
BETTER SAFE THAN SORRY. CEO- AND INVOICE FRAUD

drs. Gijs van der Salm MCI, Consultant Investigations, Hoffmann

Classification: open

February 12, 2019

│ CEO- and Invoice fraud│ Classification: open2

CONTENT

• Fraud is of all times
• Hoffmann CEO fraud figures
• CEO fraud process (C-level)
• Invoice fraud process (operational level)
• Hoffmann investigation method
• Prevention

│ Footer │ Classification: commercial in confidence

OF ALL TIMES

[Image: Hegestratos, 300 B.C.]

[Image: ATM Jackpotting]


FRAUD TODAY

TODAY: THE HUMAN FACTOR

• CEO fraud
• Trust
• Weakest link
• Change

“Make your weakest link the strongest”


HOFFMANN CEO FRAUD FIGURES

[Chart: # of cases, 2015 versus 2018 (axis 0 to 30)]

[Chart: Amount stolen, 2015 versus 2018 (axis € 0 to € 100,000)]


EXAMPLE OF CEO FRAUD MAIL – HOW IT STARTED

CEO FRAUD: HOW IT’S DONE


[Diagram: criminal, criminal’s server, CEO, company mail server]

1. The criminal sends a phishing mail to the CEO.
2. The phishing mail contains a link to a fake website of the target company, hosted on the criminal’s server.
3. The CEO clicks on the link and submits his username and password on the fake website made by the criminal.
4. The criminal now has the username and password of the CEO.


EXAMPLE OF CEO FRAUD MAIL - TODAY

From: Jan de Haan <j.dehaan@belavabv.com>  Sent: Mon 15-10-2018 16:06
To: Roelof Jansen
Subject: Payment

Roelof,

Can you carry out an international payment. It is a payment to Mexico of $250,000.
The bank details are below. Please make the payment as soon as possible, it is urgent.

Bank of Mexico
ABG Trading Inc.
Account #3244790287
Swift code: TGFDREBH
Bank address: Solidaridad Nacional, Gustavo A. Madero,
06059 Ciudad de México, Distrito Federal, México

Regards
Jan
Belava B.V.

CEO FRAUD: HOW IT’S DONE


[Diagram: criminal, company mail server, finance employee, bank / PSD2 licence holder]

1. The criminal logs on to the company mail server using the CEO’s account name and password.
2. From the CEO’s e-mail account the criminal sends a payment request e-mail to a finance employee.
3. The finance employee executes the requested payment.
4. The amount is transferred to the criminal’s account via the bank / PSD2 licence holder.


CEO FRAUD ALTERNATIVE METHOD

FALSE DOMAIN NAMES

• j.dehaan@balevabv.com (letters swapped)
• j.dehaan@bellavabv.com (letter doubled)
• j.dehaan@belavabv-eu.com (real name with an extra suffix)
• j.dehaan@belavabv-nl.com (real name with an extra suffix)
• “rn” in place of “m”, e.g. belavabv.corn for belavabv.com (the two look alike in many fonts)


[Diagram: criminal, finance employee, bank / PSD2 licence holder]

Alternative process: the criminal sends the e-mail in the name of the CEO directly to the finance employee, from an e-mail address with a false domain name.

1. The finance employee executes the requested payment.
2. The payment amount is transferred to the criminal’s account via the bank / PSD2 licence holder.

OPERATIONAL LEVEL: INVOICE FRAUD


[Diagram: criminal, company mail server, sales employee, employee of the customer]

1. The criminal logs on using the user account of a (sales) employee and starts reading all e-mail conversations.
2. The criminal spots an e-mail conversation with a customer who wants to place an order.
3. When the order payment is due, the criminal sends an e-mail with false payment information to the customer.
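Both flows above hinge on the same step: the criminal logs on to the company mail server with a legitimate user’s credentials (the CEO’s in the CEO fraud case, a sales employee’s in the invoice fraud case), so the mails that follow are genuine in every technical respect. The only signal left is where and when the logins come from. The following is an added example, not Hoffmann’s tooling or anything from the slides: it parses constructed IMAP login records (Dovecot-style lines, documentation IP ranges) and raises an alert for an account that logs in from an address never seen for it, and for two different addresses active on one mailbox within a short window, which is what it looks like when the real user is at the office while the criminal reads the same mailbox from elsewhere. The baseline of known addresses and the timeline (an unknown address on the CEO’s account shortly before the 16:06 payment mail) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Dovecot-style IMAP login line; adjust the pattern to your server's format.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: Login: user=<(?P<user>[^>]+)>, rip=(?P<ip>[\d.]+)"
)

# Constructed baseline: the addresses each account normally logs in from.
KNOWN_SOURCES = {"j.dehaan": {"192.0.2.10"}, "r.jansen": {"192.0.2.11"}}

# Constructed log: the CEO's account is used from an unknown address while the
# CEO is still logging in from the office, shortly before the 16:06 payment mail.
SAMPLE_LOG = """\
2018-10-15T08:02:11 imap-login: Login: user=<j.dehaan>, rip=192.0.2.10
2018-10-15T08:05:40 imap-login: Login: user=<r.jansen>, rip=192.0.2.11
2018-10-15T15:48:03 imap-login: Login: user=<j.dehaan>, rip=203.0.113.45
2018-10-15T15:55:19 imap-login: Login: user=<j.dehaan>, rip=192.0.2.10
2018-10-15T16:04:37 imap-login: Login: user=<j.dehaan>, rip=203.0.113.45
2018-10-15T16:06:00 imap-login: Login: user=<r.jansen>, rip=192.0.2.11
""".splitlines()


def parse_logins(lines):
    """Yield (timestamp, user, source address) for each login line; other lines are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def find_takeovers(lines, known_sources, window=timedelta(minutes=30)):
    """Two detections per account: a login from an address never seen for it, and
    two different addresses active inside `window`. Returns (timestamp, user,
    message) tuples; each address pair is reported once per user."""
    seen = {user: set(addrs) for user, addrs in known_sources.items()}
    recent = defaultdict(list)          # user -> [(ts, ip)] still inside the window
    flagged_pairs = set()
    alerts = []
    for ts, user, ip in sorted(parse_logins(lines)):
        sources = seen.setdefault(user, set())
        if ip not in sources:
            alerts.append((ts, user, f"first login from {ip}"))
            sources.add(ip)
        recent[user] = [(t, i) for t, i in recent[user] if ts - t <= window]
        for _, other in recent[user]:
            pair = (user, frozenset({other, ip}))
            if other != ip and pair not in flagged_pairs:
                flagged_pairs.add(pair)
                alerts.append((ts, user, f"concurrent sessions from {other} and {ip}"))
        recent[user].append((ts, ip))
    return alerts


if __name__ == "__main__":
    for ts, user, message in find_takeovers(SAMPLE_LOG, KNOWN_SOURCES):
        print(ts.isoformat(), user, message)
```

On the constructed log this yields two alerts for j.dehaan: the first login from 203.0.113.45 at 15:48, and the concurrent sessions from 203.0.113.45 and 192.0.2.10 at 15:55; the 16:04 login repeats an already reported pair and stays silent. A real deployment would seed the baseline from a few weeks of history, add a geolocation or ASN lookup so that a new address in the office range is not treated like one abroad, and, because all of this is after the fact, pair it with multi-factor authentication on the mail server so that the stolen password alone is not enough.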

EXAMPLE OF INVOICE FRAUD MAIL

From: Pete Smith <pete.smith@XYcompany.com>  Sent: Fri 5-10-2018 12:04
To: Harm Blokker
Subject: Re: Order 56278

Hi Harm,

Our account number has been changed, can you please make the payment for the pending order with the
account details below.

Bank of Mexico
ABG Trading Inc.
Account #3244790287
Swift code: TGFDREBH
Bank address: Solidaridad Nacional, Gustavo A. Madero,
06059 Ciudad de México, Distrito Federal, México

Best regards
Pete Smith
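Two checks a finance desk can run on a payment-request mail before acting on it, added here as an example and not part of the Hoffmann presentation: first, whether the sender’s domain merely looks like one we trust, using the same tricks as the false domain names listed above (swapped or doubled letters, an extra -eu or -nl suffix, “rn” for “m”); second, whether the bank details in the mail differ from the account on file for that counterparty, which is the tell in the invoice fraud mail above, where the sender domain is genuine because the account itself was taken over. The sample mails are constructed from the two slide examples, the trusted-domain list and the vendor master entry (9988776655 on file for XYcompany.com) are assumptions, and only the Python standard library is used.

```python
# Added example; sample mails and the account on file are constructed, not real data.
import email
import email.utils
import re
import unicodedata
from email import policy

# Visual twins in common fonts ("rn" reads as "m", "vv" as "w", "cl" as "d",
# "0" as "o", "1" as "l"), collapsed before comparing so that twins match.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}
ACCOUNT_RE = re.compile(r"(?:Account\s*#|IBAN:?)\s*([A-Z0-9]{6,34})", re.I)


def normalize(s):
    s = unicodedata.normalize("NFKC", s).lower()
    for twin, real in HOMOGLYPHS.items():
        s = s.replace(twin, real)
    return s


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap two adjacent characters, each at cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_reason(candidate, legit):
    """None when candidate is legit (or a host under it), a reason string when it
    imitates legit, "" when it is simply another domain. The registrable label is
    taken as everything before the last dot (simplification: no public-suffix list)."""
    candidate, legit = candidate.lower().strip("."), legit.lower().strip(".")
    if candidate == legit or candidate.endswith("." + legit):
        return None
    if normalize(candidate) == normalize(legit):
        return "homoglyph substitution (e.g. 'rn' for 'm')"
    cand_label, legit_label = candidate.rsplit(".", 1)[0], legit.rsplit(".", 1)[0]
    if legit_label in cand_label:
        return "real name padded with extra characters"
    d = edit_distance(normalize(cand_label), normalize(legit_label))
    if len(legit_label) >= 6 and d <= 2:
        return f"{d} edit(s) away from {legit}"
    return ""


def check_payment_request(raw_mail, trusted_domains, accounts_on_file):
    """trusted_domains: own domain plus known counterparties. accounts_on_file:
    domain -> account number recorded for that counterparty. Returns findings."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    domain = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    findings, trusted = [], None
    for legit in trusted_domains:
        reason = lookalike_reason(domain, legit)
        if reason is None:
            trusted = legit
            break
        if reason:
            findings.append(f"sender domain {domain} imitates {legit}: {reason}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    acct = ACCOUNT_RE.search(body)
    if acct and trusted is None:
        findings.append(f"bank details from a domain not on file: {domain}")
    elif acct:
        on_file = accounts_on_file.get(trusted)
        if on_file and acct.group(1).upper() != on_file:
            findings.append(f"account {acct.group(1)} differs from {on_file} on file "
                            f"for {trusted}: confirm by phone on a number already on record")
    return findings


# Constructed sample mails, modelled on the two examples on the slides.
INVOICE_MAIL = """\
From: Pete Smith <pete.smith@XYcompany.com>
To: Harm Blokker <h.blokker@customer.example>
Subject: Re: Order 56278

Hi Harm, our account number has been changed, can you please make the payment
for the pending order with the account details below.
Bank of Mexico, ABG Trading Inc., Account #3244790287, Swift code: TGFDREBH
"""
CEO_MAIL = """\
From: Jan de Haan <j.dehaan@balevabv.com>
To: Roelof Jansen <r.jansen@belavabv.com>
Subject: Payment

Roelof, can you carry out an international payment to Mexico of $250,000.
Please make the payment as soon as possible, it is urgent.
Bank of Mexico, ABG Trading Inc., Account #3244790287, Swift code: TGFDREBH
"""
TRUSTED = ["belavabv.com", "xycompany.com"]
ON_FILE = {"xycompany.com": "9988776655"}   # constructed vendor master entry
```

Run `check_payment_request(INVOICE_MAIL, TRUSTED, ON_FILE)` and the only finding is the account mismatch; run it on `CEO_MAIL` and the sender domain is reported as two edits away from belavabv.com and the bank details as coming from a domain not on file. The domain check only catches imitations of domains you list, so it belongs on the own domain and on a short list of counterparties; the account-on-file check is the one that catches the invoice case. Either finding should route the payment to a call-back on a number already on record, never a number taken from the mail itself.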


HOFFMANN INVESTIGATION METHOD

- Acting fast
- Direction
- Communication
- Logging
- Interviews
- Modus operandi
- Identification
- In compliance


PREVENTION

• Organisational measures
• Technical measures
• Human (behaviour) measures

QUESTION:

How can we influence employee behaviour in order to prevent fraud?

Motivation, Capacity, Opportunity

QUESTION:

What is your biggest concern about fraud in your organisation?

www.hoffmann.nl

TRUST IS GOOD, HOFFMANN IS BETTER