CEO FRAUD Prevention Manual

November 3, 2020

Introduction

It has ruined the careers of many executives and loyal employees. Successful CEOs have been fired because of it. Stock prices have collapsed. IPOs and mergers have been taken off the table. It is known as CEO fraud or Business Email Compromise (BEC), and the FBI reports that this type of cyber crime generated more than 23,000 complaints that were responsible for losses of more than $1.7 billion in 2019 alone. Between June 2016 and July 2019, the FBI reported that the total domestic and international exposed dollar loss was over $26 billion. (ref: https://www.ic3.gov/media/2019/190910.aspx#fn1 and https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120)

Despite these statistics, cyber-risk management remains a blind spot for most C-level executives. Therefore, any organization, led by its CEO, must quickly learn to integrate these skills and technologies into day-to-day operations – or face the consequences.

This CEO Fraud Prevention Manual provides a thorough overview of how to deal with this exponentially growing wave of preventable cyber crime. Part I explains how top executives in finance are hoodwinked, how organizations are compromised, how millions are siphoned off by criminals, and how fiduciary responsibilities play a role. Part II covers how to prevent such an attack as well as what to do if you become the latest victim. This includes checklists of the key steps.

What is CEO Fraud?

The FBI calls it Business Email Compromise (BEC) or Email Account Compromise (EAC) and defines it as “a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests. The scam is frequently carried out when a subject compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.” (ref: https://www.ic3.gov/media/2019/190910.aspx#fn1)

CEO fraud is another name for this type of scam, and it usually involves tricking someone into making a large wire transfer into what turns out to be a bogus account, redirecting paycheck deposits, or even requesting employees’ Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms. On a few occasions, however, checks are used instead of wire transfers. Between May 2018 and July 2019, the FBI reported a 100% increase in identified global exposed losses. Most victims are in the U.S. (all 50 states), but organizations in 177 other countries have also reported incidents. While the fraudulent transfers have been sent to at least 140 countries, most end up in China and Hong Kong. Unless the fraud is spotted within 24 hours, the chances of recovery are small. (ref: https://www.ic3.gov/media/2019/190910.aspx#fn1)

Certainly, large enterprises are a lucrative target. But small businesses are just as likely to be the mark. Other than being a business that engages in wire transfers, there is no discernible pattern in terms of a focus on a particular sector or type of business. The bad guys don’t discriminate.

Fortunately, organizations can familiarize themselves with the methods by which these attacks are initiated.

About the Provider

KnowBe4
KnowBe4 enables your employees to make smarter security decisions, every day.