Watch out for CEO fraud during the crisis
Home working makes businesses vulnerable
Many of us are currently working from home, and that brings certain risks. It makes businesses more vulnerable to CEO fraud, for example. That's the warning from the Anti Money Laundering Centre (AMLC), the Dutch Banking Association (NVB) and the accountancy and management consultancy PwC, recently published in the financial daily Financieele Dagblad.
CEO fraud is where scammers trick someone within an organisation by sending e-mails where they pretend to be one of the organisation's senior executives. They might con someone in the accounts department into making an urgent payment to an account abroad, for example. If the person getting the mail hesitates, there may be a follow-up phone call where the crooks say that they're from a law firm or the like. Convinced by the body of correspondence and calls, the victim makes the payment in good faith.
With so many people working from home, there's less short-line contact between rank-and-file workers and top managers. Where a firm's continuity is at stake, workers may also be under extra pressure and stress. "Home networks represent a further risk. They're generally less secure than company networks, and consequently easier to hack," says Suzanne Visser of the AMLC, a centre operated jointly by the police, tax fraud investigators and the Public Prosecutor's Office.
PwC has come across several cases this year where crooks got access to an executive's mailbox and therefore knew about upcoming transactions. The information they picked up was then used for a scam. Because of the current upheavals, many organisations are involved in transferring large sums of money. As a result, staff in accounts departments aren't surprised by urgent confidential requests. They're less likely to question instructions that seem to come from a boss, especially within organisations with more hierarchical cultures.
Cybercrooks are becoming more sophisticated. PwC accountant André Mikkers has seen cases where crooks monitored internal mail to see when the person who normally signed off transactions was away. The scammers then took advantage of that person's absence to get their fraudulent payment requests through.
You can reduce the risk of falling victim to CEO fraud by following these tips:
• Put CEO fraud on the organisation's agenda and get people talking about it.
• Tell staff never to be overawed by the status of the person making a payment request.
• Check payments by contacting recipients.
• Put clear payment procedures in place.
• Make sure everyone knows who is allowed to initiate payments.
• Ensure that significant payments always require more than one person's approval.
• Never make exceptions.
Many CEO frauds involve 'e-mail spoofing'. A spoof e-mail appears to come from the real address of the impersonated individual. That's done by falsifying certain fields in the message, such as 'From', 'Return-Path' and 'Reply-To'. You can make spoofing much harder by implementing the e-mail security standards DKIM, SPF and DMARC. The standards are often used together to verify the sender and the sending host, and to check that the message content hasn't been modified in transit. For the highest level of protection, we recommend using DNSSEC as well. DNSSEC is a security extension to the DNS. Many mail programmes already support DKIM, SPF and DMARC.
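As an added illustration (not part of the article or of any of the organisations it quotes), the script below shows how a receiving mail system uses a published DMARC record to decide whether a message's visible 'From' domain is backed by an SPF-authenticated 'Return-Path' domain or a DKIM signing domain, and flags SPF records that let anyone send on a domain's behalf. The records and header values are constructed sample data, not real DNS lookups, and the organisational-domain helper is a deliberate simplification (no public-suffix list).

```python
"""Added example: DMARC alignment check and SPF weakness check.
Sample records and domains below are constructed, not looked up."""


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' style record (as used by DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Rough organisational domain: last two labels (assumption: no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(dmarc_record: str, from_domain: str, spf_pass_domain, dkim_pass_domain):
    """Return (passes, policy): passes is True when SPF or DKIM passed AND is aligned
    with the visible From domain; policy is what the domain owner asks for on failure."""
    tags = parse_tags(dmarc_record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    return (spf_ok or dkim_ok), tags.get("p", "none")


def spf_weaknesses(spf_record: str) -> list:
    """Flag SPF terms that pass or stay neutral for every sending host (bare 'all' means '+all')."""
    return [t for t in spf_record.split() if t.lower() in ("+all", "all", "?all")]


if __name__ == "__main__":
    # Constructed case: the crook's own mail host passed SPF for its domain, but the
    # visible From claims the victim's domain, so nothing is aligned and p=reject applies.
    print(dmarc_result("v=DMARC1; p=reject; aspf=s; adkim=s", "example.com", "attacker.example", None))
    print(spf_weaknesses("v=spf1 include:_spf.example.net +all"))
```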
You can find out whether your domain name supports the recommended standards by visiting internet.nl. For advice on making your domain name and e-mail service more secure, it's usually best to contact your internet service provider or to put them in touch with your system administrator.
Using open standards can help you prevent CEO frauds that rely on spoofing. Another trick that cybercrooks use is typosquatting: registering a domain name that looks a lot like yours. A good way to deal with that is to use a service such as SIDN BrandGuard to proactively scan for squats.