CEO fraud: Using the “grandparent scam” in business
Executive Education / 3 March 2023
Patrick Müller holds a degree in business informatics (Diplom-Wirtschaftsinformatiker) and has worked as a forensic data analyst in consulting and as a data scientist in industry. Since 2020 he has been self-employed, with a consulting focus on preparing and implementing data analytics projects. He lectures on the "Certified Fraud Manager" and "Certified Audit Data Scientist" certificate programmes at the Frankfurt School. His professional passion is "Turn fraud into value and insights into EBIT".


The experience of auditors over the last few years shows that new ways of committing fraud are becoming increasingly commonplace, impacting companies via two key vectors: social media and their employees. Typically, fraudsters pose as members of the company’s senior or top management and instruct employees to carry out certain actions. This scamming method is known as “CEO fraud” or sometimes as the “corporate grandparent scam”.

Understanding CEO fraud

For their attacks, fraudsters make initial contact by either using e-mails that look genuine but are actually fake, or hacking senior managers’ e-mail accounts, or making phone calls. More recently, scammers have started putting together more complex attack scenarios of which multiple employees are either the victims, or worse, unwitting accomplices.
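The fake-but-genuine-looking e-mails mentioned above are usually caught on the receiving side by checking the sender against the firm's own domain and executive roster. The following is an added example (not code from the original post or from the Frankfurt School) of such a check; the company domain, the executive roster and the sample header fields are all constructed for the illustration:

```python
"""Added example (not from the original post): flag inbound e-mails that
impersonate an internal executive. The company domain, the executive roster
and the sample header values below are constructed for this illustration."""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.de"  # assumption: the firm's real mail domain
EXECUTIVES = {                      # constructed roster: display name -> real address
    "anna schmidt": "anna.schmidt@example-corp.de",
    "peter meyer": "peter.meyer@example-corp.de",
}


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, reply_to_header=None):
    """Return the list of reasons a message should be tagged as external or
    suspicious; an empty list means the sender looks like a normal internal one."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []
    if domain != COMPANY_DOMAIN:
        reasons.append("external sender")
        # one or two character differences from the real domain: typo-squat candidate
        if domain and _edit_distance(domain, COMPANY_DOMAIN) <= 2:
            reasons.append("look-alike domain")
    norm_name = re.sub(r"\s+", " ", name.strip().lower())
    if norm_name in EXECUTIVES and addr != EXECUTIVES[norm_name]:
        reasons.append("display name matches an executive but address does not")
    if reply_to_header:
        _, reply = parseaddr(reply_to_header)
        reply_domain = reply.lower().rsplit("@", 1)[-1]
        if reply_domain != domain:
            reasons.append("Reply-To points to a different domain")
    return reasons


def tag_subject(subject, reasons):
    """Visibly mark external content so the recipient can recognise it at a glance."""
    return f"[EXTERNAL] {subject}" if reasons else subject


if __name__ == "__main__":
    for hdr in ("Anna Schmidt <anna.schmidt@example-corp.de>",
                "Anna Schmidt <anna.schmidt@examp1e-corp.de>"):
        why = classify_sender(hdr)
        print(tag_subject("Acquisition: payment instruction", why), why)
```

The subject tag is the kind of "IT mechanism that makes it easy for users to identify external content" recommended later in the post; the reasons list is what an analyst would want logged alongside it.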

Planning and carrying out CEO fraud

CEO fraud is typically characterised by two features: the initial preparation is time-consuming and meticulous, but the actual execution is very rapid and highly targeted.

During the preparatory phase, the fraudsters' research focuses primarily on the individuals authorised to access company systems and bank accounts. Business-friendly social networks such as Xing, LinkedIn and Polywork are especially useful sources of relevant information. Once the scammers have identified the person in the company who will make the best target, the actual procedural or systems-related part of the CEO fraud scenario is very straightforward. It is simply a matter of persuading the unwitting accomplice to set up a manual outpayment in the company’s accounting or ERP system and then initiate a special payment run – or even make a direct transfer via the online banking system.

A more thoroughly prepared scam may involve making initial contact with the targeted personnel several weeks in advance. The aim is to familiarise them with and build their trust in the fraudster. This can be done by asking them simple questions about genuine business transactions or engaging them in short conversations, ostensibly to congratulate them on a birthday, company anniversary or promotion.

At the same time, the fraudsters are carrying out research into the interests and schedules of the managers whose identities they will later be faking. The main priority is to identify absences or periods of unavailability. This will dictate the timing of the crime. The lack of availability and the reason for it will then be incorporated into the story which the victims will be fooled into believing. This is because simple cross-checks will come back positive. For example, the manager’s secretary will confirm that “yes, XY is indeed at this conference or on that long-haul flight”. The actual crime involves either making phone calls or sending fake e-mails to the meticulously researched employee(s) – with an emphasis on confidentiality and discretion. It is also quite usual to apply (fictitious) time pressure. Both these gambits are designed to minimise any consultation or discussion of the transaction with colleagues.

The invented stories mostly concern special transactions such as (fictitious) corporate acquisitions or other lucrative purchases of, for example, patent rights, real estate, or machinery. As part of the story, (invented) reasons are given for transferring a large sum of money to a foreign bank account. Increasingly, fraudsters also use domestic bank accounts which they are able to access thanks to another fraud scenario, and from which they can then transfer the money overseas.

Fraudsters obtain information via social engineering and hacking

In addition to easily accessible public sources such as the Bundesanzeiger (Federal Gazette) and German commercial register, criminals use two rather more digital approaches: social engineering and hacking. Social engineering involves, among other things, spying out employees’ personal details on social networks to find out more about their jobs, professional interests, CVs, attendance at conferences, and further training courses – and to identify their contacts.

Knowing this information enables the crooks to make precisely targeted, confidence-inspiring contact with their potential victims by phone or e-mail. In addition to direct hacking, they also take advantage of information leaks resulting from over-liberal settings in widely used communication software such as Microsoft Teams, Skype, Slack and similar apps, which release details of employees’ availability or out-of-office status to third parties.

Selected prophylactic recommendations – prioritising prevention rather than reaction

  • Test, adjust and secure business processes – and provide employees with full training.
  • Use data analytics to continuously detect and eliminate attempts to bypass or deviate from corporate processes.
  • Give employees (especially those involved in risk management, internal audit and management, or any employee with access to highly sensitive information, or with high-level authorisations) specific training in cybercrime and social engineering.
  • Make senior and top management aware of how much easier it is to engage in identity theft when employees are given permission to bypass corporate processes.
  • Activate IT mechanisms that make it easy for users to identify external content.
  • Review all corporate information published or released externally, especially details of employees’ availability or absences.
  • Set up regular training courses covering attacks; this should include an emergency routine similar to those used for annual fire drills, or for testing spam e-mail.
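The second recommendation, using data analytics to detect deviations from corporate processes, can be made concrete with the pattern the post describes: a manual outpayment, released via a special payment run, to a beneficiary not yet in master data, for a large sum, instructed by a manager who is recorded as absent. The following is an added example (not code from the original post or the Frankfurt School) that scores records from a hypothetical ERP export against those rules; the field names, the thresholds, the absence calendar and the sample payments are all constructed:

```python
"""Added example (not part of the original post): a small rule set that scores
manual outpayments in an ERP export for the CEO-fraud pattern described in the
post. Field names, thresholds and the sample records are all constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Payment:
    pid: str
    created: date
    amount_eur: float
    beneficiary: str
    iban: str
    manual: bool          # True = entered by hand, not from an invoice workflow
    payment_run: str      # "REGULAR" or "SPECIAL"
    requested_by: str     # manager named as instructing the payment
    approvers: tuple      # user ids who released it


HOME_COUNTRY = "DE"          # assumption: the company banks in Germany
LARGE_AMOUNT = 100_000.0     # assumption: threshold for a "large" transfer


def score_payment(p, known_beneficiaries, absences):
    """Return (score, reasons). known_beneficiaries is the set of names already
    in vendor master data; absences maps a manager to the dates they were away."""
    reasons = []
    if p.manual:
        reasons.append("manual outpayment outside an invoice workflow")
    if p.payment_run == "SPECIAL":
        reasons.append("released via a special payment run")
    if p.beneficiary not in known_beneficiaries:
        reasons.append("first payment to this beneficiary")
    if not p.iban.upper().startswith(HOME_COUNTRY):
        reasons.append("foreign bank account")
    if p.amount_eur >= LARGE_AMOUNT:
        reasons.append("large amount")
    if p.created in absences.get(p.requested_by, set()):
        reasons.append("instructing manager recorded as absent that day")
    if len(set(p.approvers)) < 2:
        reasons.append("no four-eyes release")
    return len(reasons), reasons


def triage(payments, known_beneficiaries, absences, min_score=4):
    """Payments reaching min_score are returned for manual review, highest first."""
    hits = []
    for p in payments:
        s, why = score_payment(p, known_beneficiaries, absences)
        if s >= min_score:
            hits.append((s, p.pid, why))
    return sorted(hits, reverse=True)


# constructed sample data: vendor master, absence calendar, three payments
KNOWN = {"Stadtwerke Beispiel GmbH", "Musterlieferant AG"}
ABSENCES = {"a.schmidt": {date(2023, 3, 2), date(2023, 3, 3)}}
SAMPLE = [
    Payment("P1", date(2023, 3, 1), 4_200.0, "Musterlieferant AG",
            "DE89370400440532013000", False, "REGULAR", "j.weber", ("u100", "u101")),
    Payment("P2", date(2023, 3, 2), 850_000.0, "Patent Holdings Ltd",
            "GB29NWBK60161331926819", True, "SPECIAL", "a.schmidt", ("u100",)),
    # domestic account used as a stepping stone, as the post notes is now common
    Payment("P3", date(2023, 3, 3), 120_000.0, "Immo Treuhand UG",
            "DE02120300000000202051", True, "SPECIAL", "a.schmidt", ("u100", "u102")),
]

if __name__ == "__main__":
    for score, pid, why in triage(SAMPLE, KNOWN, ABSENCES):
        print(pid, score, "; ".join(why))
```

The foreign-account rule is deliberately only one signal among several: P3 stays on the review list without it, which matches the post's observation that domestic accounts are increasingly used as the first hop. In practice the absence calendar would come from the same HR or calendar data whose external exposure the post warns about.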

Bottom line

It is important to realise that prevention of the latest scams and frauds is becoming increasingly complex. To cope with this complexity, companies must implement an interlocking web of interdisciplinary preventive measures. In addition to conventional process controls, preventive (data) analytics, a supporting IT infrastructure, and appropriate organisational changes, preventive training courses in risk management or internal audit/fraud management are also highly advisable. These courses educate participants in the details of data and information security, social engineering attacks, false identities, forgery detection and forensic data analytics, as well as making them aware of data-focused screening and audit procedures.


To make this text easier to read, it uses the masculine form to represent all genders.