CEO Fraud: The "Grandparent Scam" for Businesses

by Patrick Müller
03.03.2023

From an auditor's perspective, recent years have shown that new fraud methods have emerged which increasingly target companies through new media and through their employees. Fraudsters pose as members of the executive board or as senior managers of the company and instruct employees to take actions. This method is called CEO Fraud, also known as the "Grandparent Scam for Businesses."

Understanding CEO Fraud

Fraudsters either send realistic-looking but fake emails, compromise the executives' email accounts, or call the targets directly. Increasingly, more complex attack scenarios are also constructed in which several employees unknowingly become victims or accomplices.
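As an added example (not code from the original article), the following Python check shows how a mail gateway or mailbox rule could surface the warning signs of a fake executive email before it reaches accounting: a display name that matches an executive while the sender address lies outside the company's own domains, a Reply-To that redirects answers elsewhere, an external origin at all, and the urgency and confidentiality wording described in the article. The executive list, the internal domain list, the keyword list and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: executives whose identity a fraudster might
# borrow, and the company's own mail domains (not real data).
EXECUTIVES = {"anna example", "bernd beispiel"}
INTERNAL_DOMAINS = {"corp.example", "mail.corp.example"}

# Wording typical of CEO-fraud messages: time pressure and secrecy.
PRESSURE_WORDS = re.compile(
    r"\b(urgent|immediately|today|confidential|discreet|discretion|do not discuss)\b",
    re.IGNORECASE,
)

# Constructed sample message imitating an executive from a free-mail domain.
SAMPLE_SPOOF = """From: "Anna Example" <anna.example@free-mail.example>
To: accounting@corp.example
Reply-To: anna.example.ceo@other-webmail.example
Subject: Urgent and confidential: acquisition payment

Please transfer the amount today and keep this discreet until I am back.
"""

# Constructed sample of an ordinary internal message from the same executive.
SAMPLE_LEGIT = """From: "Anna Example" <anna.example@corp.example>
To: accounting@corp.example
Subject: Q1 budget review

Can we move the review to Thursday?
"""


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw):
    """Return the list of warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, address = parseaddr(msg.get("From", ""))
    from_domain = _domain(address)
    flags = []

    # 1. An executive's display name on an address outside company domains.
    if name.strip().lower() in EXECUTIVES and from_domain not in INTERNAL_DOMAINS:
        flags.append("display_name_impersonation")

    # 2. Replies silently redirected to a mailbox in a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("reply_to_mismatch")

    # 3. External origin at all: the "mark external content" control.
    if from_domain not in INTERNAL_DOMAINS:
        flags.append("external_sender")

    # 4. Pressure and secrecy wording in subject or body.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if PRESSURE_WORDS.search(text):
        flags.append("pressure_language")
    return flags


def banner_for(flags):
    """Text a gateway could prepend so the recipient sees the risk at a glance."""
    if not flags:
        return ""
    return "[EXTERNAL] Warning signs: " + ", ".join(flags)


if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_LEGIT):
        print(banner_for(assess_message(sample)) or "no warning signs")
```

In production the same logic lives in the mail gateway's external-sender tagging and the executive list comes from the HR or directory system rather than a hard-coded set; the point is that the recipient sees the mismatch between the familiar name and the unfamiliar address without having to inspect headers.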

The Two Phases of CEO Fraud

The Long and Meticulous Preparation

  • Publicly available company information is used.
  • Details about ongoing projects, upcoming investments, restructurings, or current business partners are often incorporated into the "scenario story."
  • Information about employees on social media (promotions, absences, roles in the company, special events, etc.) is used to expand scenarios or as an entry point for conversation.

The Short and Targeted Execution

  • Contacting selected and previously targeted employees.
  • Using a fake identity combined with a well-constructed scenario story and selecting an ideal time when key individuals are not available.
  • Ordering one or more large payments with high urgency.
  • Payments are often directed to foreign accounts, although hacked domestic accounts or unwitting intermediaries are also commonly used.

Planning and Execution of CEO Fraud

CEO Fraud is characterized by long and meticulous preparation, but the execution is rapid and highly targeted.

During the preparation phase, research is mainly conducted on who has authorization for the systems and bank accounts. Business social networks like Xing, LinkedIn, and Polywork are particularly valuable sources. Once the right target within the company is identified, the procedural or system-related aspect of the fraud is straightforward. The unwitting accomplices only need to be convinced to manually initiate a payout in the accounting or ERP system and start a special payment run, or enter the payment directly in online banking.

Early contact is often made with these individuals weeks in advance to build trust and familiarity. This can be achieved through simple questions about real business transactions or brief conversations with congratulations on birthdays, company anniversaries, or promotions.

Simultaneously, research is done on the interests and schedules of the executives whose identities will later be impersonated. The goal is to identify absences or periods of unavailability, which determine the timing of the attack. This unavailability and the reason for it are also built into the scenario story presented to the victims, so that simple checks confirm the story, for instance: "Yes, XY is attending that conference or is on the mentioned long-haul flight." During the execution of the fraud, the targeted employees are either called or sent fake emails, with particular emphasis on confidentiality and discretion. In addition, a fictitious sense of urgency is created to keep discussion with colleagues or superiors to a minimum.

These fabricated scenario stories usually revolve around special transactions, such as (fictional) corporate acquisitions or other lucrative purchases, like acquiring patent rights, real estate, or machinery. In this context, reasons are presented as to why a large sum of money must be transferred to a foreign account. Increasingly, domestic accounts are also used, with fraudsters having gained access to these accounts through another scam, enabling them to transfer the money abroad from there.

Social Engineering and Hacking for Information Gathering

In addition to public sources like official registries, two more digital approaches are used: Social Engineering and Hacking. Social Engineering involves spying on employees' personal environments on social networks to identify details such as positions, professional interests, résumé information, conference participation, and contacts.

This information enables a targeted and credible approach to potential victims by phone or email. Permissive settings in communication software such as Microsoft Teams, Skype, or Slack also contribute to information leaks by allowing external parties to see employees' availability or absence status.

Selected Recommendations for Prevention – Prevention is Key

  • Train, review, adjust, and secure processes.
  • Continuously detect and eliminate process deviations with data analysis.
  • Provide cybersecurity and social engineering training for Risk Management, Internal Audit, employees, and management, particularly for individuals with sensitive access or high-level authority.
  • Sensitize executives to the risks of process circumvention, which can facilitate identity theft.
  • Activate IT measures to easily identify external content for users.
  • Review external company information, as well as employees’ availability and absence.
  • Establish regular attack simulations – create an emergency routine similar to annual fire drills or test phishing emails.
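One concrete form of the data-analysis recommendation above, added here as an example and not taken from the article: a Python check that scores each outgoing payment against the warning signs the article names (initiation outside the regular payment run, a foreign or first-time beneficiary, a large amount, an approver who is absent at booking time) and flags the payments that accumulate several of them. The ledger columns, thresholds, IBANs and rows are constructed for this example, not exported from a real accounting or ERP system.

```python
import csv
import io

# Constructed sample ledger, one row per outgoing payment (not real data).
SAMPLE_LEDGER = """payment_id,booking_date,amount_eur,beneficiary_iban,first_payment_to_beneficiary,channel,initiated_by,approver,approver_out_of_office
P-1001,2023-03-01,12500.00,DE89370400440532013000,no,payment_run,j.doe,m.boss,no
P-1002,2023-03-01,480000.00,LT121000011101001000,yes,manual,j.doe,m.boss,yes
P-1003,2023-03-02,3200.00,DE02120300000000202051,no,payment_run,a.smith,m.boss,no
P-1004,2023-03-03,250000.00,DE75512108001245126199,yes,online_banking,a.smith,m.boss,yes
"""

# Assumed parameters for the example; a real review would take them from
# the company's payment policy.
HOME_COUNTRY = "DE"
LARGE_AMOUNT_EUR = 100000.0
REGULAR_CHANNELS = {"payment_run"}


def score_payment(row):
    """Return the list of warning signs that apply to one ledger row."""
    reasons = []
    amount = float(row["amount_eur"])

    # Manual or online-banking entries bypass the regular payment run.
    if row["channel"] not in REGULAR_CHANNELS:
        reasons.append("initiated outside the regular payment run")

    # The IBAN country code tells us whether the account is abroad.
    if row["beneficiary_iban"][:2].upper() != HOME_COUNTRY:
        reasons.append("foreign beneficiary account")

    # A beneficiary that has never been paid before deserves a second look;
    # this also catches hijacked domestic accounts used as intermediaries.
    if row["first_payment_to_beneficiary"].lower() == "yes":
        reasons.append("first payment to this beneficiary")

    if amount >= LARGE_AMOUNT_EUR:
        reasons.append("large amount")

    # Fraudsters time the request for when the approver is unreachable.
    if row["approver_out_of_office"].lower() == "yes":
        reasons.append("approver out of office at booking time")
    return reasons


def review_ledger(csv_text, min_reasons=3):
    """Map payment_id -> reasons for every payment with at least min_reasons signs."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_payment(row)
        if len(reasons) >= min_reasons:
            findings[row["payment_id"]] = reasons
    return findings


if __name__ == "__main__":
    for payment_id, reasons in review_ledger(SAMPLE_LEDGER).items():
        print(payment_id, "->", "; ".join(reasons))
```

Run against a real export, the same function turns a one-off audit into a continuous control: each night's payment run is scored, and anything reaching the threshold is routed to a second person for confirmation by a known phone number rather than by replying to the email that requested it. The threshold is deliberately a count of independent signs, so a single large but routine supplier payment does not trip it, while a first-time, manually entered, large transfer booked while the approver is away does.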

Conclusion

Preventing new fraud methods is becoming increasingly complex. To meet this complexity, an interdisciplinary approach to prevention is essential. In addition to traditional process controls, preventive (data) analyses, supportive IT configurations, and organizational changes, it is advisable to conduct preventive training for Risk Management or Internal Audit/Fraud Management. Participants gain expertise in data and information security, social engineering attacks, false identities and forgery detection, forensic data analysis, and are trained in a data-driven auditing approach.

Further Reading:

CEO Fraud: Der „Enkeltrick für Unternehmen“
Patrick Müller
Lecturer & Author | Data Analytics, IT Forensics, and Fraud Detection | Building & Training In-House Analytics Teams & Architectures in Corporations
