It’s a horror story for any CEO or MD. The very thought can bring beads of nervous sweat to the forehead of any CFO or FD. You come back to your office to find out that millions have been wired from your company to an unknown account on the ‘urgent instructions of the CEO.’ That’s you, right? Wrong.
This nightmare scenario has played out too many times over the last few years, destroying careers and wounding businesses. Variously known as the CEO fraud email scam, bogus email scam, CEO email scam, business email scam and the boss email scam, this method of fraud is lethal in its simplicity. The Financial Times notes that:
“A scam in which criminals impersonate the email accounts of chief executives has cost businesses around the globe more than $2bn in little over two years, according to the US Federal Bureau of Investigation. The FBI has seen a sharp increase in “business email crime,” a simple scam that is also known as “CEO fraud”, with more than 12,000 victims affected globally.”
Email scam stories
A typical case in point is the story of Carole Gratzmuller, the Chief Executive of a medium-sized French company named Etna Industrie. Her accountant got a call on a Friday with instructions to conduct a very confidential transaction based on an email that she would get from the President of the company.
The email to the accountant said that she would get the instructions to wire the money from a consultant working with the lawyer, and that she was to keep the transaction confidential. The urgency around the whole exercise forced the accountant to move quickly – without thinking – and she transferred 500,000 euros to foreign bank accounts. While three of the banks held up the transfers, 100,000 euros had already gone. The bank that let that money go was found at fault, so Etna Industrie might get their money back, but only after a court battle.
Another frightening example is a ‘boss email’ scam that cost the Australian aerospace parts maker FACC 47 million euros. The fraudsters used the common technique of establishing a bogus email in the name of the CEO and instructing a subordinate in the finance department through emails to wire €52.8 million over a number of transactions. Not only did this made the company’s stocks plunge by 38%, but it also led to the sacking of the Financial Officer. A few weeks later, Walter Stephan, the CEO who had led the company for over 17 years was also fired – although his fault in the whole fiasco was not outlined.
What can accounts departments do to beat the fraudsters?
Accounting departments cannot afford to make a single mistake – just one can be more than enough to do irreparable damage. The first step in inching closer towards 100% security is to understand how email scams work. Let’s take a close look at the most common and successful email scam methods and identify ways of blunting the sharpest tricks in the fraudsters’ bag.
- The fraudster creates a fake email address in the name of the CEO, or any other member of the organisation who is authorised to demand transfer of funds to a new bank account. Often, they may ask the accountant to keep the transaction confidential.
- Someone claims to be from the IT department and says that they want you to make a test transfer – they are not IT and it is not a test!
- Fraudsters email or call, posing as a supplier asking for payment of outstanding invoices and instructing to transfer the fund to a new bank account – with the sort code and account number given in the email.
- The emails may not necessarily demand payment – some may just be fishing for confidential information. They gather information regarding the authorised personnel and accountants. This information can be used at a later date to commit an email fraud.
- Phishing attacks can take place when accounting employees click on email links that lead to the installation of malware.
Here’s how you can fight email fraud
A well-trained accounts staff that is aware of the techniques deployed by the fraudsters is in a strong position to detect and avoid fraud. Along with awareness, training in fraud prevention techniques is also essential. Here are some of the preventive measures we take to avoid fraud (these are to be used in combination with the other security measures that the organisation has in place):
- Check the authenticity of the email. For e.g., ABC Ltd is our client, John Brown is an authorised person, his email address is John.Brown@abc.com and his email name is reflected as John Brown. Now, if we receive an email where the name is reflected as John Brown but the email address is firstname.lastname@example.org, then consider it a forged email address.
- The accountant must report such instances to the manager or process head and not execute the actions requested through such emails.
- In response to emails from suppliers or other entities requesting changes in records or requesting information, do not hit ‘Reply.’ Forward the email using the correct address of the recipient – the one already present in the records.
- Always be careful while executing change of bank account details and scrutinise the request closely. In addition to contacting the creditors or suppliers using original contact details (as opposed to hitting ‘Reply’ to an email), the accountant must take confirmation from a known contact in the supplier organisation.
- In the case of a CHAPS payment of a larger amount (for example, more than £5,000), take additional confirmation on a call. Exceptions to be agreed upon, as per the process requirements in the process documentation.
- In the case of any specific and unusual request demanding cash on an urgent basis, be alert and don’t execute the transaction in a rush. Proceed only after confirmation.
- Ensure that the operating software is up to date, with necessary controls in place.
- Change the password regularly. Use strong or complex passwords.
- Ensure that adequate firewalls are installed and the anti-virus software is up to date.
- Do not click on links from emails that originate from unknown addresses. In case any employee detects any suspicious activity on the system, he/she must contact IT immediately.
In order to take the above steps and become more effective at fraud prevention, you need to answer the following questions:
- Do you have a list of authorised persons from the client with names, email addresses and contact numbers?
- Do you have an approval limit and the scenarios where you need to take joint approval in the case of a request for larger amounts?
- Is the list updated and confirmed with the client at every point of change?
- Has an employee on notice period handed over all controls and access of bank login ids and passwords?
- Is there any duplicate payment? In the case of an unusual duplicate payment, a proper escalation process must be followed.
By training our staff in fraud awareness and preventive techniques, we have been able to provide highly reliable and secure accounting services to a wide range of clients spread across geographies since 2004. While fraud prevention training and measures demand extra effort from accounts departments, their importance cannot be overstated.
We hope that this article will also help you strengthen your fraud prevention measures. Be on your guard and stay safe!