How to protect your business from CEO fraud


How many of your team members would question an email from what appears to be you, or a company director asking them to do something? Probably not many.

CEO Fraud

Last month, we launched the Keep Your Business Safe series with some tips to protect yourself against Authorised Push Payment (APP) fraud.

APP fraud is where criminals trick people into making a payment, believing it’s for a legitimate reason or from someone that they know. Unfortunately, APP fraud is on the rise – particularly for small businesses.

Our first guide included helpful tips on invoice fraud and social engineering, but another type of APP fraud all small businesses should be aware of is CEO fraud. It’s been estimated that up to 500,000 UK companies have been hit by CEO fraud, with the average loss being £27,000.* Here’s how to protect your business from becoming a victim of CEO fraud.

* Estimations by Lloyds Bank

So what is CEO fraud?

“Hey Simon – the supplier’s chasing us for their overdue invoice. Can you pay ASAP?”

The finance director receives an email from the company’s CEO or director. The email says that they need to quickly transfer money to a bank account for a specific reason, like an overdue invoice. The team member immediately does as instructed and makes the payment, not knowing that a fraudster has impersonated the company’s CEO and that they’ve actually moved the company’s money into an account controlled by the fraudster.

As soon as the funds have been transferred, the fraudster immediately moves the money into another account, often breaking the payment up into smaller values, and into multiple bank accounts, making it extremely hard to trace.

How do the fraudsters do it?

Typically, sophisticated fraudsters commit this type of fraud as opposed to amateurs. They spend time researching various aspects of your company, including key staff members, reporting lines and third-party suppliers. They might even follow you and your team on social media to see when you are out of office and therefore more likely to send a quick email with instructions, or make it harder for a staff member to verify a payment with you.

The fraudster may use an email address that looks almost identical to that of the person they are trying to impersonate, such as dan@abclmited.com impersonating dan@abclimited.com (note the missing "i").
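One practical defence against the near-miss addresses described above is to compare the sender's domain against a short list of the company's own domains and flag anything that is close but not identical. The script below is an added example, not part of the original article: the trusted-domain list, the confusable-character table and the sample sender addresses are all constructed for illustration (the abclimited.com / abclmited.com pair is the one quoted above), and a real deployment would plug this into the mail gateway or a finance-team mailbox rule.

```python
"""Flag sender domains that are near-misses of a company's own domains.

Added example, not code from the original article. TRUSTED_DOMAINS,
CONFUSABLES and SAMPLE_SENDERS are constructed values.
"""
from __future__ import annotations

# Domains the company actually controls (constructed; lower-case).
TRUSTED_DOMAINS = {"abclimited.com"}

# Character swaps commonly used to build look-alike domains (assumed list).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Constructed inbound senders to triage.
SAMPLE_SENDERS = [
    "dan@abclimited.com",        # genuine
    "dan@abclmited.com",         # missing "i", the example from the article
    "dan@abc1imited.com",        # digit 1 in place of the letter l
    "dan@abclimited.com.evil.example",  # trusted name buried in another domain
    "accounts@supplier.example",  # unrelated third party
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete
                           cur[j - 1] + 1,       # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold confusable characters so 'abc1imited' compares equal to 'abclimited'."""
    d = domain.lower()
    for lookalike, plain in CONFUSABLES.items():
        d = d.replace(lookalike, plain)
    return d


def classify_sender(address: str, trusted: set[str] = TRUSTED_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for an email address.

    'lookalike' means the domain is not ours but is within a small edit
    distance of one of ours, matches after confusable folding, or embeds one
    of our domain labels inside a foreign domain.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    for t in (x.lower() for x in trusted):
        if domain == t or domain.endswith("." + t):
            return "trusted"            # our domain or a subdomain of it
        if normalise(domain) == normalise(t):
            return "lookalike"
        if levenshtein(domain, t) <= max_distance:
            return "lookalike"
        if t.split(".")[0] in domain.split("."):
            return "lookalike"          # e.g. abclimited.com.evil.example
    return "external"


def flag_suspicious(senders: list[str]) -> list[str]:
    """Return only the addresses that should be held for manual verification."""
    return [s for s in senders if classify_sender(s) == "lookalike"]


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:40} {classify_sender(sender)}")
```

Anything classified as "lookalike" should not simply be rejected silently; it is exactly the message a finance team member should take to the named sender in person, which is the verification step the article recommends below.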

What you can do to protect your business from CEO fraud:

In cases of CEO fraud, it can often take a long time for someone to realise that they’ve been defrauded. Action Fraud has warned that not only is CEO fraud on the rise, with increasing financial losses to companies, but hardly any of the money is ever recovered.

  • Come up with a way that all team members can verify whether a payment instruction is legitimate. This could be a ‘safe word’ or having a second senior person verify it. Or, better yet, go over to the person who sent the request and confirm it in person.
  • Review recent transaction history regularly to check for any inconsistencies or transactions you don’t recognise.
  • Be aware of the information you make publicly available about your business, staff members and third-party suppliers.
  • Awareness and training are key. Ensure all members of staff are trained on this type of fraud, not just those with financial responsibility.