How to Avoid the Fake CEO Scam

Published by Brendan Fitzpatrick

The US Treasury recently reported that Business Email Compromise (BEC) scams, sometimes referred to as “fake CEO scams,” cost U.S. businesses an average of $300 million each month in 2018. These scams are on the rise; according to Trend Micro, the number of BEC attempts worldwide increased by ~28% between 2017 and 2018. We have found that many of our new customers are susceptible to at least one version of this scam, so we wanted to share our best practices and provide actionable steps to ensure that all organizations are aware of what they can do to minimize their exposure to this risk.

A Scam Targeting the Finance Department

In the common version of the scam, an employee in finance with wire transfer authority receives an email from a high-level executive (typically the CEO or CFO) asking for a significant amount of money to be wired to a specified bank account number. Unfortunately, the executive’s email account has been hacked, and the email has actually been sent by the scammer. The employee makes the transfer, and the money ends up in a fraudulent overseas account.

In one of the most well-known examples, a finance executive at toy maker Mattel received an email that appeared to be from the then-new CEO, requesting a $3 million payment to a new vendor in China. The company’s protocol was that two high-ranking managers had to approve a request of that size, but since the finance executive and the CEO both qualified, the money was wired to the vendor’s (scammer’s) bank account in China. They realized what had happened hours later when the executive casually mentioned the payment to the CEO.

13 Financial Controls to Protect Your Business from Falling for Scams:

  • When an employee requests a funds transfer, the company always verifies the identity of the employee making the funds transfer request by calling a telephone number on record or emailing an address on file.
  • When an employee requests a funds transfer, the company requires at least two authorized signatures to approve such transfer, payment, or delivery of funds.
  • When a vendor requests a funds transfer, the company always confirms that the vendor is in fact owed the requested amount.
  • When a vendor requests a funds transfer, the company always verifies any change in the vendor’s bank account information by calling a telephone number on record or emailing an address on file.
  • When a vendor requests changes to its funds transfer instructions, the company always logs when the changes were confirmed with the vendor and who at the vendor confirmed the changes.
  • When a vendor requests a funds transfer, the company requires at least two authorized signatures to approve such transfer, payment, or delivery of funds.
  • There is a written process detailing how to complete a call back when a vendor requests a funds transfer (e.g., requiring that the wire instructions be conveyed orally, requiring verification of all wiring and account details, including the ABA number).
  • Financial controls, including the above described controls, are consistently deployed throughout all locations, including any non-US locations.
  • Any employees authorized to approve or execute funds transfer requests at the company shall not perform more than one of the following duties: requesting, initiating, recording, and reconciling.
  • The policies and procedures related to funds transfer requests are documented.
  • All employees that are authorized to approve or execute funds transfer requests are required to attest that they have read and understand the policies and procedures.
  • All employees have been made aware of, through training and awareness activities, the risks of fraudulently induced payment scams such as the fake CEO scam, “fake presidents,” business email compromise, fraudulent vendor invoices, and vendor payment diversion.
  • In the event that an unauthorized party initiates a funds transfer, requests a funds transfer, or makes or requests changes to funds-transfer instructions, the company’s employees know and understand how to escalate the situation appropriately.
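Several of the controls above (dual approval, separation of duties, call-back verification, and confirming vendor bank-detail changes via contact information on file) can be expressed as rules that a payment workflow checks before a wire is released. The following is an added illustration written for this post; it is not Axio’s software or any real payment system, and every vendor, employee and account value in it is constructed sample data. The `evaluate` function returns the list of control violations for a transfer request, and the two scenario functions replay a Mattel-style fake-CEO request and a compliant request against the same rules.

```python
"""Policy-as-code model of the funds-transfer controls listed above (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The four duties that the separation-of-duties control says one person may not combine.
DUTIES = ("request", "initiate", "record", "reconcile")


@dataclass
class BankChange:
    """A vendor bank-detail change plus the out-of-band confirmation logged for it."""
    new_account: str
    confirmed_via: str   # the phone number ON FILE that was called to confirm
    confirmed_by: str    # who at the vendor confirmed the change


@dataclass
class Vendor:
    name: str
    account_on_file: str
    phone_on_file: str
    changes: List[BankChange] = field(default_factory=list)

    def update_account(self, new_account: str, confirmed_via: str, confirmed_by: str) -> None:
        """Accept new bank details only after a logged call-back to the number on file.
        The number comes from our records, never from the email requesting the change."""
        if confirmed_via != self.phone_on_file or not confirmed_by:
            raise ValueError("bank change must be confirmed via contact on file and attributed")
        self.changes.append(BankChange(new_account, confirmed_via, confirmed_by))
        self.account_on_file = new_account


@dataclass
class TransferRequest:
    vendor: Vendor
    amount: float
    destination_account: str
    approvers: Set[str]             # employees who signed off on the transfer
    duties: Dict[str, Set[str]]     # employee -> duties they performed on this transfer
    callback_done: bool             # wire details read back orally via number on record
    invoice_owed: float             # what the ledger says this vendor is actually owed


def evaluate(req: TransferRequest) -> List[str]:
    """Return control violations; an empty list means the transfer may proceed."""
    violations: List[str] = []
    if len(req.approvers) < 2:
        violations.append("fewer than two authorized approvers")
    # Separation of duties: nobody requests, initiates, records AND reconciles.
    for employee, done in req.duties.items():
        if len(done & set(DUTIES)) > 1:
            violations.append(f"{employee} performs multiple duties: {sorted(done)}")
    # An approver who also requested or initiated the transfer is self-approving.
    for employee in sorted(req.approvers):
        if req.duties.get(employee, set()) & {"request", "initiate"}:
            violations.append(f"{employee} approves a transfer they requested/initiated")
    # Destination must match the account on file; that account only changes via update_account.
    if req.destination_account != req.vendor.account_on_file:
        violations.append("destination does not match vendor account on file")
    if not req.callback_done:
        violations.append("no call-back verification of wire instructions")
    if req.amount > req.invoice_owed:
        violations.append("amount exceeds what the vendor is owed")
    return violations


def scenario_fake_ceo() -> List[str]:
    """Constructed replay of the pattern in the Mattel example: an emailed 'CEO' request
    for a new vendor, approved by the finance executive who also keyed it in."""
    vendor = Vendor("Constructed Vendor Ltd", account_on_file="ACC-1111", phone_on_file="+1-555-0100")
    req = TransferRequest(
        vendor=vendor, amount=3_000_000, destination_account="ACC-9999",
        approvers={"finance_exec", "ceo_mailbox"},
        duties={"finance_exec": {"request", "initiate"}},
        callback_done=False, invoice_owed=0.0,
    )
    return evaluate(req)


def scenario_compliant() -> List[str]:
    """Constructed request that satisfies every control, including a logged bank change."""
    vendor = Vendor("Constructed Vendor Ltd", account_on_file="ACC-1111", phone_on_file="+1-555-0100")
    vendor.update_account("ACC-2222", confirmed_via="+1-555-0100", confirmed_by="J. Doe (vendor AP)")
    req = TransferRequest(
        vendor=vendor, amount=50_000, destination_account="ACC-2222",
        approvers={"alice", "bob"},
        duties={"carol": {"request"}, "dave": {"initiate"}, "erin": {"record"}},
        callback_done=True, invoice_owed=50_000,
    )
    return evaluate(req)


if __name__ == "__main__":
    for v in scenario_fake_ceo():
        print("BLOCKED:", v)
    print("compliant request violations:", scenario_compliant())
```

The design point is that the account on file can only change through `update_account`, which refuses any confirmation that did not go through the phone number already on record, so an emailed "please use our new bank account" cannot by itself redirect a payment; the request is instead blocked by the destination-mismatch check until someone completes and logs the call-back.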

