How to reduce CxO fraud risk

25 November 2025

Fraudsters use social engineering to impersonate senior executives or third parties acting on their behalf. Known as CxO fraud, these scams aim to manipulate employees into executing unauthorised payments or disclosing sensitive information. By profiling your company and exploiting urgency and secrecy, fraudsters can make their requests appear legitimate and convincing.

What happens?

  • Fraudsters will contact your company by e-mail or phone, acting as auditors, chartered accountants or even a government department undertaking an investigation. This is called spoofing. By these means, they gather information on your company's internal payment procedures as well as the people who carry out payments. Publicly available information on platforms like LinkedIn or Facebook can help fraudsters identify employees involved in payment processes.
  • Once fraudsters have gathered sufficient information about your organisation, they move to the next phase: contacting employees with authority to initiate large payments. Posing as the CEO, CFO, or another senior executive, they often use flattery—suggesting the employee is uniquely trusted to handle a sensitive task. To increase pressure, they may reference a confidential event such as the acquisition of a foreign competitor, stressing that the transaction must be executed urgently and discreetly.
  • Whatever the scenario, the fraudster explicitly stipulates that the transaction must be executed urgently and with the utmost secrecy.
  • The fraudsters may even call on an external consultancy (whose identity they have stolen) to make the operation more credible. The consultancy then contacts the target employee to confirm the transaction and reiterate the secrecy and urgency of the payment to be made. If the employee hesitates, the fraudsters will use several tricks such as name-dropping top executives in the company, flattery or even threats.

Variants of such fraud

Several variants exist, in which fraudsters pose as lawyers, notaries, police officers, help desk staff, etc.

Precautions to take

  • Always be cautious when you are asked to transfer funds urgently and secretly.
  • In the event of an urgent request, always call back the person who made the request on a known, previously verified phone number, or verify with a trusted party within the company.
  • Implement segregation of duties, such as the four-eyes principle for transactions, where at least two separate people have to sign payments.
  • Do not allow people to share authorisation devices (e.g. cards and PINs).
  • Ask employees to limit the level of detail they share on social media (e.g. LinkedIn, Facebook and Instagram) about the role they occupy within the organisation.
  • Appoint a reference contact (who is neither the CEO nor the CFO) who must be contacted when a confidential or urgent transaction is requested. That person can contact the company director personally to check the authenticity of the request. Important: this reference contact should remain confidential and not be disclosed externally.

Disclaimer

The information on this page is provided to you solely for informational purposes in order to make you aware of the most frequent cases of fraud and provide you with recommendations to protect yourself against it. This information does not ensure that your company, acting upon these recommendations, is or will be protected against any occurrence of fraud detailed on this website. No rights can be derived from the use of and reliance on the safeguards you take by following these recommendations. ING does not accept any responsibility or liability with respect to your reliance on and the actions you take as a result of these recommendations. This disclaimer is governed by Dutch law.