In this article, Richard Hudson, Partner, Litigation & Dispute Resolution at Deacons details the ‘CEO Fraud’ phishing scam and explains measures companies can take to both reduce the risk and mitigate after the fact.
Corporate fraud is nothing new, but the increased use of IT in the corporate environment over the last few decades, particularly where financial transactions are concerned, has been accompanied by the rise of a new type of corporate fraud: ‘phishing’ scams, where fraudsters use emails and phone calls to attempt to acquire sensitive information or steal money from businesses.
There are various types of phishing scams in operation around the world, but particularly prevalent at this time in the author’s experience is the ‘CEO Fraud’ phishing scam. The purpose of this article is to examine how this scam works, make suggestions as to what might be done to combat it, and look at the steps that should be employed to recover stolen money if a company falls victim to this scam.
The FBI’s Internet Crime Centre estimates that around 7,000 companies were defrauded of more than US$740 million over the last two years as a result of CEO Fraud, although it is possible that this figure is much higher, given that many companies are reluctant to admit being defrauded in this way (see The Bogus Boss Emails Scam Costing Firms Millions, bbc.com, 8 January 2016). It is believed that the CEO Fraud was invented by Gilbert Chikli, a French-Israeli national who was sentenced to seven years’ imprisonment in absentia in France in 2015 having defrauded more than 30 banks and companies out of up to £€9.7 million during 2005 and 2006 by using the CEO Fraud. Although Mr Chikli – believed to be based in Israel, out of reach of the French justice system – may now be retired, regrettably, many other criminal enterprises seem to have noted Mr Chikli’s success and there appear to be a number of criminals or criminal gangs still operating the CEO Fraud, causing losses to companies worldwide on a daily basis.
How does the CEO Fraud work?
In the experience of the author, the CEO Fraud is perpetrated against companies in the following way:
1. An employee in the company’s account department receives an email which appears to have been sent by a CEO or another higher level employee of the company. In reality, the email has been sent by the fraudsters, with the CEO’s email address either having been hacked or the email address being similar, but not identical, to the high level employee’s email address and with the difference not being immediately obvious to the recipient. Such emails are not routinely picked up by companies’ cyber-attack prevention systems.
2. The fraudulent email requests that funds be transferred immediately to an account in a different jurisdiction as part of a secret project that is being carried out by the company. The recipient is told not to tell anyone else about the transaction.
3. In some cases, the emails are accompanied by telephone calls from individuals impersonating the sender of the email, urging that the transaction be carried out promptly and reminding the recipient of the email of the need for secrecy.
4. Once the email is acknowledged by the recipient, the fraudster will often send further emails checking on the status of the transaction and, if the money is transferred as requested, the fraudster may send instructions for further transfers to be carried out. The author has seen cases where up to six transfers have been processed by the same company on the basis of such emails, followed up by phone calls.
5. Companies in many different jurisdictions have been targeted by the CEO Fraud. The author has acted for clients based in four different continents and in over 20 different countries who have fallen victim to this fraud, although it seems to be particularly prevalent in North America and continental Europe.
6. The funds are typically transferred between several different bank accounts to make recovery difficult. The author has encountered many examples of funds being transferred first to accounts held at banks located in Hong Kong, from which they are transferred to banks located in the PRC, where the money is apparently withdrawn as cash. The accounts in Hong Kong are typically held by recently incorporated Hong Kong or offshore companies. The directors and shareholders of these companies are either other corporate entities or PRC nationals of whom no trace can ever be found.
7. Whilst companies of all sizes and all types can fall victim to the CEO Fraud, in the author’s experience a company is more likely to become a victim where:
a. A senior employee has the power to order the transfer of funds without needing to involve a second corporate officer; and
b. The company is small enough that it does not have extensive rules in place regulating the transfer of funds, but at the same time is large enough that the accounts department staff do not know the senior staff personally, and therefore is more likely to be fooled when a senior staff member is impersonated on the telephone.
Whilst it can safely be assumed that the CEO Fraud is not always successful, and probably fails more often than not, the potential rewards can be enormous. Sums stolen from a particular company can run into the millions of US dollars.
