Identity theft on the Internet occurs when one person impersonates another in order to commit an unlawful act or cause damage. In the business world, it is commonly carried out to obtain money or confidential information, although the reasons may be manifold.

Nobody is safe from this crime, nor can they be certain that it will never happen. We are all susceptible to being a victim of this type of fraud, which can cause serious economic harm and damage our image.

Knowing the different types of scams, how they occur and what to do if they happen is the first step to preventing identity theft in companies.

CEO Fraud


CEO fraud is a scam based on the social engineering of companies. Cybercriminals impersonate a senior company employee, in most cases to deceive employees into carrying out fraudulent payment orders.

How does it work?

The scammer studies the victims and obtains information on the company. Once they have learned the organisational hierarchy and discovered the usual transactions made by the company, they impersonate the CEO or a senior executive of the organisation, usually by hacking their email account or creating a fake address. Then, they start sending emails and/or making calls to request payment to a third party, always urgently and confidentially. The goal is to discourage the victim from verifying the transaction.

Once the instructions have been received, the deceived employee proceeds to make the payments requested to the accounts controlled by the scammer.

What you can do to prevent CEO fraud in companies

  • In the event of any suspicious request, confirm the legitimacy of the transaction by another means of communication. Whether by phone or email, it is important to establish a double verification system with the manager in charge. Scammers will want to keep the matter under the utmost confidentiality so that you do not carry out the appropriate checks.
  • Even if the urgent requests come from senior employees in the company, don't feel pressured. Follow the usual procedures. Remember that hurrying the worker is a common tactic among scammers.
  • Be careful with the information you share on social networks about the company and the position you hold. Attackers will use all the information they can to carry out identity theft.
  • If the fraudulent transaction is finally executed, you must urgently inform the bank branch and file an official complaint with the police. Speed is a key factor in stopping the scam and curtailing potential damage.
  • You must not delete emails, telephone records and/or documentation provided by scammers. This is proof and may be required for a police investigation.

Invoice Fraud


Invoice fraud is a scam based on the social engineering of companies. It occurs when the scammer impersonates a supplier or employee in order to divert the payment of invoices.

How does it work?

Invoice scammers study companies, investigating their corporate website, social networks and even hacking employees' email accounts. Their goal is to discover the relationships they have with their suppliers, and find out the details of regular payments.

Cybercriminals impersonate the supplier and contact the company to request a new payment procedure, providing a new fraudulent bank account number.

From here, the victim will send all payments to the bank account controlled by the scammer. Such fraud can only be discovered when the legitimate supplier complains about the non-payment of invoices.

What you can do to prevent invoice fraud in companies

  • When you receive a request to change the bank account number from a supplier/creditor, contact them through a different means of communication to confirm the transaction. A double verification system, whether by telephone or by email, is essential to ensure the legitimacy of the transaction.
  • Carefully study each invoice and compare it with previous invoices that you know are genuine. Bank account details, the wording used and the company logo can indicate the authenticity of the document.
  • Consider removing information on customers or suppliers from the company's website and social networks. Revealing your employment relationships can be beneficial to your business, but it will also make things easier for identity thieves.
  • If you have been a victim of such a scam and you have made transactions to a fraudulent account number, you must urgently inform your bank branch and file an official complaint with the police. The speed with which you react will determine the extent of the damage.
  • Never delete emails, telephone records and/or documentation provided by cybercriminals. This is proof and may be required for a police investigation.

Any company may be the victim of this and other types of fraud. For this reason, training and awareness surrounding cybersecurity are crucial for users to be able to recognise fraud and report it in time.