What You Need to Know About CEO Fraud Phishing and the Vendor Desk
What does company culture have in common with CEO fraud?
CEO fraud phishing is the bane of the vendor desk’s existence. In addition to being tasked with a ton of manual processes, managing vendor compliance, and mitigating other risks, your vendor desk is also being asked to step up to the plate as a fraud prevention professional.
Aren’t we asking a lot?
I get it – there’s a lot at risk. Someone has to take responsibility and ownership over fraud attempts against your organization.
However, when we look at the mechanics of CEO fraud phishing – how it works, the consequences, and the human cost of mitigating the risk – a lot more becomes clear.
Let’s dive in.
CEO fraud (phishing) is a nefarious attack by a fraudster posing as your CEO. It’s a type of spear phishing – where bad actors send emails that appear to be from a trusted source in an attempt to gain access to sensitive or confidential information.
In other words, it’s bad news.
CEO fraud phishing that targets the vendor desk can have dire consequences. In most cases, this is an attempt by fraudsters to get your vendor desk to transfer money to a bank account that the fraudsters own.
It belongs to the same family as vendor impersonation fraud and, more broadly, business email compromise (BEC), of which it is one variant. All of these scams succeed by exploiting the target’s trust: bad actors pretend to be people they’re not in order to get access to money and/or data that doesn’t belong to them.
To see what this looks like in action, listen to Matt McDonald of the City of Vista talk about a near-miss his team had with a fraudster trying to steal money:
There are a few ways CEO fraud can happen, and each can be hard to catch. In the simplest version, the attacker uses your top executive’s name as the display name, but the message comes from an address the attacker controls. This is display-name spoofing (often just called name spoofing): the name is what most mail clients show, while the real address is hidden or truncated, especially on a phone. The address is usually made to resemble the real one as well – the same name on a different top-level domain (“.com” instead of “.gov”), or a domain that is off by a few characters – so that even someone who does check the address can be fooled. These are called lookalike (or cousin) domains.
Another way bad actors attack is by putting both the CEO’s name and the CEO’s genuine address in the From header and then setting a Reply-To address that differs from it. So when you reply, the email goes to the fraudster’s mailbox rather than to your CEO. Two caveats are worth knowing here. A forged From address on your own domain should be rejected by the receiving mail server if your domain publishes SPF, DKIM and a DMARC policy of reject, so check that it does. And in a true account compromise the attacker sends from the executive’s real mailbox, in which case every header checks out and only out-of-band verification of the request will catch it.
You can see how either of these scenarios might be problematic.
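To make the header checks concrete, here is an added example (not code from the original article, and not any vendor’s product) that triages a raw email for the three patterns just described: a display name that matches an executive but an address that does not, a sender domain that merely resembles the organization’s, including the “rn” for “m” trick mentioned later in this article, and a Reply-To that diverges from the From address. The organization domain (example.gov), the executive roster and the sample messages are all constructed for illustration. It deliberately covers only header signals; tone and intent still need a human.

```python
"""Triage inbound 'executive' email for display-name spoofing, lookalike
sender domains and Reply-To mismatches. Added example; the domain, the
executive roster and the sample messages below are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: the organisation's real mail domain and the executives whose
# names a fraudster is most likely to borrow.
ORG_DOMAIN = "example.gov"
EXECUTIVES = {
    "jane doe": "jane.doe@example.gov",  # CEO
    "sam lee": "sam.lee@example.gov",    # CFO
}

# Substitutions that survive a quick glance: 'rn' for 'm', 'vv' for 'w', '1' for 'l', '0' for 'o'.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def normalize(label: str) -> str:
    """Collapse look-alike substitutions so 'exarnple' compares equal to 'example'."""
    label = label.lower()
    for fake, real in _HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means 'off by a few letters'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = ORG_DOMAIN) -> bool:
    """True if domain is not the trusted one but could be mistaken for it."""
    domain = domain.lower()
    if domain == trusted:
        return False
    d_label, _, _ = domain.rpartition(".")
    t_label, _, _ = trusted.rpartition(".")
    if normalize(d_label) == normalize(t_label):  # same name, other TLD or homoglyphs
        return True
    return edit_distance(domain, trusted) <= 2  # off by a couple of characters


def triage(raw_message: str) -> list[str]:
    """Return the red flags raised by one raw RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name belongs to an executive, address does not.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display-name spoofing: '{from_name}' sent from {from_addr}, expected {expected}")

    # 2. Sender domain resembles ours without being ours.
    if from_domain and is_lookalike(from_domain):
        flags.append(f"lookalike domain: {from_domain} resembles {ORG_DOMAIN}")

    # 3. Replies would be routed somewhere other than the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"Reply-To mismatch: replies go to {reply_addr}, not {from_addr}")
    return flags


# Constructed sample messages (not real traffic), one per pattern plus a clean one.
SAMPLES = {
    "tld_swap": "From: Jane Doe <jane.doe@example.com>\nTo: vendor.desk@example.gov\n"
                "Subject: Urgent - vendor bank change\n\nPlease update Acme Supply's account today.\n",
    "homoglyph": "From: Jane Doe <jane.doe@exarnple.gov>\nTo: vendor.desk@example.gov\n"
                 "Subject: Bank details\n\nNew account attached, keep this between us.\n",
    "reply_to": "From: Jane Doe <jane.doe@example.gov>\nReply-To: Jane Doe <jane.doe.ceo@example.net>\n"
                "To: vendor.desk@example.gov\nSubject: Quick favour\n\nAre you at your desk?\n",
    "legit": "From: Jane Doe <jane.doe@example.gov>\nTo: vendor.desk@example.gov\n"
             "Subject: Q3 review\n\nSee you at 3.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw) or ["no header flags"])
```

A clean result from `triage` is not a green light: the compromised-mailbox case passes all three checks, which is exactly why a bank-change request needs a callback to a number you already had on file, regardless of how the email looks.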
CEO fraud is one form of business email compromise (BEC); you will also see it lumped in with whale phishing (whaling), which strictly speaking targets executives rather than impersonating them. Call it by whatever name you want, just don’t underestimate it. The FBI calls it the $50 billion scam: the total domestic and international exposed dollar loss (actual and attempted) from business email compromise between October 2013 and December 2022 was $50,871,249,501, to be specific.
Between December 2021 and December 2022, the FBI reports a 17% increase in identified global exposed losses from BEC. And a recent report from the Anti-Phishing Working Group (APWG) notes that it logged just under 5 million attacks in 2022 – making it a record year. The trend report also points out:
In other words, now is not the time to let your guard down. The attacks are only getting worse and there’s a ton at risk.
If the stats above are any indication, successful CEO fraud phishing attempts mean money goes down the drain.
But it also means your vendor desk faces the oversized burden of single-handedly trying to prevent this fraud. And as Jens Brown of Huron Consulting points out, vendor managers are generally not IT security experts:
Moreover, the burden of being solely responsible for stopping these kinds of attacks is putting unnecessary stress on your vendor desk. Trust us, these folks are losing sleep over the potential consequences if they fail to spot these very sophisticated CEO fraud phishing attempts.
Finally, let’s not forget the potential for reputational damage. What happens when a successful CEO fraud attempt results in you sending money to a fraudster instead of the actual vendor? What will that vendor think when they email or call to follow up on the missed payment and you have to explain what happened? And when word gets around, what will your other vendors think? Your competitors? Your industry?
To sum up, millions of dollars are potentially at stake. Your reputation is at stake. And the well-being of your vendor desk is at stake.
You have a lot to lose.
Phishing has been around for a while, so you may feel like you have a grasp on what these bad emails look like. Here’s the thing: CEO fraud is in a different class than the phishing scams of old that were sent to thousands of recipients.
The person in charge of vendor management has a busy day. There are 50 new vendors to onboard, which means collecting vendor data X 50, verifying bank account info X 50, and running vendor compliance checks X 50. That’s a gross oversimplification, but let’s go with it for the sake of this example.
These 50 new vendors are in addition to the hundreds (or potentially thousands) of other vendors that have payments due, need contact information updated, or have bank account update requests.
Let’s add another twist: since vendor onboarding and management is seen largely as an administrative function at this hypothetical organization, it’s not uncommon for the higher-ups to bypass preferred or documented workflows just to “get things done.” That means the vendor desk is used to the CEO and other executives asking for exceptions to be made.
In sum: the person steering the vendor desk is under pressure. So when an email request comes in that appears to be from the CEO asking for a vendor’s banking details to be updated ASAP, the heat is on.
It’s easy to talk about “vendor management best practices,” but it’s much harder to abide by them when you’re racing the clock – and a pile of never-ending, manual tasks – like the person in this example.
So the vendor desk does what they can: they check that the email looks legitimate. The sender’s address and name on it match the CEO’s. They make the change and check it off their to-do list.
Except it wasn’t from the CEO. It was from a bad actor with a bank account in the Cayman Islands who had successfully managed to reroute a legitimate vendor’s upcoming payment to their own bank account.
What went wrong? More importantly, how can the vendor desk avoid this bad outcome?
While we have a list below that you should definitely walk through and consider, let’s focus on the one thing you can change TODAY if you don’t want this to be you.
Change your culture.
If your vendor desk manager believes that your CEO or CFO or Controller would ever ask to break the vendor onboarding process, then, quite simply, you are at risk for CEO fraud phishing.
That aside, here are a few things to consider when authenticating requests:
Embrace skepticism – When it comes to bank account update requests or requests to share sensitive data, always be skeptical. Skepticism should prompt you to take additional steps to verify the authenticity of the requestor and the request.
Note the tone – This one can be tricky. Requests from a CEO are often inherently urgent, but we encourage you to take note when an email asks you to do something quickly and without question. These are exactly the types of tactics fraudsters use to bully people into acting without verifying the authenticity of a request. Anything urgent should immediately raise your red flag.
Question intent – Fraudsters often rely on the trust of their victims to perpetrate a scam. If you receive a request from someone who asks that you keep it confidential, question the intent of the sender. Are they trying to keep you from confirming the legitimacy of the request?
Watch out for inconsistencies – Sender name and email address are the obvious ones. But also look out for odd-looking account numbers, bank names, vendor names, and anything else that might seem slightly off. Remember, all it takes is one “rn” instead of an “m” to throw you off your game.
On a more strategic scale (see “change your culture,” above), there are things you can do as an organization to make sure CEO fraud phishing scams don’t get the best of your organization:
Documenting your processes is the big one. When you write down your procedures for supplier onboarding and change management (grab a template for that here), you can start (or continue) productive conversations about your vendor management strategy.
If you’re part of an organization that likes to break the rules, log each time you’re asked to make an exception (you can use this template) to the vendor onboarding or management process. Over time, this can help you present a compelling case to leadership for revamping your vendor management strategy in a way that bolsters security and fraud prevention. (And maybe shows them that they are the problem.)
Build a framework (like this one) that allows you to create, refine, and fine-tune your vendor compliance processes so everyone can rest a little easier.
Sadly, there’s no perfect fix for fighting CEO fraud. However, there are steps you can take to significantly reduce it. Automating your vendor onboarding process is one way to do this.
With automation, you transition from error-prone manual processes to automated workflows that save time, money, and your sanity.
Automated platforms move the entry of vendor information to the vendor – and who better to do it? When vendors enter their own contact and banking details through an authenticated portal, transcription mistakes are avoided and, more importantly, there is no longer an email path through which a “CEO” can ask the vendor desk to change a bank account: a bank-change request that arrives by email is, by definition, outside the process. One caveat: a vendor’s own portal account or mailbox can be compromised too, so every change to banking details should trigger confirmation through contact details you verified earlier, never through ones supplied in the request itself.
Additionally, an automated system can run the various compliance and bank account checks more quickly and accurately than one or two people who are also juggling a million other tasks. All vendor information update requests are completed by the vendor through a secure system, which then runs the necessary checks to confirm that compliance mandates are met and that bank account details are verified.
So while there’s no way to stop CEO fraud phishing attempts from arriving, there are proven ways to make it far less likely that they succeed against you and your organization.
CEO fraud is just one of the challenges vendor management folks deal with on a daily basis. We know it takes a toll. In fact, we’ve dedicated an entire day to singing your praises: Vendor Management Appreciation Day (VMAD) on December 12th.
We’re hosting a virtual soiree (actually, we have several events lined up) to honor and celebrate the tremendously challenging job vendor management professionals do each and every day.
We know that vendor management professionals handle a lot of responsibilities – and we also know it’s one of the most under-recognized roles in any organization, regardless of the industry.
If this piques your interest, will you join us to celebrate on December 12th?
VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
Learn more here, and grab some free vendor management goodies.