How does CEO fraud work?

28 October 2020 by National Bank

Imagine you’re at work. You receive an email from your boss. He’s on a business trip abroad. He has just acquired a company and asks you to send him an emergency bank transfer. He adds that he trusts your discretion about the matter completely. It’s flattering, but watch out. It’s possible you’re being targeted by a scammer.

More and more companies are falling victim to CEO fraud (or fake president scam), a type of targeted email fraud that exploits human vulnerability to obtain a bank transfer. “There’s a surge going on at the moment because it works, actually—companies and their employees are not sensitized to it,” explains Tony Fachaux, an expert in cybersecurity awareness at National Bank. Discover how you could be targeted, and how you can protect yourself.

What is CEO fraud?

CEO fraud is a phishing scam that plays on the victim’s feeling of being privileged to have been chosen to perform a task by the president or another superior, whose email address is spoofed. The scammer tries to earn the victim’s trust by sending them an email that appears to come from the president or another executive, asking for money to be quickly transferred online. And the employee is not randomly chosen: “It’s someone who is able to make payments in the company’s name,” explains Fachaux. “Otherwise the scam wouldn’t make any sense.”

But how do the scammers know who to choose? They’re able to identify the key players in an organization through social engineering. “They search the web and social media,” continues the expert. “Sometimes, they can even go as far as contacting the person first on social media, chatting with them and gathering information to make their phishing email as believable as possible.” Using information available on the internet, the scammers also build a very refined scenario designed to have the transfer made as quickly as possible without arousing any suspicion of fraud.

Ways to protect yourself from fraud

Regular virtual conversations and sensitive data that may circulate online are making companies increasingly vulnerable. To avoid falling for this type of phishing, you must remain vigilant and aware. Here’s how.

1. Be ready

Tightening up your internal processes, for example by adding authentication measures for transfers, is always a good idea. However, scammers often encourage their targets not to follow the normal procedures for making the payment.

Technological mechanisms can also be established in advance to detect when an email address is being spoofed. “Scammers always find ways of getting around technology,” says the expert. “But if an organization has the right tools, it can block a large majority of these fraudulent emails. For any that get through the spam filters, that’s where employees step in. People are basically your company’s best defence.”
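The kind of spoofing check mentioned above, as an added example (not part of the original article and not National Bank's tooling): a Python function that inspects an email's headers and wording for the signs this article describes. The company domain, executive names, keyword list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"           # assumption: the organization's own mail domain
EXECUTIVES = {"jane doe", "john smith"}  # assumption: people whose name carries payment authority
PRESSURE = re.compile(r"\b(urgent|emergency|immediately|confidential|discretion|transfer)\b", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def ceo_fraud_signals(raw_message):
    """List the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = domain_of(msg.get("From"))
    signals = []
    # An executive's name shown to the reader, but an address outside the company.
    if display_name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        signals.append("executive-name-external-domain")
    # Replies silently routed to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        signals.append("reply-to-domain-mismatch")
    # SPF/DKIM/DMARC verdicts recorded by the receiving mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", auth):
        signals.append("sender-authentication-failed")
    # Urgency and secrecy wording, as in the scenario that opens the article.
    body = "" if msg.is_multipart() else msg.get_payload()
    words = {w.lower() for w in PRESSURE.findall(f"{msg.get('Subject', '')} {body}")}
    if len(words) >= 2:
        signals.append("urgency-or-secrecy-wording")
    return signals

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Jane Doe" <jane.doe@examp1e-corp.test>
Reply-To: jane.doe.office@mailbox.test
To: accounts@example.com
Subject: Urgent transfer
Authentication-Results: mx.example.com; spf=pass; dmarc=fail header.from=examp1e-corp.test

I just acquired a company. Please send an emergency bank transfer today. I trust your discretion.
"""
LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Quarterly report
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Please find the report attached.
"""
```

A message that raises any of these signals is a candidate for quarantine or a warning banner; a clean result does not replace the out-of-band confirmation described in step 3.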

2. Be careful

For Fachaux, “the key to protecting yourself from fraud is to stop, analyze and question. Don’t ever be afraid to question! We’re always in autopilot mode when we’re in front of the computer. In general, it’s where we perform tasks without thinking, and where we make mistakes.”

The very nature of the swindle is to pass off a fraudulent transaction as an everyday request, which makes it especially hard to recognize. Does the request seem unusual? Does your boss sound different than usual? If you have the slightest doubt, don’t perform the transfer before receiving verbal confirmation of its necessity.

3. Go beyond the email and validate

For every situation, the expert insists, “You must never perform an action based solely on an email.” In other words, you must contact the supposed sender of the request by a means other than email, for example through a discussion platform used by the company or by calling a phone number you already have on hand. “Scammers are smart,” he adds. “They will leave a phone number in the email, in case you have questions. But obviously, this number belongs to the scammer.”

Instructions on how to proceed to make the payment can also be sent in a second email, coming from a lawyer, for example. This once again is part of the scammer’s deception, which aims to legitimize the transfer.

What should you do if you’re a victim?

Once completed, this type of scam is irreversible. In the vast majority of cases, recovering the amount will not be possible and the money is lost. But once the transfer is made, you should still contact your bank without delay. “Sometimes there is a possibility of blocking the funds before they are delivered to the scammer,” explains Fachaux. “But you have to act fast.” This is a question of minutes, and the chance of a successful recovery is slim.

In order to contribute to efforts to raise awareness about this type of scam, you should also file a complaint with the police. And if the scammers are identified, you will have the right to legal recourse. “But in general, these scammers execute their transfers internationally, in a country where it’s often very hard to get the money back,” explains the expert.

To ensure it has every chance of success, a company should arm itself against fraud beforehand. Prevention remains the best strategy for avoiding deceit.
