Early 2023: Already 10 million EUR in damages in 3 months due to CEO fraud

by Patrick Müller

23.03.2023

0 Shares

A touch of myth, a drop of hysteria... bring us a sacrifice... we know you trust us... because the order comes from the top...
This is not only sung by the Hamburg hip-hop group Deichkind but also by the CEO fraudsters who apply the grandparent scam to businesses, such as in January 2023, when they swindled approximately 2 million euros from a company in Erfurt.

Is this scam only about large sums?
The answer is clear: NO!

Recently, there was an incident in Langenhagen involving 18,000 euros, and in Kirchhorst, a forged order for 250,000 euros. Such smaller amounts rarely make front-page news or the national press, making these incidents less known, causing smaller companies to misjudge the risk. But these smaller frauds are no longer isolated cases; they have become a business model for fraudsters. For example, Europol identified and dismantled a network responsible for nearly 40 million euros in CEO fraud.

The ongoing trend toward smaller amounts in CEO fraud cases shows that no organization – regardless of size – is immune to such fraud attempts. Smaller companies, in particular, which often have less sophisticated IT infrastructure and automated processes, are increasingly vulnerable. They often rely on manual approvals and do not always have the technological means to effectively detect and prevent sophisticated fraud attempts.

The takeaway is that even smaller businesses need to engage in serious and proactive education within their organization. It is crucial that they inform their employees about the risks and signs of CEO fraud and conduct regular awareness training. They should also establish clear procedures for verifying and approving payment instructions to minimize the chances of fraudsters successfully stealing funds.

Additionally, even basic security measures such as two-factor authentication and regular checks of email addresses and request content can significantly improve security. It’s important that smaller companies also invest in training their employees and implementing adequate security tools to protect themselves from financial and reputational damage caused by CEO fraud.

Selected Recommendations for Prevention – Prevention, Not Reaction, Is Key

Train, audit, adjust, and secure processes.
Continuously detect and eliminate process deviations and exceptions with data analysis.
Train risk management, internal audit, employees, and management on cybercrime & social engineering, especially those with sensitive access or high authority.
Sensitize management and top executives that permitted process deviations can facilitate identity theft.
Implement IT measures to easily identify external content for users.
Verify external company information, employee availability, or absences.
Establish regular attack training – creating an alarm routine like annual fire drills or test SPAM emails.