To be or not to be your CEO. That is the question.

Would you be able to spot a deep fake video of your CEO? Companies should prepare for the next wave of cybercrime in which criminals use AI-based software to impersonate voices and images. In this frightening new world, rigorous processes are key to managing a swift response to fraud, says Joe Hancock

How well do you know your CEO? This year criminals used AI-based software to impersonate a chief executive’s voice to defraud a UK-based energy firm out of €220,000. Experts believe the fraud was the first to be reported in Europe in which criminals clearly drew on AI, so companies should be prepared. The next wave of cyber fraud is expected to be ‘spear phishing’ – attacks that target individual CEOs and their companies using AI-generated voices, deep fake videos and more.

Cyber fraud is a booming business. It is predicted to cost the global economy $6 trillion by 2021 and can affect anyone or any company. It used to be considered a legal or revenue-protection problem, but these days it increasingly involves chief information officers, chief technology officers and chief information security officers. And rightly so. My own experience, however, indicates that many organisations are simply not prepared. There is a widespread failure to recognise that financial fraud is a risk that comes under their watch.

Without doubt, there is a need for more education about financial fraud, including the rapidly evolving technological weapons available to criminals and what can be done in terms of protection. But equally important is the need to establish effective anti-fraud processes within organisations. All too often, we see the window to recover funds has long since closed because responsibilities were unclear and processes not followed.

Speed is of the essence to combat cyber fraud, but you can only be quick if you know what to do. First, identify those who must be told of possible frauds – this may vary according to how big the fraud is. Make sure those people know they are responsible and that they understand the next steps. Our advice is always to follow the money first and investigate afterwards because this maximises the chances of recovery. Only if you have the resources should you attempt the two in parallel.

In a small company, the person assigned to dealing with fraud may have several other responsibilities; in a large organisation, the chances are it will be the chief information security officer. Again, our advice is to make sure you address the risk to your organisation with the appropriate level of resources and build fraud risk management into other risk-management processes such as tech, cyber, data and environmental risk.

Hold regular workshops to keep staff informed and alert about the risk of fraud and make them aware of how phishing and spear phishing are used to get emails, passwords and bank details. Explain how fraudsters access personal details to try to trick a victim and how they can impersonate customers, suppliers, banks, senior staff members and even the tax authorities.

Employ real-time threat software that can raise an alert when something goes wrong. Have processes within the accounts department to check payments and use two-person authorisation for larger transfers and payments. Whatever processes you put in place, ensure all staff realise the importance of following them at all times.

Foster a culture of care – and make sure that anyone who questions a payment or email that turns out to be bona fide is not made to feel bad, and is perhaps even rewarded. Time and again, a fraud is successful because people haven’t followed process, particularly when the order for payment has come from a senior member of staff. The natural inclination is to obey the hierarchy.

Next time you hear from the CEO it might not be by email; it might be a FaceTime call. You might be asked to transfer £20,000 to a Swiss bank account and congratulated at the same time on your recent wedding. Just because it looks like the CEO doesn’t mean it is the CEO. And just because you got married recently and the company gave you a nice gift, it doesn’t mean the CEO knew about it. The fraudsters did their research. Think twice. Think process.

Joe Hancock is Partner and Head of Cyber at Mishcon de Reya

Keep reading

C5 – 18th Edition Fraud, Asset Tracing & Recovery – Geneva – March 14-15, 2024
We are excited to announce that we are a media partner for American Conference Institute’s Fraud, Asset Tracing & Recovery Geneva conference that is taking place on March 14-15, 2024, in Geneva! Deemed as the foremost, can’t-miss event each year, the 2023 agenda will be fully revamped, and you don’t want to miss out on
IFG Conference in Hong Kong on 25th April 2024!
We are very excited to announce that we shall be hosting the International Fraud Group’s bi-annual conference in Hong Kong this spring, organised by Karas So LLP in association with Mishcon de Reya on Thursday 25th April 2024. This is a great opportunity for you to engage with international lawyers, forensic accountants, restructuring and insolvency experts,
OffshoreAlert is going to Bangkok!
We are delighted to be supporting event partner for Offshore’s first Asia-Pacific Conference. OffshoreAlert Bangkok! February 28 – 29, 2024 at the Siam Kempinski Hotel Bangkok 991/9 Rama I Rd, Pathum Wan, Bangkok, Thailand OffshoreAlert Bangkok is our first conference in the Asia-Pacific region and is designed to be a destination event to which attendees
Stop the Traffik “Big Give”
The IFG recently match funded our sponsor STOP THE TRAFFIK Group Big Give Christmas Challenge assisting Stop the Traffik in raising critical funds which will bolster their fight to create a world where no person is bought or sold. This would not have been possible without our incredible support. Watch this space for further updates