you have just become a victim of a CEO scam.
International wire transfer scams
CEO scams – also known as Business Email Compromise (BEC) attacks – are one type of fraud where the objective is to initiate an unauthorized transfer of funds. A fake executive asks his victim to send an urgent international wire transfer. A so-called lawyer identified in the fraudulent email then takes over to provide additional instructions to the victim.
Fraudsters also use other scams to trigger unauthorized international wire transfers.
The bank technician
The fraudster introduces himself as a bank technician who must test a wire transfer. He assures the victim that the transactions being carried out are totally fictitious and provides specific instructions. Guided by the fraudster, the victim unwittingly triggers a real bank transfer or provides access to information that will be used by the criminals to steal from the company.
The change in a supplier account
The scam artist claims that he is the new accountant for one of the company’s suppliers and asks the victim to change his banking information. The amounts transferred to the new bank accounts will never make it to the supplier, instead winding up in the fraudster’s pockets.
More often than not, these frauds are committed with a targeted email message sent to the victim, followed by a call made to pressure the person. Before launching their offensive, the fraudsters study their target, sometimes over a period of several months. Social media research, telephone calls, survey requests and targeted emails are techniques used to gather as much information as possible on a company, its executives, and their habits.
And with advancements in artificial intelligence, deep fakes and voice cloning software, it’s becoming all the more difficult to decipher the real from the scam.
Fraud is on the rise
A report by the FBI noted that email compromise scams were up 65% from 2016 to 2021, and accounted for $43 billion in losses worldwide.[1]
In the United States, the Federal Trade Commission reports that imposter scams amounted to $2.6 billion in reported losses in 2022. This is up from $2.4 billion in 2021.[2] According to the FBI’s Internet Crime Complaint Center (IC3), scams have been reported in all U.S. states and in 177 countries.[3]
In Canada, the Canadian Anti-Fraud Centre (CAFC) notes that BECs and other spear-phishing continues to be one of the top reported scams, with almost $26 million in losses in the beginning of 2021 alone.[4]
It’s not just large companies that are targets. Although scammers have hit the likes of Google, Facebook, and Toyota with attacks totally in the hundreds of millions of dollars, smaller and local companies, government agencies, and non-profits can all become victims.[5]
The consequences go beyond numbers
These acts of fraud often have major consequences. Bankruptcy, major layoffs, drops in share prices, just to name a few. But moreover, employees who have been the direct victims of a scam are often psychologically scarred, in addition to the fallout for their careers (e.g., loss of trust, dismissals, lengthy periods of unemployment).
There is little recourse available
In rare cases, it was possible to recover the money. Sometimes, bank employees become suspicious about the number of transfers, the size of amount or the unusual destination and are able to block the transaction in time. A quick check with the company’s accountant can also make it possible to detect the fraud quickly. If the fraudulent transaction is reported within 24 to 48 hours, the bank may be able to recover the amount transferred.
If it is too late to prevent the fraud, you must contact your insurance company since general fraud insurance coverage may apply. You can also try to sue your financial institution if it did not complete all the necessary security checks. However, companies that are compensated by their bank represent only a small minority of victims.
Finally, it is extremely important to file a complaint with the Sûreté du Québec or the RCMP.
Fraud that is easy to commit…
Everything seems to suggest that the number of CEO scams could increase in the years to come. This is a way for scam artists to steal large amounts of money with few risks. Moreover, it is generally very difficult to trace the criminals and, given that these crimes involve no physical violence, people face limited penalties if they get caught.
Moreover, international wire transfer scams can be committed with the technology at everyone’s disposal. To commit this type of fraud, all that is needed is:
- A local telephone number;
- An e-mail similar to that of the victim’s CEO, law firm, accounting firm, etc.;
- Information on the organization, its executives, their travel plans, their friends, their interests, etc.;
- A foreign bank account.
All of this is either very common or easily obtained with current technologies and social networking sites, which are packed with information that can be used by scam artists.
…and that exploits a company’s security weaknesses
If the number of cases of fraud involving international wire transfer scams is on the rise, this is mainly because too many companies have major security weaknesses. In fact, this type of fraud can only be committed in an environment where the internal control systems are deficient. Very often, a company’s IT security is insufficient, which opens the door to fraudsters.
The lack of awareness of fraud risks and unfamiliarity with the most common fraud mechanisms used by scam artists are also major weaknesses in a company’s risk management infrastructure. Unfortunately, too many companies still operate with the idea that “it won’t happen to us” which explains the lack of attention focused on fraud prevention measures.
Such measures to prevent or prepare company employees to spot scams include an ongoing awareness campaign, IT security tools, and robust internal controls..
