
How fraudsters almost extorted €500,000, using only emails and phone calls

28 November 2017

"Criminals have access to your calendar, to all kinds of different information and you have no clue that this is happening." Carole Gratzmuller, company president, was out of the office on the Friday morning her accountant’s phone rang. 

The call was from a fraudster, saying that Carole Gratzmuller was about to make a confidential transaction and that Gratzmuller herself would soon email with further instructions.

The call seemed shrouded in secrecy but, sure enough, Gratzmuller emailed shortly after the call explaining the situation. The email was written in Gratzmuller’s usual manner and explained that Gratzmuller’s company, Etna Industrie, planned to buy a company later that day. The accountant was instructed to wire €500,000 to a Cyprus-based account to ensure the deal could go ahead.

The accountant recognised the request as unusual and responded with scepticism. But the emails seemed to be legitimate. After several more emails and phone calls, the accountant duly wired €500,000 of Etna Industrie’s money via four individual transactions. Three were held up by banks but one went through, making Etna Industrie the latest victim of a scam known as CEO fraud.

Stalking CEOs on social media

Although Etna Industrie is not a legal practice, CEO fraud is a scam that plagues the legal industry. Disturbingly, the scam requires little more than the collation of publicly available information and human error to defraud organisations of hundreds of thousands of pounds.

CEO fraud first sees criminals studying CEOs, partners and company directors. By trawling social media profiles, LinkedIn accounts and publicly available information, scammers build up profiles of the people they wish to impersonate. They make a note of their new avatar’s job title and the names of relevant friends, associates and employees. Hobbies and interests are also of use. And then they wait.

Eventually, a social post reveals the person they’ve been studying is out of the office. The post might be from the company, wishing the CEO or partner luck at an overseas speaking arrangement. It could be from a conference welcoming delegates. Either way, the post signals it’s time for the scammers to move on to phase two. They hijack or mimic their subject’s email account and make contact with someone back at the office.

Hijacking emails is part of CEO fraud in the legal sector

Victims of CEO fraud are (understandably) reluctant to announce their misfortune to the world, but we do know it happens. The SRA recently stated the crime had netted criminals “millions of pounds”, while the FBI estimates nearly 18,000 victims have lost more than $2bn to CEO fraud in the past three years.

A recently reported case tells of how one law firm announced a senior partner’s business trip on Twitter. Seeing the post, opportunistic criminals set up a near-duplicate email address to that of the partner. They then emailed the accounts department and, posing as the exec, demanded a large invoice to be settled immediately. Over a period of less than five hours, the fraudsters convinced the accounts department to part with £35,000. The emails were written in the same nuanced language used across the firm’s social media and blog posts, at one point even commenting on the weather.

How to minimise the risks

If there’s one upside to CEO fraud, it’s that it typically relies on the fusion of two independent threats. Even if the criminals manage to build an accurate CEO profile, they still need someone to fall for a phishing scam before the attack succeeds. By the same token, failure to build an accurate CEO or partner profile prevents an attack from ever being launched in the first place.

Preventing criminals from building an accurate CEO profile is easier said than done. After all, a strong social media presence usually makes good business sense. To minimise risks, it’s worth people pausing for thought before sharing company updates. Revealing personal information is often unnecessary and the potential benefits rarely outweigh the overall risks. As a general rule, it’s worth assuming everything posted can be seen by a criminal who might one day attempt to cause personal or professional damage.

The second key to the scam is spear-phishing, which sees criminals sending fraudulent emails requesting staff wire funds somewhere untoward. Again, combating these is easier said than done. The emails almost always appear to come from a trusted source, frequently referencing details that verify the source’s authenticity and are often received when the real sender is travelling.
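The “near-duplicate email address” in the law firm case above, and the trusted-looking sender described in this paragraph, are things a mail gateway or a finance team’s inbox rules can check for mechanically. The script below is an added example, not code from the original article or from CybSafe: it parses raw message headers and flags three common impersonation signs, a sender domain within a couple of edits of the firm’s own domain (after collapsing look-alike characters such as “rn” for “m”), a protected executive’s display name arriving from an outside domain, and a Reply-To that quietly diverts replies elsewhere. The organisation domain, executive names and sample messages are all constructed for illustration.

```python
"""Flag inbound mail whose sender looks like a CEO-fraud impersonation.

Added example, not code from the original article. The domain, executive
names and sample messages are constructed for illustration only.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

OUR_DOMAIN = "example-law.co.uk"            # assumed organisation domain
EXECUTIVES = {"jane senior", "tom partner"}  # display names worth protecting

# Character substitutions commonly used to build near-duplicate domains.
# Heuristic only: it will occasionally fold a legitimate digit into a letter.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse common look-alike characters."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


OUR_NORM = normalise(OUR_DOMAIN)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain is not ours but is within two edits of it."""
    if not domain or domain.lower() == OUR_DOMAIN:
        return False
    norm = normalise(domain)
    return norm == OUR_NORM or levenshtein(norm, OUR_NORM) <= 2


def analyse_message(raw: str) -> list[str]:
    """Return a list of human-readable warnings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    flags = []
    if is_lookalike(from_domain):
        flags.append(f"lookalike sender domain: {from_domain}")
    if name.strip().lower() in EXECUTIVES and from_domain.lower() != OUR_DOMAIN:
        flags.append(f"executive display name '{name}' from external domain")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2]
        if reply_domain.lower() != from_domain.lower():
            flags.append(f"Reply-To domain {reply_domain} differs from From domain")
        if is_lookalike(reply_domain):
            flags.append(f"lookalike Reply-To domain: {reply_domain}")
    return flags


# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "genuine": 'From: "Jane Senior" <jane.senior@example-law.co.uk>\n'
               "Subject: Friday meeting\n\nSee you at ten.\n",
    "lookalike": 'From: "Jane Senior" <jane.senior@exarnple-law.co.uk>\n'
                 "Subject: Urgent confidential transfer\n\nCall me before you act.\n",
    "webmail": 'From: "Jane Senior" <janesenior.exec@webmail.example>\n'
               "Subject: Quick favour\n\nAre you at your desk?\n",
    "replyto": 'From: "Jane Senior" <jane.senior@example-law.co.uk>\n'
               "Reply-To: <jane.senior@examp1e-law.co.uk>\n"
               "Subject: Invoice\n\nPlease settle today.\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Run the check over every constructed sample and collect the warnings."""
    return {label: analyse_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, warnings in scan_samples().items():
        print(f"{label:10s} {warnings or ['no warnings']}")
```

None of these checks proves a message is fraudulent; a flagged message is simply one that must not trigger a payment until someone has spoken to the real sender on a number taken from the firm’s own directory.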

Pick up the phone and check it’s really your boss, partner or CEO

In such cases, it’s best practice to verify the sender is indeed who they say they are via an independent communication channel. Calling them on a genuine telephone number – or better still via video call – will usually reveal the fraudulent nature of the request.

This can sometimes be hard if you are essentially questioning the judgement of ‘your boss’. But for the sake of a few five-minute phone calls now and then, they will definitely thank you if you happen to save their business the financial cost and embarrassment of transferring several thousand pounds to a criminal. The truth is, if all requests for money transfer were checked, this type of fraud would disappear overnight.

Put it in policy

Additionally, if you are a CEO and you know that you would never make a request like this of your staff...tell them! Enshrine it into policy, foster a culture of understanding, and make sure they realise that you don’t mind them coming to you to check.

As a rule of thumb, journalists never publish a story without two independent sources. When it comes to wiring money, it’s a handy rule to bear in mind.
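The verification rule in the two sections above has two parts that are easy to get wrong in practice: the confirmation must travel over a channel other than the one the request arrived on, and the number or handle used for that confirmation must come from the firm’s own directory, never from the signature block of the message being checked (a fraudster’s email will happily supply a phone number that the fraudster answers). The code below is an added example, not the article’s or CybSafe’s own material, that encodes that “two independent sources” policy as a release gate; the directory, names and phone numbers are constructed.

```python
"""Release gate for wire transfers: out-of-band verification against a
trusted directory. Added example, not from the original article; the
directory, names and numbers below are constructed for illustration.
"""
from dataclasses import dataclass

# The firm's own contact directory (constructed). Callback details are taken
# from here, never from the requesting message.
DIRECTORY = {
    "jane senior": "+44 20 7946 0000",
    "tom partner": "+44 20 7946 0001",
}


@dataclass(frozen=True)
class TransferRequest:
    requester: str     # who the message claims to be from
    amount: int        # amount in whole currency units
    channel: str       # channel the request arrived on, e.g. "email"


@dataclass(frozen=True)
class Verification:
    channel: str       # channel used to confirm, e.g. "phone" or "video"
    contact_used: str  # number or handle actually dialled
    confirmed_by: str  # staff member who made the call


def release_blockers(req: TransferRequest, ver: Verification) -> list[str]:
    """Return the policy reasons this transfer must not be released.

    An empty list means the request passed every check.
    """
    reasons = []
    expected = DIRECTORY.get(req.requester.strip().lower())
    if expected is None:
        reasons.append(f"requester '{req.requester}' is not in the directory")
    if ver.channel.lower() == req.channel.lower():
        reasons.append("verification used the same channel as the request")
    if expected is not None and ver.contact_used != expected:
        reasons.append("callback contact was not taken from the directory")
    if not ver.confirmed_by.strip():
        reasons.append("no staff member recorded as having verified")
    return reasons


def release_allowed(req: TransferRequest, ver: Verification) -> bool:
    """Convenience wrapper: True only when no blocker applies."""
    return not release_blockers(req, ver)


# Constructed scenarios mirroring the article's cases.
REQUEST = TransferRequest("Jane Senior", 500_000, "email")
GOOD = Verification("phone", "+44 20 7946 0000", "accounts clerk")
SAME_CHANNEL = Verification("email", "+44 20 7946 0000", "accounts clerk")
# A number lifted from the email signature rather than the directory.
FROM_SIGNATURE = Verification("phone", "+44 7700 900123", "accounts clerk")

if __name__ == "__main__":
    for label, ver in [("good", GOOD), ("same channel", SAME_CHANNEL),
                       ("signature number", FROM_SIGNATURE)]:
        print(f"{label:17s} {release_blockers(REQUEST, ver) or ['release ok']}")
```

Wiring the gate into a finance workflow means the accounts team records who called whom and on which number before a payment can leave; the record is also what makes a later investigation straightforward.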

Tags: cyber security

About the author

Oz Alashe MBE is CEO and founder of CybSafe. A former British Army and Special Forces Lieutenant Colonel, Oz has a successful track record of developing and leading the specialist application of intelligence, cyber and risk management capability to tackle sensitive challenges in business and government.
