How to reduce CxO fraud risk?
Social engineering is used to profile your company, so the fraudster can plausibly pose as a senior manager (someone of the C-suite, hence “CxO Fraud”) or a third party acting on behalf of senior management and manipulate employees into executing payment transactions or divulging confidential information.
- Fraudsters will contact your company by e-mail or phone, acting as auditors, chartered accountants or even a government department undertaking an investigation. By these means, they gather information on your company's internal payment procedures as well as the people who make them. Also, information on social media (LinkedIn, Facebook) might help fraudsters to identify employees involved in payment procedures.
- Next they contact company employees with rights to make large payments posing as the CEO, CFO or other senior manager by referring to a decision to possibly take over a foreign rival, or other event requiring a major transaction.
- It is common in these scenarios that the fraudster explicitly stipulates that the transaction must be executed urgently and with the utmost secrecy.
- The fraudsters may even call on an external consultancy (whose identity they have stolen) to make the operation more credible. The consultancy then contacts the target employee to confirm the transaction and reiterate the secrecy and urgency of the payment to be made. If the employee hesitates, the fraudsters will use several tricks such as name dropping top executives in the company, flattery or even threats.
Variants of such fraud
Several varieties exist, such as fraudsters posing as lawyers, notaries, police officers, helpdesk, etc.
What safeguards to take?
- Always be cautious when funds are asked to be transferred urgently and secretly.
- In the event of an urgent request, always call the person who made the request back on a known, previously verified phone number or verify with a trusted party within the company.
- Implement segregation of duties like dual sign permissions, where at least two separate people have to sign payments.
- Do not allow people to share authorisation devices (e.g. cards and PIN numbers).
- Ask employees to limit the level of detail in their social media expressions on the role they occupy within the organisation (e.g. LinkedIn, Facebook and Instagram).
- Appoint a reference (who is neither the CEO nor the CFO) who must be contacted when a confidential or urgent transaction is requested. That person can contact the company director personally to check the authenticity of the request. Caution, this must not be known outside your company.
The information on this page is provided to you solely for informational purposes in order to make you aware of the most frequent cases of fraud and provide you with recommendations to protect yourself against it. This information does not ensure that your company, acting upon these recommendations is or will be protected against any occurrence of fraud detailed on this website. No rights can be derived from the use of and reliance on the safeguards you take by following up these recommendations. ING does not accept any responsibility or liability with respect to your reliance on and the actions you take as a result of these recommendations. This disclaimer is governed by Dutch law.