- Italien
Digital fraud: the fake CEO of the international group
24 April 2024
- Bankwesen
Summary: Corporate fraud has taken new and insidious forms in the digital age. One of these puts multinational groups in the crosshairs: it is the so-called „CEO Fraud.“ This type of fraud is based on the fraudulent use of the identity of top corporate figures, such as CEOs or board chairmen. The modus operandi is devious: the fraudsters pose as the CEO or a senior executive of the multinational group and directly contact the Chief Financial Officers (CFOs) of the subsidiaries or affiliates, simulating a nonexistent confidential investment transaction to induce them to make urgent transfers to foreign bank accounts.
Background and dynamics of the CEO Fraud
CEO Fraud is a form of scam in which criminals impersonate senior management figures to trick employees, usually CFOs, into transferring funds into bank accounts controlled by the fraudsters. The choice to use the identities of apex figures such as CEOs lies in their perceived authority and ability to order even large payments, requested urgently and with instructions for strict confidentiality, without raising immediate suspicion.
Fraudsters adopt various communication tools to make their fraud attempts credible: at the starting point is usually a data breach, which allows criminals to gain access to the contact details of the CEO or CFO (email, landline phone number, cell phone number, whatsapp or social media accounts) or other people within the administrative office with operational powers over bank accounts.
Sometimes knowledge of this information does not even require illegitimate access to the company’s computer systems because those targeted by the scam spontaneously make this information public, for example, by indicating it on their profiles on the company website or by publicly displaying contacts on profiles in social media accounts (LinkedIn, Facebook, etc.) or even on presentations, business cards and company brochures in the context of public meetings.
Still other times, scammers do not even need to appropriate all the data of the CEO they want to impersonate, but only the recipient’s, and then claim that they are using a personal account with a different number or email address than those usually attributable to the real CEO.
Contacts are typically made as follows:
- WhatsApp and SMS: The use of messages allows for immediate and personal communication, often perceived as legitimate by recipients. The fake CEO sends a message to the CFO using a cell phone number from the country where the parent company is based (e.g., +34 in the case of Spain), writing that it is his personal phone number and using a portrait photo of the real CEO in the WhatsApp profile, which reinforces the perception that the fraudster is the real CEO.
- Phone calls: after the initial contact via text message, a phone call often follows, which may be either directly from the fake CEO or from a self-styled lawyer or consultant instructed by the CEO to give the CFO the necessary information about the fake investment transaction and instructions to proceed with the urgent payment.
- Email: as an alternative to or in addition to texts and phone calls, communications may also go through emails, often indistinguishable from authentic ones, in which text formats, company logos, signatures, etc. are scrupulously replicated.
This is possible through various email spoofing techniques in which the sender’s email address is altered to appear as if the rightful owner sent the email. Basically, it is like someone sending a postal letter by putting a different address on the back of the envelope to disguise the true origin of the missive. In our case, this means that the CFO receives an email that-at first glance-appears to come from the CEO and not the scammer.
We also cannot rule out the possibility of fraudsters taking advantage of security holes in corporate systems, such as directly accessing internal chats within the organization.
In addition, the increasing popularity of morphing tools (i.e., creating images with human likenesses that can be traced back to real people) may make it even more difficult to unmask the scammer: to messages and phone calls we could, in fact, add video messages or even video lectures apparently given by the real CEO.
The (fake) takeover of a competitor company in Europe
Let us look at a real-life example of CEO Fraud to illustrate the practical ways in which these frauds are organized.
Scammers create a fake WhatsApp profile of the self-styled CEO of a multinational group based in Spain, using a Spanish phone number and reproducing the profile photo of the authentic CEO.
A message is sent through the fake account to the CFO of a subsidiary in Italy, announcing that a confidential investment transaction is underway to acquire a company in Portugal. This will require transferring a large sum to a Portuguese company the following day at a local bank.
