It sounds like a preposterous scenario. A member of the company’s finance team transfers several million dollars to an unknown firm for a transaction no one in the company has ever heard of, based solely on confidential orders from the company’s CEO or CFO sent by email.
Preposterous or not, it happens more often than most people would believe. Fake CEO/CFO scams are such a serious problem that the FBI last year issued a special warning about them.
“Victims range from large corporations to tech companies to small businesses to non-profit organizations,” the FBI said. “Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.”
The FBI said law enforcement authorities have received complaints from victims in every U.S. state and in at least 79 countries. From October 2013 through February 2016, agencies received reports from 17,642 victims. The victims lost more than $2.3 billion.
In Germany, where I’m based, the losses suffered by companies as a result of this scam amount to millions of euros a year. In most cases, despite the authorities’ best efforts, only a fraction of the money is recovered.
How does it work? There are several versions of the scam. Usually the scammers pose as the CEO or CFO of a company, or even as one of the company’s lawyers. Sometimes they use company or personnel information obtained through phishing schemes against people inside the company, or they simply call the company switchboard and ask innocent-sounding questions. They then use the information they collect to make their emails appear legitimate.
The scammers eventually order the victim inside the company to wire-transfer funds to an outside account, while telling the victim to maintain strict confidentiality about the transfer.
The harm to a company is bad enough; the harm to the employee making the transfer can be devastating and permanent. These victims have often been with the company for years and enjoy a high level of trust from their managers. After a fake-CEO loss, that trust is often damaged beyond recovery. Victims frequently experience strong feelings of self-doubt, guilt and shame; many leave the company soon after the incident.
Most of the time the fraudsters fail. But they keep trying, and eventually they find a victim. When that happens, it is often due to a combination of factors, including:
- The real CEO or CFO is out of office or hard to reach on the day in question
- The corporate culture discourages staff from questioning instructions by senior-level managers
- No systematic pre-employment checks of new staff take place to deter accomplices of the fraudsters from trying to infiltrate the business to collect information
- The IT system does not flag emails from unusual or excessively long external domains
- A strong belief in maintaining confidentiality hinders an open exchange with colleagues, which otherwise might quickly reveal the instructions received to be bogus
- The finance employee is flattered by the supposed CEO or CFO confiding in him or her; constant praise during the scam reinforces the effect
- The finance employee is one of a pair of individuals authorized to sign off transactions under the ‘four-eyes’ principle
- The internal controls applicable to transfers can be circumvented through the unwitting cooperation of a finance team member (usually the key to success in this scam)
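The email flagging that the fourth factor above calls for, as an added Python example (not code from the original article): it marks an inbound message for human review when the display name matches an executive but the sender domain is external, unusually long or a lookalike of the company’s own domain, when Reply-To diverges from the sender, or when an executive’s name is paired with transfer and secrecy wording. The company domain, the executive names, the length threshold and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the company's own domain, the executives whose
# names a fraudster would borrow, and a length threshold for "unusual" domains.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}
MAX_DOMAIN_LEN = 30
SCAM_WORDS = ("confidential", "urgent", "wire", "transfer")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_reasons(raw_message):
    """Return the reasons an inbound mail deserves a second look before any transfer."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    internal = domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)
    role = EXECUTIVES.get(name.strip().lower())
    reasons = []
    if role and not internal:
        reasons.append(f"display name matches the {role} but sender domain is external")
    if not internal and len(domain) > MAX_DOMAIN_LEN:
        reasons.append("external sender domain is unusually long")
    if not internal and (COMPANY_DOMAIN.split(".")[0] in domain or edit_distance(domain, COMPANY_DOMAIN) <= 1):
        reasons.append("sender domain resembles the company domain")
    if reply_domain and reply_domain != domain:
        reasons.append("Reply-To points to a different domain than the sender")
    hits = [w for w in SCAM_WORDS if w in msg.get_payload().lower()]
    if role and len(hits) >= 2:
        reasons.append("executive name combined with transfer and secrecy wording")
    return reasons

# Constructed sample: an impersonation attempt of the kind the article describes.
FRAUD_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp-finance-secure-mail-services.net>
Reply-To: jane.doe@mailbox-relay.net

Please handle this wire transfer today. Strictly confidential, do not discuss.
"""
```

Calling `flag_reasons(FRAUD_SAMPLE)` returns five reasons; the same function returns an empty list for an ordinary message from a colleague at the company domain.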
Robust technical and organizational processes can help to protect a company from fake-CEO/CFO fraud. However, in our experience, even the best internal controls are undermined time and again by the human factor.
In fact, the most effective and also simplest way to combat this kind of fraud is training. Employees who know how the scam works are much more likely to recognize it when it happens.
Senior managers should also foster a culture in which employees are encouraged to contact them directly in case of doubt or questions concerning transfer instructions.
The effort required for such measures is small compared to the losses usually suffered when the fraud is successful. And companies in Germany and elsewhere shouldn’t doubt that sooner or later the fraudsters will target them.