CEO email fraud costing billions to businesses

by Victoria Bruce, 14 Mar 2016
If your CEO sends you an email request to transfer a few million dollars from the company coffers into an offshore account, then your business might be the target of a sophisticated email scam.
This form of “business email crime”, where hackers impersonate the email account of a company’s head honcho and send requests for staff to transfer company funds offshore, has cost companies over US$2 billion in the past two years, according to the US Federal Bureau of Investigation.
The FBI says that while the average loss from the scam, also known as “CEO fraud”, is around $120,000, some companies have been duped into wiring up to $90 million into offshore accounts.
But if an employee unwittingly authorises the transfer of precious company funds to the scammer’s accounts, employers may find themselves without a legal footing to discipline that staff member, says employer lawyer Ben Burke.
“Whether an employer could discipline an employee who authorises a payment or transfer of company funds in reliance on a bogus request or instruction would depend on whether the employee complied with the company’s policies, procedures and processes for payments and transfers of company funds,” Burke says.
If an employee acted in good faith and complied with relevant company policies, procedures and instructions, it is unlikely the company could take action against the employee, says Burke, partner at Baker & McKenzie.
“Employers must implement clear and comprehensive policies, procedures and processes for authorising payments and transferring company funds,” Burke told HC Online.
“These policies, procedures and processes should include appropriate checks and authorisations which ensure any request for payment of money or transfer of company funds is genuine and complies with relevant legal requirements,” he says.
He says Australian employers should beef up their policies and procedures or risk falling victim to these scams.
“Employers need to critically assess the risks they are exposed to and develop appropriate policies, procedures and processes, including cyber security policies and protections, to effectively manage these risks,” Burke says.


  • by LJR 14/03/2016 12:01:41 PM

    The version of this circulating in the US has the HR person receiving an email from the CEO asking for the full list of employees, specifying that the list include name, home address, date of birth, social security number, and salary. Sadly, it appears this scam has worked a couple of times...
