Attacks

CEO fraud and invoice fraud

What is CEO fraud?

CEO fraud is a scam in which criminals pose as company management and order an urgent transfer. In the related invoice fraud, a genuine invoice is intercepted or rebuilt with different bank details, so that the payment reaches the criminals.

The preparation is done from publicly available sources. Your website, company register entries and professional networks reveal who runs the business, who handles the accounts and which suppliers you work with. In some cases a business partner's mailbox has also been taken over. The attacker reads the genuine correspondence and joins it at the right moment, which is why the message reads correctly and refers to an order that really is in progress.

The signs are recognisable. A familiar invoice arrives with different bank details, often explained as a change of banking arrangements. The sender address differs by a single character, or the reply address points to an unfamiliar domain. The instruction is urgent, is to be kept confidential and arrives while the manager concerned is demonstrably travelling. A familiar voice on the telephone proves very little either, because voices can be reproduced by technical means.

The most effective first step is a written payment rule. Every change of bank details and every payment above an amount your business defines is confirmed by calling back the telephone number held in your own master data, and a second person approves it. The rule applies to instructions that appear to come from management as well. That exemption is exactly what the criminals are looking for.

Once money has left the account, every hour counts. Contact your bank immediately, because a recall may still succeed if the report is very fast, and report the matter to the police. In parallel, check whether a mailbox has been taken over: unknown forwarding rules, logins at unusual hours and altered signatures all point that way. Change the passwords concerned, switch on two-factor authentication, meaning a second proof of identity in addition to the password, and inform the business partner whose invoices were abused.

Misuse of your own domain can be made harder by technical means. SPF, DKIM and DMARC are entries in your domain's naming system that tell receiving servers which servers may send on your behalf. When they are set correctly, a forgery using your sender address is rejected. The IT Check reviews these records and looks at how payment approvals actually work in your business.

All terms in the knowledge base

From the term to practice

Where does your business actually stand?

The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.

Book a first call