Corporate fraud

Protect yourself from fraud by learning about the types of scams and the countermeasures used to prevent them.

The following types of corporate fraud are described below:

  • CxO fraud
  • eBanking fraud
  • Invoice fraud

These fraud cases occur daily, worldwide, and generate billions in losses annually.

 

CxO fraud

Social engineering is used to profile your company, so the fraudster can plausibly pose as a senior manager or a third party acting on behalf of senior management and manipulate employees into executing payment transactions or divulging confidential information.

 

- What happens?

  • Fraudsters will contact your company by email or phone, acting as auditors, chartered accountants or even a government department undertaking an investigation. By these means, they gather information on your company's internal payment procedures as well as the people who make them. Also, information on social media (LinkedIn, Facebook) might help fraudsters to identify employees involved in payment procedures.
  • Next, posing as the CEO, CFO or another senior manager, they contact company employees who have the rights to make large payments, referring to a decision to possibly take over a foreign rival or to some other event requiring a major transaction.
  • It is common in these scenarios that the fraudster explicitly stipulates that the transaction must be executed urgently and with the utmost secrecy.
  • The fraudsters may even call on an external consultancy (whose identity they have stolen) to make the operation more credible. The consultancy then contacts the target employee to confirm the transaction and reiterate the secrecy and urgency of the payment to be made. If the employee hesitates, the fraudsters will use several tricks, such as name-dropping top executives in the company, flattery or even threats.

 

- Variants of such fraud

Several varieties exist, such as fraudsters posing as lawyers, notaries, police officers, helpdesk, etc.

 

- What safeguards to take?

  • Always be cautious when you are asked to transfer funds urgently and secretly.
  • In the event of an urgent request, always call the person who made the request back on a known, previously verified phone number.
  • Implement segregation of duties, such as dual-signing permissions, where at least two separate people have to sign payments.
  • Do not allow people to share authorisation devices (e.g. cards and PINs).
  • Ask employees to limit the level of detail they share on social media about the role they occupy within the organisation.
  • Appoint a reference person (who is neither the CEO nor the CFO) who must be contacted when a confidential or urgent transaction is requested. That person can contact the company director personally to check the authenticity of the request. Caution: such powers must not be known outside your company.

 

eBanking fraud

eBanking fraud covers phishing and malware infections. It may affect your company or your private life. Whatever the case, cyber criminals will try to steal money by obtaining the identification codes and electronic signatures of their victim. With these codes, they empty your bank accounts by transferring the funds to their own accounts.

 

- What happens?

  • You receive an e-mail, supposedly from your bank, claiming that a security check is required, that an account will be blocked or that a change will be made to the services offered by the bank. Other pretexts are possible. Each time, the aim is to get you to click on a link within the e-mail that diverts you to a false identification page that looks similar to your online banking.
  • On that page, you enter your access codes, which the criminals retrieve because you are on their site and not your bank's site. With your codes, these criminals can access your online banking and execute transactions.

 

- Variants of such fraud

  • You receive a call from a fraudster pretending to be a bank employee, who claims to be performing some sort of security check or 'update' and asks you to generate one or more response codes with your smartcard and reader. The fraudster will use these to log in to the bank's eBanking website and to enter and sign transactions on your behalf.

 

  • Your computer is infected with malware. Such infections typically occur when you open attachments or links in a malicious email you have received, or when you visit compromised websites that exploit vulnerabilities in your web browser or operating system to install malware on your PC. Once the malware is active, several scenarios are possible, depending on the type of malware. Ultimately, all these scenarios lead to the malware trying to create and execute fraudulent payments on your behalf.

 

- What safeguards to take?

  • Keep your PIN and generated security codes secret. Never reveal these secret codes to anyone who asks for them, e.g. on the phone, in email, via SMS, WhatsApp message or face-to-face. ING staff will never ask you for your codes.
  • Never generate a security code when not accessing or using online banking yourself.
  • Always check the details, i.e. amount, beneficiary name and account numbers of all payments you are about to sign.
  • Always close the active web browser session properly by clicking on 'Log out'. Never leave your computer unattended when you have an active session: close the session or lock your computer.
  • Implement dual signing: the person who must add the second signature takes an independent look at the transaction and can detect fraud more easily. Never leave both signatures in the hands of the same person, and check what you are signing. Always make sure that the first and second signers use different PCs, as this will increase your chance of detecting fraudulent payments created by malware.

 

Invoice fraud

Invoice fraud takes many forms. In all cases, the fraudsters replace the banking details of the company that issued the invoice with their own and, as a result, receive the invoiced amounts.

 

- What happens?

  • The criminals intercept the invoice, either between the time it is posted and its receipt or by hacking the mail accounts used for sending invoices by email.
  • The fraudsters change the invoice so that it shows their own banking details. They can do this in different ways: a new invoice is compiled with the new details, a sticker (often fluorescent) with the fraudsters' banking details and mentioning a change of bank is placed over the real banking details, etc. Then the invoice is sent again.
  • The invoice is received and paid to the new bank account number. It is highly likely that the following invoices will also be paid to the wrong account until the real issuer of the invoice realizes that their invoices have not been paid and contacts the debiting company.

 

- Variants of such fraud

Invoicing fraud comes in several varieties. For instance, the debiting company receives an email from what it thinks is its supplier, stating a change of bank and consequently of account number. This message will bear the supplier's letterhead and seem legitimate. In such cases, no invoices are intercepted, but an ordinary message with the new banking details is sent. All pending invoices as well as subsequent invoices will be paid to the new account number.

Whatever the scenario, the aim of the criminals is to change what we call the supplier's details (phone number, bank references, email address) in order to steal funds.

 

- What safeguards to take?

  • Validate the invoice: Did you expect the invoice? For this amount? Are the supplier details unchanged compared to previous payments?
  • Any change in your suppliers' details (address, phone number, email address, account number, etc.) must result in a phone call to a verified number (not to the number indicated on the invoice itself), to check the validity of the requested change.
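
As an added example (not part of the original page and not ING code), the checks above can be run automatically before an invoice is released for payment. The vendor master, purchase-order table, field names and sample values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Details:
    """Supplier details, either on file (verified) or as printed on an invoice."""
    iban: str
    email: str
    phone: str

@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    po_number: Optional[str]
    amount: float
    details: Details

def _norm(value: str) -> str:
    return "".join(value.split()).upper()  # ignore spacing and letter case

def review_invoice(inv, master, open_pos, tolerance=0.05):
    """Return (findings, callback_number). Any finding means: hold the payment."""
    on_file = master.get(inv.supplier_id)
    if on_file is None:
        return ["supplier not in vendor master"], None
    findings = []
    expected = open_pos.get(inv.po_number)
    if expected is None:
        findings.append("invoice not expected (no open purchase order)")
    elif abs(inv.amount - expected) > tolerance * expected:
        findings.append("amount differs from purchase order")
    for field in ("iban", "email", "phone"):
        if _norm(getattr(inv.details, field)) != _norm(getattr(on_file, field)):
            findings.append(f"{field} differs from vendor master")
    # The call-back number always comes from the record on file, never the invoice.
    return findings, on_file.phone

# Constructed sample data (not real accounts or numbers).
MASTER = {"SUP-001": Details("XX00 TEST 0000 0000 01", "billing@supplier.example", "+00 000 000 001")}
OPEN_POS = {"PO-7001": 1200.00}
GENUINE = Invoice("SUP-001", "PO-7001", 1200.00,
                  Details("xx00test0000000001", "billing@supplier.example", "+00 000 000 001"))
ALTERED = Invoice("SUP-001", "PO-7001", 1200.00,
                  Details("XX00 TEST 0000 0000 99", "billing@supplier.example", "+00 000 000 999"))

if __name__ == "__main__":
    for inv in (GENUINE, ALTERED):
        print(review_invoice(inv, MASTER, OPEN_POS))
```

A non-empty list of findings should route the invoice to a person who calls the number returned by the function before anything is paid or the vendor master is updated.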

 

Important information

The information on this page is provided to you solely for informational purposes in order to make you aware of the most frequent cases of fraud and provide you with recommendations to protect yourself against it. This information does not ensure that your company, acting upon these recommendations, is or will be protected against any occurrence of fraud detailed on this website. No rights can be derived from the use of and reliance on the safeguards you take by following up these recommendations. ING does not accept any responsibility or liability with respect to your reliance on and the actions you take as a result of these recommendations. This disclaimer is governed by Dutch law.