
CEO Fraud
Written by David Plaza
More and more, employees find themselves at the mercy of text messages or calls claiming to be from higher-ups at their workplace. Little do they know that the person on the other end is a cunning criminal, poised to exploit the unsuspecting. These deceptive contacts infiltrate personal and business phones alike, leaving victims vulnerable and their companies in jeopardy.
The impostor’s tactic is simple yet sinister—they assume the role of a CEO or Founder, skillfully manipulating newly hired employees into parting with something of value. Often, these criminals demand thousands of dollars in gift cards or other financial rewards, preying on the vulnerable and the unaware. This deceptive maneuver has earned the moniker of CEO Fraud.
The extent of this crime’s success is staggering. The FBI attributes over $26 billion in losses to CEO fraud, making it the highest-grossing cybercrime to date. With such immense financial ramifications, it has become an ever-looming threat, wreaking havoc on individuals and businesses alike.
CEO fraud manifests as a scam in which criminals utilize email, telephone calls, or texts to impersonate executives, manipulating lower-ranking employees into unauthorized wire transfers or divulging sensitive company information. However, the scope of this fraudulent scheme extends beyond direct money transfers. Criminals may coerce employees to alter payment addresses on existing invoices, disclose crucial banking or payroll details, make illicit gift card purchases, or even expose sensitive data that can be later used for blackmail or corporate espionage.
The success of these scams can be attributed to several key factors. The perceived power dynamic within an organization often clouds the judgment of lower-ranking employees. Fear of disappointing or upsetting their superiors compels individuals to comply unquestioningly with their requests. In doing so, scammers bypass all cybersecurity measures and protocols, rendering them ineffective in the face of human vulnerability. Furthermore, CEO fraud requires minimal technical expertise, making it an attractive option for criminals seeking substantial gains with minimal effort.
Each CEO fraud attack commences with meticulous research. The culprits diligently gather identity details of at least two individuals—the executive they plan to impersonate and their intended target.
Scrutinizing the company’s official website, social media accounts, and other publicly available sources serves as a starting point. However, these criminals go a step further, employing social engineering tactics or even physically visiting the office to gather more specific information by posing as a potential client, courier, or job seeker.
This painstaking research phase, lasting weeks or months, culminates in a carefully crafted plan, allowing scammers to approach their victims via email or telephone with a request that seems tailor-made for the situation.
The alarming $26 billion theft figure is likely a mere fraction of the actual cost of CEO fraud. Many attacks go unreported as organizations opt not to disclose incidents involving what they consider relatively small amounts of money.
Moreover, criminals have become increasingly innovative in their approaches. They exploit advancements in artificial intelligence, creating convincing deepfakes to deceive unsuspecting employees. By impersonating voices, they manipulate victims into fraudulent transfers or initiate fraudulent video calls, leaving victims none the wiser.
The threat of CEO fraud is a persistent one, plaguing even the most security-conscious organizations. Vigilance is key, as employees in various roles become targets. Finance departments, with their direct involvement in financial transactions, are prime targets. Human resources personnel, entrusted with confidential employee data, hold a wealth of information desirable to scammers. Executives, possessing significant financial authority, are crucial cogs in the fraudulent machinery. IT departments, responsible for access controls and password management, also find themselves in the crosshairs of these criminals.
While CEO fraud continues to plague companies, taking preventive measures can significantly reduce the risk of falling victim to these schemes. Employees should verify every payment and purchase request in person, scrutinize email sender addresses carefully, scan all email attachments for malware, and report any suspicious activity to the security team.
Employees should also avoid sharing personal information on social media, as scammers often exploit such details (e.g., pet names, birthdays, high school names, etc.) to guess passwords, and should set their social media accounts to “Private”.
It’s also important to recognize that executives and founders rarely contact new employees directly via personal phones, delegating such communications to assistants or department managers.
By implementing these precautions and staying informed, companies can strike a balance between operational efficiency and mitigating the risks associated with CEO fraud.
For information on how I can assist you in preparing against threats like this and others, contact me at [email protected]

Telephone Scammers Posing As Federal Agents
Written by David Plaza
Over the last few years, there has been an increase in people becoming victims of telephone scammers who conduct their criminal activity while posing as federal agents. In 2021, phone scammers stole approximately $29.8 billion from victims over those 12 months and the frequency of these crimes appears to be increasing.
