Upsurge in Fraud
Just one of those things, a sign of our times or an extra risk for treasurers?
by François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman of the European Association of Treasurers
Over the last few months we have seen a worrying increase in the number of attempted frauds, including the famous CEO impersonation fraud. Large groups, SMEs and especially finance departments are being targeted by phishing attacks. How do we explain all these types of scam? How can we counter them effectively? Where do we currently stand? These are the questions that we will try to answer. A treasurer on guard is worth two, so let us be on our guard.
Security is the biggest challenge for businesses in adopting mobile technologies, cloud and the internet of things. Around 23% of companies surveyed said they have suffered a security breach in the past 12 months.
Source: The Technology Industry Outlook Survey 2015, AFP
Why are there more scams today than before?
We are sticking our necks out in daring to claim that there is more fraud today than there used to be. However, that does actually seem to us to be the case. So what should we be doing about this new threat? The difficult economic environment, the global financial crisis and its traumatic aftermath explain this upsurge in fraud. This makes an ideal breeding ground for scams of this type. The emergence of new methods of payment also opens up new vulnerabilities, at least at the start, with areas of insecurity, lack of knowledge and possible flaws. It gives those wretched computer nerds just the sort of opportunity that they are likely to grab with both hands. So what do we do about it? As always, unfortunately, if one fraud succeeds many others follow, and creativity is not always directed to good causes, far from it. It is therefore this particular climate and these economic difficulties that explain the new situation of increased risk. We need to keep this in mind and redouble our vigilance. It is often in adversity that we are able to put ourselves to the test, to improve our internal control procedures and to ‘sell’ security projects, particularly in IT. Bandy about the spectre of the risk of fraud, and you will find the whole of C-level management listening to you, ready to allocate budget to prevent it.
Wolf in sheep’s clothing
France and other countries have recently seen a renewed upsurge in attempted scams of the ‘CEO impersonation fraud’ type. This type of fraud is a very special variant of phishing which is targeted at large and small groups indiscriminately, and particularly at their finance departments. The fraudsters try it on over and over again to increase their chances of hooking a victim. Statistically this works well, and sooner or later a company that is not careful enough will be caught out. Police criminal investigation departments in various EU countries show that millions of euros have been lost. These techniques need patience, conviction, acting talent, IT skills, and careful prior research together with a great deal of brass neck. All these elements in combination can lead to large losses.
CEO impersonation fraud is a specialist type of fraud based on the workings of our social structure. The fraudsters delve into the environment and innermost recesses of the target company and go through them with a fine-tooth comb, and then do the same for the company’s people. They take in internal communications, official job functions, bank accounts, organisation charts, AGM minutes and the minutes of various committees. In short, anything that might be of use is collected and put together to set the trap. Even though statistically only 1% of scams work, that is enough to make it worth turning them into a business. Success and practice help make the scenarios more credible.
The idea is to tap into the business’s philosophy, its language and its codes to make the fraud look credible. The principle of this fraud, totally and completely stupid though it may be, lies in the fraudsters successfully passing themselves off as the CEO of a company to persuade employees to act in a way that runs counter to best practice and internal procedures because of exceptional circumstances. They might imitate voices, signatures or gestures, come up with an unnervingly plausible set of background details that lulls the victim into a false sense of security (for example the CEO’s mobile number will display on the employee’s screen, the CEO’s voice is imitated perfectly, he tells you he is at a place that you have officially been told he is at, to raise doubts in the mind of the person he is speaking to, etc.). The aim is to have an urgent funds transfer to an unknown foreign beneficiary approved, with the CEO providing the required documentation for the transaction in the near future. It is based on psychological pressure deriving from the hierarchical relationship. And unfortunately, sometimes it works and some people fall into the net.