How companies can prepare
Awareness is important
An adequate, ongoing fraud risk awareness campaign is the first preventive measure that should be adopted. The campaign should focus particularly on persons at risk, i.e. those individuals having access to company funds or having the requisite authority to send transfers.
The CEO should send a message to all personnel to the tune of: if you receive an urgent and confidential request from me, make me wait and validate the authenticity of the request!
HELP YOUR EMPLOYEES HELP YOU
The first objective of a fraud awareness campaign is to develop the organization’s ability to recognize potentially problematic situations. Thus, awareness campaigns should provide examples of fraudulent scenarios and emphasize what to look for to recognize them. Strategies include urgent requests (especially coming from senior management), requests made by executives using their personal email accounts and email addresses or domain names that are slightly different from those of the company (e.g., a letter added to the executive’s name, “abe.com” rather than “abc.com” used as a domain name).
The second objective of an awareness campaign is to encourage employees to develop the right reflexes in the event of suspicious circumstances. The most important reflex is never agreeing to make a transfer, to disclose information or to change banking information without double-checking by methods other than email. A simple phone call usually suffices as long as the numbers provided in the suspicious emails are not used and that a reliable source is used to confirm the person’s information. This simple reflex could enable your company to avoid fraud.
It is also crucial to make all employees aware of the hazards of releasing confidential information. For example, the CEO’s travel plans should never be made public. In many cases of fraud, the criminals used such information to steal from the company, knowing that the CEO could not be reached through normal channels of communication.
Effective IT security tools
A number of IT security tools exist to protect you against fraud attempts. Although no tool can provide guarantees against fraudulent attacks, their combined use makes it possible to erect barriers that are difficult for fraudsters to overcome.
Your company’s wire transfer system must be protected with a two-factor authentication (2FA) process, which generally consists in combining a username or password held by one person and a temporary code managed by a physical object (cell phone, authentication token, USB key, etc.) held by a second person. This type of authentication minimizes the risks of a hacker being able to trigger an unauthorized transfer.
Email authentication and filtering technology also contributes to IT security by preventing a number of potential threats. This technology flags external emails, identifies those using domain names similar to that of the company and generates black lists to block dangerous emails that can get through the spam filter.
Some of the best practices include installing an intrusion detection system and activating security logs on your servers. This will help you identify suspicious activities on your network and to gather data on hacking attempts involving your company. If a hacker is successful, security logs will be critical for the investigation, more specifically, by ensuring that the cyber-attack was not carried out with the help of someone within the organization.
Robust internal controls
Strengthening internal controls is the most important part of a fraud prevention strategy. It may be important for you to completely overhaul your company’s fraud prevention program to assess the risks of CEO fraud and implement the appropriate controls.
It is also important to pay especially close attention to your company’s policies for managing wire transfers, as well as the security of your wire transfer system. The following must be examined:
- Who has access to the system used to make transfers?
- Can transfers be made by only one person?
- Are transfer limits too high?
- Are transfer system’ passwords secure (length, changes made, complexity, automatic deactivation, etc.)?
- Is two-factor authentication used?
It is also important to assess your company’s overall IT security. Such an analysis will allow you to determine whether hackers are already operating in your IT environment, whether you are being or have already been targeted for a cyber-attack and whether you have sufficient human and physical resources to detect and ward off an attack.
Your bank may be a key ally in your fraud prevention strategy. It is important that, together, you ensure that the controls in place are well designed to prevent this type of fraud. You are also strongly advised to ask that enhanced controls be implemented for unusual transfers, such as verifying transactions by telephone and confirming the person’s identity.
Ensure long-term security
Once enhanced internal controls are in place, it is crucial that control procedures be validated regularly. This will ensure that these controls are being applied properly and are operating correctly. Regularly assessing your control procedures will also allow you to update these procedures to deal with new threats that will surely arise in the years to come.
The only way to ensure your company’s long-term security is to use a holistic strategy to manage fraud risks. Only this type of strategy will enable you to identify the greatest fraud risks, to put in place appropriate controls for each scenario and to assess the measures in place.
Fight on equal terms
Make no mistake: scammers targeting you are likely part of well-structured criminal organizations. They use sophisticated knowledge and state-of-the-art technology to achieve their goals. Can you say the same about your organization?
Few companies can claim that they are able to fight on equal terms with professional scam artists. As a result, expert advice for combatting fraud is crucial in ensuring that your operations are secure. You are a target. Do not risk becoming a victim.
Our areas of expertise in Cybersecurity
Cyber Risk Management Support – Virtual CISO (vCISO)
Cyber threats on are on the rise. Threat actors are no longer harmless kids trying to gain notoriety for beating the system. Threats are arising from organized criminals, state actors, and hactivist groups.
VAPT (Vulnerability Assessment/Penetration Testing)
Tabletop Exercises
Threat and Risk Assessments