The experience of auditors over the last few years shows that new ways of committing fraud are becoming increasingly commonplace, impacting companies via two key vectors: social media and their employees. Typically, fraudsters pose as members of the company’s senior or top management and instruct employees to carry out certain actions. This scamming method is known as “CEO fraud” or sometimes as the “corporate grandparent scam”.
For their attacks, fraudsters make initial contact by either using e-mails that look genuine but are actually fake, or hacking senior managers’ e-mail accounts, or making phone calls. More recently, scammers have started putting together more complex attack scenarios of which multiple employees are either the victims, or worse, unwitting accomplices.
CEO fraud is typically characterised by two features: the initial preparation is time-consuming and meticulous, but the actual execution is very rapid and highly targeted.
During the preparatory phase, the fraudsters’ research focuses primarily on the individuals authorised to access company systems and bank accounts. Business-oriented social networks such as Xing, LinkedIn and Polywork are especially useful sources of relevant information. Once the scammers have identified the person in the company who will make the best target, the actual procedural or systems-related part of the CEO fraud scenario is very straightforward. It is simply a matter of persuading the unwitting accomplice to set up a manual outpayment in the company’s accounting or ERP system and then initiate a special payment run – or even make a direct transfer via the online banking system.
A more thoroughly prepared scam may involve making initial contact with the targeted personnel several weeks in advance. The aim is to familiarise them with and build their trust in the fraudster. This can be done by asking them simple questions about genuine business transactions or engaging them in short conversations, ostensibly to congratulate them on a birthday, company anniversary or promotion.
At the same time, the fraudsters are carrying out research into the interests and schedules of the managers whose identities they will later be faking. The main priority is to identify absences or periods of unavailability. This will dictate the timing of the crime. The lack of availability and the reason for it will then be incorporated into the story which the victims will be fooled into believing. This is because simple cross-checks will come back positive. For example, the manager’s secretary will confirm that “yes, XY is indeed at this conference or on that long-haul flight”. The actual crime involves either making phone calls or sending fake e-mails to the meticulously researched employee(s) – with an emphasis on confidentiality and discretion. It is also quite usual to apply (fictitious) time pressure. Both these gambits are designed to minimise any consultation or discussion of the transaction with colleagues.
The invented stories mostly concern special transactions such as (fictitious) corporate acquisitions or other lucrative purchases of, for example, patent rights, real estate, or machinery. As part of the story, (invented) reasons are given for transferring a large sum of money to a foreign bank account. Increasingly, fraudsters also use domestic bank accounts which they are able to access thanks to another fraud scenario, and from which they can then transfer the money overseas.
In addition to easily accessible public sources such as the Bundesanzeiger (Federal Gazette) and German commercial register, criminals use two rather more digital approaches: social engineering and hacking. Social engineering involves, among other things, spying out employees’ personal details on social networks to find out more about their jobs, professional interests, CVs, attendance at conferences, and further training courses – and to identify their contacts.
Knowing this information enables the crooks to make precisely targeted, confidence-inspiring contact with their potential victims by phone or e-mail. In addition to direct hacking, they also take advantage of information leaks resulting from over-liberal settings in widely used communication software such as Microsoft Teams, Skype, Slack and similar apps, that release details of employees’ availability or out-of-office status to third parties.
It is important to realise that prevention of the latest scams and frauds is becoming increasingly complex. To cope with this complexity, companies must implement an interlocking web of interdisciplinary preventive measures. In addition to conventional process controls, preventive (data) analytics, a supporting IT infrastructure, and appropriate organisational changes, preventive training courses in risk management or internal audit/fraud management are also highly advisable. These courses educate participants in the details of data and information security, social engineering attacks, false identities, forgery detection and forensic data analytics, as well as making them aware of data-focused screening and audit procedures.
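As an added illustration of the data-focused screening mentioned above (example code, not part of the original article), the following check scores a single outpayment against the red flags this text describes: a manual entry outside the regular invoice run, a beneficiary outside Germany or absent from vendor master data, a large amount, creation and release by the same user, and an instruction attributed to a manager who is recorded as absent. The vendor list, absence calendar, threshold and sample payments are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed reference data for the example; not real company records.
KNOWN_VENDOR_IBANS = {"DE89370400440532013000"}
EXEC_ABSENCES = {"CFO": (date(2024, 5, 6), date(2024, 5, 10))}  # e.g. conference trip
LARGE_AMOUNT_EUR = 100_000


@dataclass
class Payment:
    payment_id: str
    amount_eur: float
    beneficiary_iban: str
    entry_type: str        # "manual" (set up by hand) or "invoice_run" (regular run)
    created_by: str
    released_by: str
    instructed_by: str     # role whose instruction the clerk cites, "" if none
    booking_date: date


def screen_payment(p: Payment) -> list[str]:
    """Return the CEO-fraud red flags raised by one outpayment."""
    flags = []
    if p.entry_type == "manual":
        flags.append("manual outpayment outside the regular invoice run")
    if not p.beneficiary_iban.startswith("DE"):
        flags.append("beneficiary account held outside Germany")
    if p.beneficiary_iban not in KNOWN_VENDOR_IBANS:
        flags.append("beneficiary not in vendor master data")
    if p.amount_eur >= LARGE_AMOUNT_EUR:
        flags.append("amount at or above the large-payment threshold")
    if p.created_by == p.released_by:
        flags.append("created and released by the same user (no four-eyes check)")
    absence = EXEC_ABSENCES.get(p.instructed_by)
    if absence and absence[0] <= p.booking_date <= absence[1]:
        flags.append(f"instructing {p.instructed_by} is recorded as absent on the booking date")
    return flags


def needs_callback(p: Payment) -> bool:
    """Hold the payment for confirmation via an independent channel when flags accumulate."""
    return len(screen_payment(p)) >= 3


# Constructed samples: one matching the described scenario, one routine vendor payment.
SUSPECT = Payment("P-1001", 250_000.0, "CH9300762011623852957", "manual",
                  "clerk_a", "clerk_a", "CFO", date(2024, 5, 8))
ROUTINE = Payment("P-1002", 12_500.0, "DE89370400440532013000", "invoice_run",
                  "clerk_a", "clerk_b", "", date(2024, 5, 8))
```

Running `screen_payment(SUSPECT)` lists all six flags, while `ROUTINE` raises none; the callback threshold is a tuning parameter that internal audit would set from its own payment history.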
To make this text easier to read, it uses the masculine form to represent all genders.