Action Fraud issues warning to business community following serious rise in reports of CEO fraud

Action Fraud is warning businesses to be on high alert after increasing reports about financial losses arising from CEO fraud. A recent document issued by the City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that over £32 million has been reported as lost by businesses as a direct result of CEO fraud. 

From July 2015 until January this year there was a marked increase in CEO fraud, with a total of 994 reports being made to Action Fraud.

CEO fraud will typically start with an e-mail being sent from a fraudster to a member of staff working in a company’s Finance Department. The member of staff will be told by the fraudster, who’s purporting to be a company director or CEO, that they need to quickly transfer money to a certain bank account for a specific reason. The member of staff will then do as their manager has instructed, only to find that they’ve sent money to a fraudster’s bank account.

The fraudster will normally redistribute this money into other mule accounts and then close down the bank account as swiftly as possible in order to render it untraceable.

Out of the £32 million reported to be lost by businesses to CEO fraud, only £1 million has been recovered for the victims. This is due to businesses taking too long to discover that they’ve been the victim of fraud and the lost money already being moved by fraudsters into the aforementioned mule accounts.

Most businesses reported initial contact being made via e-mails with gmail.com and yahoo.com suffixes.

Defrauded out of £18.5 million

The largest reported amount of money given by a member of staff to a fraudster was £18.5 million. Typically, the average amount is somewhere around the £35,000 mark, but this can vary.

The company which lost £18.5 million is a producer of healthcare products and operates from offices worldwide. In July last year, a man purporting to be a senior member of staff telephoned a female financial controller who was based in one of the company’s Scottish offices and asked the woman to transfer money to accounts in Hong Kong, China and Tunisia.

The financial controller believed the man to be a senior member of staff and exchanged several calls with him as well as e-mail communications. The man convinced her to transfer money into three foreign bank accounts which then resulted in the company losing £18.5 million.

The fact that one company lost over £18 million while most others lose approximately £35,000 suggests that there may well be two tiers of CEO fraud currently being committed, with some fraudsters aiming to obtain millions of pounds while others target a number of businesses when attempting to receive lesser amounts.

Education of staff

Limited companies tend to be the most targeted type of organisation, with 52% of reports involving suspected fraud coming from this type of business. 22% of reports have emanated from businesses within London, in turn suggesting that this problem is particularly affecting the capital.

Steve Proffitt, deputy head of Action Fraud, told Risk UK: “It’s important that all businesses are made aware of this type of fraud. We encourage companies to educate their staff in order to prevent themselves from becoming the next victim. Employees should be encouraged to double-check everything they do, and never be rushed into transferring large amounts of money even if they do think that it’s an important task given to them by their CEO. An increased awareness of this type of fraud among businesses will no doubt make it far harder for the fraudsters to succeed.”

How can businesses protect themselves?

* Ensure that all members of staff, and not just those within finance teams, know about this type of fraud

* Have a system in place which allows members of staff to properly verify contact from their CEO or senior members of staff. For example, organise two points of contact so that members of staff can check whether the instruction(s) they’ve received from their CEO are legitimate

* Always review financial transactions in detail to check for inconsistencies/errors, such as a misspelling within the company’s name

* Consider what information is publicly available about the business and whether or not it really needs to be public

* Ensure that computer systems are secure at all times and that anti-virus software is always up-to-date

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
