What you should know about CEO fraud
CEO fraud is a type of scam in which cybercriminals, posing as the CEO or financial executive of the business, ask the financial department to quickly make a large transfer. Often, the employee targeted makes that transfer.
Also in Belgium
CEO fraud has been around for a long time but has been on the rise in recent years. For cybercriminals, it's quite an easy way of scamming businesses out of money, and there's a low risk of getting caught.
According to a study by BDO, CEO fraud accounts for 5% of all successful cases of financial fraud in Belgium. In 59% of cases, the financial damage is under 100,000 euro but it can sometimes be extremely high.
The most famous Belgian victim to date is Crelan bank, which was scammed out of 70 million euro in 2016. But SMEs are also targeted.
How does it work?
First, cybercriminals collect information about a business, such as the names of the CEO and financial executives, account numbers, and the main suppliers. Much of this information can be found online, and criminals often also contact the business directly by e-mail or phone.
The business is then contacted by the cybercriminal posing as the CEO or another decision-maker.
What follows is a story about an urgent payment that needs to be made immediately and for which the normal procedure can’t be followed.
Often, the story is so credible that the employee targeted carries out the payment in good faith.
How can you protect your business?
- CEO fraud is a type of "social engineering", an abuse of confidence. It can’t be prevented by a technical intervention, but it can be stopped through prevention and awareness.
- Make sure that payment procedures are firmly established in your business and that the rules are strictly followed. Keep these rules confidential so that they don't fall into the hands of cybercriminals.
- Inform your employees about the existence of CEO fraud and ask them to remain alert and to report suspicious e-mails and phone calls.
- In case of a clear attempt to commit fraud, notify the police and the federal Computer Emergency Response Team (CERT.be).
- Also, warn any persons or organizations whose identity was misused.
- If money was transferred, notify your financial institution immediately to stop the payment.