How fraudsters almost extorted €500,000, using only emails and phone calls
"Criminals have access to your calendar, to all kinds of different information and you have no clue that this is happening." Carole Gratzmuller, company president, was out of the office on the Friday morning her accountant’s phone rang.
The call was from a fraudster, saying that Carole Gratzmuller was about to make a confidential transaction and that Gratzmuller herself would soon email with further instructions.
The call seemed shrouded in secrecy but, sure enough, Gratzmuller emailed shortly after the call explaining the situation. The email was written in Gratzmuller’s usual manner and explained that Gratzmuller’s company, Etna Industrie, planned to buy a company later that day. The accountant was instructed to wire €500,000 to a Cyprus-based account to ensure the deal could go ahead.
The accountant recognised the request as unusual and responded with scepticism. But the emails seemed to be legitimate. After several more emails and phone calls, the accountant duly wired €500,000 of Etna Industrie’s money via four individual transactions. Three were held up by banks but one went through, making Etna Industrie the latest victim of a scam known as CEO fraud.
Stalking CEOs on social media
Although Etna Industrie is not a legal practice, CEO fraud is a scam that plagues the legal industry. Disturbingly, the scam requires little more than the collation of publicly available information and human error to defraud organisations of hundreds of thousands of pounds.
CEO fraud first sees criminals studying CEOs, partners and company directors. By trawling social media profiles, LinkedIn accounts and publicly available information, scammers build up profiles of the people they wish to impersonate. They make a note of their new avatar’s job title and the names of relevant friends, associates and employees. Hobbies and interests are also of use. And then they wait.
Eventually, a social post reveals the person they’ve been studying is out of the office. The post might be from the company, wishing the CEO or partner luck at an overseas speaking arrangement. It could be from a conference welcoming delegates. Either way, the post signals it’s time for the scammers to move on to phase two. They hijack or mimic their subject’s email account and make contact with someone back at the office.
Hijacking emails is part of CEO fraud in the legal sector
Victims of CEO fraud are (understandably) reluctant to announce their misfortune to the world, but we do know it happens. The SRA recently stated the crime had netted criminals “millions of pounds” , while the FBI estimate nearly 18,000 victims have lost more than $2bn to CEO fraud in the past three years.
A recently reported case tells of how one law firm announced a senior partner’s business trip on Twitter. Seeing the post, opportunistic criminals set up a near-duplicate email address to that of the partner. They then emailed the accounts department and, posing as the exec, demanded a large invoice to be settled immediately. Over a period of less than five hours, the fraudsters convinced the accounts department to part with £35,000. The emails were written in the same nuanced language used across the firm’s social media and blog posts, at one point even commenting on the weather.
How to minimise the risks
If there’s one upside to CEO fraud, it’s that it typically relies on the fusion of two independent threats to succeed. Even if the criminals manage to build an accurate CEO profile, they still need someone to fall for a phishing scam to succeed. By the same token, failure to build an accurate CEO or partner profile prevents an attack from ever being launched in the first place.
Preventing criminals from building an accurate CEO profile is easier said than done. After all, a strong social media presence usually makes good business sense. To minimise risks, it’s worth people pausing for thought before sharing company updates. Revealing personal information is often unnecessary and the potential benefits rarely outweigh the overall risks. As a general rule, it’s worth assuming everything posted can be seen by a criminal who might one day attempt to cause personal or professional damage.
The second key to the scam is spear-phishing, which sees criminals sending fraudulent emails requesting staff wire funds somewhere untoward. Again, combating these is easier said than done. The emails almost always appear to come from a trusted source, frequently referencing details that verify the source’s authenticity and are often received when the real sender is travelling.
Pick up the phone and check it’s really your boss/partner or CEO
In such cases, it’s best practice to verify the sender is indeed who they say they are via an independent communication channel. Calling them on a genuine telephone number – or better still via video call – will usually reveal the fraudulent nature of the request.
This can sometimes be hard if you are essentially questioning the judgement of ‘your boss’. But for the sake of a few five minute phone calls now and then, they will definitely thank you if you happen to save their business the financial cost and embarrassment of transferring several thousand pounds to a criminal. The truth is, if all requests for money transfer were checked, this type of fraud would disappear overnight.
Put it in policy
Additionally, if you are a CEO and you know that you would never make a request like this of your staff...tell them! Enshrine it in to policy, foster a culture of understanding, and make sure they realise that you don’t mind them coming to you to check.
As a rule of thumb, journalists never publish a story without two independent sources. When it comes to wiring money, it’s a handy rule to bear in mind.