What is it?
A criminal impersonates your boss or a senior manager and asks you to either make an urgent payment or change the payment details for a contract or supplier.
They either gain access to your business’s email account by hacking, or use spoofing software, to email a member of the finance team with what appears to be a genuine email from your boss or a senior manager.
Criminals may target businesses over several months, building a picture of the structure of your firm and the employees responsible for authorising payments. Your website can sometimes reveal information about genuine suppliers that can then be used by criminals.
How to spot a CEO scam
- You’re asked by your CEO, a boss or a senior manager to urgently process an out-of-the-ordinary payment
- The language used in the email isn’t consistent with that of the genuine sender
- You’re asked to change the bank details of an existing supplier on your system
Example of a CEO scam
Mary*, a financial controller, received an email from her CEO Kurran requesting that an overdue invoice of £5,650 be paid to a supplier. Kurran said that, due to meetings, he was only available via email, and asked that the payment be made immediately. Kurran’s email said he was aware this payment was outside internal procedures but that it was urgent, and asked for proof of payment once it was made. Without consulting any members of her team or following the company’s internal processes, Mary sent the funds.
Mary believed the man she was corresponding with was genuinely her CEO, and not a criminal who had hacked the email account and subsequently sent out emails on behalf of the CEO. By the time she realised what had happened it was too late, and the company lost all the money as a result.
*Case studies are based on insights from partners