Fraud using social engineering by email

Recently I was meeting with a contact who mentioned he had come across a strange instruction from his CEO to pay money relating to a contract into an offshore bank account. His CEO was offshore at the time, but the email just did not ring true.

The email did, however, appear totally authentic and was written in a style similar to his boss's. Nevertheless, his instincts caused him to send the boss a text, just to check the instruction out. And just as well he did! A scammer had infiltrated his boss's email and written the request on his behalf.

This type of fraud is becoming increasingly common and more sophisticated. A recent CBS News article cited FBI figures of US$1.8 billion in losses to this type of crime to date. They referred to it as the "fake CEO" scam.

It appears that the scammer infiltrates the company's email system, identifies who the key executives are, and develops a strategy to send instructions from the most senior people to the finance team to make payments to offshore bank accounts controlled by the scammer.

In the case I became aware of, the style of the email and all the headers and sign-offs were consistent with what was expected. It was this "social engineering" that very nearly paid dividends to the fraudster. It also indicated that this was not just a quick bulk email drop of the kind we commonly see; it was a very deliberate, targeted fraud attempt.

Last week, I was talking to a solicitor who had become very concerned about how he could verify email instructions to transfer substantial amounts of money to the bank accounts of his offshore clients. He did not want to be caught out by the "fake CEO" type of scam. I needed to re-emphasise the "know your client" rules of anti-money laundering and the verification of the bank accounts being used.

I also suggested that he should use a multi-factor authentication process by supplementing the email instruction with a confirmation of the instruction through another medium, such as an actual phone call or a text message initiated by him to the client's cell phone number that he had previously obtained at their initial meeting. The secret is that until you are totally satisfied and have independently verified the instruction, you should keep asking questions.

A company should have a policy that an email instruction to pay money to a bank account without the usual paperwork being in place, or to a new vendor, must also go through a rigorous multi-factor verification to minimise the risk of becoming a fraud victim. The policy should state that even if the request comes from the CEO or the most senior director, the policy must be followed. This empowers the finance team to critically examine all requests without feeling they are questioning the decisions of their bosses.
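The verification policy described above, and the out-of-band confirmation suggested to the solicitor, can be written down as a check the finance team runs before any payment is released. The following is an added example, not code from the author or from McGlinn Consulting Group; the vendor records, contact numbers and account formats are constructed sample data, and the function and class names are hypothetical. The essential design points are that the requester's seniority never bypasses the check, and that the confirmation number comes from records captured at onboarding, never from the message that carries the instruction.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PaymentInstruction:
    requester: str                 # identity the instruction claims to come from
    channel: str                   # medium it arrived on, e.g. "email"
    vendor: str
    account: str                   # destination bank account
    amount: float
    paperwork_attached: bool       # usual invoice/contract paperwork present
    callback_number: Optional[str] = None   # a number offered inside the message itself


@dataclass
class VerificationDecision:
    hold: bool                     # True: do not pay until independently confirmed
    reasons: List[str]             # policy triggers that caused the hold
    confirm_via: Optional[str]     # contact number from records to call or text
    warnings: List[str]            # things the verifier should not rely on


# Constructed sample records (hypothetical): vendor accounts and executive phone
# numbers captured at onboarding or at the initial meeting, never from an email.
KNOWN_VENDOR_ACCOUNTS: Dict[str, Set[str]] = {
    "Acme Supplies Ltd": {"12-3456-0000001-00"},
}
CONTACTS_ON_FILE: Dict[str, str] = {
    "ceo@example.com": "+64 21 000 0001",
}


def decide(instr: PaymentInstruction,
           known_accounts: Dict[str, Set[str]] = KNOWN_VENDOR_ACCOUNTS,
           contacts_on_file: Dict[str, str] = CONTACTS_ON_FILE) -> VerificationDecision:
    """Apply the payment-verification policy to one instruction."""
    reasons: List[str] = []
    warnings: List[str] = []

    # Policy triggers: new vendor, account not matching the vendor record,
    # or missing supporting paperwork.
    if instr.vendor not in known_accounts:
        reasons.append("new vendor")
    elif instr.account not in known_accounts[instr.vendor]:
        reasons.append("account differs from vendor record")
    if not instr.paperwork_attached:
        reasons.append("no supporting paperwork")

    if not reasons:
        # Routine payment with paperwork to a known account: no hold required.
        return VerificationDecision(False, [], None, [])

    # Note what is deliberately NOT consulted here: who the requester is or how
    # senior they are. The CEO's request gets the same treatment as anyone's.

    # Confirmation must go over a different medium from the one the instruction
    # arrived on, using details held on file rather than anything in the message.
    on_file = contacts_on_file.get(instr.requester)
    if instr.callback_number and instr.callback_number != on_file:
        warnings.append("callback number in message does not match records; do not use it")
    if on_file is None:
        warnings.append("no independent contact on file for requester; cannot verify")
    if instr.channel == "phone":
        warnings.append("instruction arrived by phone; confirm on a different medium")
        confirm_via = None
    else:
        confirm_via = on_file

    return VerificationDecision(True, reasons, confirm_via, warnings)


if __name__ == "__main__":
    # Constructed sample resembling the case in the post: a senior requester,
    # an unknown offshore payee, no paperwork, and a callback number supplied
    # in the email itself.
    suspicious = PaymentInstruction(
        requester="ceo@example.com", channel="email",
        vendor="Offshore Holdings", account="99-0000-0000000-00",
        amount=250000.0, paperwork_attached=False, callback_number="+1 555 0100",
    )
    print(decide(suspicious))
```

Run as a script, the sample instruction comes back with `hold=True`, the reasons "new vendor" and "no supporting paperwork", the on-file number as the confirmation channel, and a warning that the number in the email must not be used.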

In summary, the key takeaway for protecting your company against this type of socially engineered fraud is "trust but independently verify", using at least one medium different from the one the instruction arrived on. There has to be a strong policy, and permission, to question the veracity of the instructions and the destination of the funds.


Graeme is a Certified Fraud Examiner and forensic accountant at McGlinn Consulting Group Limited. He has over 35 years' experience in accounting, auditing and litigation support in New Zealand and overseas. He can be contacted via his website or by email at
