A recent report from the City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that over £32 million has been reported to be lost as a result of CEO fraud.
From July 2015 until January 2016 there was a marked increase in CEO fraud with a total of 994 reports being made to Action Fraud.
How does this scam work?
CEO fraud will typically start with an email being sent from a fraudster to a member of staff in a company’s finance department. The member of staff will be told by the fraudster who is purporting to be a company director or CEO that they need to quickly transfer money to a certain bank account for a specific reason. The member of staff will do as their boss has instructed, only to find that they have sent money to a fraudster’s bank account.
The fraudster will normally redistribute this money into other mule accounts and then close down the bank account to make it untraceable. Out of the £32 million reported to be lost by businesses to CEO fraud only £1 million has been able to be recovered by the victims. This is due to businesses taking too long to discover that they have been the victim of fraud and the lost money already being moved by fraudsters into mule accounts. Most businesses reported initially being contacted via emails with gmail.com and yahoo.com suffixes.
One company defrauded out of £18.5 million
The largest reported amount of money given by a member of staff to a fraudster was £18.5 million which is an unusually large amount to be given. Typically the average amount given to a fraudster is £35,000 but this can vary.
The company which lost £18.5 million is a producer of healthcare products and has offices globally. In July last year a man who purported to be a senior member of staff phoned a female Financial Controller who was based in one of the company’s Scottish offices and asked her to transfer money to accounts in Hong Kong, China and Tunisia. The Financial Controller believed the man to genuinely be a senior member of staff and exchanged several calls with him as well as emails. The man convinced her to transfer money into three foreign bank accounts which resulted in the company losing £18.5 million.
The fact that one company lost over £18 million whilst most others lose approximately £35,000 suggests that there may be two tiers of CEO fraud currently being committed, with some fraudsters aiming to obtain millions of pounds whilst others target a number of businesses, attempting to receive lesser amounts.
Businesses should educate their staff
Limited companies tend to be the most targeted type of company with 52% of reports coming from this business type. 22% of reports have come from businesses within London suggesting that this problem is particularly affecting the capital.
Deputy Head of Action Fraud, Steve Proffitt said: “It is important that all businesses are made aware of this type of fraud. We encourage businesses to educate their staff about this type of fraud in order to prevent themselves from becoming the next victim. Employees should be encouraged to double check everything they do and never be rushed into transferring large amounts of money even if they do think that it’s an important task given to them by their CEO. An increased awareness of this type of fraud amongst businesses will no doubt make it far harder for fraudsters to succeed.”
How can businesses protect themselves:
- Ensure all staff, not just finance teams, know about this fraud.
- Have a system in place which allows staff to properly verify contact from their CEO or senior members of staff; for example having two points of contact so that the staff can check that the instruction which they have received from their CEO is legitimate.
- Always review financial transactions to check for inconsistencies/errors, such as a misspelt company name.
- Consider what information is publicly available about the business and whether it needs to be public.
- Ensure computer systems are secure and that antivirus software is up to date.
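As an added example (not part of the original report and not Action Fraud tooling), the Python sketch below flags inbound mail that matches the pattern described above: a director's name on a message sent from a gmail.com or yahoo.com address that presses for a quick transfer. The executive names, company domain and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions: hypothetical executive names and company domain. The webmail
# domains are the two named in the report.
EXECUTIVES = {"jane doe", "john smith"}
COMPANY_DOMAIN = "example.co.uk"
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com"}
PRESSURE_WORDS = ("urgent", "quickly", "transfer", "payment", "confidential")
IDENTITY_FLAGS = {"exec_name_external", "webmail_sender"}

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: finance@example.co.uk
Subject: Urgent transfer

I need you to quickly transfer 35,000 today. Keep this confidential.
"""
GENUINE = """\
From: "Jane Doe" <jane.doe@example.co.uk>
To: finance@example.co.uk
Subject: Board pack

Please find the agenda for Thursday attached.
"""


def assess(raw_message):
    """Return the set of warning flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    flags = set()
    # A director's display name on an address outside the company domain.
    if display.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.add("exec_name_external")
    if domain in WEBMAIL_DOMAINS:
        flags.add("webmail_sender")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in PRESSURE_WORDS):
        flags.add("payment_pressure")
    return flags


def needs_callback(raw_message):
    """True when staff should verify via a second point of contact first."""
    flags = assess(raw_message)
    return "payment_pressure" in flags and bool(flags & IDENTITY_FLAGS)
```

A flagged message is a prompt to use the second point of contact before any payment is made, not a verdict that the message is fraudulent.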
To report a fraud and receive a police crime reference number, call Action Fraud on 0300 123 2040 or use our online fraud reporting tool.
Thanks to the Gloucestershire Police for alerting us to this information.
Action Fraud is the UK’s national fraud and internet crime reporting centre, providing a central point of contact for information about fraud and financially motivated internet crime.