To be or not to be your CEO. That is the question.

Would you be able to spot a deep fake video of your CEO? Companies should prepare for the next wave of cybercrime in which criminals use AI-based software to impersonate voices and images. In this frightening new world, rigorous processes are key to managing a swift response to fraud, says Joe Hancock

How well do you know your CEO? This year criminals used AI-based software to impersonate a chief executive’s voice to defraud a UK-based energy firm out of €220,000. Experts believe the fraud was the first to be reported in Europe in which criminals clearly drew on AI, so companies should be prepared. The next wave of cyber fraud is expected to be ‘spear phishing’ – attacks that target individual CEOs and their companies using AI-generated voices, deep fake videos and more.

Cyber fraud is a booming business. It is predicted to cost the global economy $6 trillion by 2021 and can affect anyone or any company. It used to be considered a legal or revenue-protection problem, but these days it increasingly involves chief information officers, chief technology officers and chief information security officers. And rightly so. My own experience, however, indicates that many organisations are simply not prepared. There is a widespread failure to recognise that financial fraud is a risk that comes under their watch.

Without doubt, there is a need for more education about financial fraud, including the rapidly evolving technological weapons available to criminals and what can be done in terms of protection. But equally important is the need to establish effective anti-fraud processes within organisations. All too often, we see the window to recover funds has long since closed because responsibilities were unclear and processes not followed.

Speed is of the essence to combat cyber fraud, but you can only be quick if you know what to do. First, identify those who must be told of possible frauds – this may vary according to how big the fraud is. Make sure those people know they are responsible and that they understand the next steps. Our advice is always to follow the money first and investigate afterwards because this maximises the chances of recovery. Only if you have the resources should you attempt the two in parallel.

In a small company, the person assigned to dealing with fraud may have several other responsibilities; in a large organisation, the chances are it will be the chief information security officer. Again, our advice is to make sure you address the risk to your organisation with the appropriate level of resources and build fraud risk management into other risk-management processes such as tech, cyber, data and environmental risk.

Hold regular workshops to keep staff informed and alert about the risk of fraud and make them aware of how phishing and spear phishing are used to get emails, passwords and bank details. Explain how fraudsters access personal details to try to trick a victim and how they can impersonate customers, suppliers, banks, senior staff members and even the tax authorities.

Employ real-time threat software that can raise an alert when something goes wrong. Have processes within the accounts department to check payments and use two-person authorisation for larger transfers and payments. Whatever processes you put in place, ensure all staff realise the importance of following them at all times.

Foster a culture of care – and make sure that anyone who questions a payment or email that turns out to be bona fide is not made to feel bad, and is perhaps even rewarded. Time and again, a fraud is successful because people haven’t followed process, particularly when the order for payment has come from a senior member of staff. The natural inclination is to obey the hierarchy.

Next time you hear from the CEO it might not be by email; it might be a FaceTime call. You might be asked to transfer £20,000 to a Swiss bank account and congratulated at the same time on your recent wedding. Just because it looks like the CEO doesn’t mean it is the CEO. And just because you got married recently and the company gave you a nice gift, it doesn’t mean the CEO knew about it. The fraudsters did their research. Think twice. Think process.

Joe Hancock is Partner and Head of Cyber at Mishcon de Reya

Keep reading

High Court Sets Aside Injunction Granted Against Binance
Crypto fraud losses in the UK have increased by 40% in the past year according to Action Fraud. Mishcon de Reya’s Rhymal Persad, Sofia Berggren and Philippa Rees explore Piroozzadeh v Persons Unknown, and the increase in crypto-related fraud cases brought before the English Courts. High Court sets aside injunction granted against Binance: are we going to see more
Navigating Cross-Border Challenges
Fraud and asset recovery cases are increasingly being fought against unidentified defendants, as individuals hide behind computers, fake emails and false online personas. Rhymal Persad, Philippa Rees and Jordan Harrison of our member firm Mishcon de Reya explore the importance of disclosure orders, and the challenges of seeking them from foreign banks: Asset tracing in fraud cases: navigating
Article on Government’s recent Fraud Strategy Announcement
The IFG are delighted to share the below Article written by Catherine Rogerson, Associate and Linda Ali, Trainee Solicitor, Fraud Department at Mishcon de Reya LLP on the Government’s recently announced fraud strategy. Please click the link below  
Thank you Toronto! IFG Asset Recovery Conference (April 2023)
Our IFG members travelled out to Toronto for our Spring Meeting hosted by Bennett Jones taking part in another great Asset Recovery Conference. We were delighted to welcome key note speakers Hon. A. Anne McLellan P.C., O.C., A.O.E., former Deputy Prime Minister of Canada, Former Minister of Justice and Attorney General for Canada, and Inspector