CEO fraud targeting at least 400 firms per day

Business email crime reaches epidemic levels, with one group of scammers targeting more than 2,700 firms in just two months

Business email compromise (BEC) – more commonly known as CEO fraud – is affecting more than 400 companies per day, according to digital security experts Symantec.

Figures released by the organisation show that this species of fraud has claimed 22,000 victims around the world in the past three years, triggering losses of $3bn, and has now reached epidemic levels.

Geographically, the UK is the third-worst originator of business-based email scams, issuing 15% of fraudulent communications, with the US in second place (27%) and Nigeria first (46%).

The figures also show that almost 40% of targets are SMEs, raising serious questions over whether firms that form the bedrock of the global economy have the scope to grow if they are being undermined by such a dramatic wave of financial crime.

Other figures indicate that businesses are falling prey to the same offender over and over again. One group of scammers is responsible for 12% of all BEC activity and, from mid-May to mid-July, targeted more than 2,700 organisations via 147 different email accounts.

Most of the group’s criminality has stemmed from Nigeria, but some of its emails have also been issued from the UK and US.

Symantec notes that the current spate of BEC crime has evolved out of so-called ‘Nigerian 419’ scams that arose in tandem with the popular acceptance of email around two decades ago. In those scams, the offenders tended to pose as fictional dignitaries, promising substantial rewards for modest donations.

Typically, the old-style 419 scams targeted individual email users on, for example, Google, AOL or Yahoo! accounts, or through their work addresses. Now, scammers are approaching corporations, and posing as their senior executives.

The research stresses that CEO fraud has become particularly damaging to corporate reputations, following Austrian aerospace manufacturer FACC’s decision in May to fire its CEO Walter Stephan, after the company lost €42m ($47m) through a BEC scam.

Days after the figures emerged, new data from the UK’s Office for National Statistics (ONS) showed that one in 10 Britons had fallen prey to cybercrime over the past year.

The ONS’ move to include cyber incidents for the first time in its annual round-up of crime figures appeared to double the nation’s overall crime rate at a stroke.

Symantec offered three points of advice to business leaders concerned about the spike of CEO fraud:

  1. Question any emails requesting actions that seem unusual, or are out of step with normal procedures.
  2. Users should not reply to any emails that seem suspicious. Obtain the sender’s address from the corporate address book and ask them about the message.
  3. Use two-factor authentication for initiating wire transfers.

For thoughts on what corporate treasurers should do to protect their companies against CEO fraud, read this in-depth feature.