Australian CEOs on Notice: A Hack Can Cost Your Job
Last month FACC, a European aerospace supplier to Boeing and Airbus, fired its CEO after he played an unwitting part in the loss of €41.9 million.
The sacking followed the dismissal of the company’s CFO in January over the same event, dubbed “the Fake President Incident”.
The fraud began with an email, purportedly from the CEO, that reached the accounts department requesting a transfer of funds to a supplier account. Beyond that the details have not been made public, but the pattern is well known: either the supplier does not exist, or a genuine supplier’s payment details have been altered to divert the money to the fraudster, and pressure is applied to the accounts team to push the transaction through quickly.
It might seem unfair, but when millions are lost, heads usually roll.
What can you do to ensure you don’t suffer the same fate?
Rigid accounts process and the right culture
A successful swindle like this relies on employees being persuaded to step outside standard operating procedure. The usual checks and balances are bypassed, and lower-level staff, unaware they are pawns, don’t question what appear to be directives from above.
A culture that encourages questions and follows written procedures, together with an accounts payable procedure that must be followed every time, will go a long way toward lowering the risk of CEO fraud. The single most useful rule is that any new payee or any change to a supplier’s bank details is confirmed by calling a contact number already on file, never one supplied in the email that requested the change.
Integrate multi-factor authentication
Phishing emails that ask users to verify their Active Directory credentials are not uncommon, and a captured password hands the attacker the executive’s real mailbox to send from. Multi-factor authentication adds a second layer so that a phished password alone is not enough to log in; a soft token app on the user’s mobile phone is the simplest form. A spoken password known only to the CEO and CFO is a different kind of control: it does not protect the account, but it lets the CFO confirm an unusual payment request out of band before acting on it. Both are worth having.
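The soft-token codes mentioned above are almost always TOTP (RFC 6238). The block below is an added example written for this article, not code from the original page or from any product it mentions; it shows the server side of that scheme: generating a code, and verifying a submitted one with a small clock-skew window, a constant-time comparison and a replay guard. The window size, the replay rule and the secret handling are assumptions of the example, not a description of any particular system.

```python
"""Server-side verification of a mobile soft-token code (TOTP, RFC 6238).

Added example for this article, not code from the original page or from any
product it mentions. Window size, replay guard and secret handling are
assumptions of this example, not a description of any particular system.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # code length used by most authenticator apps
WINDOW = 1         # accept one step either side for clock skew (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: Optional[int] = None, window: int = WINDOW,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step and its +/- window neighbours.

    Returns (accepted, matched_step). The caller persists matched_step for the user and
    passes it back as last_used_step on the next attempt, so a code that was phished or
    shoulder-surfed cannot be replayed, and once a newer code has been used the older
    ones in the window are dead even though they are still inside the skew tolerance.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False, None
    current = unix_time // step
    matched = None
    # Evaluate every candidate step with a constant-time compare instead of returning
    # early, so response time does not leak which step (if any) matched.
    for candidate in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            matched = candidate
    if matched is None:
        return False, None
    if last_used_step is not None and matched <= last_used_step:
        return False, None  # replay, or a stale code after a newer one was consumed
    return True, matched


if __name__ == "__main__":
    import base64
    import secrets
    import time

    # Enrolment: a fresh 20-byte secret, shown base32-encoded as authenticator apps expect.
    user_secret = secrets.token_bytes(20)
    print("enrol secret:", base64.b32encode(user_secret).decode())

    now = int(time.time())
    code = totp(user_secret, now)  # what the phone would display right now
    ok, step_used = verify_totp(user_secret, code, now)
    print("first use:", ok, step_used)
    ok, _ = verify_totp(user_secret, code, now, last_used_step=step_used)
    print("replayed:", ok)  # the same code is rejected the second time
```

The part a practitioner should not skip is the replay guard: matched_step has to be stored per user, or a code captured in transit is good for the rest of the window. Note what it does not do: a real-time phishing relay that uses the code before the victim does is still accepted, so where that is the threat a phishing-resistant factor (a FIDO2 security key, for instance) is needed rather than a one-time code.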
Accept that you may be left stranded
Successful fraudsters research their targets thoroughly. “The Stranded Tourist”, a scam that exploits a CEO’s travel abroad, is widespread. Here’s how it works:
An email arrives at your accounts payable staff, ostensibly from you. It says you have been robbed or your cards don’t work, your phone has been lost so you can’t be reached by any normal route, you were lucky enough to meet someone who let you use their internet connection, and you have very little time.
Your team are instructed to send several thousand dollars to a money transfer location, and the email promises that you’ll be in touch once you’re back on your feet.
You can see where this leads. The money is sent and that’s the last time it’s ever seen.
It’s simple to instruct the accounts department not to fall for this trick. The disadvantage is that if you find yourself stranded as a tourist, you won’t get any assistance from the office!
All jokes aside, don’t be shocked if you lose your job when you are at the heart of a scenario in which someone’s identity is faked and the people around you believe what the phony you has to say. Everyone has a part to play in safeguarding the organisation.
Create a workplace culture in which processes are set and followed, and employees are expected to question anything that isn’t normal, and you’ll be OK. Combined with strong IT security measures, this approach is far more resistant to social-engineering attacks of this kind.