I. Meaning and typical procedure
CEO fraud is another variant of “social engineering”, in which the perpetrators target what is often the weakest link in the IT security chain: the people. Ever-improving technical protection measures, ranging from a simple firewall to encryption methods, have made it harder to obtain confidential information by “classic” means such as hacking. Thanks to freely available data on websites and career portals, cybercriminals are therefore increasingly using social manipulation to obtain the data they want.
So what does the term “CEO fraud”, also known as the boss scam, actually mean? It is an internet fraud scheme in which the perpetrators use a false identity, for example that of the CEO, to trick company employees into disclosing information and, in particular, to manipulate them into conducting financial transactions for the benefit of the perpetrators. By misrepresenting the facts, the perpetrators try to get the respective employee to transfer a large amount of money to accounts in Asian or Eastern European countries. Classic examples are the claim that the account details have changed and that money from the company account must now be transferred to the new account, or the perpetrator posing as a system administrator who claims to need the employee’s password because of a system error. Another conceivable approach is for the perpetrators to pretend to be a lawyer at the law firm working for the company – the possible scenarios are almost endless.
Contact is usually established by telephone or email. In the latter case, modern technical possibilities mean that a forged email, including signature and company logo, is hardly distinguishable from a genuine one. Laypersons often underestimate how easy such forgeries are and how well prepared the perpetrators are. Weeks of research allow the perpetrators to gather comprehensive information about internal procedures as well as about the target persons. They usually obtain this information, especially contact data, from freely accessible sources such as the company website or the corresponding entries in the commercial register. Career sites such as LinkedIn are also a popular source, especially for identity theft. Such a perfidious and ingenious approach usually means the scam is only noticed when it is already too late.
This phenomenon, however, is by no means new. As early as the 1960s, notorious con artist Frank Abagnale used the manipulation methods provided by social engineering. What already worked back then has now become even easier thanks to digitalisation and global networking.
Especially now, in times of Covid-19, it is a red-hot topic again. Working predominantly from a home office in itself requires a considerable change in the processes and procedures established in the office, quite apart from IT security aspects, which are unfortunately often disregarded for reasons of practicality.
In 2016, the Federal Office for Information Security (BSI), which is responsible for IT security, first warned about the then still quite unknown phenomenon of the grandparent scams 2.0 (see, among others, the annual report of 2016, available at www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2016.html). For 2016 and 2017 the nationwide damage is estimated at around 55 million Euro, according to the representative study “Economic Protection in the Digital World” by the digital association Bitkom. A 2020 study by audit firm PricewaterhouseCoopers (PwC’s “Global Economic Crime and Fraud Survey 2020”, available at www.pwc.de/de/consulting/forensic-services/wirtschaftskriminalitaet-ein-niemals-endender-kampf.pdf) estimates that between 2018 and 2020 almost half of the world’s companies have already been affected by possible cyber/economic crimes – estimated damage: 42 billion USD.
While originally only large corporations were targeted by the perpetrators, in recent years it has mainly been small and medium-sized companies with high turnover that have been affected. Unlike the big players, smaller companies often lack appropriate compliance systems and other protective mechanisms. Take the MDAX-listed Nuremberg automotive supplier Leoni: the company fell victim to the boss scam in summer 2016. A total of EUR 40 million was transferred to 50 accounts in China and Hong Kong. The perpetrators were so skilled that this only came to light after three weeks. They posed as high-ranking managers and directed the transfers by email, usually in single-digit million amounts.
How, though, is it possible to recognise such an attempt at fraud? And how do you protect yourself and the company from becoming a victim of such a crime?
- Sensitising employees
The biggest uncertainty factor is the human being. Deceptively genuine-looking emails make a fraudulent scheme hard to notice at first glance. The fact that the identities of real, existing employees are used makes it extremely difficult to detect such an attempted crime. In addition, victims are usually put under additional time pressure and/or asked to maintain confidentiality, with claims along the lines of it being a confidential project. These practices aim to exploit human qualities such as helpfulness, trust or respect for authority.
This quickly opens a gateway for the perpetrator’s criminal schemes. If and when the fraud is discovered, it is usually already too late. The most effective countermeasure is therefore to raise awareness among employees and to instil a certain awareness of danger in them. Questioning unusual transactions is the best way to expose fraudulent actions in time.
It is therefore essential to provide special training for employees in order to create an appropriate awareness of such fraud schemes. Every individual employee counts, regardless of their hierarchical level in the company. Employees need to be trained to pay attention to even supposedly minor details, such as the exact address of the sender. In addition, it is worth emphasising that such acts of fraud are often prepared over a period of weeks and begin with spying on the company.
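The “exact address of the sender” is something a mail gateway or ticket system can check as well as a trained employee. The following is an added illustration, not code from the original article: it compares an inbound From header against an assumed internal directory, flags look-alike domains (digit-for-letter and “rn”-for-“m” substitutions, or a near-identical spelling), and flags a Reply-To that differs from the visible sender. The corporate domain, the directory entries and the sample headers are constructed for the example.

```python
"""Flag inbound emails whose visible sender impersonates an internal person.

Constructed example: CORPORATE_DOMAIN, DIRECTORY and all addresses are invented.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List, Optional

# Assumption: the company's own mail domain.
CORPORATE_DOMAIN = "example-corp.com"

# Assumption: internal directory, display name -> genuine mailbox address.
DIRECTORY = {
    "Anna Mueller": "a.mueller@example-corp.com",
    "Peter Schmidt": "p.schmidt@example-corp.com",
}

# Characters commonly swapped for letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Map visually similar characters onto the letters they imitate."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def is_lookalike(domain: str, reference: str = CORPORATE_DOMAIN) -> bool:
    """True if `domain` is not the corporate domain but closely resembles it."""
    if domain.lower() == reference:
        return False
    if normalize_domain(domain) == normalize_domain(reference):
        return True
    # Catch near-misses such as a dropped or doubled letter.
    return SequenceMatcher(None, domain.lower(), reference).ratio() >= 0.85


def check_sender(from_header: str, reply_to: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # A known display name must come from its registered mailbox.
    expected = DIRECTORY.get(name)
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' belongs to {expected}, not {addr}")

    # The sender domain must not merely resemble the corporate domain.
    if is_lookalike(domain):
        findings.append(f"sender domain '{domain}' resembles {CORPORATE_DOMAIN}")

    # Replies must not be silently redirected to another mailbox.
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr.lower() != addr.lower():
            findings.append(f"Reply-To {rt_addr} differs from From {addr}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ("Anna Mueller <a.mueller@example-corp.com>",
                "Anna Mueller <a.mueller@examp1e-corp.com>",
                "Anna Mueller <ceo.office@exarnple-corp.com>"):
        print(hdr, "->", check_sender(hdr) or "ok")
```

The check is deliberately conservative: it only raises a finding when a name the company actually uses is paired with the wrong address, or when the domain itself is a near copy, so routine external mail is not flagged.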
- Technical and organisational precautions
Alongside staff training, IT security is also an important component in protecting against crime. A comprehensive analysis of the internal reconciliation and payment processes is first necessary in order to identify and subsequently eliminate potential weak points. An audit of the company’s processes is also essential from a data protection perspective in order to develop a compliance system which complies with the GDPR. This is because the damage resulting from CEO fraud is usually not only of a financial nature – the perpetrators often also gain access to employee or customer data, which as personal data is subject to the special protection of the GDPR. In this context, it is important to point out the consequences of such a data breach, namely the obligation to report it to the competent supervisory authority as well as the risk of being sanctioned with a substantial fine.

The second step should be to develop internal control measures, requiring at least two employees to be involved in important decisions, as well as clear rules on absences – after all, the clearer the guidelines, the less likely the perpetrators are to succeed with their scam. It is advisable to establish a release concept in the form of two-factor authentication for transactions above a certain amount, for example a call to the CEO regarding the email with the payment instruction.

Finally, public disclosure of company information should be carefully considered, both by the company and by individual employees. The less information is publicly available, the less attractive the company is to scammers. It is therefore important to restrict the data to the bare minimum in order to make it as difficult as possible for the perpetrators to obtain access.
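The release concept described above (dual control, plus an out-of-band call-back above a threshold) can be written down as an explicit decision rule so that a payment system enforces it rather than relying on memory. The block below is an added example, not code from the original article or any company named in it; the threshold, the set of authorised approvers and the sample requests are assumptions. It also treats a changed beneficiary account as a trigger for the call-back, because that is the classic pretext described earlier in the text.

```python
"""Release decision for an outgoing payment: dual control plus call-back.

Constructed example. CALLBACK_THRESHOLD, AUTHORISED_APPROVERS and the sample
requests are assumptions, not a real company's policy.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumption: above this amount (EUR) a phone call-back on a known number is mandatory.
CALLBACK_THRESHOLD = 50_000

# Assumption: roles allowed to give one of the two required approvals.
AUTHORISED_APPROVERS = {"cfo", "head_of_accounting", "treasury_lead"}


@dataclass
class PaymentRequest:
    request_id: str
    amount: float
    beneficiary_iban: str
    known_beneficiary_ibans: Set[str]      # accounts previously used for this supplier
    requested_by: str                      # person who entered the payment
    approvals: Set[str] = field(default_factory=set)
    callback_verified_by: Optional[str] = None  # who confirmed by phone, if anyone


def release_decision(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (release, reasons). Any reason blocks the payment."""
    reasons = []

    # Dual control: two distinct authorised approvers, neither the requester.
    approvers = req.approvals & AUTHORISED_APPROVERS
    if req.requested_by in approvers:
        reasons.append("requester cannot approve own request")
    approvers -= {req.requested_by}
    if len(approvers) < 2:
        reasons.append(f"only {len(approvers)} independent approval(s), two required")

    # "Account details have changed" is the classic pretext: always call back.
    new_beneficiary = req.beneficiary_iban not in req.known_beneficiary_ibans
    if new_beneficiary and req.callback_verified_by is None:
        reasons.append("new beneficiary account without call-back on a known number")

    # Large amounts need the second factor regardless of the beneficiary.
    if req.amount > CALLBACK_THRESHOLD and req.callback_verified_by is None:
        reasons.append(f"amount above {CALLBACK_THRESHOLD} without call-back")

    # The call-back must be made by someone other than the person entering the payment.
    if req.callback_verified_by is not None and req.callback_verified_by == req.requested_by:
        reasons.append("call-back must be performed by someone other than the requester")

    return (not reasons, reasons)


def routine_payment() -> PaymentRequest:
    """Constructed: small amount, known account, two independent approvals."""
    return PaymentRequest("R-1", 10_000, "DE00KNOWN", {"DE00KNOWN"},
                          requested_by="clerk", approvals={"cfo", "head_of_accounting"})


def urgent_confidential_payment() -> PaymentRequest:
    """Constructed: the CEO-fraud pattern, large sum to a new account, one approver."""
    return PaymentRequest("R-2", 3_000_000, "HK00NEW", {"DE00KNOWN"},
                          requested_by="clerk", approvals={"cfo"})


def verified_large_payment() -> PaymentRequest:
    """Constructed: same large sum, but dual control and call-back in place."""
    return PaymentRequest("R-3", 3_000_000, "HK00NEW", {"DE00KNOWN"},
                          requested_by="clerk", approvals={"cfo", "treasury_lead"},
                          callback_verified_by="cfo")


if __name__ == "__main__":
    for req in (routine_payment(), urgent_confidential_payment(), verified_large_payment()):
        ok, why = release_decision(req)
        print(req.request_id, "release" if ok else "blocked", why)
```

The point of encoding the rule is that time pressure and claimed confidentiality, the two levers the article describes, cannot bypass it: the request is blocked until a second approver and a call-back on a known number exist, whoever appears to be asking.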
Since perpetrators in the field of social engineering rely on the human weakness of company employees, creating awareness and employee training should be a top priority.
But this also requires a corresponding corporate culture. Not only is a functioning compliance system essential, but also an open approach to employees and colleagues. Queries should not leave the employee feeling embarrassed about raising the question, but should be taken seriously. The vigilance of the colleague should be appreciated and acknowledged even in the case of a false alarm. Only in such a working climate, in which employees also dare to communicate their doubts to the right place, can criminal acts such as CEO fraud be prevented and risks minimised.