CEO fraud: what is it, and how to protect your business
Posted on 13 February 2023 by Beaming Support
What is CEO fraud?
CEO fraud, sometimes called Business Email Compromise, is a type of phishing attack in which fraudsters impersonate a senior person in the company, ultimately to request that funds be transferred. The attacks usually involve months of research into the company and its executives, to make the fraud appear as genuine as possible.
There were 461 CEO fraud cases in the UK in 2021, with losses increasing by 165% to £12.7 million compared to the previous year. (Source: UK Finance)
What does CEO fraud look like?
Fraudsters will impersonate senior executives (such as the CEO), creditors, contractors, or suppliers to a business via email. It may start with a request for an urgent conversation, but the exchange will conclude with a request for funds to be sent, or for gift cards or vouchers to be purchased urgently for this purpose, with emphasis on the confidentiality of the matter and the need to act at speed.
There will be an explanation as to why the CEO is communicating in this way, often by stating that the CEO is tied up in an urgent online meeting. In some of the most sophisticated scams, the fraudsters have even researched when the CEO is due to be away from the office and mentioned their holiday in the email, to discourage any requests for verification. The aim of the scam is to make the victim feel pressured, because of the supposed seniority of the person making the request, into sending funds quickly and without question.
How to protect your business from CEO fraud
- Complete regular staff training, ensuring staff are aware that CEO fraud exists, and how it could look in the context of your business. Create a culture where employees are encouraged to regularly share anything that they think could be suspicious and immediately own up, without fear, if they think they have been scammed.
- Implement verification processes – such as always requiring two forms of authentication or sign-off before any money can be transferred. For example, you could ensure that email requests to transfer funds are always confirmed verbally, or through a web portal.
- Check email addresses – be careful to look for even the smallest of spelling variations in the sender's address and domain (for example, two v's next to each other to look like a 'w').
- Ensure your business’s cyber security is up to date, with multiple layers of protection. (Check your knowledge in our cybersecurity resource hub – with blogs, downloadable guides, and quizzes)
- If you receive an unexpected email requesting payment, do not reply to the initial email, or use any contact details stated within (such as a phone number). If you can, speak to the ‘sender’ in person, or over the telephone – but only using a phone number you know to be accurate.
- Create Microsoft Exchange or Office 365 transport rules to clearly mark external senders in the subject line. You can add a rule which appends the subject line with ‘[External]’ if a message is sent from outside of the organisation. Though this can be quite intrusive in an email chain, it’s relatively simple to configure and you’ll add a layer of security in spotting external emails purporting to be internal. Read our guide on how to mark external senders.
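One way to automate the "check email addresses" step above, as an added example that is not from the original post: it collapses confusable sequences (the vv-for-w trick named above, plus a few others) and also flags domains within one edit of a trusted domain. The confusable list, the trusted domain and the sample addresses are constructed for this example.

```python
# Added example (not from the original post): flag sender domains that look
# like a trusted domain. Confusable pairs and trusted domains are constructed.

# Sequences fraudsters substitute for the character they imitate, e.g. two
# v's for a w (as in the post), "rn" for "m", digits for letters.
CONFUSABLES = [
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
]

def skeleton(domain: str) -> str:
    """Collapse confusable sequences so a lookalike and the genuine domain
    reduce to the same string."""
    s = domain.lower().strip()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b
    (catches a dropped or extra letter, such as example.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address: str, trusted_domains) -> str:
    """Classify a sender as 'internal' (exact trusted domain), 'lookalike'
    (confusable or within one edit of a trusted domain) or 'external'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    trusted = {d.lower() for d in trusted_domains}
    if domain in trusted:
        return "internal"
    for t in trusted:
        if skeleton(domain) == skeleton(t) or edit_distance(domain, t) <= 1:
            return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample senders checked against a constructed trusted domain.
    for addr in ["ceo@example.com", "ceo@exarnple.com", "ceo@examp1e.com",
                 "finance@example.co", "supplier@othercompany.com"]:
        print(f"{addr:28} -> {check_sender(addr, ['example.com'])}")
```

A "lookalike" verdict is a prompt for the verbal confirmation the post recommends, not proof of fraud; genuine external partners will still show as "external".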
What to do if you think you’ve fallen victim to CEO fraud
- Contact your bank immediately
- Report it to Action Fraud: https://www.actionfraud.police.uk/