The "Fake President" Fraud - How to Mitigate the Risk
In recent months, numerous European companies have reported that they were victims of the so-called fake president fraud. French businesses are said to have lost an estimated EUR 465 million since 2010 (http://www.bbc.co.uk/news/business-35250678, BBC News, 8 January 2016). According to statistics from the FBI's Internet Crime Complaint Center (IC3), a loss of over $1.2 billion was reported worldwide from October 2013 to August 2015 in connection with this fraud scheme (see: http://www.ic3.gov/media/2015/150827-1.aspx).
"Fake President" fraud or "Your President is calling"
What is a "fake president" fraud? This fraud scheme is based on a rather simple but highly effective scenario. Often the fraudsters use a bogus email address that appears to belong to a member of the company's management staff, such as the CFO or CEO. Then they contact an employee of the company by email or by phone and persuade him or her that an immediate and urgent transfer of funds from the company's bank account to a foreign bank (often an offshore destination) has to be made. To persuade the employee to execute the payment, the "fake president" tells the employee that he or she was chosen because of strong past performance and enjoys the full confidence of the "fake president" to manage this "challenging" and "time critical" situation. The employee is usually asked to keep everything "confidential" and not to talk to others about the matter, because otherwise a not yet disclosed "important deal or transaction" could be "endangered".
How to mitigate the risk
What can be done to protect a company and to avoid the risk of such an incident?
- Employees should be made aware of the "fake president" fraud and similar social engineering schemes and should be trained on how to avoid becoming a victim of such fraudsters.
- A company should have robust guidelines and processes in place on how payment transactions have to be handled.
- A financial authority limits policy should be in place that gives employees clear direction on the approval process.
- If possible, no payment instructions (at least not above a certain amount) should be given by phone or by email.
- A company should regularly review the information it makes public on its website or in social media, such as employee positions, email addresses, and phone numbers, and should consider removing the details of employees who work in crucial areas, such as the financial department.