A company employee falls for a CEO fraud scam in which a fraudster pretends to be their boss

The golden rule for any modern worker boils down to four words: keep the boss happy. Fraudsters understand the power of this mantra all too well, and they have exploited it through CEO fraud with disturbingly successful results.

CEO fraud has traditionally been a form of business email compromise (BEC) in which fraudsters target a company’s employees with sophisticated email impersonation tactics. In recent years, fraudsters have expanded their tactics to include fraudulent SMS and text messages. Fraudsters send phishing emails or texts from an account bearing the name of the CEO or another high-level executive. The messages may ask the employee to approve a payment to a new vendor, or to buy gift cards for other employees and share the numbers and security codes.

Fraudsters are counting on employees to see their boss’ name in the email address or in their text messages and respond before they can think about their actions. If this pans out, employees may unwittingly disclose sensitive information like company bank account details or approve wire transfers to the fraudster. 

This raises an important question for banks: how can banks protect customers when the customers themselves are the weakest link?

What’s driving the rise in CEO fraud scams?

The latest figures from the UK Finance Annual Fraud Report found CEO fraud rose a shocking 165% last year, one of the most significant jumps among all fraud types. What’s behind this staggering increase in CEO fraud? 

Three key factors are driving the success of this troubling type of social engineering fraud:

  • Employees are naturally eager to please the boss. If you’re like most people, you spring to attention when you get a message from your boss. This is the one person we all aim to please, and no employee in their right mind wants to get on their boss’ bad side. Fraudsters understand this attitude and are weaponizing it against unsuspecting employees with high-pressure tactics.
  • Remote workers are easy fraud targets. Remember when in-person work was the norm? In those days, if an employee received a suspicious email or text they could simply walk to their supervisor’s office and ask if the message was legitimate. One global pandemic later, large swaths of employees work remotely on a full-time basis. In this new normal of remote work, calling the boss often feels uncomfortable. After all, who wants to call their boss every time they are asked to do something?
  • Commercial bank accounts are top CEO fraud targets. Banks typically have more retail customers than commercial customers. But while there are fewer commercial accounts for fraudsters to target, these accounts transact in much higher values. This means fraudsters can see much larger profits from this type of cybercrime. What’s more, CEO fraud requires little effort on the fraudsters’ part to send a few hundred emails or text messages. If even one employee falls for the scam, the fraudsters realize a high reward for minimal labor. 

How Fraud Impacts Employees, Businesses, and Bosses

If the fraudsters’ efforts are successful, the consequences can be far-reaching for the company itself, the employee who was tricked into carrying out the request, and the CEO who was impersonated.

  • The company: CEO fraud can be game-changing for the targeted company. After losing money to fraud, a business may be forced to delay any expansion plans it once had or even to lay off staff. These outcomes are also highly damaging to the company’s public image.
  • The employee: Fraud and scams take an emotional toll on victims. The same holds true for employees tricked by phishing attacks. Imagine how you would feel if you approved a fake invoice that cost your company money. Many workers will feel humiliated by the deception and alienated from their coworkers. They will also fear for their future with the company.
  • The CEO: The CEO at the center of the fraud will also have to deal with tough questions beyond the financial losses. For example, how can they trust their employees if a fraud is successful? It also raises serious questions over whether the CEO can trust the bank that permitted the transaction. If the CEO feels their bank isn’t doing enough to protect the company, they’ll consider switching to a different one.

3 Steps to Stop CEO Fraud Attacks

By now it should be clear that banks are affected by CEO fraud losses. The best move for banks and other financial institutions (FIs) is to do everything in their power to keep their commercial clients safe.

1. Teach Company Employees How to Detect Red Flags

Education is the cornerstone of any good fraud prevention strategy. Banks should step up their efforts to help company employees spot and prevent CEO fraud before it causes any damage. Some banks have posted their advice for employees online. These tips guide company employees on how to review email account and text information for suspicious patterns, verify new payment information, and put proper checks on outgoing payments. Banks can also advise company employees on how to improve email and text message security awareness and watch for malware so they can protect themselves and their company more effectively. Businesses should also consider hiding customer testimonials on social media or details that reveal their suppliers and partners.

2. Perform Transaction Analysis to Know Commercial Customers

Banks must familiarize themselves with normal payment patterns for business customers. Consider how much money the company normally pays a supplier or vendor, which employees are typically involved in the payment process, and how recent transactions have changed. Building a holistic view of the business’ patterns makes it easier to detect when the company’s payment patterns suddenly change.

3. Monitor Both Ends of the Payment

Banks should consider the profile of the payment recipient. Look at the age of the recipient’s bank account and whether the account is making outgoing payments or simply accepting payments. These factors can be warning signs of a mule account, and they offer a chance to stop a suspicious transaction. For banks protecting their customers, inbound payment monitoring is just as important as outgoing payment monitoring.
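The checks in steps 2 and 3 can be combined into one review of each outgoing payment. The sketch below is an added example, not code from the original article or any vendor product; the field names, thresholds, flag names, and sample records are all assumptions constructed for illustration, including the choice to treat a recently opened, receive-only recipient account as the mule-account signal.

```python
from statistics import median

# Constructed sample: one business customer's past outgoing payments.
HISTORY = [
    {"vendor": "acme-supplies", "amount": 4200.0, "approver": "j.lee"},
    {"vendor": "acme-supplies", "amount": 3900.0, "approver": "j.lee"},
    {"vendor": "acme-supplies", "amount": 4500.0, "approver": "m.ortiz"},
    {"vendor": "northwind-freight", "amount": 1250.0, "approver": "j.lee"},
    {"vendor": "northwind-freight", "amount": 1100.0, "approver": "j.lee"},
]

# Assumed thresholds; a real deployment would tune these per customer.
AMOUNT_FACTOR = 3.0          # flag payments above 3x the usual amount
MIN_RECIPIENT_AGE_DAYS = 30  # flag recipient accounts younger than this

def review_payment(history, payment, recipient):
    """Return the reasons a payment deviates from the customer's norm."""
    flags = []
    # Step 2: compare against the customer's own payment patterns.
    vendor_amounts = [p["amount"] for p in history
                      if p["vendor"] == payment["vendor"]]
    if not vendor_amounts:
        flags.append("new_vendor")
    # With no history for this vendor, fall back to the customer-wide norm.
    basis = vendor_amounts or [p["amount"] for p in history]
    if basis and payment["amount"] > AMOUNT_FACTOR * median(basis):
        flags.append("amount_above_baseline")
    if payment["approver"] not in {p["approver"] for p in history}:
        flags.append("unusual_approver")
    # Step 3: profile the receiving account.
    if recipient["account_age_days"] < MIN_RECIPIENT_AGE_DAYS:
        flags.append("recipient_account_new")
    if recipient["outgoing_payments"] == 0 and recipient["incoming_payments"] > 0:
        flags.append("recipient_receive_only")
    return flags

def decision(flags):
    # Assumed policy: two or more independent signals hold the payment
    # until the customer confirms it through a known contact channel.
    return "hold_for_callback" if len(flags) >= 2 else "release"

# Constructed payments: (payment, recipient profile).
ROUTINE = ({"vendor": "acme-supplies", "amount": 4100.0, "approver": "j.lee"},
           {"account_age_days": 2000, "outgoing_payments": 340, "incoming_payments": 900})
SUSPECT = ({"vendor": "brightpath-consulting", "amount": 48000.0, "approver": "t.nguyen"},
           {"account_age_days": 6, "outgoing_payments": 0, "incoming_payments": 3})
```

Holding on two or more signals, rather than on any single one, keeps a legitimate first payment to a new supplier from being blocked on that fact alone.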

It’s important to keep the boss happy. But no boss will be happy if they learn their employees are responsible for a scam that cost the company money. Banks have a special role to play in protecting their clients. By playing that role well, banks will make many bosses happy by putting the perpetrators of CEO fraud out of business.
