Cyber security

Increase of CEO fraud

9 May 2016

Companies are facing a new kind of threat where fraudsters can steal large sums of money by posing as an executive of the company. This type of fraud is known as "CEO fraud" or "whaling" and is something which government authorities are very concerned about and which is on the increase.

What is CEO fraud?

CEO fraud typically occurs in the following way: an employee receives an email, apparently from the company’s CEO or CFO, requesting him/her to transfer a large amount of money on behalf of the company. The scammers are well prepared; the transaction is urgent, very important and extremely confidential. The email is credible and well-articulated, and the sender address is falsified so that it appears to come from a senior-level employee with the necessary authorization. Fraudsters also use Skype, with a falsified (spoofed) signature and a picture of the senior-level employee. In some cases, the fraudster puts the victim in contact with a fictional attorney who, for example, is about to acquire a company. The "attorney" puts extra pressure on the victim by phoning and emphasizing the urgency of the transfer.

It is difficult for most employees to detect this type of fraud. By the time the fraud is revealed, the money has already been transferred to a foreign bank account from which it has been withdrawn. In such cases, suspicion typically falls on the "victim," who may be accused of disloyalty to their own company.

Scale of the fraud

The FBI estimates that these scams have cost organizations more than US$2.3 billion in losses over the past three years. The scale of this type of fraud in the Nordic countries is unclear. The first Norwegian case was reported to the police in July 2015, and in 2016 the Norwegian National Security Authority (NSM) and police are receiving inquiries almost daily about this type of fraud. The Danish police have recently received reports of CEO fraud from two Danish companies for more than US$21 million. The hidden figures for these scams appear to be large.

What can companies do?

Some organizations are starting to ask staff to implement extra internal checks to try to manage the risk of CEO fraud, such as:

  • Checking the amount payable against authorised limits
  • Ensuring normal payment approval procedures are followed for all payments
  • Checking the language of payment requests against what is normal for the sender
  • Checking the sender address (hold the cursor over the sender's email address to see whether an unknown address pops up)
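As an added illustration (not part of the original article), the following Python function applies the listed checks to an incoming payment request: it compares the displayed sender name with a directory entry and the company domain, looks for a mismatched Reply-To, checks the amount against an approval limit and scans the body for pressure language. The company domain, the executive directory, the approval limit, the keyword list and both sample emails are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the example; a real deployment reads these from the
# company directory and the payment policy.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Anna Berg": "anna.berg@example.com"}  # display name -> real address
APPROVAL_LIMIT = 50_000                              # single-approver limit
PRESSURE_WORDS = ("urgent", "confidential", "immediately", "today", "do not discuss")


def check_payment_request(raw_email: str, amount: float) -> list[str]:
    """Apply the article's internal checks to one email; return the flags raised."""
    msg = message_from_string(raw_email)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Sender check: the display name claims an executive, but the real address differs
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        flags.append(f"display name '{name}' does not match directory address")
    if domain != COMPANY_DOMAIN:
        flags.append(f"external sender domain: {domain}")
    # A Reply-To that differs from From sends the conversation to the fraudster
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To ({reply_to}) differs from From ({addr})")
    # Amount check against the authorised single-approver limit
    if amount > APPROVAL_LIMIT:
        flags.append(f"amount {amount:,.0f} exceeds approval limit {APPROVAL_LIMIT:,}")
    # Language check: urgency and secrecy are the hallmarks of these requests
    body = str(msg.get_payload()).lower()
    hits = [w for w in PRESSURE_WORDS if w in body]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: Anna Berg <anna.berg@examp1e-mail.com>
Reply-To: ceo.office@freemail.example
To: finance@example.com
Subject: Urgent wire transfer

Please transfer the funds today. This is confidential, do not discuss with anyone.
"""
LEGITIMATE = """\
From: Anna Berg <anna.berg@example.com>
To: finance@example.com
Subject: Supplier invoice

Please process the attached invoice through the normal approval flow.
"""
```

Running `check_payment_request(SUSPICIOUS, 120_000)` raises five flags, while the legitimate message with an in-limit amount raises none.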

Some are also implementing procedures that require approval of all large payments through a channel other than email, together with systematic information security training for employees. Employee awareness of the general and specific threats, and knowledge of how to protect their own and the company’s information and assets, is also critical. Finance employees authorized to pay out large amounts of money are particularly targeted for training and awareness of the risk of CEO fraud.

In addition, established reporting procedures for scams and employees' awareness of how they should report and handle such incidents are important, including a central point of contact for reporting who can inform the authorities. Finally, realistic and regular testing helps assess whether controls are sufficient to handle the threat.

Threats are changing all the time, and companies should be prepared for digital fraud attempts.

EY contact

Tone Bakås, Senior Manager, Advisory