How to Avoid the Fake CEO Scam

by | Jul 24, 2019

The US Treasury recently reported that Business Email Compromise (BEC) scams, sometimes referred to as “fake CEO scams, cost U.S. businesses an average of $300 million each month in 2018. These scams are on the rise; according to Trend Micro, the number of BEC attempts worldwide increased by ~28% between 2017 and 2018. We have found that many of our new customers are susceptible to at least one version of this scam, so we wanted to share our best practices and provide actionable steps to ensure that all organizations are aware of what they can do to minimize their exposure to this risk.

In the common version of the scam, an employee in finance with wire transfer authority receives an email from a high-level executive (typically the CEO or CFO) asking for a significant amount of money to be wired to a specified bank account number. Unfortunately, the executive’s email account has been hacked, and the email has actually been sent by the scammer. The employee makes the transfer, and the money ends up in a fraudulent oversees account.

In one of the most well-known examples, a finance executive at toy maker Mattel received an email that appeared to be from the then new CEO, requesting a $3 million payment to a new vendor in China. The company’s protocol was that two high-ranking managers had to approve a request of that size, but since the finance executive and the CEO both qualified, the money was wired to the vendor’s (scammer’s) bank account in China. They realized what had happened hours later when the executive casually mentioned the payment to the CEO.

Here are the 13 financial controls you should have in place to protect your business from falling for this or similar scams:

  • When an employee requests a funds transfer, the company always verifies the identity of the employee making the funds transfer request by calling a telephone number on record or emailing an address on file.
  • When an employee requests a funds transfer, the company requires at least two authorized signatures to approve such transfer, payment, or delivery of funds.
  • When a vendor requests a funds transfer, the company always confirms that the vendor is in fact owed the requested amount.
  • When a vendor requests a funds transfer, the company always verifies any change in the vendor’s bank account information by calling a telephone number on record or emailing an address on file.
  • When a vendor requests changes to its funds transfer instructions, the company always logs when the changes were confirmed with the vendor and who at the vendor confirmed the changes.
  • When a vendor requests a funds transfer, the company requires at least two authorized signatures to approve such transfer, payment, or delivery of funds.
  • There is a written process detailing how to complete a call back when a vendor requests a funds transfer (e.g., requiring that the wire instructions be conveyed orally, requiring verification of all wiring and account details, including the ABA number).
  • Financial controls, including the above described controls, are consistently deployed throughout all locations, including any non-US locations.
  • Any employees authorized to approve or execute funds transfer requests at the company shall not perform more than one of the following duties: requesting, initiating, recording, and reconciling.
  • The policies and procedures related to funds transfer requests are documented.
  • All employees that are authorized to approve or execute funds transfer requests are required to attest that they have read and understand the policies and procedures.
  • All employees have been made aware of, through training and awareness activities, the risks of fraudulently induced payment scams such as the fake CEO scam, “fake presidents,” business email compromise, fraudulent vendor invoices, and vendor payment diversion.
  • In the event that an unauthorized party initiates a funds transfer, requests a funds transfer, or makes or requests changes to funds-transfer instructions, the company’s employees know and understand how to escalate the situation appropriately.

Get started with an Axio360 demo today

Cyber risk is one of the greatest challenges of our generation. Despite the need, organizations struggle to get actionable visibility to their cyber risk. Protection technology has been the dominant focus thus far, but it’s not a silver bullet. Managing risk requires continuous evaluation across people, processes, financial controls, and technologies.

At Axio, we believe that every organization can have the means to solve their unique cyber risk challenges. We created the Axio360 platform to deliver on that belief. Our proprietary approach and insights give companies visibility to their cyber risk and enable them to prioritize investments to protect their business, customers, and employees.

Request an Axio360 demo, and see how our software can have an immediate and tangible impact on your business.