Payments fraud: An email from ‘your CEO’ could cost your company millions

CEO fraud is the fastest growing form of fraud in the UK and US, according to Jim Wadsworth, managing director of Accura, a division of VocaLink.

CEO fraud entails criminals tricking employees into transferring money into a fraudster’s bank account by posing as a company executive. It is not as common as some other forms of fraud, but “has by far the greatest financial impact on corporate customers”, according to a survey by VocaLink.

The largest reported incidence of CEO fraud in the UK saw £18.5 million stolen in July 2016. A recent report from the City of London Police’s National Fraud Intelligence Bureau shows that more than £32 million was reportedly lost from January 2015 until January 2016 as a result of CEO fraud.

Criminals increasingly see attacking businesses as more lucrative than targeting individuals.

In February 2016, hackers gained access to the codes for the Bangladesh central bank on Swift – the financial messaging service provider – and attempted to transfer $951 million from its accounts at the US Federal Reserve. While they only succeeded in stealing $101 million – some 45% of which has since been recovered – that far exceeds what can be taken from most individuals.

Simon Dukes, chief executive of Cifas – the UK’s fraud prevention service – says: “Criminals are business people, as well, and they’re always going to be looking at ways to maximize returns for the least risk. 

“And actually if you want to carry out a crime with high returns and low risk, then you’re going to carry out fraud, or cyber fraud, or cybercrime, because the chances of getting caught are very low indeed compared to other types of crime.”

The increasing diversification of customer interface channels, such as internet and mobile banking, is providing criminals with new lines of attack, and making it harder for all corporates, but especially small and medium-sized enterprises (SMEs), to keep up.

There are many variations on the theme, including invoice fraud, where an employee is tricked into amending an invoice so funds are diverted to a criminal’s bank account. Mandate fraud is similar, but entails a recurring payment, meaning relatively small amounts can add up over time.

Chris Greany, police national coordinator for economic crime and lead for identity crime, cyber protection and counterfeit currency at the National Police Chiefs’ Council (NPCC), says: “Although we’re not seeing a lot of it currently, I think insider fraud [fraud instigated or enabled by company employees] will become a risk for businesses as they get better at protecting their external defences from outside computer-based attacks.” 

However, attacking individuals remains easy pickings for criminals, and malware fraud remains the most widespread form of reported fraud. It is also the hardest to identify and counteract, according to half of the respondents to VocaLink’s survey.

In all, Financial Fraud Action UK (FFA UK) reported that more than a million incidents of financial fraud had been reported in the UK in the first half of 2016, an increase of 53% year on year. That means an incident of fraud occurred every second between January and June, says VocaLink.

And the situation in the UK is the same all over the world, says Colin Clark, operations manager for EMEA at Payment Software Company (PSC). “People are gullible everywhere,” he says. “There might be a few cultural adjustments, but basically the approach is the same.”

Treasury and Home Office figures estimate that the social and economic costs of fraud to the UK economy is £8.9 billion per year. And faster payments is making the problem worse by narrowing the window in which a fraudulent payment can be identified and stopped.

According to Katy Worobec, a director at FFA UK, speaking to VocaLink, £6 in every £10 of attempted fraud is prevented, demonstrating the scale of the assault on individuals and corporates around the world.

Amid this escalating problem, more than two thirds of respondents to VocaLink’s survey said they doubted law enforcement agencies are adequately trained or resourced to prosecute financial fraud. It found that 80% of UK financial institutions believe improved collaboration between financial institutions, businesses and law enforcement is the best way to reduce fraud.

For corporates, and especially smaller corporates, the problem is exacerbated by the lack of experts in the field available for them to employ. The onus is therefore on them to provide better training for existing employees.

VocaLink’s survey found that businesses should focus specifically on guarding against sensitive information becoming public, and improving their education and training of staff about fraud.

PSC’s Clark agrees with this assessment, adding: “Companies adhering to the Payment Card Industry standard are required to provide security awareness training to anyone handling credit cards every year. I think that training should be provided to far more people.”

Such training is necessary to help employees keep pace with criminals that are ever-more sophisticated.

They are increasingly using psychological and behavioural techniques to build up trust and confidence before they attempt any attacks, Alex Grant, a managing director for global fraud risk management at Barclays UK, told VocaLink.

However, the defence against fraud does not need to be as sophisticated as the attack. Employees must be diligent about checking the authenticity of all payment instructions, even if it appears to come from a trusted source.

By targeting companies during busy periods, criminals know employees might not have the time to conduct the required diligence to ensure payments are legitimate. Attacking companies on Fridays is also popular as it means there is a good chance the crime will not be detected until Monday, leaving the maximum amount of time for money to be laundered.

Criminals tailor their attacks depending on the intended victim.

Clark says: “Older people are more likely to be targeted on the phone because they are less likely to use things like email and Facebook. Younger people are easy to target online, they have grown up with email and don’t think about the risks. They might use 10 different social media platforms – you can bet they don’t have 10 different passwords.”

Employees and individuals must be particularly on guard against phishing scams, says Greany.

“The use of computers by criminals will increase and we need to be implementing, particularly at SME and business level, better protections for our clients and our employees from being victims of phishing emails and ransomware,” he says.

PSC’s Clark argues that, for all the increasing sophistication and frequency of the attacks, the best protection is diligence.

“When it comes to payments, most breaches I see are the result of sloppiness,” he says. “Businesses are essentially leaving their doors open.”