Sergey Nivens - stock.adobe.com

Half a million UK firms hit by CEO fraud, Lloyds Bank estimates

Nearly 500,000 UK businesses are being hit by impersonation fraud, according to estimations by Lloyds Bank, with the legal sector most at risk

Impersonation fraud, also known as CEO fraud and business email compromise (BEC), is on the rise, warns Lloyds Bank, with small to medium-sized enterprises (SMEs) losing an average of £27,000.

BEC attacks are increasingly popular with cyber criminals to steal money and information as well as spread malware, a recent report by security researchers at Barracuda Networks revealed, with the top objective of such attacks being to trick recipients into transferring money into accounts controlled by cyber criminals.

Attackers typically compromise the email accounts of CEOs and other top executives so those accounts can be used to send messages to more junior staff members, tricking them into taking some action by impersonating the email account holder.

More than half (53%) of respondents to a Lloyds Bank survey said they had experienced scammers posing as their boss, while 52% said they had experienced fraudsters posing as suppliers through invoice fraud, where a false change in bank account details is sent from a legitimate-looking supplier.

These tactics are extremely effective in manipulating employees as well as partners and customers of targeted businesses. This is because few organisations have processes in place for checking or verifying instructions ostensibly received from a top executive in an email message sent from a genuine account.

BEC attacks, where scammers intercept a legitimate email trail and change the beneficiary bank account details, is an increasingly common method of impersonation fraud, according to Lloyds Bank. This is especially dangerous as fraudsters can change information in a genuine email thread, which means there are no other warning signs.

As email is not a secure method of communication, so any change of details or financial information should always be double checked with a trusted contact, warns Lloyds Bank.

The survey reveals the impact BEC attacks are having on SMEs, with 7% of companies affected saying they had experienced financial hardship and 6% admitting that they had to make employees redundant due to the financial impact.

With one in 12 respondents admitting they have been targeted by impersonation fraud, Lloyds Bank said it is likely that nearly half a million SMEs in the UK have been affected by these scams.

The survey data indicates a 58% rise in this type of crime in the year to date. However, as this is only reported fraud, the true scale of the problem is likely to be much larger, the bank said.

Law firms are the most susceptible (19%), the data shows, followed by human resources (HR) professionals (17%), IT workers (17%) and finance companies (16%).

To raise awareness and educate workers on how to stop scammers, the bank has teamed up with the government-backed Get Safe Online campaign. The initiative includes a video showing a team of CEO impersonators dubbed the “fraudstars” to demonstrate the ways in which scammers can dupe companies into making payments, based on real-life scams.

The survey revealed that only 20% of BEC victims say they now think twice when receiving a request at work. The research also reveals that a lack of precautions around online safety could be assisting impersonation fraudsters. More than a third (37%) of employees say they do not know what to look out for or do not have any security precautions in place, leaving them vulnerable.

Read more about CEO fraud

Gareth Oakley, managing director of business banking at Lloyds Bank said the rise of impersonation fraud is a very concerning issue for SMEs.

“We know that falling victim to these types of scams can be serious as the impact extends beyond just the financial implications. This is why we’ve teamed up with Get Safe Online – to help educate business owners and employees on how to recognise these scams and take the right precautions to protect themselves,” he said.

The fallout from fraud is not just financial. Respondents have reported that the attacks also caused emotional upset, with 15% saying they felt angry that they were targeted, while 8% said they could not trust people close to them.

The research also found that 5% of victims of impersonation fraud were so ashamed that they hid their mistake from their team, potentially with the fear of being fired on their mind.

However, hiding a mistake like this may only cause further problems. If the systems have been compromised, then fraudsters may be able to get access to other critical information, or make additional payment requests meaning that losses will increase, Lloyds Bank researchers said.

The most common techniques used in impersonation fraud include:

  • Changing bank account details – where scammers pose as suppliers or other contacts and notify victims that their bank details have changed and get businesses to make payments to the fraudsters bank account (commonly known as invoice fraud).
  • Phishing – sending emails, texts or voicemails purporting to be from a reputable company to get individuals to reveal personal information.
  • Fake emails pretending to be your boss or other senior colleagues – emails set up to look very similar to legitimate emails, which are sent to try and trick the recipient into paying funds to a fraudulent account.
  • Social engineering – the act of manipulating or tricking people into certain actions including divulging personal information or financial information.

Tony Neate, CEO of Get Safe Online, said the most effective way to counteract these fraudsters is to double check the details. “Verify any requests for amended payments to an organisation directly using established contact details. If you’ve received a suspicious email, always check with the person you believe sent it by asking in person, phoning them or using a different trusted communication method,” he said.

The survey of 1,500 SME workers further reveals that tech-savvy millennials face the highest risk of being targeted – with more than 1 in 10 (12%) falling victim or knowing someone who has fallen victim to impersonation fraud.

Read more on Hackers and cybercrime prevention