Action Fraud is warning businesses to be on high alert after increasing reports about financial losses arising from CEO fraud. A recent document issued by the City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that over £32 million has been reported as lost by businesses as a direct result of CEO fraud.
From July 2015 until January this year there was a marked increase in CEO fraud, with a total of 994 reports being made to Action Fraud.
CEO fraud will typically start with an e-mail being sent from a fraudster to a member of staff working in a company’s Finance Department. The member of staff will be told by the fraudster, who’s purporting to be a company director or CEO, that they need to quickly transfer money to a certain bank account for a specific reason. The member of staff will then do as their manager has instructed, only to find that they’ve sent money to a fraudster’s bank account.
The fraudster will normally redistribute this money into other mule accounts and then close down the bank account as swiftly as possible in order to render it untraceable.
Out of the £32 million reported to be lost by businesses to CEO fraud, only £1 million has been recovered for the victims. This is due to businesses taking too long to discover that they’ve been the victim of fraud and the lost money already being moved by fraudsters into the aforementioned mule accounts.
Most businesses reported initial contact being made via e-mails with gmail.com and yahoo.com suffixes.
Defrauded out of £18.5 million
The largest reported amount of money given by a member of staff to a fraudster was £18.5 million. Typically, the average amount is somewhere around the £35,000 mark, but this can vary.
The company which lost £18.5 million is a producer of healthcare products and operates from offices worldwide. In July last year, a man purporting to be a senior member of staff telephoned a female financial controller who was based in one of the company’s Scottish offices and asked the woman to transfer money to accounts in Hong Kong, China and Tunisia.
The financial controller believed the man to be a senior member of staff and exchanged several calls with him as well as e-mail communications. The man convinced her to transfer money into three foreign bank accounts which then resulted in the company losing £18.5 million.
The fact that one company lost over £18 million while most others lose approximately £35,000 suggests that there may well be two tiers of CEO fraud currently being committed, with some fraudsters aiming to obtain millions of pounds while others target a number of businesses when attempting to receive lesser amounts.
Education of staff
Limited companies tend to be the most targeted type of organisation, with 52% of reports involving suspected fraud coming from this type of business. 22% of reports have emanated from businesses within London, in turn suggesting that this problem is particularly affecting the capital.
Steve Proffitt, deputy head of Action Fraud, told Risk UK: “It’s important that all businesses are made aware of this type of fraud. We encourage companies to educate their staff in order to prevent themselves from becoming the next victim. Employees should be encouraged to double-check everything they do, and never be rushed into transferring large amounts of money even if they do think that it’s an important task given to them by their CEO. An increased awareness of this type of fraud among businesses will no doubt make it far harder for the fraudsters to succeed.”
How can businesses protect themselves?
*Ensure that all members of staff, and not just those within finance teams, know about this type of fraud
*Have a system in place which allows members of staff to properly verify contact from their CEO or senior members of staff. For example, organise two points of contact such that members of staff can check the instruction(s) they’ve received from their CEO is legitimate or otherwise
*Always review financial transactions in detail to check for inconsistencies/errors, such as a misspelling within the company’s name
*Consider what information is publicly available about the business and whether or not it really needs to be public
*Ensure that computer systems are secure at all times and that anti-virus software is always up-to-date