Have you ever received an email message from your company’s CEO asking you to perform a task that seemed reasonable, but perhaps a little out of the ordinary? Maybe the message asked you to urgently pay an invoice or transfer money to a certain account. But when you followed up with your CEO directly, she said she had made no such request.
If this scenario sounds familiar, you’ve been hit with CEO fraud.
CEO fraud is a business email compromise scam. In these phishing schemes, cybercriminals pretend to be a company’s CEO or another high-ranking executive by creating a look-alike email address. They then use their sham email account to contact employees and ask them to perform certain tasks that compromise security, such as transferring funds or paying a fake invoice.
Unfortunately, CEO fraud is a widespread problem. In a recent survey, 65% of organizations reported experiencing payment fraud attacks or attempts — and 71% of those attacks used business email compromise scams.
Though CEO fraud is a persistent threat, businesses have many tools at their disposal to keep their financial and other valuable information safe, from robust employee training to advanced AP automation solutions.
An Overview of CEO Fraud & Cybersecurity Today
Cybersecurity is a critical issue in financial services. Today’s cyber threat environment is constantly changing, and using increasingly sophisticated methods, hackers can gain login credentials, sensitive data or – worse yet – money from their victims.
Cyber theft is no longer the sole responsibility of an IT department – finance and accounting professionals have to be just as wary of potential threats. According to BC Krishna, there are many tactics hackers use to target a finance department, a popular one being the fake invoice scam. These bogus invoices could seemingly come from a real vendor submitting invoices for services never delivered, or a con artist assuming the identity of a real vendor.
These types of scams are a serious problem. The FBI has issued warnings about business e-mail compromise (BEC) scams – also known as “CEO fraud”. It’s estimated that 400 firms are targeted via CEO fraud a day, resulting in $3 billion lost in revenue.
CEO fraud is a type of phishing scheme where fraudsters impersonate high-ranking executives within the target’s company to deceive employees into performing actions that compromise security. These actions often involve transferring funds to the attackers’ accounts or sharing sensitive information with them. In essence, CEO fraud exploits the trust and authority vested in executives to manipulate employees into taking actions that harm the organization.
While fake invoices or CEO fraud can be easy schemes for fraudsters to pull off, they can be just as easy to protect against. From an accounting perspective, a slight procedural change to how payments are approved could go a long way towards ensuring that your company – or in the case of an accounting firm, your client – is not the next victim.
Why AP Teams Are at Higher Risk
Money flows out of a company through the accounts payable (AP) department, which makes AP teams a prime target for CEO fraud. Cybercriminals attempt to exploit the pivotal role that AP teams play in processing invoices, managing vendor relationships, and disbursing payments. With access to financial transactions and the authority to initiate fund transfers, these teams become an attractive entry point for fraudsters aiming to deceive employees and manipulate the organization’s financial processes. Therefore, it’s imperative for businesses to fortify their defenses and equip AP teams with the knowledge and tools needed to identify and thwart CEO fraud attempts.
Types of Executive Fraudulent Activity
Cybercriminals use several CEO fraud tactics to exploit employees, including:
Email Phishing
In email phishing scams, cybercriminals craft convincing emails that appear to come from company executives or trusted sources. These emails often request urgent action, such as transferring funds or disclosing sensitive information.
Spoofing Emails
Spoofing emails involve attackers using a fake email address that closely resembles a legitimate one to deceive employees into believing they are communicating with an internal user. For example, a spoofed email may use a slightly different spelling or configuration, such as swapping lowercase Ls for 1s.
Social Engineering
Social engineering techniques manipulate individuals into divulging confidential information by exploiting psychological triggers, such as a sense of urgency or authority. Email-based social engineering attacks increased by a staggering 464% in 2023, indicating organizations have no time to lose in training employees to spot fraudulent emails.
How to Spot CEO Fraud and Phishing Attacks
Phishing attacks are growing more sophisticated all the time, but there are still some tell-tale signs that indicate suspicious activity. Be vigilant when it comes to the following indicators:
Money Requests
Be cautious of any emails from executives that urgently request funds transfers, especially if they involve unusual or unverified payment methods. Cybercriminals often craft these emails with a sense of urgency, aiming to create pressure that bypasses regular verification procedures. It’s important to take a moment to verify the legitimacy of unusual requests through established communication channels, like phone or instant message.
False Vendor Information
A CEO fraud email may request payment on behalf of a vendor whose name you recognize. However, always compare vendor information in emails with the information on file. Discrepancies could indicate a fraudulent email. Pay close attention to details such as the vendor’s name, contact information, and payment instructions. Verify any deviations from the established vendor profile by contacting the vendor directly through established channels.
A Sense of Urgency
Cybercriminals exploit the psychological tendency to act swiftly in high-pressure situations, which can lead to overlooking potential warning signs. If an email conveys an imminent deadline or an urgent need for immediate action, exercise caution and resist the urge to hastily comply. Always take a moment to verify requests, especially if they appear rushed.
Confidentiality
Emails requesting employees take a particular action and keep it confidential should immediately raise red flags. These phishing attempts typically urge the recipient to bypass regular protocols and keep the request discreet, under the pretext of dealing with sensitive or urgent matters. By insisting on secrecy, these malicious actors aim to isolate the target and prevent them from seeking verification from colleagues or superiors.
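The look-alike sender domain described under “Spoofing Emails” and the four red flags above (money request, vendor mismatch, urgency, confidentiality) can be turned into a simple triage check that a mail gateway or an AP inbox rule could run before a message reaches a person. The script below is an added example written for this article, not code from MineralTree or any product it describes; the trusted domain, the executive name, the keyword lists and both sample messages are constructed for illustration, and the confusable-character table is a small illustrative subset (the page’s own example is a lowercase L swapped for a 1).

```python
import re
from email.utils import parseaddr

# Single-character substitutions used to build look-alike domains
# (illustrative subset, constructed for this example).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})

# Phrases matching the red flags described in the article. Constructed lists;
# a real deployment would tune these against its own mail.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today", "end of day")
SECRECY_TERMS = ("confidential", "keep this between us", "do not discuss", "discreet", "tell no one")
PAYMENT_TERMS = ("wire", "transfer", "invoice", "payment", "bank account")


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower()


def domain_status(domain: str, trusted: set) -> str:
    """'trusted' for a known company domain, 'lookalike' when the domain only
    matches a trusted one after folding confusable characters, else 'external'."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    if domain.translate(CONFUSABLES) in trusted:
        return "lookalike"
    return "external"


def triage_email(msg: dict, trusted: set, executives: set) -> list:
    """Return the CEO-fraud indicators present in a message dict with keys
    'from', optional 'reply_to', 'subject' and 'body'. An empty list means
    none of the checked indicators fired; it does not prove the mail is safe."""
    indicators = []
    display_name, _ = parseaddr(msg["from"])
    status = domain_status(sender_domain(msg["from"]), trusted)
    if status == "lookalike":
        indicators.append("lookalike sender domain")
    # An executive's name on a domain the company does not own is the
    # classic impersonation pattern, whether or not the domain is a look-alike.
    if status != "trusted" and display_name.strip().lower() in executives:
        indicators.append("executive name on non-company domain")
    reply_to = msg.get("reply_to")
    if reply_to and sender_domain(reply_to) != sender_domain(msg["from"]):
        indicators.append("reply-to differs from sender")
    text = re.sub(r"\s+", " ", f"{msg.get('subject', '')} {msg.get('body', '')}".lower())
    if any(term in text for term in PAYMENT_TERMS):
        indicators.append("payment request")
    if any(term in text for term in URGENCY_TERMS):
        indicators.append("urgency")
    if any(term in text for term in SECRECY_TERMS):
        indicators.append("secrecy")
    return indicators


# Constructed sample data: the company domain, one executive's display name,
# a suspicious message and a benign one.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe"}

SUSPECT = {
    "from": "Jane Doe <jane.doe@examp1e.com>",
    "reply_to": "jane.doe.ceo@mail.example.net",
    "subject": "Urgent: vendor payment",
    "body": "Please wire the attached invoice today. This is confidential, do not discuss with anyone.",
}
BENIGN = {
    "from": "Jane Doe <jane.doe@example.com>",
    "subject": "Board slides",
    "body": "Attached are the slides for Thursday.",
}

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_email(msg, TRUSTED_DOMAINS, EXECUTIVES))
```

The point of returning a list of named indicators rather than a single score is that the AP reviewer or the IT team sees why the message was held, which is exactly the verification step the article recommends: a look-alike domain plus urgency plus secrecy in one message is a strong signal to pick up the phone rather than reply.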
How to Prevent CEO Fraud
CEO fraud is a persistent, ever-evolving threat. But with robust training, standardized procedures, and advanced automation solutions in place, your organization can successfully safeguard your funds and sensitive information.
Train Employees to Recognize Fraud
Cybercriminals continually adapt their tactics, making it essential for your workforce to stay informed about the latest phishing schemes and CEO fraud techniques. By investing in ongoing education, employees can become proficient at identifying suspicious elements within emails, such as unusual sender addresses, misspelled words, or grammatical errors. Moreover, training can instill a sense of skepticism and cautiousness when encountering requests for sensitive information or financial transactions.
Implement Strong Internal Controls
Internal controls for accounts payable transactions should encompass a range of security measures, from segregating duties within the AP team to conducting regular audits and reconciliations. By delineating responsibilities and requiring multiple individuals to review and authorize transactions, you create a system of checks and balances that minimizes the risk of unauthorized or fraudulent activities.
Require Two- or Three-Way Matching
Purchase order matching involves verifying the line-items of an invoice against the corresponding purchase order (PO) to ensure they match. MineralTree’s TotalAP solution is equipped with automated PO matching to streamline this process for your organization, ensuring suspicious POs are always flagged for review.
Contact the IT/Cybersecurity Team
Establishing a culture of vigilance and proactive communication is essential in combating CEO fraud and phishing attacks. Ensure that your workforce understands the importance of promptly reporting any emails that seem out of the ordinary, even if they are unsure about the legitimacy of the request. Having a well-defined process for reporting suspicious messages empowers your IT and cybersecurity experts to investigate, take swift action, and potentially thwart an ongoing attack.
Employ Automation
According to MineralTree’s 2022 State of AP Report, 71% of organizations currently automate accounts payable workflows — and that’s bad news for cybercriminals.
AP automation streamlines the accounts payable process by using advanced algorithms that cross-reference vendor details with your established records, flagging any inconsistencies for further review. As a result, it’s easy to validate vendor information and detect discrepancies in invoices, catching invoice fraud before it escalates.
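The “False Vendor Information” red flag, the two- or three-way matching step and the cross-referencing described just above all reduce to the same control: before an invoice is released for payment, compare it against the vendor master record, the purchase order and (for three-way matching) the goods receipt, and hold anything that disagrees. The code below is an added example written for this article, not MineralTree’s TotalAP implementation or any other product’s; the vendor record, purchase order, receipt and both invoices are constructed sample data, and the account numbers are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VendorRecord:
    name: str
    email_domain: str
    bank_account: str  # placeholder value, not a real account


@dataclass
class LineItem:
    sku: str
    qty: int
    unit_price: float


@dataclass
class PurchaseOrder:
    number: str
    vendor_name: str
    lines: List[LineItem]


@dataclass
class Invoice:
    vendor_name: str
    sender_email: str
    bank_account: str
    po_number: str
    lines: List[LineItem]


def vendor_discrepancies(inv: Invoice, vendors: Dict[str, VendorRecord]) -> List[str]:
    """Compare the invoice's sender domain and payment instructions with the
    vendor master record. Any change to banking details is held for a
    call-back to the vendor through the contact details already on file."""
    rec = vendors.get(inv.vendor_name.lower())
    if rec is None:
        return ["vendor not on file"]
    issues = []
    if inv.sender_email.rsplit("@", 1)[-1].lower() != rec.email_domain:
        issues.append("sender domain differs from vendor record")
    if inv.bank_account != rec.bank_account:
        issues.append("bank account differs from vendor record")
    return issues


def po_match(inv: Invoice, po: Optional[PurchaseOrder],
             received: Optional[Dict[str, int]] = None,
             price_tolerance: float = 0.0) -> List[str]:
    """Two-way match (invoice vs PO); three-way when a receipt is supplied."""
    if po is None:
        return ["no matching PO"]
    issues = []
    if po.vendor_name.lower() != inv.vendor_name.lower():
        issues.append("PO vendor differs from invoice vendor")
    po_lines = {line.sku: line for line in po.lines}
    for line in inv.lines:
        ordered = po_lines.get(line.sku)
        if ordered is None:
            issues.append(f"line {line.sku} not on PO")
            continue
        if line.qty > ordered.qty:
            issues.append(f"line {line.sku}: quantity {line.qty} exceeds PO quantity {ordered.qty}")
        elif abs(line.unit_price - ordered.unit_price) > price_tolerance * ordered.unit_price:
            issues.append(f"line {line.sku}: price {line.unit_price} differs from PO price {ordered.unit_price}")
        if received is not None and line.qty > received.get(line.sku, 0):
            issues.append(f"line {line.sku}: quantity {line.qty} exceeds received quantity {received.get(line.sku, 0)}")
    return issues


def review_invoice(inv: Invoice, vendors: Dict[str, VendorRecord],
                   pos: Dict[str, PurchaseOrder],
                   receipts: Optional[Dict[str, Dict[str, int]]] = None) -> dict:
    """Run both checks; any issue puts the invoice on hold for human review."""
    received = receipts.get(inv.po_number) if receipts else None
    issues = vendor_discrepancies(inv, vendors) + po_match(inv, pos.get(inv.po_number), received)
    return {"hold": bool(issues), "issues": issues}


# Constructed sample data.
VENDORS = {"acme supplies": VendorRecord("Acme Supplies", "acme-supplies.example", "ACCT-PLACEHOLDER-1")}
POS = {"PO-1001": PurchaseOrder("PO-1001", "Acme Supplies",
                                [LineItem("WIDGET", 100, 12.50), LineItem("BOLT", 500, 0.20)])}
RECEIPTS = {"PO-1001": {"WIDGET": 100, "BOLT": 500}}

# A fraudulent invoice: look-alike sender domain, new bank account, inflated
# quantity and an extra line that was never ordered.
SUSPECT_INVOICE = Invoice("Acme Supplies", "billing@acme-supp1ies.example", "ACCT-PLACEHOLDER-9", "PO-1001",
                          [LineItem("WIDGET", 100, 12.50), LineItem("BOLT", 600, 0.20), LineItem("SETUP FEE", 1, 450.00)])
# A legitimate partial invoice against the same PO.
CLEAN_INVOICE = Invoice("Acme Supplies", "billing@acme-supplies.example", "ACCT-PLACEHOLDER-1", "PO-1001",
                        [LineItem("WIDGET", 100, 12.50)])

if __name__ == "__main__":
    print(review_invoice(SUSPECT_INVOICE, VENDORS, POS, RECEIPTS))
    print(review_invoice(CLEAN_INVOICE, VENDORS, POS, RECEIPTS))
```

Note what the bank-account check does and does not do: it cannot tell whether the new account is legitimate, only that it differs from the record on file, so the workflow behind it must route the hold to someone who verifies the change with the vendor by phone and, under segregation of duties, is not the same person who entered the invoice.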
How CEO Fraud Affects Companies
If all of this sounds hypothetical, think again. CEO fraud has resulted in significant financial and reputational damage for companies and their leaders. For example, Austrian aerospace company FACC fell victim to a cyber fraud scheme that led to the dismissal of its CEO. The scammer, posing as the CEO, pressured an employee to transfer money into an account for a secret acquisition project that turned out to be fraudulent. That transaction resulted in $47 million in losses for the company.
But other examples show how vigorous cybersecurity training pays off. CERN, the European Organization for Nuclear Research, faced repeated CEO fraud attempts over the span of several years. But in each case, employees grew suspicious of the email exchanges and alerted IT, which verified the emails were fraudulent before the attack could escalate.
Final Thoughts
By staying informed about CEO fraud and phishing schemes, educating employees, and implementing robust security measures, your organization can effectively mitigate these threats and safeguard your financial integrity and sensitive information.
And with AP teams at higher risk of exploitation, it’s imperative to incorporate fraud prevention measures into the AP workflow. With MineralTree’s AP automation capabilities, you can feel confident that PO and invoice discrepancies will always be flagged and verified before payment is issued.
Ready to strengthen your defenses against CEO fraud and other phishing schemes? Request a demo of MineralTree today.
Frequently Asked Questions
How Does CEO Fraud Happen?
CEO fraud involves cybercriminals impersonating high-level executives to manipulate employees into taking actions that compromise security. These actions typically include transferring money into the attackers’ bank accounts or disclosing sensitive information or intellectual property.
What is an Example of CEO Fraud?
A wire transfer scam is a classic example of CEO fraud. In this scheme, attackers send convincing emails that appear to come from CEOs or other top managers instructing employees to initiate wire transfers to accounts the attackers control. This is often done under the guise of confidential business deals or time-sensitive transactions.
Who Are the Common Targets of CEO Fraud?
Employees in finance, including accounts payable, are commonly targeted with CEO fraud phishing schemes due to their involvement in financial transactions and access to sensitive information.
Which Red Flags in an Email Can Indicate Email Fraud?
Red flags include urgency, secrecy, and instructions that go against typical operating procedures. Generic greetings and spelling or grammatical errors can also be signs that the sender is not legitimate.