CEO Fraud - How Can You Protect Yourself Against It?


A targeted form of email ‘phishing’, also known as ‘fake president’ or business email compromise scams, CEO fraud has become an increasingly popular method of conning finance administrators into transferring funds out of the business accounts.

So, what is CEO fraud?

  • CEO fraud is committed when an external sender poses as an important person in the company (often the Director) and emails a member of the finance team requesting that a sum of money be transferred to an account, or asks a finance question. The emails are very clever: they are written in the same style as most internal emails, signature included. At first glance they appear completely normal, right down to the email address, but on closer inspection you may find a stray ‘.’ inserted into an otherwise familiar address, or, once you click ‘reply’, the address your reply will go to is not the one the email appeared to come from.

Why does it affect me?

  • CEO fraud happens to many companies – of all sizes – so it’s easy to become a target. Within your role, it may be normal to receive requests from your manager or director to pay invoices or transfer funds, which you wouldn’t necessarily question. However, it is vital that you are extra vigilant and check that such requests really do come from internal or ‘safe’ addresses. If you don’t work in finance you may think CEO fraud will never affect you, but it’s important to be aware of it, and to share the information with your colleagues: some companies have suffered huge losses as a result of these clever emails, paying thousands of pounds into a fraudulent bank account.

How can I protect myself?

  • If you receive an email requesting money from another person within the business, the best thing you can do is check with that person face-to-face, or by calling them on a number you already have (not one given in the email), before transferring any amount.
  • Always read the sender’s email address and the reply-to address thoroughly; clicking ‘reply’ shows you where your reply will actually be sent. If either address looks unusual or incorrect, DO NOT reply.
  • If you are ever completing a bank transaction after being asked to by email, make sure you know exactly who the money is going to, where it is going, and what it is for.

The Techy Bit

  • Neil, one of the systems experts and support consultants at Minster, explains:
  • “The internet as we know it runs on standards and protocols. One of those protocols is Simple Mail Transfer Protocol, generally referred to as SMTP.
    SMTP was developed in the early 1980s and went on to become the accepted standard by which all emails are sent on the internet.
    When it was developed there were very few servers online and security was not a priority, which meant there was no provision for checking that sender addresses were valid. The core functionality of SMTP has not changed much in that time which means it is very easy to send an email with an invalid email address (spoofing). The sender’s display name can be set to anything, so these days a quick look on social media will find valid names for a company, which can be put on a fake email making it look convincing.
    A variety of attempts have been made to implement features to verify sender information, but these have not been universally adopted, which limits their effectiveness. Until a new standard implements sender checking features on all servers this will continue to be an issue and will continue to be exploited by spammers. Spam filters can help but can only do so much; end users need to be wary of emails.”
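The spoofing Neil describes, together with the address checks listed under ‘How can I protect myself?’, as an added example in Python (this is not code from the article or from Minster). It builds a constructed ‘fake president’ message whose display name and From: address were chosen freely by the sender, then runs the checks a finance team could apply to it: is the sender external, is the domain a lookalike of ours, does Reply-To go somewhere else, and does the display name claim to be a known member of staff. The domain example.co.uk, the staff list and both sample messages are hypothetical. The lookalike check goes slightly beyond the article’s stray-dot case: it also flags a domain that is one character away from the real one.

```python
"""Spoofed-sender demonstration and recipient-side checks (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example only: the company's real domain and the people
# whose names an attacker could harvest from social media.
INTERNAL_DOMAIN = "example.co.uk"
KNOWN_STAFF = {"jane director": "jane.director@example.co.uk"}

# Constructed sample of a 'fake president' email. SMTP lets the sender put any
# display name and address in From:, so the name looks genuine while the domain
# carries a stray '.' and the Reply-To points somewhere else entirely.
SPOOFED = """\
From: "Jane Director" <jane.director@exam.ple.co.uk>
Reply-To: "Jane Director" <jane.director@mailbox-reply.example.net>
To: accounts@example.co.uk
Subject: Urgent supplier payment

Please pay the attached invoice today. I'm in meetings, so just reply here.
"""

# Constructed sample of a genuine internal request, for comparison.
GENUINE = """\
From: "Jane Director" <jane.director@example.co.uk>
To: accounts@example.co.uk
Subject: Supplier payment

Please pay the attached invoice when you get a chance.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, real: str) -> bool:
    """True when a domain is nearly, but not exactly, the real one: identical once
    dots and hyphens are stripped (the stray '.' trick) or one edit away."""
    if domain == real:
        return False

    def squash(d: str) -> str:
        return d.replace(".", "").replace("-", "")

    return squash(domain) == squash(real) or _edit_distance(domain, real) <= 1


def check_message(raw: str) -> list[str]:
    """Return the reasons this message should be treated as suspect; [] = none found."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []

    if from_dom != INTERNAL_DOMAIN:
        findings.append("from-external")
    if is_lookalike(from_dom, INTERNAL_DOMAIN):
        findings.append("lookalike-domain")
    # A reply would go to a different domain than the one the mail claims to be from.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-elsewhere")
    # The display name is a known colleague but the address is not theirs.
    known = KNOWN_STAFF.get(from_name.strip().lower())
    if known and known != from_addr.lower():
        findings.append("name-claims-staff-member")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_message(raw) or ["no findings"])
```

Run stand-alone it prints four findings for the spoofed message and none for the genuine one. These are header checks only: a request sent from a colleague’s genuinely compromised mailbox passes all of them, which is why the face-to-face or phone confirmation above still applies even when the address is correct.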

  • For further support, Minster have created a free step-by-step video tutorial to help you set up your email system so that you can tell a ‘real’ internal email from one that has come from an external source.