The CEO scam (a scam in which someone poses as the CEO or another high-ranking company executive) occurs when a manager or an employee authorised to make payments is tricked into paying a false invoice or making an unauthorised money transfer from the company account.
How does the CEO scam work?
The scam relies on an employee's willingness to quickly act on requests from senior management. The scammers will have a good knowledge of the company's organisational structure, and their emails appear very convincing.
- A scammer calls or sends an email posing as a high-ranking company executive (such as the CEO or CFO).
- They will have a good knowledge of the company’s organisational structure.
- They ask that an urgent payment be made.
- They use expressions such as: “Confidentiality”, “The company is relying on you”, “I’m not reachable at the moment”.
- They talk about a sensitive matter (e.g. a tax audit, a merger or an acquisition).
- The employee is told not to follow the usual authorisation procedures.
- Instructions on how to proceed may be provided later, by a third person or by email.
- The employee transfers funds to an account controlled by the scammer.
- Often, the request is for an international payment to a bank outside of Europe.
- Direct contact from a senior manager by email or an unexpected call.
- Need for absolute confidentiality.
- Pressure and a sense of urgency.
- Unusual request that does not follow internal procedures.
- Threats or unusual flattery and/or promises of reward.
What can a company do?
- Be aware of the risks and make sure that your employees are informed.
- Advise staff to exercise caution when dealing with requests for payment.
- Implement internal protocols for payments.
- Implement a procedure to verify the legitimacy of payment requests received by email.
- Establish a reporting process for fraud management.
- Review the information published on your company website, limit its disclosure and be especially careful on social media.
- Increase security for technological devices and keep them updated.
- Always contact the police when fraud attempts occur, even if you haven't fallen victim to the fraud.
What can an employee do?
- Rigorously apply current security procedures for payments. Do not skip any steps and do not give in to pressure.
- Always carefully check email addresses when it comes to sensitive information or money transfers. Scammers often use email addresses that differ from the original by only one character.
- If you have doubts about a transfer order, ask for advice from a qualified colleague even if you have been required to exercise discretion.
- Never open suspicious links or attachments received by email. Be especially careful when you check your personal email on the company computer.
- Limit publicly available information and exercise caution on social media.
- Avoid sharing information about the company’s internal structure, safety regulations or procedures.
- If you receive a suspicious email or call, always inform your IT department.
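As an added example (not from the original page), here is a small Python check that a mail-filter rule or a finance team's intake script could run over incoming payment requests: it flags sender addresses that are one character away from a known executive's address, display names that match an executive but sit on an unknown address, and message bodies built around the pressure phrases listed above. The executive allow-list and the sample message are constructed for the demonstration.

```python
import re
# Assumed allow-list of genuine executive addresses (constructed values, not real).
KNOWN_EXECUTIVES = {"ceo@example-corp.com": "Jane Doe", "cfo@example-corp.com": "John Roe"}
# Pressure wording the page lists as typical of the scam.
PRESSURE_PHRASES = ("confidential", "relying on you", "not reachable", "urgent")
# Constructed sample: display name of the CEO, address off by one character ('l' -> '1').
SAMPLE_FROM = "Jane Doe <ceo@examp1e-corp.com>"
SAMPLE_BODY = "This is confidential. I am not reachable, the company is relying on you. Urgent wire."

def levenshtein(a: str, b: str) -> int:
    """Edit distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_from(header: str) -> tuple:
    """Split 'Display Name <addr>' or a bare address into (name, lowercased address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()

def classify_sender(from_header: str, known=KNOWN_EXECUTIVES, max_distance: int = 1) -> str:
    """'known', a near-miss lookalike address, a spoofed display name, or 'unknown'."""
    name, addr = parse_from(from_header)
    if addr in known:
        return "known"
    for real_addr, real_name in known.items():
        if levenshtein(addr, real_addr) <= max_distance:
            return f"lookalike of {real_addr}"
        if name.lower() == real_name.lower():
            return f"display name of {real_name} on unknown address"
    return "unknown"

def pressure_score(body: str) -> int:
    """Count how many of the listed pressure phrases appear in the message body."""
    text = body.lower()
    return sum(p in text for p in PRESSURE_PHRASES)

def review(from_header: str, body: str) -> dict:
    """Flag for out-of-band verification when the sender is not known or the body leans on pressure."""
    sender, score = classify_sender(from_header), pressure_score(body)
    return {"sender": sender, "pressure": score, "escalate": sender != "known" or score >= 2}

if __name__ == "__main__":
    print(review(SAMPLE_FROM, SAMPLE_BODY))
```

A flagged message is only a prompt to verify the request through a known channel (a phone number already on file, not one given in the email); a sender that passes the check can still be a compromised genuine account, so the usual payment authorisation steps apply regardless.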