Don’t fall prey to CEO fraud

Even companies the size of Facebook have fallen for CEO fraud, says David Prosser. Make sure your business doesn't get caught out.


Those emails weren't really from Mark Zuckerberg
(Image credit: Jennifer Leahy)

Two of the world's largest online businesses have become the latest victims of "CEO fraud", in which crooks pose as senior executives of a business and order more junior members of staff in finance or accounts to make payments to another company. Google and Facebook said last week that they had both been caught out by a scam thought to be worth as much as £77m, though both companies have recouped at least some of their losses.

If online criminals now have the skills to dupe these supposedly tech-savvy internet giants, most other businesses are potentially vulnerable. And while high-profile cases make all the headlines, it is small- and medium-sized enterprises (SMEs) that are most routinely targeted by scammers and which can be the most vulnerable to attacks.

Online attacks of all kinds now pose a huge threat to SMEs, with one in five businesses having been targeted over the past year, according to the British Chambers of Commerce. However, the rise in CEO fraud is especially worrying, with criminals employing sophisticated techniques to impersonate key executives convincingly.


Staff believe that they've been given instructions by the boss. They are often told the payments are emergency transactions, needed to avoid a contract being breached or to settle a legal dispute before it escalates, so they transfer the money promptly, only to discover later that the orders were fake and the money has disappeared.

It's easy to dismiss these threats as only affecting the careless, but keep in mind that such deceptions are typically well planned and carefully executed. Attackers often spend months researching who in an organisation has the authority to authorise payments to third parties, as well as who has the clearance to action such orders.

They often track the executive's movements so they can strike while the person is travelling, for example, and they may look for new employees in a finance department, who may be unfamiliar with company procedures. Often, the person targeted will be told the transaction is highly sensitive and must be kept confidential, even from close colleagues.

While that may sound difficult to pull off, too many companies make it easier for criminals to strike, for example by publishing extensive information about key people, including roles and contact details, on corporate websites. Social media is another key target for attackers seeking information, with company employees routinely disclosing details of what they do, as well as when they're going on holiday or will be out of the office.

How to defend against imposters

Cyber criminals can be convincing and no single line of defence will protect your business from fraud. However, it's crucial to encourage your staff to develop a healthy sense of scepticism. They need to be prepared to question instructions and approaches they receive, even where the communication shows every sign of being genuine. In addition, consider the following action points:

Make sure that your organisation has policies in place that require additional checks to be carried out before a transfer worth more than a certain amount can be made. No one person should have the authority to sign off on a large transfer of funds single-handedly.

Encourage extra vigilance at key times. Many CEO frauds are launched late on a Friday or just prior to public holidays, when attackers know attention levels are at their lowest and senior staff absences may be more common.

Consider carefully what information your company puts into the public domain about who is responsible for finance, particularly on corporate websites.

Remind people at every level of the business of the dangers of sharing too much information online, including on social media and personal blogs.

Inform everyone within the organisation if you have been targeted by CEO fraud. While you may have seen through the attempt, sharing details will enable you to highlight everything wrong with it and encourage your staff to be wary in the future.

Monitor domain registrations, either through your registrar or a dedicated monitoring service. If someone is registering domain names similar to your own, they may be trying to acquire convincing email or website addresses in preparation for an attack.
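As an added illustration of the last two points (it is example code written for this page, not something the article or any named company supplies), the script below generates the lookalike domains an impersonator is likely to register for a given company domain, and then classifies incoming From: headers as internal, a lookalike domain, a display-name spoof (an executive's name on an outside mailbox) or plain external. The company domain example.com, the executive name "Jane Doe" and the sample headers are constructed for illustration; the permutation rules and the edit-distance threshold are assumptions a real deployment would tune.

```python
"""Generate lookalike domains and classify From: headers for CEO-fraud markers.

Added example for this article, not the article's own material. The domain,
executive names and sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Character sequences that read alike in common fonts (assumed list, not exhaustive).
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"],
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "d": ["cl"], "s": ["5"],
}
# Top-level domains an impersonator might register instead of the real one (assumed).
TLD_SWAPS = ["com", "co", "net", "org", "cm", "co.uk", "uk"]


def lookalike_domains(domain):
    """Return the set of registrable variants of `domain` worth watching for.

    Covers single-character omission, doubling, adjacent transposition, hyphen
    insertion, homoglyph substitution and TLD swaps. Feed the result to a
    registration-monitoring service or use it as a deny list on inbound mail.
    """
    label, _, tld = domain.lower().partition(".")
    variants = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                    # omission: exmple
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])    # doubling: exaample
        if i > 0:
            variants.add(label[:i] + "-" + label[i:])              # hyphen: ex-ample
        if i < n - 1:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap: exmaple
    for seq, subs in HOMOGLYPHS.items():
        if seq in label:
            for sub in subs:
                variants.add(label.replace(seq, sub))              # homoglyph: examp1e
    variants.discard(label)
    result = {v + "." + tld for v in variants if v}
    result.update(label + "." + t for t in TLD_SWAPS if t != tld)  # same label, other TLD
    return result


def edit_distance(a, b):
    """Levenshtein distance; catches single substitutions the generator does not list."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from_header(from_header, legit_domain, executives):
    """Return (verdict, reason) for a raw From: header value.

    Verdicts: "internal", "lookalike-domain", "display-name-spoof", "external".
    Checks run in that order, so a lookalike domain carrying an executive's name
    is reported as a lookalike domain, the stronger signal.
    """
    display, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    legit = legit_domain.lower()
    if sender_domain == legit:
        return "internal", "sender domain matches"
    if not sender_domain.isascii():
        # Internationalised domains can hide near-identical Unicode letters; treat as suspect.
        return "lookalike-domain", f"{sender_domain} contains non-ASCII characters"
    sender_label, legit_label = sender_domain.split(".")[0], legit.split(".")[0]
    if sender_domain in lookalike_domains(legit) or edit_distance(sender_label, legit_label) <= 1:
        return "lookalike-domain", f"{sender_domain} resembles {legit}"
    normalised = " ".join(display.lower().split())
    for name in executives:
        if name.lower() in normalised:
            return "display-name-spoof", f'display name "{display}" matches {name} but address is {addr}'
    return "external", "outside domain with no impersonation markers"


if __name__ == "__main__":
    EXECUTIVES = ["Jane Doe"]                       # constructed executive list
    SAMPLE_HEADERS = [                              # constructed From: values
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@examp1e.com>",
        "Jane Doe <jane@exmaple.com>",
        "Jane Doe <ceo@example.co>",
        "Jane Doe <jane.doe.ceo@gmail.com>",
        "Accounts <billing@supplier.net>",
    ]
    for header in SAMPLE_HEADERS:
        verdict, reason = classify_from_header(header, "example.com", EXECUTIVES)
        print(f"{header:40} -> {verdict:20} ({reason})")
```

In practice the lookalike set would be checked periodically against WHOIS or certificate-transparency data as well as inbound mail, and the display-name check is what catches the common case where the attacker does not bother registering anything and simply sends from a free webmail account under the executive's name.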

David Prosser
Business Columnist

David Prosser is a regular MoneyWeek columnist, writing on small business and entrepreneurship, as well as pensions and other forms of tax-efficient savings and investments. David has been a financial journalist for almost 30 years, specialising initially in personal finance, and then in broader business coverage. He has worked for national newspaper groups including The Financial Times, The Guardian and Observer, Express Newspapers and, most recently, The Independent, where he served for more than three years as business editor.