CEO fraud is another form of "social engineering", in which the perpetrators target what is often the weakest link in the IT security chain: the people. As a result of ever-improving technical protection measures, from a simple firewall to encryption, it has become harder to obtain confidential information by "classic" means such as hacking. Thanks to freely available data on websites and career portals, cybercriminals are therefore increasingly using social manipulation to obtain the data they want.
So what does the term "CEO fraud", also known as the boss trick, actually mean? It is an internet fraud scheme in which the perpetrators use a false identity, for example that of the CEO, to trick company employees into disclosing information and, in particular, to manipulate them into carrying out financial transactions for the perpetrators' benefit. By misrepresenting the facts, the perpetrators try to get the employee to transfer a large sum of money to accounts in Asian or Eastern European countries. Classic examples are the claim that the account details have changed and the money from the company account must now be transferred to the new account, or a perpetrator posing as a system administrator who claims to need the employee's password because of a system error. Another conceivable approach is for the perpetrators to pretend to be a lawyer at the law firm working for the company; the possible scenarios are almost endless.
Contact is usually established by telephone or email. In the case of email, modern technical possibilities mean that the differences between the original email address, including signature and company logo, and the forgery are hardly recognisable. Laypersons often underestimate how easy these forgeries are and how well prepared the perpetrators are. Weeks of research enable the perpetrators to gather comprehensive information about internal procedures as well as the target persons. The perpetrators usually obtain this information, especially contact data, from freely accessible information on the companies' websites or the corresponding entries in the commercial register. Career sites such as LinkedIn are also a popular source, especially for identity theft. Such a perfidious and ingenious approach usually means that the scam is only noticed when it is already too late.
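As an added illustration of the defensive side of the forgery problem described above (this is example code written for this page, not from the original article or any product), the following Python script checks an inbound message for the three tell-tale signs of a forged executive email: a trusted display name attached to a different address, a sender domain that merely looks like the company's own, and a Reply-To pointing elsewhere, combined with typical payment-change wording. The company domain, executive list and the two sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed (placeholder) company domain and known executive addresses.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Wording that typically accompanies a fraudulent payment request.
PAYMENT_KEYWORDS = ("new account", "bank details", "transfer", "urgent", "confidential")


def normalize_domain(domain: str) -> str:
    """Collapse common look-alike substitutions (1->l, 0->o, rn->m, ...)
    so that 'examp1e.com' compares equal to 'example.com'."""
    table = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
    return domain.lower().translate(table).replace("rn", "m")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message: str) -> list:
    """Return a sorted list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Known executive name, but the address is not the one on file.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name impersonation")

    # 2. Sender domain is not ours but collapses to ours after normalisation.
    sender_domain = domain_of(addr)
    if sender_domain != INTERNAL_DOMAIN and normalize_domain(sender_domain) == INTERNAL_DOMAIN:
        findings.append("look-alike sender domain")

    # 3. Replies are silently redirected to a different domain.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to mismatch")

    # 4. Subject and body use the vocabulary of a payment-change request.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if sum(1 for kw in PAYMENT_KEYWORDS if kw in text) >= 2:
        findings.append("payment-change language")

    return sorted(findings)


# Constructed sample messages (not real correspondence).
SUSPICIOUS_MAIL = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-hosting.invalid
To: accounts@example.com
Subject: Urgent and confidential

Please transfer the outstanding invoice to our new account, bank details attached.
"""

LEGITIMATE_MAIL = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Meeting

See you at the meeting tomorrow.
"""

if __name__ == "__main__":
    print("suspicious:", analyse(SUSPICIOUS_MAIL))
    print("legitimate:", analyse(LEGITIMATE_MAIL))
```

None of these checks proves fraud on its own; the practical value lies in flagging a message that trips several at once, so that the employee is prompted to verify the request by a second channel before any transfer is made.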
This phenomenon, however, is by no means new. As early as the 1960s, the notorious con artist Frank Abagnale used the manipulation methods of social engineering. What worked back then has become even easier today thanks to digitalisation and global networking.
Especially now, in times of Covid-19, it is a red-hot topic again. Working predominantly from a home office in itself requires a considerable change in the processes and procedures established in the office, not to mention IT security aspects, which are unfortunately often disregarded for reasons of practicality.
In 2016, the Federal Office for Information Security (BSI), which is responsible for IT security, first warned about the then still largely unknown phenomenon of the grandparent scams 2.0 (see, among others, the BSI annual report of 2016). For 2016 and 2017 the nationwide damage is estimated at around 55 million Euro, according to the representative study "Economic Protection in the Digital World" by the digital association Bitkom. A 2020 study by the audit firm PricewaterhouseCoopers (PwC's "Global Economic Crime and Fraud Survey 2020") estimates that between 2018 and 2020 almost half of the world's companies were already affected by possible cyber/economic crimes, with an estimated damage of 42 billion USD.
While originally only large corporations were targeted by the perpetrators, in recent years it has mainly been small and medium-sized companies with high turnover that have been affected. Unlike the big players, smaller companies often lack appropriate compliance systems and other protective mechanisms. One example is the MDAX-listed Nuremberg automotive supplier Leoni: the company was targeted by the boss scam in summer 2016 and fell for it. A total of EUR 40 million was transferred to 50 accounts in China and Hong Kong. The perpetrators were so skilled that this only became apparent after 3 weeks. They posed as high-ranking managers and directed the transfers by mail, usually a single-digit million amount each.
How, though, can such an attempt at fraud be recognised? And how do you protect yourself and the company from becoming the victim of such a crime?
Since perpetrators in the field of social engineering rely on the human weaknesses of company employees, creating awareness and training employees should be a top priority.
But this also requires the corresponding corporate culture. Not only is a functioning compliance system essential, but also an open approach to employees and colleagues. Queries should not leave the employee feeling embarrassed about having raised the question; they should be taken seriously. The colleague's vigilance should be appreciated and acknowledged even in the case of a false alarm. Only in such a working climate, in which employees dare to communicate their doubts to the right place, can criminal acts such as CEO fraud be prevented and the risks minimised.