CEO/CFO Fraud – is this happening to you?

How sure are you that your CEO or CFO is not being hacked right now?

Are your 100% sure of that?

Organisations are often vulnerable to hacking not because they haven’t got good anti-virus or anti-malware protections in place but simply because hackers and fraudsters are so determined to infiltrate their systems and carry out cyber-criminal activity.

One of the ways they will try to achieve this aim and benefit financially in the process is through what’s known as CEO/CFO Fraud.

How does it work?

The first thing a criminal will do when committing a CEO/CFO Fraud attack is gain access to your business’ IT system one way or another.  That could mean by targeting a member of staff with a piece of email that has a malware link in it. Or it could be that they will leave a USB memory stick by the front door hoping that someone will pick it up and plug it into their laptop or computer. Or it could even be that they’ve compromised a trusted employee’s home computer in the hope that when they connect to the office that malware will be transferred.

Once the criminal in this scenario gains access to your computer network they will start monitoring and they will play a patient game. What they are actually after are emails moving backwards and forwards. Typically, they will monitor all the email accounts to start with but then they will pick their target and that would usually be the account of a CEO or a CFO. They will probably also monitor the email accounts of your purchasing department’s staff or the people responsible for raising purchasing orders or settling payments.

The waiting game

The next step for a CEO/CFO Fraud attacker is to start gathering and intercepting emails and then repurposing them to access potentially valuable information. The most common strategy is to use domain names which are very similar to yours so that if your domain name is the attacker might register or, for example.

They will then tamper with one of the emails or create a new one in a similar vein and send that email to the CEO or CFO saying that a particular payment is required. Now, invariably, the premise for that payment will be against a supplier’s product which is commonly bought and familiar to the relevant parties. The email will look plausible with the only tell-tale signs being that the domain name will be slightly different and the email will most likely ask for direct payment.

Alternatively, the email may be headed up as if it is coming from the CEO or CFO and it will then typically be sent to the purchasing or accounts department instructing them to raise a payment but the payment details in the email will be the bank details of the fraudsters.

Remarkably, even if there is a phone number to verify the contents of the email in the event of a query you will find that the phone number is in fact the number of the fraudsters. The whole aim is to make it all appear plausible but there might be an added sense of urgency within the fraudulent emails because the attackers want to conclude the process as quickly as they possibly can. What’s worse for the victims in these instances though is that they often find themselves not only being defrauded but also still owing money to real suppliers who the fraudsters have effectively impersonated.


Protecting your business

The only effective way to protect against a CEO or CFO Fraud attack is through education and vigilance.

First of all when you set up a new account with a supplier you should get account information and they should be verified by telephone using the numbers that you already have and that information should be logged somewhere and it should be understood by all concerned that this is then the only method of payment that can be used.

Remember these fraudsters can take a genuine email or invoice that comes in from your supplier and then go into the pdf and surgically change the bank account details before they resend the email.

It’s very difficult sometimes to tell the fake from the real. The whole email can look very genuine apart from the fact that the bank account details will not be the ones you have on file and the domain name of the sender will not be correct.

Remember that the aim of these attacks is not to empty the entire contents of your bank account but can be to dupe your company into sending significant amounts of money that might still slip in under the radar. One of the reasons why these frauds are so successful is that the emails involved can end up with the purchasing department and appear to have come straight from the most senior people within a given company in the CEO or the CFO.

Specific steps to take

To avoid falling victim to a CEO/CFO Fraud attack then the details relating to all your company’s new electronic payments need to be subject to a rigid set of procedures and checks. This would typically be a set of questions you would ask yourself followed by a manual check. For example:

  • Is the payment expected?
  • Is this someone we’ve dealt with before?
  • Have any of the details changed?
  • Look for signs that might suggest an email has not come from the CEO or CFO as is being claimed – hover over email address and read the popup box to make sure it is legitimate.
  • Set a threshold (typically by £ amount) where all requested transactions have to have a second check – i.e. no one person is responsible for a large transaction

When you set up a supplier as a new ‘payee’ on an online banking system then their information will usually be retained ready for use again in future. So it is when new payees are being added that extra care and attention really needs to be paid.

It is very difficult to put in place an automatic process or system that fends off these types of fraud attacks as a matter of course but that doesn’t mean that they are not preventable. In fact, they can be protected against but it involves an awareness initially that these types of attack are happening and that the consequences can be significant. Certainly, when it comes to making online payments to suppliers it is always better for businesses to be safe than to be sorry and to make sure that they aren’t unwittingly making payments to unknown fraudsters.

Leave a Reply