CEO Fraud: A Fish Rots From The Head

The proverb from which this article takes its title is variously attributed to the English, Turks and Chinese, but its true origins seem to have been lost in antiquity. And yet, as ancient as the wisdom may be, it is still 100% relevant today.

In so many cases of private and public sector fraud and corruption, it’s the company CEO or senior government official at the heart of the scandal. This creates a culture of corruption that is very hard to reverse.

South Africa has seen more than its fair share of CEO-led fraud in recent years, and the names Johann Steynberg, Chris Warriner, Markus Jooste, Matshela Koko, Pepi Silinga, and Stephan Burger, among others, will be familiar to many of us for all the wrong reasons.

There are occasions, however, when high-level CEO fraud is not actually committed by a CEO at all.

That might sound confusing, but read on…

Often referred to as Business Email Compromise (BEC), the kind of CEO fraud we’re referring to here is the practice of sending an email that looks as though it comes from the CEO of an organisation but is in reality sent by a fraudster.

It typically takes the form of a request for money to be transferred into a particular bank account for services or products purchased. Although it might appear slightly irregular (the request is often for monies to be paid into a different account from the one you usually use, or there is an urgency about it), the person receiving the email usually feels pressured to comply because of the apparent seniority of the sender.

Most people won’t question a request from their superiors, and this is exactly what modern cybercriminals rely on – and it’s why so many CEO fraud attempts are successful.

So successful, in fact, that the FBI rates it as one of the most popular types of BEC attacks. Globally, between 2016 and 2021, there were 240 000 incidents accounting for losses of over $40 billion.

In South Africa, experts estimate the damage comes to around R2.2 billion per year.

Jess Burn, a senior analyst at Forrester Research, believes there is a definite reason for the spike in attacks, saying, “With geopolitical strife disrupting ransomware gang activity and cryptocurrency – the preferred method of ransom payment – imploding as of late, bad actors are going back to old-fashioned fraud to make money, so BEC is on the rise.”

While anyone within an organisation can be targeted, people working in Finance, HR and IT are most at risk. But even members of your executive team are vulnerable – they have greater authority to sign off on transactions and are usually so busy they don’t have time to properly examine what appears to be a legitimate request.

As with any type of crime – and cybercrime in particular – forewarned is forearmed. If you know what to look for, you have a better chance of spotting it.

CEO fraud can take many forms, but the FBI lists the most common as:

  • Spoofing: The scammer slightly varies a legitimate e-mail address and tricks victims into thinking fake accounts are authentic.
  • Spearphishing e-mails: These messages look like they are from a trusted sender and are aimed at tricking victims into revealing confidential information that allows criminals to access company accounts and obtain the details they need to carry out a BEC scheme.
  • Malware: Malicious software is used to gain access to legitimate e-mail threads about billing and invoices so that scammers can time their requests or send messages without accountants or financial officers questioning payment requests. It also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.

Here are just a couple of examples of recent scams:

  1. December 2021. A criminal network comprising French and Israeli nationals impersonated the CEO of a company specialising in metallurgy. The impersonator asked the company’s accountant to make an urgent and confidential transfer of €300 000 to a bank in Hungary. The fraud was discovered a few days later. The same group struck again, convincing a real estate developer to transfer €38 million abroad, thinking it was going to a reputable French accounting firm.
  2. February 2023. Gauteng Attorney Gavin Hartog believed he was transferring R1.4m into his client’s account but was unwittingly paying it into the Standard Bank account of a fraudster who had intercepted his email correspondence. The fraudster, who has never been caught, withdrew the money immediately. It has never been recovered. The South African High Court has since rejected Hartog’s claim that it wasn’t his fault and ordered him to pay the money to his clients.
  3. April 2023. PSG Wealth Financial Planning was ordered to pay a client more than R800,000 stolen by fraudsters who had hacked a client’s email and asked that their investment shares be paid into a new bank account. PSG argued that it could not be liable for the loss because it was their client who’d been hacked, but the Judge found that PSG had not complied with its own policy to protect its clients from cybercrime.
  4. January 2024. South African homebuyer Judith Hawarden unwittingly paid R5.5m into the bank account of a fraudster instead of that of law firm Edward Nathan Sonnenberg (ENS). Hawarden later instituted successful legal proceedings against ENS, arguing that they sent her their account details in an unprotected email. Earlier this month, however, the Supreme Court of Appeal upheld ENS’ appeal, saying that the loss did not occur as a result of any failing of their system but because Hawarden’s email account had been compromised.

These examples are a strong warning to us all: Do not pay anything – even if the demand comes from your CEO or any other person in authority and seems legitimate – until you’ve verified the details in person or over the phone.

So, what are some of the key warning signs to look out for?

Barclays Bank in the UK says that urgency is usually a red flag – it’s how fraudsters try to persuade us to bypass controls around payments. Reference to the payment being ‘special’ or ‘secret’ should also ring alarm bells.

The Financial Advisory and Intermediary Services (FAIS) Ombud has this advice:

  • Create strong and unique passwords for your email accounts and other online platforms. Avoid using information that can easily be guessed, such as your name or birthdate.
  • Keep devices and security software up to date.
  • Implement strict verification procedures – such as phone calls to the person you think has sent the email – and ensure staff are trained, vigilant and empowered to challenge any requests.
  • Look out for unusual email addresses, grammar errors and unexpected attachments or links in your correspondence.
  • Be aware of how much information is revealed about your company and key officials through your website, social media and out-of-office automated replies.
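The spoofing and warning-sign passages above (a slightly varied sender address, a display name that matches an executive, urgency, secrecy and a change of bank account) can be turned into a simple screening rule for a mailbox or gateway. The following is an added example written for this article, not code from the FBI, Barclays or the FAIS Ombud. The company name, executive, domains and the two sample messages are all constructed; the script assumes you maintain a list of your own trusted domains and the genuine addresses of your executives. A hit is a prompt for the phone-call verification recommended above, not a verdict.

```python
"""Heuristic screen for CEO-fraud / BEC indicators in an inbound email.
Added example; all names, domains and messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for a hypothetical company.
TRUSTED_DOMAINS = {"examplecorp.co.za"}
# Executive display name (lower-case) -> that executive's genuine address.
EXECUTIVES = {"thandi ndlovu": "thandi.ndlovu@examplecorp.co.za"}

URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today")
SECRECY_TERMS = ("confidential", "secret", "special", "between us")
PAYMENT_TERMS = ("bank account", "account details", "wire", "transfer", "new account", "eft")


def _term_pattern(terms):
    """Whole-word match so that e.g. 'eft' does not fire on 'left'."""
    return re.compile(r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\b")


URGENCY_RE, SECRECY_RE, PAYMENT_RE = map(_term_pattern, (URGENCY_TERMS, SECRECY_TERMS, PAYMENT_TERMS))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches a 'slightly varied' sender domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None.
    Distance 0 is the genuine domain, not a lookalike."""
    for t in trusted:
        if 0 < levenshtein(domain.lower(), t) <= max_distance:
            return t
    return None


def assess(raw_email: str) -> list:
    """Return the BEC indicator tags found in one single-part RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    if domain not in TRUSTED_DOMAINS and lookalike_domain(domain):
        findings.append("lookalike-domain")

    # Display name of a known executive, but a different mailbox behind it.
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr != genuine:
        findings.append("executive-name-mismatch")

    # Replies silently redirected to a different address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append("reply-to-mismatch")

    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if URGENCY_RE.search(text):
        findings.append("urgency")
    if SECRECY_RE.search(text):
        findings.append("secrecy")
    if PAYMENT_RE.search(text):
        findings.append("payment-instruction")
    return findings


def risk_level(findings: list) -> str:
    """Crude triage bucket; 'high' means verify by phone before paying."""
    return "high" if len(findings) >= 3 else "medium" if findings else "low"


# Constructed sample messages (not real correspondence).
SUSPECT_EMAIL = """From: Thandi Ndlovu <thandi.ndlovu@examp1ecorp.co.za>
Reply-To: ceo.office@examp1ecorp.co.za
To: accounts@examplecorp.co.za
Subject: Urgent and confidential transfer

Please process an urgent transfer of R300 000 to our supplier's new bank account today.
Account details attached. Keep this confidential until I am back in the office.
"""

LEGIT_EMAIL = """From: Thandi Ndlovu <thandi.ndlovu@examplecorp.co.za>
To: accounts@examplecorp.co.za
Subject: Board pack for Thursday

Please send me the draft board pack when it is ready. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("legit", LEGIT_EMAIL)):
        hits = assess(raw)
        print(f"{label}: {risk_level(hits)} {hits}")
```

The edit-distance check only catches domains that differ by a character or two (the "examp1ecorp" sample); a fraudster registering a wholly different domain, or writing from a compromised genuine mailbox as in the Hartog and PSG cases, produces no lookalike hit, which is why the content indicators and the phone call still matter.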

A video that appeared on the Barclays UK website is perhaps an appropriate way to conclude.
