Compliance & Investigations

CEO fraud – don’t fall for it!

"CEO fraud" is the name usually given to a scam that is becoming increasingly widespread.

Experience

Just recently a well-known automotive supplier was relieved of a whopping EUR 40 million by fraudsters using this modus operandi. Some of our clients have also been targeted by the scammers – in one case we managed, thanks to the excellent cooperation of the banks involved (Commerzbank) and foreign lawyers at the destination of the fraudulent transfer (China), to secure the money and return it to the victim. However, success is not always guaranteed. The perpetrators are generally very well prepared, know a great deal about the company and often even know the exact names and positions of the employees whom they target. In some cases they even manage to copy the communication style of the company and of the board member concerned with some accuracy.

Using texts that are badly translated with a computer program and that are riddled with spelling mistakes for these attacks is a thing of the past.

Recognise the scam

That said, the attacks tend to follow a pattern that can usually be exposed with a bit of background information and awareness of some security rules:

The fraudsters usually allege that they must urgently carry out an "important" transaction on behalf of management or the chairman of the management board and that a large sum of money must be transferred to the caller for this purpose. It is not unusual for the request for the transfer to be made in a fake e-mail, ostensibly coming from the CEO himself, or at least to be "set up" in this way.

Even if the e-mail from the "boss" is accompanied by telephone calls and enquiries from lawyers who are allegedly working on the transaction, and the reason for the transfer is "highly confidential" or even "secret", a few simple steps can help to prevent the worst from happening: asking to call the person back, verifying the legitimacy of the caller (including through internet searches), and applying the good old "four eyes principle".

If it is really impossible to reach the CEO, talking to one of his secretaries could shed light on where he is and with whom he might be conducting "secret" discussions. The fake lawyers, transaction consultants or tax advisors who press for the amount in question to be transferred quickly often cannot be found through a simple internet search – or the call-back number given does not match the number on the website. A telephone call – obviously not using the telephone number given, but rather a number at the law firm (which might in fact turn out to be a real firm) that you have looked up yourself – can often also clarify the matter.

When answering the e-mail, you should also make sure that when you click on the "reply" button the same e-mail address appears as the one used for the incoming e-mail. If the CEO really had sent the e-mail, this should be apparent from his mailbox (which can generally be accessed by his assistants) – if the company has been attacked by someone from outside, the e-mail will usually not be found there.
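The reply-address check described above can be automated on the mail server or in a mailbox rule. The following is an added example, not code from the original article: it parses a raw message with Python's standard `email` library, reports which address a reply would actually go to, flags a mismatch between that address and the visible sender, and separately flags a sender whose address is outside the company's own mail domain even though the display name claims to be the CEO. The message text, the names and the `.invalid` domains are all constructed for the example.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample message (not a real e-mail): the display name claims to be
# the CEO, but the address belongs to an outside domain and Reply-To points
# somewhere else again, so a click on "reply" would not go back to the sender.
SAMPLE_MESSAGE = """\
From: "Max Mustermann (CEO)" <ceo.example-ag@mail-example.invalid>
Reply-To: transaction-desk@fraud-example.invalid
To: treasury@example-ag.invalid
Subject: Urgent confidential transfer

Please wire the amount to the account below today and do not discuss this with anyone.
"""


def reply_target_mismatch(raw_message: str) -> dict:
    """Return the visible sender address, the address a reply would go to,
    and whether the two differ (the check the text recommends)."""
    msg = message_from_string(raw_message, policy=default)
    _, from_addr = parseaddr(msg.get("From", ""))
    # A mail client sends the reply to Reply-To when present, otherwise to From.
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or msg.get("From", ""))
    return {
        "from": from_addr.lower(),
        "reply_to": reply_addr.lower(),
        "mismatch": from_addr.lower() != reply_addr.lower(),
    }


def sender_outside_domain(raw_message: str, company_domain: str) -> bool:
    """True if the From address is not in the company's own mail domain,
    regardless of what the display name claims."""
    msg = message_from_string(raw_message, policy=default)
    _, from_addr = parseaddr(msg.get("From", ""))
    domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    return domain != company_domain.lower()


if __name__ == "__main__":
    print(reply_target_mismatch(SAMPLE_MESSAGE))
    print("sender outside company domain:",
          sender_outside_domain(SAMPLE_MESSAGE, "example-ag.invalid"))
```

Either flag on its own is not proof of fraud (legitimate mailing tools also set Reply-To), but a message that asks for a payment and trips either check is exactly the case in which the telephone call and the four eyes principle described above should be mandatory.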

In-house communication

Clarifying the matter in-house is even more important: Can "we in the company" (the CEO, the CFO, the management board) really be working on such a project? If the answer is yes, there is nothing that is so secret that there won't be anyone else in the company who knows about the project and who can provide insight into whether the request is genuine or not. It should be a matter of course for you to contact and discuss the requested action with another employee in the company – something which the caller or sender of the e-mail will usually prohibit – who can verify the legitimacy of the request and ultimately help you make a decision about the transaction.

The fraudsters bank on intimidation, respect for the boss's "power" and a corporate culture that does not tolerate questions being asked or instructions being contradicted. The fact that the caller or sender of the e-mail will often insist on the urgency of the matter is another good indication of fraud: In the case of a genuine transaction, there will always be time to get confirmation from the CEO, whether by phone or e-mail.

We should not forget that these scammers play very clever psychological games and, combined with a convincing story and pertinent background knowledge, are able to sway employees very successfully.

Task for Compliance

It is only through clarification and an open compliance and communications culture that encourages employees to ask questions and get confirmation from superiors, or if necessary even directly from the management board, that these scams can be avoided. Nevertheless, there will always be some matters that constitute insider knowledge, or are seen as such, and to which only a few people in the company are privy. In such cases it should always be possible for employees not involved in the matter to talk to one of the people who is (and this is never just the CEO) and to verify the request.

The prevention of such criminal attacks is always a task for Compliance and one that must start with the company's internal processes. It is essential for breaches and inconsistencies in these processes to be identified and remedied, or for suitable control processes to be implemented, to make it more difficult for the fraudsters to carry out their scams.

It is important to be aware of new scams and to be able to identify where your company is vulnerable to outside attacks. Providing employees now and then with training on and information about such scams and new MOs will also facilitate prevention and promote risk management.

Aftercare

If the damage has already been done, it is necessary to act quickly and decisively. Trying to clarify the matter and encouraging people to learn from their mistakes are far better than reproaching employees and intimidating them even more. The fact is that it is already bad enough for employees if they have fallen for such a scheme, so only a thorough and speedy clarification of the matter can possibly repair the damage.