 Prevention is better than cure Whilst no system is completely criminal–proof, companies can defend against the CEO Fraud by simply tightening their existing procedures or by ensuring that those procedures are always adhered to. For example, instituting a procedure whereby two individuals must always authorise any transfer of funds out of the company over a nominal amount should drastically reduce the chances of the CEO Fraud being carried out successfully as a second person will have to critically examine the transaction in question. Further, simple due diligence carried out by accounting staff can minimise the risk of the fraud succeeding – a request for an invoice in support of a transaction might defeat the fraud. Even where a fake invoice is provided (as is sometimes the case at the outset), simple internet searches may reveal that a transaction is illegitimate by, for example, showing that the company to which the money is to be transferred does not appear to operate any business or is using an address which does not exist. Even double checking the accuracy of the email address of the senior employee requesting the transfer of monies can significantly reduce the chances of becoming a victim of the CEO Fraud.Recovering stolen funds – who do you call? A company that discovers that it has fallen victim to the CEO Fraud has no time to waste: as explained above, the stolen money will likely not rest long in the account to which it has been transferred, and if action is not taken quickly is likely to be transferred to an account located in a jurisdiction where it is difficult to or freeze or recover stolen monies.Applying for and obtaining a Mareva injunction or similar relief to freeze the stolen monies is one way of trying to ensure that stolen money is frozen whilst proceedings are brought to recover it, but even if your lawyers work fast, they may be too late, as the use of electronic banking allows money to be moved to another account faster than an injunction can be obtained to freeze the account. Accordingly, there are other steps that can and should be taken as soon as possible in order to minimise the risk that stolen money is moved elsewhere: 1. Call the banks: effort should be made to contact both the company’s bank and the recipient bank to obtain information about the status of the transfer and the whereabouts of the monies. It is possible that whilst instructions have been given for a transfer, it has not been processed yet and can be recalled. Further, the company’s bank can be asked to lobby the recipient bank and ask them to hold the money whilst other measures are taken to freeze it. Recipient banks are placed in a difficult situation by the CEO Fraud: on the one hand, no bank likes to be used as part of a fraudulent scheme, and they will co-operate with the authorities to prevent fraud. On the other hand, banks have contractual duties to their customers, which usually include the duty to honour any instructions to transfer funds out of a bank account. Given also that it can take time to communicate the details of a fraud to the right person in a large banking organisation and to persuade them to take action, it may be that a recipient bank can do, or will do, nothing to stop further transfers of the monies. One possible solution is to point out to the bank any potential criminal consequences of transferring funds which they know or suspect are the proceeds of crime: in many jurisdictions it is a criminal offence to deal with such funds (for example, Section 25 of the Organised and Serious Crimes Ordinance criminalises such conduct in Hong Kong). A letter to a bank that sets out details of the fraud, attaches all relevant paperwork and points out the potential criminal consequences for moving the funds may make a bank pause before honouring transfer instructions received from a fraudster, and buy time to freeze the money by other methods. 2. Call the police: efforts should be made to contact the police in both the company’s home jurisdiction and the jurisdiction to which the money has been transferred. Whilst the company will likely be able to bring civil proceedings to recover stolen funds, it should not be forgotten that they have been the victims of a crime, and the police may well be able to provide useful assistance. For example, the police may have powers to freeze a bank account much more quickly than if an injunction were obtained via civil proceedings (this can be achieved in Hong Kong via the ‘letter of no consent’ procedure), and it is possible that the police may assist in recovering stolen funds or even carry out the recovery process themselves. 3. Call your lawyers: in addition to bringing proceedings to recover stolen funds or an application for injunctive relief to freeze the funds in the interim, lawyers can provide vital practical assistance during the recovery process. For example, in the author’s experience, it is easier to obtain prompt cooperation from the police if a face to face report of the crime is made rather than dealing with the matter over the phone or via email: if the company has no presence in the jurisdiction to which the money has been transferred, local lawyers can make such a report on their behalf. Local lawyers may also be able to provide valuable advice in relation to the most efficient way to deal with banks who have received stolen funds. 4. Call your insurers: some (but not all) companies have insurance policies which will allow them to make claims to recoup losses suffered by way of a CEO Fraud. These policies should be examined to see whether a claim can be made. Insurance companies can also provide vital short term assistance in relation to the recovery of funds, as they may know from previous experience how to ensure that money can be frozen at short notice or have preferred lawyers in a particular jurisdiction which the company can engage. Conclusion ––––––––––– |