Typically, the person impersonating a federal agent advises the recipient of the call that criminal charges have been, or soon will be, filed against them, and threatens to confiscate the recipient’s property, freeze their bank accounts, or have them arrested unless payment is made immediately. If the recipient questions the caller, the caller becomes more aggressive and threatening. The targets are advised that it will cost thousands of dollars in fees or court costs to resolve the matter, and the caller typically instructs people to wire “settlement” money or provide payment via prepaid cards, gift cards, or, recently, in Bitcoin to avoid arrest.
In many cases, the caller may have some personal information such as your residence or what kind of car you drive. They often use this as an opening to elicit further information, which can give them enough to not only scam money from you over the phone but also begin identity theft operations to obtain funds and/or valuables under your name.
The scammers will often call and provide their targets with a name, badge number, warrant number, and case number to imply legitimacy to their claims. However, providing that information via telephone should be a sign that they are not who they claim to be, and here is why:
Contacting you by telephone: Most law enforcement agencies, and especially federal agencies, will not contact you by telephone or inform you that you are the subject of a criminal investigation. If you were the subject of an investigation, an agent would contact you in person or, in rare cases, through the mail.
Badge Numbers: Most federal law enforcement agencies do not provide badge numbers to their agents nor do the badges they carry for identification have numbers on them. Federal agents are provided with a badge and identification card once they’re sworn in as agents and their identification cards only provide their name, agency, and position title (e.g., special agent). Being provided with a badge number by someone claiming to be a federal agent should be a red flag that they are not who they claim to be.
Warrant Number: Under no circumstance will a police officer or federal agent provide you with a warrant number or tell you they have a warrant for you over the telephone. There are only two warrants that law enforcement can have against you: a Search Warrant or an Arrest Warrant. No law enforcement agent/officer (either local or federal) will want you to know they have either until they serve them upon you in person. The reasons are as follows:
Search Warrant: Officers or agents will not tell you they have a search warrant over the telephone because they would not want a guilty subject to destroy any potential evidence before their arrival and service of the warrant (i.e., a search of your residence, place of work, person, or property).
Arrest Warrant: Legitimate police officers and/or federal agents will not volunteer that they have an arrest warrant for you simply because they would not want to risk having a subject flee before they could place them under arrest. In most cases, a subject will be unaware that law enforcement obtained an arrest warrant for them until they are contacted in person and placed in handcuffs.
Furthermore, both search and arrest warrants require the approval and signature of a judge, which means the agents already have enough evidence to establish probable cause for an arrest warrant or verifiable reasonable suspicion for a search warrant. Because of that, they would not need to question you over the telephone.
Telling a target that there is a ‘warrant number’ is simply a tool to instill fear into the target and coerce them into complying with their demands and providing information.
Case Number: While law enforcement agencies (local and federal) do have case numbers attached to their investigations, they normally do not provide them unless requested or they feel it may help them with their case (such as providing their card and case number to a witness in case they remember something later and wish to call).
Just like warrant numbers, case numbers are used by scammers to give a sense of legitimacy and urgency to their call while instilling fear in their targets to frighten them into complying with their demands.
If you are contacted over the telephone by someone claiming to be in law enforcement or a federal agent, consider the following best practices:
Do not give any personal information: Scammers will do some intelligence gathering on their target before contacting them. Due to that, they may have your current address or know what kind of car you drive.
Keep in mind that law enforcement has access to databases that will provide them with all the information that they would need about you. It would only take a second for a legitimate law enforcement officer or federal agent to obtain your birthdate, social security number, address, and vehicle information as well as a mountain of other information about you. Due to that, anyone who claims to be a federal agent or law enforcement officer but is asking for this information is most likely not who they claim to be.
Ask what office they’re stationed out of: If you receive a telephone call from someone claiming to be a federal agent, ask which field office they’re stationed at, let them know you will call them back, then hang up. You can then call that office and verify that you spoke with an actual agent that is assigned to that office…or that you didn’t.
Do not accept a field office number provided by the caller. Instead, look up that field office’s telephone number online and call that number. Law enforcement officers/agents expect to be asked for some kind of verification in situations where they are not easily identified. Legitimate officers/agents will not be angry or upset when someone acts intelligently and responsibly with them and wants to confirm the identity of the person with whom they’re interacting.
Do not let the caller bully or intimidate you: When a target begins sounding doubtful of the scammer’s story or does not readily provide the information they want, they will often become aggressive and threatening over the phone. The best course of action, if this happens, is to simply hang up and verify the identity of the caller.
Scammers rely on people being easily intimidated and led when they pose as authority figures, and it has proven to be very profitable for them.
Hopefully, by keeping the previous information in mind, you should be able to greatly reduce the likelihood of becoming a victim of a federal agent scammer in the future.
