Original content provided by BDO United Kingdom
“Manipulation, fuelled with good intent, can be a blessing. But when used wickedly, it is the beginning of a magician's karmic calamity.” T.F. Hodge, From Within I Rise: Spiritual Triumph over Death and Conscious Encounters with "The Divine Presence"
A question to consider: You are working as a payments clerk and the CEO tells you to jump. Is your response to say:
“How high?”
or
”Why?”
Fraudsters trying to perpetrate the “Big Boss” scam (also known as CEO fraud) rather hope the answer is “how high” and rely on a culture of unquestioned authority to be successful.
The typical scenario in this type of fraud is that the fraudster poses as the boss (often a CEO or a CFO) and instructs staff by email to make a BACS transfer into the fraudster's account. The request is usually very urgent and the tone is very insistent. If the request is not complied with, a second, more insistent email is sent. And so on…
On the face of it the emails can be very convincing. The names of bosses and other key organisational data are captured from the internet and from social networks such as LinkedIn to make the emails appear genuine and to ensure the right names are used and the right people are targeted. The email address on the header is spoofed to look genuine.
Once the payment has been made into a bank account the fraudster will normally move these funds into ‘mule’ accounts - closing down the first bank account to make it untraceable.
Staff may be less likely to question instructions apparently from high up in the organisation and it’s this psychological manipulation, along with the sense of urgency that makes this relatively cheap, low-tech and simple fraud so successful. Even if only a tiny proportion of attempts are successful, they represent a great return on investment by the fraudster.
And overall these frauds have been successful. The BBC reported that in France businesses have lost an estimated €465m since 2010 with 15,000 firms falling victim to the scam – “"fraude au president” - including big names, such as Michelin, KPMG and Nestle. The same report states that in the US the FBI has estimated that "business email compromise" scams have affected about 7,000 companies that have been defrauded of more than $740m over the last two years.
In the UK, Action Fraud - the Fraud and Cyber Crime Reporting Centre received 994 reports of this type of fraud between July 2015 and January 2016 - a marked increase over previous periods.
And a recent report from the City of London Police’s National Fraud Intelligence Bureau (NFIB) states that in the UK over £32 million has been reported to be lost as a result of big boss fraud. Only £1m has been recovered for victims. This is often due to organisations taking too long to discover that they have been the defrauded with the result that their money has long since been moved into mule accounts.
So what can organisations do to protect themselves from this type of fraud?
Certainly controls that introduce and enforce a segregation of duties over who can initiate and approve BACS or CHAPS transfers may be effective; assuming the second individual in the process actually reviews the payment or is not also taken in by the fraud. We have seen this fraud being successful in clients who, on the face of it, have effective financial control environments because the fraudulent email was considered a bona-fide payment request and had an inexperienced member of staff covering for an absent colleague.
Equally, we are also aware of this fraud being successful in a small finance team where the controls over payments were not sufficiently strong – and could easily be manually overridden by staff subject to psychological manipulation. The success of this fraud led to a full review of payment controls and fraud awareness within the organisation.
More effective protection from this type of fraud may be found by concentrating on the soft controls. These include developing an anti-fraud culture; improving staff awareness of current scams; and to promote a culture of questioning things that look unusual or suspicious.
A little bit of scepticism goes a long way…
Unusual things in the case of “Big Boss” might be:
- Spoofed email address that when clicked on links to an unrelated email address
- Unusual email footer or signature
- Unusual or out of character style or wording (one client said that they quickly identified a suspect email because “the CEO is never that polite”!)
- The very fact that a money transfer is being requested on an email.
Some organisations have had their “big bosses” send a memo to finance staff to say that they would not request a BACS or CHAPS transfer by email and if staff receive any such request they should check directly with them by phone.
So what should questions should internal audit be thinking about in reaction to this growing type of fraud:
- How is the organisation making sure all staff are aware of this fraud and the signs to look for?
- What is the control culture like in the organisation? The ‘tone at the top’? Are big bosses often looking to override or ignore established controls when it suits them or when it’s more convenient?
- Are there clear processes and expectations in place for staff to verify that a communication they have received from the CEO or other senior executive is legitimate (even if this is just a phone call to their PA)?
- Is the organisation reviewing what information about their functions and staff is available publically (ie through the internet or through more traditional means)?
- How strong is the design and effectiveness of the controls over the systems for making bank payments? Is there effective segregation of duties between the initiator and authoriser and what checks is the authoriser actually undertaking?
- Is there a regular review of payments to establish any that look unusual?
Given the growing incidence of this kind of fraud, the risks associated with it should be under consideration by heads of internal audit in all industry sectors.