
CEO Fraud

So-called "CEO fraud" is an unscrupulous scam. Company employees with direct payment authority receive an e-mail, apparently from one of their superiors, asking them to initiate a payment to a certain recipient as soon as possible. In reality the sender address is faked and a fraudster is hiding behind it.

The most important points for employees to remember:

  • Do not disclose any information if you are contacted in an unusual or dubious way, and do not follow any instructions, even if you are put under pressure.
  • Before executing any such payment request, confirm it with your superior via another channel (in person or by telephone).
  • Look out for missing or incorrect security elements such as e-mail signatures.

The most important points for companies to remember:

  • Ensure your employees are aware of this type of fraud.
  • Check what information about your company is available online, and limit it where possible and expedient.
  • Define and implement a payment release process involving double checks and joint signatures.
  • Report any such attempts at fraud to the police.
  • Check that advanced security elements such as e-mail signatures are implemented in critical business processes (payment process).

Secure employee behaviour

If one of your supervisors sends you an e-mail asking you to initiate an immediate payment that has not been discussed in advance or was previously unknown to you, be extra careful. In such unusual cases it is advisable to check the legitimacy of the order more thoroughly, for instance by checking that security elements such as e-mail signatures (digital signatures) are present and valid. In any case, always contact that supervisor directly (in person or at least by telephone) and confirm whether the payment is actually to go ahead.

Take precautions as a company

Sensitising employees

Technical means curb the distribution of such fraudulent e-mails only to a certain extent and can never prevent it completely. Fraudsters constantly change their addresses, concealing their identity and origin this way. In addition, they sometimes manage to abuse a superior's authentic e-mail account for their purposes.

The most important prevention measure is therefore sensitising your employees in all departments susceptible to this kind of fraud, for instance the accounts department.

Online information

To initiate a "CEO fraud", the first thing an attacker needs is information about a company and its employees. A company website or the trade register often provides sufficient information of this kind. Social networks (such as LinkedIn or Xing) are also of interest to fraudsters, since they contain information about business relations and about employees' identities and roles. You should therefore check what information about your company is available online, and limit it where possible and expedient.

Payment release process

The actual fraud consists of the remittance of a payment. The recipient is usually a foreign bank account, from which the funds are promptly moved on to yet other accounts. To prevent such fraudulent payments, it is advisable to establish a strict payment release process with checkpoints, the best method being a system of double checks and joint signatures (the four-eyes principle). This way there is a considerably higher chance that one of the two people releasing a payment recognises the fraud for what it is and prevents it.

Using e-mail signatures

"CEO fraud" manip­u­lates the pay­ment process by faking a legit­i­mate sender of a pay­ment order (so-called e-mail spoofing).

The sim­plest vari­a­tion of this is to fake the e-mail sender’s address. An e-mail sig­na­ture (dig­ital sig­na­ture), which can only be inserted cor­rectly by an authentic sender, pro­vides good pro­tec­tion against this. How­ever, this kind of pro­ce­dure is rel­a­tively dif­fi­cult to imple­ment and also makes it nec­es­sary for the recip­ient to prop­erly check this signature.

More serious is the abuse of an authentic (hacked) e-mail account of the sender, for instance in con­se­quence of a phishing attack car­ried out before­hand. This even enables fraud­sters to abuse the e-mail sig­na­ture fea­ture. In such cases, the only remedy is a strict pay­ment release process, and to sen­si­tise all people involved.
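The following is an added example (not code from the original page) showing how the indicators described in the two paragraphs above can be checked mechanically on an incoming payment request: a look-alike sender domain, a Reply-To header that diverts answers to the fraudster, the absence of an S/MIME signature part, and urgent payment wording. The company domain and both sample messages are constructed for the example; the "signature" in the second message is a placeholder, and the code only checks that a signature part is present, not that it verifies.

```python
"""Triage a payment-request e-mail for CEO-fraud indicators.

Illustrative example written for this page, not part of the original text.
It does not replace confirming the order with the superior out of band.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption for the example: the company's legitimate mail domain.
COMPANY_DOMAIN = "example-company.ch"

URGENCY_WORDS = ("urgent", "immediately", "as soon as possible", "asap",
                 "confidential", "cannot be reached")
PAYMENT_WORDS = ("payment", "transfer", "wire", "remittance", "invoice")


def _domain(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def _text_body(msg) -> str:
    """Concatenate all text/plain parts; works for plain and multipart mail."""
    return "\n".join(part.get_content()
                     for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def triage(raw_message: bytes, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    # 1. Faked or look-alike sender address (the "simplest variant").
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    if from_domain != company_domain.lower():
        findings.append(f"sender domain '{from_domain}' is not the company "
                        f"domain '{company_domain}'")

    # 2. Replies silently routed to a mailbox the fraudster controls.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To '{reply_addr}' diverts replies away from "
                        "the sender domain")

    # 3. Missing security element: no S/MIME wrapper at all. Presence only;
    #    verifying the signature needs the signer's certificate.
    if msg.get_content_type() != "multipart/signed":
        findings.append("no digital signature: message is not multipart/signed")

    # 4. Pressure plus payment wording, the social-engineering core of the scam.
    text = (str(msg.get("Subject", "")) + "\n" + _text_body(msg)).lower()
    if (any(w in text for w in URGENCY_WORDS)
            and any(w in text for w in PAYMENT_WORDS)):
        findings.append("urgent payment wording: confirm the order with the "
                        "superior out of band")
    return findings


# Constructed sample: spoofed look-alike sender, diverted replies, unsigned.
SPOOFED = b"""\
From: "Anna Muster (CEO)" <a.muster@example-c0mpany.ch>
Reply-To: anna.muster.ceo@webmail.example
To: accounts@example-company.ch
Subject: URGENT wire transfer - confidential
Content-Type: text/plain; charset="utf-8"

I am in a meeting and cannot be reached by phone. Please transfer
EUR 48,500 to the supplier account below as soon as possible and
keep this strictly confidential.
"""

# Constructed sample: genuine domain, S/MIME-wrapped (placeholder signature).
SIGNED_INTERNAL = b"""\
From: "Anna Muster" <a.muster@example-company.ch>
To: accounts@example-company.ch
Subject: Invoice 4711 release
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset="utf-8"

Please release the payment for invoice 4711 through the usual
four-eyes process.

--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

ZHVtbXk=

--sig-boundary--
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("signed internal", SIGNED_INTERNAL)):
        print(label, "->", triage(raw) or ["no indicators"])
```

Note the limit the second paragraph above describes: when the superior's real account has been hacked, indicators 1 to 3 do not fire, because the sender domain is genuine and the mail may even carry a valid signature. Only the wording check remains, which is exactly why the release process and the telephone call to the superior are the real safeguards.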

With the "CEO fraud" scam (also called supervisor fraud), attackers pretend to be a company's CEO (company head) and ask employees with payment authority to initiate the remittance of a large sum of money.

"CEO" stands for Chief Executive Officer; "fraud" is self-explanatory here.
