How does CEO fraud work?
The fraudster contacts a manager, a member of the accounts department or any other employee who could be of value to them, either by telephone or by email, and asks the employee to make an urgent, confidential payment. This payment is typically made to a beneficiary abroad, which makes the payment harder to trace. In many cases, fraudsters even mention a third party that can be contacted to ensure the payment is correct. This fraudulent or non-existent third party may be presented as a ‘law firm’ that the employee can call to confirm the payment.
The payment is, of course, carried out at the instruction of the fraudster, not the company. As the payment is sent by an authorised employee from your organisation, this type of fraud is difficult to intercept. Moreover, banks and insurers do not provide any compensation for the amount stolen.
Fraudsters sometimes spend months on preparations. They obtain information by purchasing data on black markets, by visiting your company’s website or the LinkedIn pages of your employees, or simply by asking questions by email or by telephone. Another approach that criminals take is to hack the company’s email so that they know exactly who to approach and which people normally give instructions to make payments.