CEO fraud involves the impersonation of a senior figure (usually the Chief Executive Officer) with subsequent requests for transfers of funds. Action Fraud, the UK’s national fraud reporting centre, have reported an increase in this type of fraud.
The most recent reports have involved targeting of schools where fraudsters have falsely claimed to be the head teacher or principal.
We issued an alert in January 2016 warning of the similar threat posed by mandate fraud.
What to look out for
Requests to your finance department or staff with authority to transfer funds, usually from a spoofed or similar email address to that of the subject being impersonated.
There are some reported instances where fraudsters have called up to make themselves appear legitimate. In addition, a second fraudster may be introduced who poses as a lawyer or regulator. The caller may claim to be based in another country.
With a strong social engineering element, the fraudster often requests that they, as the CEO, are not contacted further by the financial officer as they are busy.
Alternatively the fraudster may pick occasions when the real CEO is on holiday, preventing the financial officer from checking the validity of the request.
Protection and prevention advice
- review internal procedures regarding how transactions are requested and approved, especially those in relation to verifying validity
- email addresses can be spoofed to appear as though an email is from someone you know. Check email addresses and telephone numbers when transactions are requested. If in doubt request clarification from an alternatively sourced email address/phone number
- if an email is unexpected or unusual, then don’t click on the links or open the attachments
- don’t be afraid to question details when being tasked to transfer money at short notice
- sensitive information you post publicly, or dispose of incorrectly, can be used by fraudsters to perpetrate fraud against you. The more information they have about you, the more convincingly they can purport to be one of your legitimate suppliers or employees. Always shred confidential documents before throwing them away
If your charity has fallen victim to CEO, or any other type of fraud, you should report it to Action Fraud by calling 0300 123 2040, or visiting the Action Fraud website.
Charities affected by fraud should also report it to the Charity Commission as a serious incident, using the dedicated email address: email@example.com
Serious incident reporting helps us to assess the volume and impact of incidents within charities, and to understand the risks facing the sector as a whole. Where appropriate, the Charity Commission can also provide timely advice and guidance.
The Charity Commission, the independent regulator of charities in England and Wales, is issuing this alert to charities as regulatory advice under section 15(2) of the Charities Act 2011.