CEO fraud, also known as Business Email Compromise (BEC), is a type of fraud that is enabled via social engineering. Social engineering is the manipulation of situations and people that results in the targeted individuals divulging confidential information.
CEO fraud involves the impersonation of a senior figure (usually the Chief Executive Officer) with subsequent requests for transfers of funds.
How does CEO fraud happen?
CEO fraud is a request, often made via email, purporting to come from a senior person in the company, normally to the finance officer, requesting an urgent payment.
The request may outline that the transaction is confidential and sensitive in order to discourage further verification. The fraudster may pick occasions when the real CEO is out of the office, or on holiday, preventing the financial officer from checking the validity of the request.
How can I help to prevent CEO fraud? A checklist:
- Any payment requests with new or amended bank details received by email, letter or phone should be independently verified. This includes internal emails from senior management that contain payment requests. Fraudsters can spoof email addresses to make them appear to be from a genuine contact, including someone from your own organisation.
- Don’t be pressured by urgent requests, even if they appear to originate from someone senior – remember this is a common tactic adopted by fraudsters.
- Be cautious of how much information you reveal about your company and key officials via social media platforms and out-of-office automatic replies.
- Consider removing information such as testimonials from your own or your suppliers’ websites or social media channels that could lead fraudsters to knowing who your suppliers are.
- Regularly conduct audits on your accounts.
- Make all staff aware of this type of fraud, particularly those that make payments.
- Ensure warning messages are understood and that appropriate checks, actions and processes are followed to ensure requests are genuine.
- Sensitive information you post publicly, or dispose of incorrectly, can be used by fraudsters to perpetrate fraud against you. The more information they have about you, the more convincingly they can purport to be one of your legitimate suppliers or employees. Always shred confidential documents before throwing them away.
- If you believe you’ve fallen victim to a CEO fraud attack, contact your bank immediately. They will try to recover the money from the fraudster’s bank account. The quicker you alert your bank, the greater the chance of recovering the funds.
- Report it to ActionFraud – the police’s national fraud and cyber crime reporting centre. Even if you’ve not suffered any financial loss, this will allow the police to analyse trends and help them to prevent fraudsters exploiting other companies. You can file a report via their website at www.actionfraud.police.uk
- Charities affected by fraud should also report it to the Charity Commission as a serious incident.
- Where appropriate, the Charity Commission can also provide timely advice and guidance.
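The first two checklist items (spoofed sender identities and urgent payment requests) can be partly automated on the receiving side. The following is an added example, not part of the original guidance: a small Python screen that reads a raw email, compares the display name against a roster of senior staff, checks whether replies are being redirected to another domain, and looks for the urgency-plus-payment wording the guidance describes. The internal domain, the executive roster and the three sample messages are constructed for illustration.

```python
"""Screening inbound payment requests for CEO-fraud indicators.

Added example, not part of the original guidance. The internal domain, the
executive roster and the sample messages below are all constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed: the organisation's own mail domain and the senior people
# fraudsters are most likely to impersonate (lower-case name -> real address).
INTERNAL_DOMAIN = "example.org"
EXECUTIVES = {"jane doe": "jane.doe@example.org"}

URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential")
PAYMENT_WORDS = ("transfer", "payment", "wire", "bank details", "invoice")

IMPERSONATED_EXECUTIVE = "display name matches an executive but the address is not theirs"
REPLY_TO_MISMATCH = "Reply-To points to a different domain than From"
URGENT_PAYMENT_LANGUAGE = "urgent payment language in subject or body"


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _has_any(text: str, words) -> bool:
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words)


def screen_message(raw: str) -> List[str]:
    """Return the CEO-fraud indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    indicators = []

    # 1. A familiar name on an unfamiliar address: the display name is what the
    #    recipient sees, and it is chosen freely by whoever sends the mail.
    name = re.sub(r"[^a-z]+", " ", display.lower()).strip()
    for exec_name, real_addr in EXECUTIVES.items():
        if exec_name in name and from_addr.lower() != real_addr:
            indicators.append(IMPERSONATED_EXECUTIVE)
            break

    # 2. Replies quietly redirected elsewhere, even when From looks right.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        indicators.append(REPLY_TO_MISMATCH)

    # 3. Pressure plus money: the combination the checklist warns about.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if _has_any(text, URGENCY_WORDS) and _has_any(text, PAYMENT_WORDS):
        indicators.append(URGENT_PAYMENT_LANGUAGE)

    return indicators


def needs_out_of_band_verification(raw: str) -> bool:
    """Any indicator means: confirm by phone or in person before paying."""
    return bool(screen_message(raw))


# Constructed sample messages (not real traffic). The lookalike domains are invented.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example.org>
To: finance@example.org
Subject: Q3 budget

Please send me the Q3 budget summary when you have a moment.
"""

LOOKALIKE_SENDER = """\
From: "Jane Doe - CEO" <jane.doe@examp1e-org.com>
To: finance@example.org
Subject: Urgent transfer

I'm travelling and need a wire transfer made today. Keep this confidential
and do not discuss it with anyone until I'm back.
"""

HIJACKED_REPLY_TO = """\
From: Jane Doe <jane.doe@example.org>
Reply-To: jdoe.ceo@mail-examp1e.net
To: finance@example.org
Subject: Payment

Please process this payment immediately and send the confirmation here.
"""

if __name__ == "__main__":
    samples = [("legitimate", LEGITIMATE), ("lookalike sender", LOOKALIKE_SENDER),
               ("hijacked reply-to", HIJACKED_REPLY_TO)]
    for label, raw in samples:
        print(label, "->", screen_message(raw) or ["no indicators"])
```

A screen like this supports the checklist rather than replacing it: a message with no indicators still needs independent verification if it asks for new or amended bank details, and a message with indicators should be confirmed with the named sender by phone or in person, never by replying to the email.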