The message stresses the importance of keeping the transaction strictly confidential, which is why the CFO cannot disclose the payment request to anyone: a confidentiality agreement from a (fake) law firm is even emailed before payment is made, which the CFO is persuaded to sign and return to the phantom lawyer in charge of the transaction.
Instructions for proceeding with the transfer are emailed to the CFO, again stressing the urgency of making the payment on the same day.
The day after arranging the transfer, having heard nothing more from the fake CEO, the CFO arranges to contact him at his corporate phone number and discovers the scam: by that time, however, it is too late because the sums have already been transferred by the criminals to one or more current accounts in foreign banks, making it very difficult, if not impossible, to trace the funds.
The main features of CEO fraud
- Persuasion: the fact that fraudsters impersonate apex figures and make the CFO feel invested in important duties generates in the victim a desire to please superiors and to let their guard down.
- Pressure: fraudsters instil a great sense of urgency, demanding payments extremely quickly and intimating secrecy about the transaction; this causes the victim to act without thinking, trying to be as efficient as possible.
- Speed: It is good to know that a request for an urgent wire transfer cannot be withdrawn, or can be withdrawn by recall only under extremely tight deadlines; fraudsters take advantage of this to pocket the sums at banks that are not too scrupulous or to move them elsewhere, at most within a few days.
How to prevent these scams
CEO Fraud schemes can be very sophisticated, but they often have signs that, if recognized, can stop a scam before it causes irreparable damage.
The main clues are the atypical modes of contact (whatsapp, phone calls, emails from the fake CEO’s personal accounts), the request for strict confidentiality about the transaction, the urgency with which large sums are requested, the fact that the transfer is to be made to banks abroad, and the involvement of companies or individuals never previously mentioned.
To prevent scams such as CEO Fraud, corporate training of employees on how to recognize and respond to scams is crucial; it is also essential to have robust internal security procedures in place.
- First, an essential and basic precaution is to adopt verification systems that scan e-mail messages for viruses and flag the origin of the e-mail from an account outside the corporate organization.
- Second, it is critical that companies implement clear processes for payments to third parties, especially if the arrangements are different from the company’s standard operations. One way to do this is to provide value limits on the powers of disposition over current account operations, beyond which dual signatures with another director are required.
- Finally, and generally, it is good to adopt all the rules of common sense and diligence in analyzing the case. Better to do one more internal check than one less; for example, in the case of a particularly realistic but nonetheless unusual request, forwarding the exchange with the alleged scammer to the address we believe to be real and asking for further confirmation in the forward email, rather than responding directly in the email loop, allows us to tell if the sender is bogus.
Legal actions to recover funds.
After the fraud is discovered, it is crucial to act quickly to increase the chances of recovering lost funds and prosecuting those responsible.
Possible Legal Actions
Prompt notification to the company’s bank to block or recall the wire payment, in addition to a timely criminal complaint in the country where the bank receiving the payment is based, are immediate steps that can help contain the damage and begin the recovery process.
In fact, in many countries, the pattern of CEO Fraud is well known, and specialized law enforcement units have the tools to move in a timely manner following a report of the crime.
Criminal investigations in the country of payment destination also allow for verification that they are the account holders and the people involved in the scam attempt, in some cases leading to the arrest of those responsible.
After attempting to obtain a freeze on the transfer or funds, it may then be possible to assess the behavior of the banking institutions involved in the affair, particularly to verify whether the beneficiary bank properly complied with its obligations under anti-money laundering regulations, which impose precise obligations to verify customers and the origin of funds.
Conclusions
CEO Fraud is a significant threat to companies of all sizes and industries, made possible and amplified by modern technologies and the globalization of financial markets. Companies must remain vigilant and proactive, continually updating their security procedures to keep pace with fraudsters‘ evolving techniques.
Investment in training, technology and consulting is not just a protective measure, but a strategic necessity for business operations.
Finally, if the scam is successfully carried out, it is crucial to take prompt action to try to block the funds before they are moved to bank accounts in other countries and thus made untraceable.