A clever yet strikingly simple idea, CEO fraud is a relatively new scam which only works when people have no idea it exists.
Also known as president fraud, it involves a con artist pretending to be a top executive and asking a person in accounts to make a bank transfer of less than £10,000 immediately, as payment for an important item or deal.
The con works via email, with HMA (Hide My Ass) VPN software being used to make the email look like it comes from the executive; through hacking into the email system; or by phone, with a scammer imitating someone’s voice.
The person impersonated can also be a lawyer or accountant. Financial services firm Deloitte is one which has warned that scammers pose as its staff.
Another common scam, mandate fraud, convinces accounts staff to change payments to a fraudster’s account by sharing knowledge about the firm, relationship or goods or service involved. In both cases con artists use information about the firm and people involved gleaned from a company’s website and social media to convince staff the request is from a real person they trust.
The City of London Police’s National Fraud Intelligence Bureau said that more than £32m had been reported lost to CEO fraud with a marked increase in complaints in the second half of 2016. Companies typically lose £35,000 in the scam but only around £1m has so far been recovered.
Steve Proffitt, deputy head of Action Fraud, the UK’s national fraud and cyber crime reporting centre, says: “We started to see it 18 months ago and it’s becoming more prevalent. We’re starting to see a phishing version now, using information from the dark web. These fraudsters know no international borders, whatever they can try they will try in any jurisdiction. With the power of the internet now and electronic banking it’s very easy to move funds anywhere.”
Speedscreen Creative Print Solutions lost £20,0000 to the scam in two payments to legitimate Halifax and Yorkshire Bank accounts while managing director Tim Hill was away on business.
Hill came to PrintWeek to spread the word, saying: “My bank said lots of customers have succumbed. It’s very clever. If I can help prevent it for one other company it’s worth shouting about.”
Just a few weeks after the scam hit Speedscreen, The Prime Group was targeted.
Managing director Jon Tolley says his accounts team paid £9,800 to the scammers but questioned the transaction when he was back in the office. The ruse was uncovered quickly enough for Prime Group to alert its bank, HSBC, which had been suspicious and held the payment for 24 hours.
“We were lucky we got it back. The email looked like it was from me, it was in my tone.
“They’ve since tried to do it again, this time we’ve put the policies in place to stop it happening again. We’re super aware.”
Like the conned Speedscreen staffer, Tolley’s colleague was horrified she had been duped.
“Her face just dropped, she was devastated, really upset that she didn’t pick up the phone,” Tolley said. “Now we’ve got the rule that you have to speak to the person face-to-face.”
He said in a way it was reassuring to read that Speedscreen had fallen for the same scam but added: “I was really gutted for him, it’s just horrible. We work bloody hard as it is to maintain a level of profitability. It’s hard-earned cash.”
Rapidity was also hit. “Our financial director came into my office and asked where I wanted the money sent,” says managing director Paul Manning.
“I would never ask for something like that. We’re not Wolf of Wall Street for God’s sake. What was mad about it was the way they sent it, she totally believed it was from me. It’s one of the cleverest ones we’ve had. If someone transfers money out you wouldn’t blame them really.”
Precision Printing has seen “four or five attempts” at the scam, giving the company “a bit of a spook”, chief executive Gary Peeling says.
“I think ownership makes a difference, if you’ve got two guys at the top of your business the processes have got to be robust. I can’t just go out and order a Maserati. Some people at the top of their business can go out and order pretty much what they want.”
Manning warns printers, especially in wide-format, to watch out for the ‘fake shipping scam’. The fraudster puts through an order and offers to pay by credit card, and at the last minute adds extra for the supplier to pay for shipping. The credit card is stolen and the business is left with wasted product and out of pocket for the delivery costs.
“We had one the other day, looked legit, for a banner to be sent to Bermuda,” he said. “We quoted it. They sent through artwork, you’ve got a doubt at the back of your mind but you think if you get payment up front you’re okay.”
“We’ve had that a couple of times now. They’re clever, well-targeted scams. The days of the African king and the broken English are over.”
And Tolley, whose company spends “tens of thousands of pounds” to keep on top of IT security, warns companies to be on guard against ‘ransomware’, a new type of computer virus that, once in a company’s IT system, drops a code that locks all files until the desperate company pays a ransom to free them.
As for Hill, he says it was easy to see where his firm went wrong in hindsight and warns printers to overhaul their procedures. “Some simple precautions will make all the difference,” he says.
To report a fraud, call Action Fraud on 0300 123 2040 or use its online fraud reporting tool.
OPINION
We need to be less trusting of hotspots and networks
Steve Proffitt, deputy head of Action Fraud
Many of these frauds, including CEO fraud and mandate fraud, use information gleaned about you and your business using malware.
If you don’t have robust security around your IT and you don’t have strict compliance to not click links in emails and not open attachments, you are at risk.
Also if someone in the organisation looks at dodgy sites or porn sites. That’s where the malware is hidden and possibly where the malware gets in.
If you think about email chains, it can be at any time that the email chain becomes compromised. For example, if the chief executive or the PA was sending emails home to work on, the compromise can be at home.
Using Wi-Fi hotspots is another risk. Don’t do it. If you think about it, if you get access to that hotspot hub you can monitor everything that goes through it.
How confident are you about the individual that manages that hub in that establishment? They could be a 16-year-old computer hacker for all you know. You run the risk of your data being compromised. Frankly I don’t understand it as most phone contracts are unlimited data now so why take the risk?
I think as a nation we are just too trusting and we need to develop a less trusting character. It’s not detrimental to business, it just makes good sense. If someone approaches you for information, put the phone down and check. If we did that more often there would be far less fraud in business. It’s very important not to take anything at face value. With CEO or mandate fraud, if you smell a rat tell the bank as soon as possible so they are able to stop that mandate. In any event you need to do more reconciliation. Don’t gloss over the smaller amounts. If you make one payment, they have your details and can keep charging you. If you don’t reconcile the smaller stuff you’ll never notice it.
READER REACTION
Has your company been the target of a fraudster?
Lynn Brazier, joint managing director, One Digital
“I’ve heard about CEO fraud. Someone I know got caught out by it, she had this request which she thought was from her boss and paid it. It was £55,000. She suddenly realised, got on to the bank and they did manage to recoup some of the money. It’s also scary how they get in through email. When you’re reading 100 emails a day there’s a risk you get caught out and click on a virus. Touch wood we haven’t been scammed. You’d think people with that much intelligence would put their intelligence to good use.”
Mark Hetem, sales director, Opus Trust Marketing
“We’ve intercepted a number of cons where a client gets a change of bank details from a finance person at the supplier. Some of our clients have been diligent and contacted us directly. I think there have been two or three attempts at CEO fraud too during a short period of time. I don’t think that people here would necessarily follow the orders of one email without getting into a discussion about it. I think it’s important to look at procedures if your current procedures might put you at risk.”
Kirk Galloway, managing director, Buxton Press
“Tim Hill of Speedscreen Creative Print Solutions should be well applauded for his courage - and selflessness - in flagging up his misfortunes for the benefit of others. It is a very brave thing to use his situation to warn others and has put us - and I am sure many other readers of PrintWeek - on increased guard.”