In recent months, there has been a significant increase in a specific type of fraud used to steal money from companies of all sizes.
It's called CEO fraud and it has already cost some organisations over £3,000,000.
How Fraudsters Obtain Funds via Email
A member of an organisation's finance team will be sitting at their desk, when they receive an (apparently) personal email from the managing director or CEO of their company.
The email will state that funds must be released to finalise a huge international takeover or some other major deal. It will address the employee directly and ask them to carry out a sensitive business transaction, possibly referencing FCA regulations and the need for complete discretion.
Phone calls may also be used to add "legitimacy"
In some cases, the email will mention that a representative of an intermediary body will be getting in contact by phone with details of the transfer. Once the employee replies to the email, the fraudster calls the individual, posing as the person mentioned in the email who supposedly works for a professional services firm such as PwC.
The employee feels flattered that they have been trusted by the CEO and carries out the transaction swiftly to impress their boss.
At some point in the near future, the large and unrecognised transaction is scrutinised. It turns out there was no big deal, and the firm realises it has lost a large amount of money.
Examples to be wary of
So far, the following domain names have been used by the fraudsters to impersonate an intermediary for the deal. Any email from these domains is not legitimate and is not associated with PricewaterhouseCoopers or PwC Legal:
@pwc-ukglobal.com and @pwc-office.com
This is by no means exhaustive, and the fraudsters may choose to impersonate another firm that will supposedly be assisting with the "deal", such as Deloitte or KPMG.
The fraudsters may not use an intermediary at all, and the crime may be carried out entirely with the first email posing as the CEO. In this case the sender name will be that of the CEO, but the email address behind it will usually be something unfamiliar, or a Yahoo or Gmail account (so that the fraudster can receive the replies).
In an increasingly technological age, we can't forget about old fashioned fraud
Awareness of cyber crime is at an all-time high, so there is a real risk of forgetting about traditional methods of fraud. Whilst this method uses technology (email, phone), there is no hacking going on, and the criminals are not doing anything technical to extract funds. They are only tricking people.
Vast amounts of data exist online for anyone to view
Don't assume legitimacy because someone calls or emails you directly, uses your first name and appears to know about you. Anyone can find company details such as employee names, the departments they work in, the managing director's name (even email addresses) and financial information that lets them request a realistic sum of money.
It is also possible to appear as anyone you want online, even over email. You don't need access to an email account to appear to send from it: most mail clients let you set the display name to anything you like, and the Reply-To header can point to a completely different address, so replies go to the fraudster rather than to the person named. Unless the receiving mail system enforces SPF, DKIM and DMARC, even the From address itself can be forged. Always look at the actual address behind the sender name, and at where a reply would go, before acting.
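The checks described above (executive display name on an outside address, free webmail sender, mismatched Reply-To, and the lookalike intermediary domains named earlier on this page) can be automated on the mail headers. The script below is an added example written for this page; it is not code from the article or from any vendor. The company domain `example.co.uk`, the executive name, the list of genuine PwC domains and the three sample messages are all constructed assumptions for illustration.

```python
"""Header checks for the CEO-fraud pattern described on this page.

Added example, not part of the original article. The company domain,
executive name, genuine-domain list and sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed (hypothetical) organisation details
COMPANY_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane smith"}  # display names a fraudster is likely to borrow

# Free webmail domains used so the fraudster can receive the replies
FREE_MAIL = {"gmail.com", "yahoo.com", "yahoo.co.uk", "outlook.com", "hotmail.com"}

# Domains named on this page as used to impersonate PwC
KNOWN_BAD = {"pwc-ukglobal.com", "pwc-office.com"}
# Genuine domains of the firm being impersonated (assumed for the example)
GENUINE_PWC = {"pwc.com", "pwc.co.uk"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return the reasons a message looks like CEO fraud (empty list if clean)."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)
    flags = []

    # 1. Display name is one of our executives, but the address is not ours.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append(f"executive display name '{name}' with external address {from_addr}")

    # 2. Sent from a free webmail account (where the replies will be collected).
    if from_dom in FREE_MAIL:
        flags.append(f"sender uses free webmail domain {from_dom}")

    # 3. Reply-To points somewhere other than the From domain.
    if reply_addr and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Lookalike of the intermediary firm: a domain named on the page, or one
    #    containing 'pwc' that is not a genuine PwC domain.
    if from_dom in KNOWN_BAD or ("pwc" in from_dom and from_dom not in GENUINE_PWC):
        flags.append(f"lookalike intermediary domain {from_dom}")

    return flags


# Constructed sample messages (not real traffic)
CEO_SPOOF = """From: Jane Smith <jane.smith.ceo@gmail.com>
To: finance@example.co.uk
Subject: Confidential transfer

Please action the transfer today; the FCA requires complete discretion.
"""

INTERMEDIARY = """From: Mark Jones <m.jones@pwc-ukglobal.com>
Reply-To: m.jones@outlook.com
To: finance@example.co.uk
Subject: Takeover - wire details

A colleague will call you shortly with the account details.
"""

GENUINE = """From: Jane Smith <jane.smith@example.co.uk>
To: finance@example.co.uk
Subject: Board pack

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("CEO spoof", CEO_SPOOF), ("Intermediary", INTERMEDIARY), ("Genuine", GENUINE)):
        print(label, "->", check_message(sample) or ["no flags"])
```

The constructed CEO message trips the executive-name and free-webmail checks, the intermediary message trips the Reply-To and lookalike-domain checks, and the genuine internal message produces no flags. These header checks only catch the lazy version of the attack: if the receiving domain does not enforce SPF, DKIM and DMARC, the From address itself can be forged to match the real CEO, so they complement rather than replace the out-of-band verification described later on this page.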
People are the weakest link in your security network
Fraudsters get the information they need to infiltrate a company by scouring the company website, organisation charts and social media accounts. Using this information, they can identify and target the person who is authorised to transfer large sums of money, then impersonate the CEO with a fake email address. If they can manipulate this person, no amount of security hardware or software will keep business funds safe.
Technological defences are necessary to protect from cyber-attack, but they're only half of the puzzle. How's your "human firewall"? Download this template to develop your own IT Security policy to employ in your business.
How to prevent this from happening to you
- Make people in your company aware of this problem.
- CEOs/Managing directors: Speak directly to the people who have access to company funds and assure them that you, and other members of management, will never use email to request a funds transfer.
- Set an amount that cannot be exceeded for one-off transfers without going through a proper procedure, and make that procedure include confirming the request with the named requester on a phone number you already hold, never one supplied in the email.