How does CEO fraud work and how can you protect your business?


CEO fraud is a technique used by cybercriminals to extort money from businesses. Scammers specifically target employees who are authorised to make large payments and use psychological manipulation techniques to bypass internal procedures.

In this article, we look at how these scammers operate and provide tips on how to avoid falling into their trap.

The exploratory phase: meticulous preparation by cybercriminals

Before taking action, cybercriminals conduct a thorough investigation to gather as much information as possible about their target. To do this, they pose as auditors, investigators or other authority figures and approach employees via email or telephone. Their goal is to identify vulnerabilities in the company’s internal processes.

The information they seek includes:

  • The identity of employees authorised to make large payments 
  • Payment procedures, including account numbers and financial information 
  • The names of suppliers or clients, which are often easily found online 
  • Dates when key personnel are absent

Scammers use fake email addresses, hide their phone numbers and conduct online research to obtain crucial details. Their methodical approach is reminiscent of a burglar casing a house before breaking in.

The execution phase: major psychological manipulation

Once they have the information they need, the scammers strike.

  1. They pose as an authority figure: the scammer contacts an employee, posing as the CEO, the CFO or an external professional such as a lawyer or the chair of the board of directors.
  2. They present the request as important, urgent and confidential: the aim is to pressurise the victim to bypass internal procedures and process the request quickly and in secret.
  3. They exert psychological pressure: if the employee hesitates, the scammers use authority or flattery, or cite influential names to convince them.
  4. The scam is complete: once the employee is convinced that the request is genuine, they make the transfer directly to the scammer’s account.

How can you protect your business against CEO fraud?

To reduce the risk of fraud, a proactive approach is essential. Here are some preventative measures.

  1. Strengthen internal processes:
    • Limit individual signing powers and require multiple signatures for large amounts
    • Apply strict controls before any transfer request is validated
    • Check all transfer requests using a known phone number
    • Consult the Safeonwebatwork website
  2. Be vigilant when faced with suspicious approaches:
    • Never respond to questions from strangers about internal processes or authorised employees
    • Be extra cautious when working remotely, because the risk of falling for a scam increases if you’re working in isolation
  3. Raise awareness among your teams:
    • Inform your employees of the risks through internal campaigns
    • Use tools like the Cyber Security KIT from Belgium’s Cyber Security Coalition – which includes posters, presentations and examples of fraudulent emails – to reinforce vigilance among your staff
    • Recommend that all staff exercise caution when posting information on social media
  4. Centralise incident reporting:
    • Create a dedicated point of contact where your teams can report suspicious emails or calls.
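One way to turn the first group of measures into a concrete control is a pre-release check that a finance system runs on every transfer request: dual signature above a threshold, a callback to a number from the company's own directory rather than one supplied in the request, a hold on any beneficiary that is not already in the supplier master data, and a warning when the message uses the urgency and confidentiality language described above. The code below is an added example written for this article, not a tool from Safeonweb or the Cyber Security Coalition; the company domain, threshold, directory entries, phone numbers and sample requests are all constructed placeholders.

```python
"""Pre-release check for outgoing transfers against common CEO-fraud patterns."""
from dataclasses import dataclass, field
from typing import Optional

COMPANY_DOMAIN = "example-corp.com"      # constructed: the only domain executives send from
DUAL_CONTROL_THRESHOLD = 10_000.00       # constructed policy value: two signatures above this
# Constructed callback directory. The point of the control is that the number comes from
# here, maintained by finance, and never from the signature of the request being checked.
KNOWN_PHONES = {
    "ceo@example-corp.com": "+32 2 000 00 01",
    "cfo@example-corp.com": "+32 2 000 00 02",
}
# Phrases that the article lists as pressure tactics; a hit is a warning, not a block.
PRESSURE_PHRASES = ("urgent", "confidential", "immediately", "do not tell", "keep this between us")


@dataclass
class TransferRequest:
    requester_email: str
    amount: float
    beneficiary_iban: str
    message: str
    beneficiary_known: bool = False           # True if the IBAN is already in supplier master data
    approvers: set = field(default_factory=set)
    callback_number_used: Optional[str] = None  # number the employee actually dialled


def normalize_phone(number: str) -> str:
    """Keep digits only so '+32 2 000 00 01' and '+32-2-000-0001' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def pressure_signals(message: str) -> list:
    """Return the pressure phrases found in the message, in dictionary order."""
    text = message.lower()
    return [phrase for phrase in PRESSURE_PHRASES if phrase in text]


def evaluate(req: TransferRequest):
    """Return (release_allowed, holds, warnings). Any hold blocks the release."""
    holds, warnings = [], []
    requester = req.requester_email.lower()
    domain = requester.rsplit("@", 1)[-1]

    # 1. Exact domain match catches look-alike domains such as example-c0rp.com.
    if domain != COMPANY_DOMAIN:
        holds.append(f"requester domain '{domain}' is not '{COMPANY_DOMAIN}'")

    # 2. Callback must have happened, and on the directory number for this requester.
    known_number = KNOWN_PHONES.get(requester)
    if known_number is None:
        holds.append("requester has no entry in the callback directory")
    elif req.callback_number_used is None:
        holds.append("no callback performed")
    elif normalize_phone(req.callback_number_used) != normalize_phone(known_number):
        holds.append("callback used a number that is not the directory number")

    # 3. Dual control: two approvers who are not the requester, above the threshold.
    if req.amount >= DUAL_CONTROL_THRESHOLD:
        independent = {a.lower() for a in req.approvers} - {requester}
        if len(independent) < 2:
            holds.append(
                f"amount >= {DUAL_CONTROL_THRESHOLD:.2f} requires two independent approvers, "
                f"got {len(independent)}"
            )

    # 4. A beneficiary account that was never used before is held for manual verification.
    if not req.beneficiary_known:
        holds.append("beneficiary account is not in the supplier master data")

    # 5. Pressure language is surfaced to the approver but does not decide on its own.
    signals = pressure_signals(req.message)
    if signals:
        warnings.append("pressure language: " + ", ".join(signals))

    return (not holds, holds, warnings)


if __name__ == "__main__":
    # Constructed request that looks like the scenario in the article.
    suspicious = TransferRequest(
        requester_email="ceo@example-c0rp.com",
        amount=25_000.00,
        beneficiary_iban="DE00 0000 0000 0000 0000 00",
        message="URGENT and confidential acquisition, wire immediately and do not tell anyone",
        approvers={"a@example-corp.com"},
        callback_number_used="+32 470 11 22 33",   # number taken from the email signature
    )
    released, holds, warnings = evaluate(suspicious)
    print("released:", released)
    for line in holds + warnings:
        print(" -", line)
```

The check is deliberately strict about where the callback number comes from: a fraudster who plants a phone number in the email will happily "confirm" the request, so the comparison is against the directory entry, and a request whose requester is not in the directory cannot be released at all.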

Have you been the victim of fraud?

Immediately alert your bank to try to block the funds before they disappear. Don’t wait, because the longer you wait, the lower the chances of recovering the money that’s been stolen.

You may have to complete other formalities with the authorities, such as filing a complaint with the police and reporting the incident to your point of contact.

Given the growing threat of CEO fraud, businesses must take a proactive approach to their financial security. Prevention, detection and a rapid response are essential if you want to minimise the risks and protect your company’s assets. To protect yourself from phishing and fraud, read our tips and advice via the link below.

Protect your business from fraud and phishing.