“The fraudsters pretending to be our CEO are getting more sophisticated”

You may have heard about CEO fraud scams, or BEC (Business Email Compromise) scams. They belong to a rapidly growing category of fraud called social engineering. We meet a person who is regularly targeted by them. According to her, they are getting harder and harder to spot.

A CEO fraud is usually a fake email sent by someone pretending to be a member of the management team. The recipient is carefully selected by the fraudster as somebody who probably has access to the company’s finances. The person posing as the CEO or a manager asks the employee to transfer a given sum to a specified account – and to do it fast.

We sat down with a woman in a senior position at one of the largest companies in Sweden. She wishes to remain anonymous. Her view is that these kinds of fraud are becoming more and more refined.

– Fake emails aren’t news to me, I get them every now and then. I work very closely with the management team and I am responsible for all of our payments, but I am not very visible outside the organization. Choosing me as the recipient is a sign that the fraudsters are being somewhat careful while researching, they are doing their homework. I recently got a fake email sent to me by what seemed to be our group CEO. He was asking me to transfer an amount of money to a British account. Until that point, the BEC scams had been very generic, but in this particular scam the sender had put some time into matching our actual CEO’s tonality and use of language. The person in question was almost on point, but our CEO would never ask me to send 100,000 pounds to Great Britain and not tell anyone. We don’t work that way.

She underlines that these scams are more dangerous when sent to individuals who rarely, or never, receive a message of this importance.

– As an employee you want to do right, and that’s exactly what the fraudsters are harnessing. The most devoted and loyal employees can easily become the weakest link. They want to act accordingly when a superior instructs them to quickly transfer a sum of money. It is a mistake to believe that CEO frauds can’t or won’t be sent to someone in the organization who has never even met the CEO. All employees need training and support on how to act on a malicious email.

Internal training and background checks

The company she works for takes significant responsibility for educating its staff about social engineering. It holds recurring lectures where banks, insurance companies and security experts are invited to shed light on the issue. Staff are also reminded digitally, through emails containing alarming examples.

– It’s all about being explicit and setting up strict regulations and processes. Even so, we need to have the mindset that it is only a matter of time before we get exposed to fraud. If we relax and trust the regulations too much, we become vulnerable. Everyone can fall for a scam – no systems are perfect.

All employees who handle payments follow clear instructions, and larger transactions are overseen by a total of four people. Even when the policy is followed, a security risk can arise when the process moves too fast.

– We handle a lot of payments, and that makes us exposed. A common way for fraudsters to act is to change the payment instructions within a very short time span. The recipient is verified and linked to the account in question, and the payment is checked and approved. Just before the last step, the fraudster reaches out from an email address that looks like it belongs to the recipient, asking to change the account. The risk lies in the fact that the employee wants to help out, quickly, and without realizing it wires the money to the criminal.

To create good preconditions for compliance, the company performs background checks as part of every recruitment process.

– It is a given for us – we do background checks on everyone who works for us. The background checks are a vital part of our risk assessment process. We need to know if the individual has a problematic track record, especially if it’s connected to economic challenges. With that said, we are never completely safe. An employee can be subject to extortion, or conspire with criminals. Therefore it is a matter of safety, and extremely important, that we can be sure of every employee’s background. They can’t have any criminal tendencies in their past. Also, we need to have processes where more than one person is needed when it comes to payments.

A fundamentally sceptical attitude

Her advice to others is to continuously remind staff not to let their guard down.

– I am certain that the best protection is to be sceptical. Employees should be encouraged to be suspicious and to escalate the matter internally as soon as they see something suspect. As a leader you need to reward that behaviour. Think about the opposite situation – no employee wants to be responsible for interrupting a large deal, or for transferring money to criminals. It is up to the management team to create a culture where all employees can rely on clear instructions. Don’t isolate the staff, don’t put them into individual office spaces. Talk often and openly about the subject and make sure that the dialogue is ongoing. Don’t just examine the departments that aren’t doing as well as they should, that’s a common mistake. Even the most profitable departments can be vulnerable.

The management team must be covered by the same regulations, with no exemptions, she states:

– It is of prime importance that the management team follows the process, otherwise the entire ‘why’ malfunctions. All instructions should be handed over in writing and be inspected – for example by the employee calling up to double-check their credibility. By being clear in your communication you create an internal environment where employees, whatever their position, dare to raise their voice if somebody from the management team should stray from the policy. Your employees need to know that they have the authority to say no and refer to the process. No-one should have to feel unsure of how a transfer should be handled.
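As an added illustration (not from the interview or the company described) of the two controls discussed above, the late beneficiary change that slips past a four-person approval and the callback check on written instructions, here is a small Python model of a payment approval flow; the amount threshold, approver counts, account strings and email addresses are assumed.

```python
from dataclasses import dataclass, field

# Assumed thresholds: the interview says larger transactions are overseen by four
# people but gives no amount, so the cutoff and the smaller minimum are illustrative.
LARGE_AMOUNT, APPROVERS_LARGE, APPROVERS_SMALL = 50_000, 4, 2


@dataclass
class Payment:
    amount: int
    beneficiary_account: str
    contact_on_file: str              # from the vendor register, never from an email
    callback_verified: bool = False   # details confirmed by phone to the number on file
    approvals: set = field(default_factory=set)

    def required_approvals(self):
        return APPROVERS_LARGE if self.amount >= LARGE_AMOUNT else APPROVERS_SMALL

    def verify_by_callback(self):
        self.callback_verified = True   # written instruction confirmed out of band

    def approve(self, approver):
        if not self.callback_verified:
            raise PermissionError("approve only after callback verification")
        self.approvals.add(approver)

    def change_beneficiary(self, new_account, requested_from):
        # Anything but the exact address on file (e.g. a lookalike domain) is refused.
        if requested_from.lower() != self.contact_on_file.lower():
            return False
        # A genuine-looking request still resets the callback and every approval given.
        self.beneficiary_account, self.callback_verified = new_account, False
        self.approvals.clear()
        return True

    def releasable(self):
        return self.callback_verified and len(self.approvals) >= self.required_approvals()


def late_change_scenario():
    # Constructed case: a verified, fully approved payment gets a last-minute change request.
    p = Payment(100_000, "GB-ACCOUNT-ON-FILE", "invoices@supplier.example")
    p.verify_by_callback()
    for who in ("alice", "bob", "carol", "dave"):
        p.approve(who)
    lookalike = p.change_beneficiary("GB-NEW-ACCOUNT", "invoices@suppl1er.example")
    still = p.releasable()   # rejected request leaves the verified payment releasable
    genuine = p.change_beneficiary("GB-NEW-ACCOUNT", "invoices@supplier.example")
    return {"lookalike_accepted": lookalike, "releasable_after_lookalike": still,
            "genuine_accepted": genuine, "releasable_after_genuine": p.releasable()}
```

The point of the model is that a change to account details, even one from the correct address, sends the payment back through the callback and all four approvals rather than being applied on trust.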

So, how does the future look for social engineering and BEC scams?

– The frauds are getting more and more sophisticated. The development is rather quick. Not long ago, almost all CEO emails were written poorly, probably with a little help from Google Translate. Also, I can see a trend in the sums – they are not high enough to raise concern, but they are recurring. Smaller sums that build up into a flow of payments. I have heard of examples where transfers were made again and again, over a long period of time, before being spotted. In the most advanced forms of BEC scams the individual succeeds in building a trusting relationship with the employee, who can be tricked into believing that the fraudster is a highly ranked manager at one of the other offices. To prepare for this we all need to be clearer in our routines. That includes us too. There needs to be a formal process to rely on, that’s used for all kinds of payments – even the most odd ones. Find a golden mean between safety regulations and easy workflows. Call for critical thinking and scepticism, but remember that everyone can be tricked – talk openly about that.