
How fraudsters almost extorted €500,000, using only emails and phone calls

28 November 2017
by Oz Alashe MBE

"Criminals have access to your calendar, to all kinds of different information and you have no clue that this is happening." Carole Gratzmuller, company president, was out of the office on the Friday morning her accountant’s phone rang.

The call was from a fraudster, saying that Carole Gratzmuller was about to make a confidential transaction and that Gratzmuller herself would soon email with further instructions.

The call seemed shrouded in secrecy but, sure enough, Gratzmuller emailed shortly after the call explaining the situation. The email was written in Gratzmuller’s usual manner and explained that Gratzmuller’s company, Etna Industrie, planned to buy a company later that day. The accountant was instructed to wire €500,000 to a Cyprus-based account to ensure the deal could go ahead.

The accountant recognised the request as unusual and responded with scepticism. But the emails seemed to be legitimate. After several more emails and phone calls, the accountant duly wired €500,000 of Etna Industrie’s money via four individual transactions. Three were held up by banks but one went through, making Etna Industrie the latest victim of a scam known as CEO fraud.

Stalking CEOs on social media

Although Etna Industrie is not a legal practice, CEO fraud is a scam that plagues the legal industry. Disturbingly, the scam requires little more than the collation of publicly available information and human error to defraud organisations of hundreds of thousands of pounds.

CEO fraud first sees criminals studying CEOs, partners and company directors. By trawling social media profiles, LinkedIn accounts and publicly available information, scammers build up profiles of the people they wish to impersonate. They make a note of their new avatar’s job title and the names of relevant friends, associates and employees. Hobbies and interests are also of use. And then they wait.

Eventually, a social post reveals the person they’ve been studying is out of the office. The post might be from the company, wishing the CEO or partner luck at an overseas speaking arrangement. It could be from a conference welcoming delegates. Either way, the post signals it’s time for the scammers to move on to phase two. They hijack or mimic their subject’s email account and make contact with someone back at the office.

Hijacking emails is part of CEO fraud in the legal sector

Victims of CEO fraud are (understandably) reluctant to announce their misfortune to the world, but we do know it happens. The SRA recently stated the crime had netted criminals “millions of pounds”, while the FBI estimates that nearly 18,000 victims have lost more than $2bn to CEO fraud in the past three years.

A recently reported case tells of how one law firm announced a senior partner’s business trip on Twitter. Seeing the post, opportunistic criminals set up a near-duplicate email address to that of the partner. They then emailed the accounts department and, posing as the exec, demanded a large invoice to be settled immediately. Over a period of less than five hours, the fraudsters convinced the accounts department to part with £35,000. The emails were written in the same nuanced language used across the firm’s social media and blog posts, at one point even commenting on the weather.

How to minimise the risks

If there’s one upside to CEO fraud, it’s that it typically relies on the fusion of two independent threats to succeed. Even if the criminals manage to build an accurate CEO profile, they still need someone to fall for a phishing scam to succeed. By the same token, failure to build an accurate CEO or partner profile prevents an attack from ever being launched in the first place.

Preventing criminals from building an accurate CEO profile is easier said than done. After all, a strong social media presence usually makes good business sense. To minimise risks, it’s worth people pausing for thought before sharing company updates. Revealing personal information is often unnecessary and the potential benefits rarely outweigh the overall risks. As a general rule, it’s worth assuming everything posted can be seen by a criminal who might one day attempt to cause personal or professional damage.

The second key to the scam is spear-phishing, which sees criminals sending fraudulent emails requesting staff wire funds somewhere untoward. Again, combating these is easier said than done. The emails almost always appear to come from a trusted source, frequently referencing details that verify the source’s authenticity and are often received when the real sender is travelling.

Pick up the phone and check it’s really your boss / partner or CEO

In such cases, it’s best practice to verify the sender is indeed who they say they are via an independent communication channel. Calling them on a genuine telephone number – or better still via video call – will usually reveal the fraudulent nature of the request.

This can sometimes be hard if you are essentially questioning the judgement of ‘your boss’. But for the sake of a few five-minute phone calls now and then, they will definitely thank you if you happen to save their business the financial cost and embarrassment of transferring several thousand pounds to a criminal. The truth is, if all requests for money transfer were checked, this type of fraud would disappear overnight.
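The two signals this article describes, a near-duplicate sender address (as in the £35,000 case above) and a money request that should trigger an out-of-band phone call, can be turned into a simple triage check that an accounts team or mail gateway runs before anyone acts on a transfer request. This is an added example, not code from the article or from CybSafe; the firm domain, executive names and sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed values for this example: the firm's real domain and the people
# whose names a fraudster would borrow. Hypothetical, not from the article.
FIRM_DOMAIN = "example-law.co.uk"
EXECUTIVES = {"jane smith", "tom harding"}
PAYMENT_TERMS = ("wire", "transfer", "invoice", "urgent", "immediately", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance catches near-duplicate domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header: str, subject: str, body: str) -> dict:
    """Return a verdict and the reasons behind it for one inbound message."""
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain != FIRM_DOMAIN
    # Executive's display name arriving from any outside domain (free mail included)
    impersonation = name in EXECUTIVES and external
    # Outside domain within two edits of the real one, e.g. examp1e-law.co.uk
    lookalike = external and 0 < edit_distance(domain, FIRM_DOMAIN) <= 2
    text = f"{subject} {body}".lower()
    payment = [t for t in PAYMENT_TERMS if re.search(rf"\b{t}\b", text)]
    reasons = []
    if impersonation:
        reasons.append(f"display name '{name}' matches an executive but domain is {domain}")
    if lookalike:
        reasons.append(f"sender domain {domain} is a near-duplicate of {FIRM_DOMAIN}")
    if payment:
        reasons.append("payment/urgency language: " + ", ".join(payment))
    if payment and (impersonation or lookalike):
        verdict = "hold_for_callback"  # stop the transfer; phone the real person
    elif payment or impersonation or lookalike:
        verdict = "verify"  # every money request gets an independent-channel check
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": reasons}
```

A genuine internal request still comes back as "verify", which matches the article's point that every transfer request, not only the suspicious-looking ones, should be confirmed by phone or video call.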

Put it in policy

Additionally, if you are a CEO and you know that you would never make a request like this of your staff...tell them! Enshrine it into policy, foster a culture of understanding, and make sure they realise that you don’t mind them coming to you to check.

As a rule of thumb, journalists never publish a story without two independent sources. When it comes to wiring money, it’s a handy rule to bear in mind.


Tags: cyber security

About the author

Oz Alashe MBE is CEO and founder of CybSafe. A former British Army and Special Forces Lieutenant Colonel, Oz has a successful track record of developing and leading the specialist application of intelligence, cyber and risk management capability to tackle sensitive challenges in business and government.
