The “Fake President” fraud can affect both small and large companies, and its consequences can jeopardise the future of the enterprise. There are, however, many ways to reduce the risk by implementing a few best practices.
This type of scam appeared about ten years ago and has been widely publicised in France. It still regularly affects companies, from small local businesses to large international groups. Its success relies on social engineering, which exploits psychological weaknesses to obtain the information needed for the scam.
There have been many cases of “Fake President” fraud in France over the past few years. A major agri-food group lost 17 million euros in 2013, a well-known tyre manufacturer was scammed out of 1.6 million euros in 2014, and a global audit firm belonging to the “Big Four”, supposedly an expert in these risks, lost 8 million euros in 2012. But the scam also affects much smaller companies, with more serious consequences: a transport company lost 150 K€ in 2019, and an SME specialising in library construction lost more than one million euros in 2015. In the North of France, a well-known aquatic museum suffered a loss of half a million euros a few years ago.
How does the fraud work?
The “Fake President” fraud targets companies and follows a well-established pattern:
- Preparatory phase: social engineering. Criminals prepare their attack by collecting key information about the company's organisation: the management organisation chart, the managers' identities, their email addresses and phone numbers, the list of subsidiaries (including those abroad), and the names of the banks the company uses. This information can be collected by a direct approach with a pretext, for instance by calling the company switchboard and claiming to be a potential customer. Sometimes the information is simply available on the Internet, which makes the criminals' job even easier.
- Direct approach of a target employee, by phone or email. The finance and accounting departments are especially targeted because they initiate payments in the organisation. The criminal poses as a top-level executive of the company, for instance using an email address close enough to the executive's to confuse the employee. The fake President asks the employee to wire a large amount of money for an important purpose, usually urgent and highly confidential.
- Once the employee has made the transfer, the money is quickly moved from one bank account to another and ends up abroad within a very short time. The consequences can be devastating for both the employee and the employer.
The scam relies on well-identified ingredients: knowledge of the organisation, the urgency and confidentiality of the transaction (in most cases a supposed acquisition), the trust placed in the employee, who is made to feel “special”, the timing (holidays, or a very busy period), and sometimes psychological pressure and threats.
Five best practices to mitigate the risks
1. Communicate, educate, increase awareness
Once you know how the scam works, its approach may seem obvious. Yet dozens of companies still fall victim to this fraud every year, which shows how important it is to keep raising awareness among companies and their employees. Even though finance and accounting departments are the usual targets, all employees must be reminded of the risk. It is important to communicate about the criminals' techniques and to explain the precautions to take when receiving a money transfer request. The awareness campaign must be permanent: the attacks can also target temporary staff during holiday periods, which criminals particularly favour.
During a fraud attempt against the company, management should communicate about it within the organisation in order to reinforce employees' awareness.
Once the transfer has been made, especially to an account abroad, the chances of recovering the funds are very low. Preventive communication is the most effective protection against the “Fake President” fraud.
2. Blocking the fraud at its origin: social engineering
Before attempting the fraud, criminals collect information about the company and its managers. They then use this information to pose as a manager of the company and target the employees who are able to initiate money transfers.
It is recommended, as far as possible, to avoid publishing information about the organisation chart and the executives. Many companies publish this information on their websites, sometimes with the email addresses and direct phone numbers of their managers. This is an open front door for criminals, who will not even need to resort to social engineering.
When this information is not public, criminals will contact the company switchboard directly to obtain it. They may use a pretext to get the names and contact details of the managers, posing as a potential customer, a former colleague or even an official.
Employees likely to receive such requests (switchboard operators, assistants, secretaries) must be trained on these risks. It is recommended not to give out the requested information at the first contact, but rather to ask for the requester's contact details, check with the managers concerned, and call back if the request is deemed legitimate.
These measures are necessary but not always sufficient to prevent criminals from collecting information. They can, for instance, use professional social networks such as LinkedIn to find the identity of the Chief Financial Officer. In large companies, email addresses usually follow a predictable pattern (for example firstname.lastname@example.org), so criminals can easily guess an employee's email address once his or her identity is known.
3. Implement controls and security protocols
Even when criminals have collected enough information to impersonate a company executive, strict processes will prevent them from carrying out the scam. Among these protocols:
- Purchasing processes. They must follow a well-defined workflow within the organisation. Payments must be initiated on the basis of a supporting document, ideally an invoice. The payment requester must be clearly identified within the company. The communication and tracking flows must be structured and secure. Ideally, the payment request is made through the company's enterprise resource planning (ERP) system and follows the complete purchasing process: purchase request, purchase order, goods receipt, invoice. In any case, an urgent transfer request by email, without any supporting document, to an unknown bank account should always alert the recipient.
- Execution of payments and transfers. It is highly recommended to implement a dual-signature protocol for transfers above a certain amount, for instance by the accounting manager and the business unit manager; this greatly reduces the fraud risk. International transfers should also be subject to a specific protocol and additional controls.
Once implemented, these protocols must be followed regardless of the context, in the face of pressure from criminals and of the organisation's vulnerability during holiday periods.
4. Be able to detect the signs of a fraud attempt
The company's internal communication must educate employees about the specific features of the “Fake President” fraud. The arguments and methods used by criminals are usually similar, and once known they are easy to detect, which makes the scam easy to avoid.
- The origin of the transfer request. If the payment is requested by phone, check the number used and make sure it could belong to someone within the company; a hidden number should already raise suspicion. When the request is made by email, analyse the sender's address carefully. Be careful: the address can appear to match exactly the address of the executive being impersonated. By starting a reply to the message received, you may see that the “Reply-To” address is actually different from the one shown for the sender.
- The destination of the transfer. In most cases, the “Fake President” fraud materialises as an international transfer. Be aware, though, that the destination is not necessarily a far-away country in Asia or a tax haven: real cases show transfers within the European Union, for instance to Romania or Cyprus. The money is then quickly moved by the criminals to other accounts in other countries.
- The confidentiality of the request. Criminals use it to win the employee's trust. They may invoke a confidential investment project of which only the target is supposedly aware. The target employee feels that he or she has a special status with the managers, which contributes to the manipulation.
- The urgency of the payment. To reach their goal, criminals need the transfer to be executed as quickly as possible, to prevent the employee from checking the information and informing his or her managers. In real life, however, a high-value investment is prepared over a long period within the company and would never be financed by an express transfer of the kind requested by the criminals.
- Flattery or, conversely, threats. These are simply tools used by criminals; a manager never needs such techniques to ask a subordinate to make a payment.
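The checks on the sender's address described in the first point of this list (a From header that looks exactly right, a Reply-To that points elsewhere, a look-alike domain, an executive's name on an outside address) can be run automatically on the raw message headers before anyone acts on a transfer request. The Python script below is an added example, not code from the original article or from Solvest; the corporate domain example.org, the executive directory and the four sample messages are constructed for the illustration.

```python
import email
from email.utils import parseaddr

# Assumed corporate domain and a tiny executive directory (constructed for the
# illustration; a real check would read these from the company directory).
COMPANY_DOMAIN = "example.org"
EXECUTIVES = {"jane doe": "jane.doe@example.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_headers(raw_message: str) -> list[str]:
    """Return warning tags for a raw RFC 5322 message; an empty list means nothing odd."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    findings = []

    # 1. Sender domain: the company's own, a look-alike, or plainly external?
    if from_domain != COMPANY_DOMAIN:
        if 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
            findings.append("lookalike-domain")
        else:
            findings.append("external-domain")

    # 2. The display name is an executive's, but the address is not the one on file.
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and known != from_addr:
        findings.append("display-name-spoof")

    # 3. The trick described above: From looks right, but replies go elsewhere.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.lower().rpartition("@")[2]
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    return findings


# Constructed sample messages, one per scenario.
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example.org>\n"
        "To: accounting@example.org\n"
        "Subject: Q3 figures\n\n"
        "Please send me the Q3 figures.\n"
    ),
    "reply_to_trick": (
        "From: Jane Doe <jane.doe@example.org>\n"
        "Reply-To: Jane Doe <jane.doe@mail-secure-ceo.com>\n"
        "To: accounting@example.org\n"
        "Subject: Urgent and confidential\n\n"
        "Wire 250,000 EUR today, details to follow. Tell no one.\n"
    ),
    "lookalike": (
        "From: Jane Doe <jane.doe@examp1e.org>\n"
        "To: accounting@example.org\n"
        "Subject: Acquisition payment\n\n"
        "Please process the attached transfer immediately.\n"
    ),
    "freemail": (
        "From: Jane Doe <janedoe.ceo@gmail.com>\n"
        "To: accounting@example.org\n"
        "Subject: Quick favour\n\n"
        "I am travelling, please call me back on this number.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} -> {analyse_headers(raw) or 'no warning'}")
```

A script like this is a filter, not a verdict: a clean result only means the headers show none of these four signs, and a mismatch on an otherwise legitimate message still deserves a callback to the executive on a known number.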
5. Check the requester identity, report the fraud attempt
If, despite the precautions above, the target employee still has doubts, one last filter is highly effective at avoiding the scam: the employee must verify the legitimacy of the request by contacting the supposed requester directly, using contact details already known to the company rather than those given in the message. Whatever the size of the company, all employees normally have a way to contact their managers, at least by email or phone, and the managers can quickly confirm whether they really requested the transfer. Even if the request turns out to be legitimate, no manager would reproach a colleague for being cautious before paying out a large amount of money…
After a fraud attempt, it is important to report the event to the company's management or to the legal, finance or human resources departments, who must use these events to raise employees' awareness of fraud risks.
In a nutshell...
The consequences of a scam such as the “Fake President” fraud can be disastrous for companies, but it is entirely possible to avoid it. First of all, permanent communication to everyone in the company will greatly reduce the risk. Implementing protocols and control processes, and knowing the specific signs of this type of scam, will go a long way towards protecting the company against criminals.
Solvest can support your company in implementing awareness campaigns and carry out audits against the risk of scams, for instance by performing social engineering tests (collection of critical information about the organisation chart) and penetration tests (approach attempts), in order to improve your processes.