According to a 2018 survey by Lloyds Bank, CEO fraud (also known as impersonation fraud) is on the rise, with more than half a million businesses falling foul of the scam in that year. 53% of the respondents to the survey said that they had experienced scammers posing as their boss, whilst 52% had experienced invoice fraud, where fraudsters pose as legitimate suppliers to scam money from businesses.

How does CEO fraud work?

CEO fraud is a brazen and sophisticated scam in which a scammer poses as a senior company executive to convince the company’s finance department to transfer funds directly to an account the scammer controls. This may happen over a single email or a series of emails, or may even be conducted over the phone, making it important for accounts staff to remain vigilant at all times.

CEO fraud tends to follow these steps:

Step 1. Scammers identify the email address of someone in senior management, either via malware or other methods. They use this email address to create one which is virtually identical. For example, if the email address of the genuine executive is joe.bloggs@examplecompany.co.uk, the scammer will create the address joe.bloggs@examplecompany.com.

Step 2. Using this email address they will contact the company’s finance department and instruct them to make a large payment to a third party. This third party account will be controlled by the scammer.

Step 3. The business makes the payment, because the scammer has framed it as an urgent request that looks legitimate – ostensibly to a supplier or other party which the finance department is familiar with.
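The near-identical address in Step 1 can be caught automatically before the request reaches the finance team. The following is an added example, not part of the original article: it classifies a sender as internal, lookalike or external, and the suffix list, distance threshold and sample addresses other than the two from Step 1 are assumptions.

```python
# Assumption: a small constructed suffix list; real use needs the Public Suffix List.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def split_domain(domain):
    """Return (name, suffix): 'examplecompany.co.uk' -> ('examplecompany', 'co.uk')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, own_domain, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for a sender address."""
    sender_domain = address.rsplit("@", 1)[-1].lower()
    own = own_domain.lower()
    if sender_domain == own or sender_domain.endswith("." + own):
        return "internal"
    name, _ = split_domain(sender_domain)
    own_name, _ = split_domain(own)
    # Same name under a different suffix, or a near-miss spelling of the name.
    if name == own_name or edit_distance(name, own_name) <= max_distance:
        return "lookalike"
    return "external"


# Constructed sample senders; the first two are the addresses from Step 1.
SAMPLES = ["joe.bloggs@examplecompany.co.uk", "joe.bloggs@examplecompany.com",
           "joe.bloggs@examp1ecompany.co.uk", "accounts@stationery-supplier.co.uk"]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(sender, "->", classify_sender(sender, "examplecompany.co.uk"))
```

A "lookalike" result is a reason to hold the request and confirm it through another channel, not proof of fraud on its own.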

Often, fraudsters have targeted the business over a long period of time, getting to know the people that work in the business and its different departments. They will understand reporting lines within the company and who is responsible for making payments. They may even know when certain staff members are on holiday, making it easier for the fraud to go unnoticed for longer.

How does invoice fraud work?

Invoice fraud cost businesses almost £93m in 2018, with over 3,280 cases recorded and an average loss per case of more than £28,000.

Invoice fraud works best on companies with vulnerabilities in their accounts payable processes, as it requires departments not to be paying close attention to how, where and when their invoices are paid. The scammer will find out which suppliers the company is using (cleaning companies, stationery suppliers etc), and a fake invoice is sent out from an email address that appears to be the supplier demanding payment for these services.

As with CEO fraud, the email will often have a sense of urgency, saying that the amount is very overdue or threatening legal action, to try to prompt the accounts department to quickly pay the invoice blindly. Invoice scams may also include emails apparently from legitimate suppliers informing the company that their bank details have changed, and providing details of the scammers’ own bank accounts.

Whilst CEO scams often try to take large sums all at once, invoice scams will keep the amount low so as to avoid suspicion, as this way they can often get away with it for longer undetected.

How to prevent invoice fraud

Invoice fraud can be tricky to spot if you aren’t paying close attention to your payment processes, which is why it is critical to get a secure payment process in place and make sure that all areas of your company are in communication.

  • Three-way matching is a good way to ensure that all payments are properly validated, as it involves matching an invoice with the purchase order and the receipt of goods.
  • Removing testimonials from your own and your suppliers’ websites can help to avoid invoice fraud, as this information being readily available online makes it easy for fraudsters to find out who your suppliers are.
  • Dedicate one single point of contact with any businesses that you pay regularly, so that this person is your only trusted contact for invoices and payments.
  • Contact your supplier on a verified phone number if you spot a difference between past and current invoices to confirm that it was sent by them.
  • Streamline your accounts payable with real time AP reporting and visibility so that you can watch your supplier accounts and be aware if any payments are behind.
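Three-way matching, combined with a check for the changed bank details described earlier, can be expressed as a pre-payment control. This is an added example, not part of the original article; the record layout, identifiers and sample values are constructed for illustration.

```python
from decimal import Decimal

# Constructed records. Bank details come from a supplier master file that was
# verified by phone, never from the invoice or the email that carried it.
SUPPLIERS = {"SUP-01": {"name": "Example Cleaning Ltd", "account": "12345678"}}
PURCHASE_ORDERS = {
    "PO-1001": {"supplier": "SUP-01", "qty": 10, "unit_price": Decimal("45.00")}
}
GOODS_RECEIPTS = {"PO-1001": {"qty_received": 10}}

# Constructed invoice that should pass every check.
GENUINE_INVOICE = {"po": "PO-1001", "supplier": "SUP-01", "qty": 10,
                   "amount": Decimal("450.00"), "account": "12345678"}


def three_way_match(invoice, tolerance=Decimal("0.01")):
    """Return a list of reasons to hold the invoice; an empty list means pay."""
    po = PURCHASE_ORDERS.get(invoice["po"])
    if po is None:
        return ["no purchase order on file"]
    issues = []
    if invoice["supplier"] != po["supplier"]:
        issues.append("supplier differs from purchase order")
    receipt = GOODS_RECEIPTS.get(invoice["po"])
    if receipt is None:
        issues.append("no goods receipt recorded")
    elif invoice["qty"] > receipt["qty_received"]:
        issues.append("billed quantity exceeds quantity received")
    expected = po["unit_price"] * invoice["qty"]
    if abs(invoice["amount"] - expected) > tolerance:
        issues.append("amount differs from purchase order price")
    master = SUPPLIERS.get(invoice["supplier"])
    if master is None or invoice["account"] != master["account"]:
        issues.append("bank account differs from verified supplier record")
    return issues


if __name__ == "__main__":
    print(three_way_match(GENUINE_INVOICE))
    # Same invoice, but paying into an account that is not on the master file.
    print(three_way_match(dict(GENUINE_INVOICE, account="87654321")))
```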

How to prevent CEO fraud

Talk to your employees about CEO fraud, what it means and how to spot the signs. Staff who are aware of what to look out for are likely to be more savvy when it comes to these more sophisticated types of fraud.

Be careful with the information that you reveal to the general public.

Many people don’t think about the dangers of letting their social media followers know who is on holiday or what events are coming up, but this is a classic time for fraudsters to strike. If they know who is away and when, or when the company is likely to be distracted, it is much easier for them to plan their attack. This also goes for automatic out-of-office replies.

Use an alternative form of communication to double check that any unusual financial requests are legitimate. If the person is on holiday and you can’t check with them outside of emails, go to their saved contact on the system and respond to them this way rather than replying to the email.

A common tactic, as mentioned above, is to place time sensitivity on the task, thus pressuring the team to make a decision. Employers will never fault staff for taking time to confirm details before making a large financial transaction, so inform colleagues that being diligent when dealing with customer funds is something that will gain them positive recognition.

Regularly auditing your accounts to keep track of what is going where and who approved payments, and investigating discrepancies, is also a proven proactive technique that helps in the fight against fraud.

Fraud is a common issue that SMEs deal with and can cost individual companies thousands if they are not careful. The trick to avoiding falling foul of fraudsters is to really know your company and suppliers, and to do your due diligence using a risk-based system that helps you to identify security breaches before they can hurt you.

Talk to TFMC today

TFMC work with businesses of all sizes and can help you implement proven systems and strategies that will protect your company from the risk of fraudulent transactions. TFMC’s helpful advice team can assist you in making this choice, so why not call us today to find out about the ways we can help you? Contact us on 0800 470 4820 or email info@tfmcentre.co.uk.

John Stolliday

John Stolliday runs The Financial Management Centre in Luton East. John is a qualified accountant (FCCA) and bookkeeper (MICB) with UK and Middle East experience in the construction and building services sectors, handling company turnovers up to £100m and staff of 15. John has held senior roles, up to board level, in civil engineering, industrial engineering, pipelines, general building and building maintenance companies.