When Your CEO Says Jump Do You Say How High?

28th January 2019

Jump? How High?

Criminals are using the CEO’s name to defraud business – If you received an email from your CEO requesting an immediate action, what’s your reaction?

For most people the CEO is a god like figure with the power to ruin or enhance a career, so for the most part you’d probably get onto it straight away and confirm the action to them once completed.

But what if the CEO wasn’t really the CEO, and instead a criminal set on defrauding your business.

Payroll, Finance and Human Resources departments are all at risk, under pressure in an ever-changing business situation, with multiple demands including payroll, expenses, international payments, and benefits. Criminal gangs are now using threat actors to breach organisational protocols using email or social engineering to divert these funds.

They seek to open a crack in the defences of a company, targeting individual weak links by assuming the identity of the CEO or other senior or influential employee within a company. What if your FD asked you to quickly do something over which you had financial control?

What’s the point?

Money. And lots of it. The threat actors aim is to convince you to divert a monthly salary payment or other funds to a bank account the criminals control.

How do they do it?

The criminals set up a temporary email account and change the display name to the name of your CEO or other high-ranking individual. The impersonation is now set. Once created they send emails to someone within payroll, finance or HR requesting a change to some payroll or account details or requesting details of a financial process. And it’s all time-driven. They’re seeking an expedited resolution.

The threat actors’ skill now comes into play as they manipulate the conversation to maintain the urgency of the request and try to avoid any red flags. Of course, if your payroll is handled by a professional outsourced payroll provider they cannot move forward, so the criminals aim is to control the situations in businesses where everything is controlled in house. And once controlled they get the unsuspecting employee to divert funds into an account they control. Depending on how bad systems are the criminals can be incredibly cheeky, coming back for more money until the scam is uncovered.

Malvertising, Spoofing, Vishing and Phishing – The facts

Malvertising – Criminals use ‘exploit kits’ on websites which contain code that will attack vulnerabilities within organisations. Most people are painfully aware of receiving emails or social messages with links or social messages with links that end up infecting and bringing down systems.The criminals just need you  to visit their site and once there they are able to gain entry and install or run their malicious software.

Spoofing – A type of scam where an intruder attempts to gain unauthorized access to a user’s system or information by pretending to be the user.

Vishing – Vishing is where a fraudster makes a telephone call posing as a bank representative to persuade the victim to hand over financial information.

Phishing – fraudsters seeking to obtain sensitive information such as passwords, usernames, bank details or other financial information by electronic means (including emails, pop ups or fake websites) from seemingly trustworthy sources.

So, what can be done regarding this new type of scam?

A simple re-evaluation of how current processes should be considered, checking the protocol for requests, and building in additional human intervention – a sort of human two factor authorisation before funds are transferred.

Carefully checking behind the email display name to see who the email is really from is a must. Often criminals obtain email addresses very similar to the current email – such is the sophistication of the scam.

Regular training of the employees who have access to funds transfer or bank account information should also be considered, to understand the types of threats currently emerging

Other things to consider to protect your business from payroll fraud

Payroll fraud continues to be high across all businesses, with criminals increasingly using sophisticated methods to fool your people into making a mistake.

1) Let everyone know what’s expected
Have clear guidelines, coaching and training on the impact of fraud in your organisation.

2) Bring fraud into the open and discuss it openly from the top down. Ask your employees to be vigilant, and let you know of any weaknesses in your systems – you may not have thought of all possible failures in your systems. Make sure your team update their personal laptops, PCs and other devices as soon as software and security updates are issued.

3) Take away the risk
Use an outsourced provider for your payroll and build your internal audit procedures and practices around that, ensuring anything handled internally carries dual signatories or ongoing audit checks. If you can grab extra time to spot fraud through outsourcing then you should take it.

4) Thoroughly check who you’re employing – both internally and externally
Comprehensive employee screening should be the norm internally. Ensure any outsourced payroll provider has ISO 27001 and Payroll Assurance Scheme accreditation so that you can be sure security is at the top of the agenda.

5) Know your team
Always be on the lookout for anomalies – e.g. employees with the same address, and thoroughly check employee expenses.

6) Never leave just one person in charge
It’s hard, especially in smaller charities, to have more than one person in charge of payroll, but it’s risky. If you cannot do that in your organisation then consider rotating roles on a regular basis or get someone independent to sign off payments.

7) Stay on top of leavers
Make sure your procedures when someone leaves are watertight. The Government and NCVO provide useful advice on fraud prevention, and a reputable payroll provider will give you the secure service you need to maintain your hard fought reputation.

And of course if you outsource your payroll or use external  payroll software make sure your supplier has all the necessary data security safeguards in place to protect your valuable employee data. With GDPR now in place across all businesses in the UK and across Europe, safeguarding your data has never been more important.