Can You Trust Your Emails? CEO Fraud

Can You Trust Your Emails? CEO Fraud

Over the past few years small businesses have had to face a rise in many different forms of fraud. Whether a scam relies on human error, social engineering or opening an unsolicited email, there are lots of fronts to protect yourself from, with new threats arising every day.

What is CEO fraud?

Where once upon a time attempts at email fraud were crude, included plenty of spelling mistakes and normally centred around a Nigerian prince, modern tactics are far more sophisticated. Current CEO fraud is a variant on phishing, whereby unsolicited individuals pose as organisations or individuals in an attempt to convince a user to enter their personal information on a fake website. This compromises the account in question and allows the fraudster to access funds or further sensitive information that is valuable on the black market.

In this specific instance, CEO fraud is the practice of posing as a key decision maker within an organisation that has the authority to instruct payments. The rise of social media and the connected world means that criminal syndicates can trawl through vast amounts of data to understand and identify key players within an organisation, as well as mimic the syntax and grammar used by these individuals. Armed with only this information, hackers can then pose as a senior executive in order to divert payments for goods and services into a fraudulent bank account.

Fraudsters will typically target a company’s financial department either via email or over the telephone. As the procurement of goods and services can involve multiple staff members across a number of departments, the risk for confusion and therefore fraudulent activity is high.

How common is CEO fraud?

CEO fraud is a very real risk to small businesses, with some reports indicating that the practice has increased by 2370% between January 2015 and December 2016 alone. Procurement fraud is costing UK business around £120bn every year and these occurrences are still increasing.

It is said that up to 25% of small firms are hit every year by this type of fraud and scarily, 47% of businesses have made no changes to their processes in order to protect themselves.

How is it done?

CEO or procurement fraud is more often conducted by sophisticated criminal parties opposed to individuals that are just trying their luck. As we mentioned above, it’s very common for a syndicate to spend months researching a target, building up a significant picture of how a company operates and identifying the key individuals responsible for authorising payments and those that will process them.

Following these people on social media gives fraudsters a fantastic insight into when senior staff are out of the office and therefore the best time to strike. In some instances these criminals will gain access to internal mail servers through malware, allowing them to understand internal processes.

What can you do to protect your business from CEO fraud?

There are a number of ways that businesses can protect themselves from this particular fraud.

1. Require more than one instruction for processing payments

The simplest way to protect your business is to require multiple instructions for processing payments rather than relying solely on an email. Once an email instruction is received, ensure that your finance department will not process any payments until confirmation can be confirmed via text or a phone call to a particular telephone number.

2. Consider who is sending an email

Does your CEO regularly require money to be wire transferred at short notice? We doubt it. Was the email sent to your entire department or just one person? Scammers like to target individual staff members to minimise the risk of being uncovered. Be critical when receiving emails at short notice, as this is normally the best way to determine whether the request is credible.

3. Analyse the email address

A lot of the success of CEO fraud relies on a deceptive email address. You’ve probably received fake personal emails from what looks like a PayPal or HMRC email address, however when you click on the display name you see that the email isn’t from these organisations at all. The same applies in this instance – ignore the display name and double/triple check the email. You’ll notice that it is probably coming from a different domain (e.g.

4. Just ask!

The last step is simply to ask your boss whether this email was sent from them or not. If they are on annual leave, wait until they’re back. It’s much better to be safe than sorry.