BETTER SAFE THAN SORRY. CEO- AND INVOICE FRAUD
drs. Gijs van der Salm MCI, Consultant investigations, Hoffmann
Classification: open
February 12, 2019
│ CEO- and Invoice fraud│ Classification: open2
CONTENT
• Fraud is of all times
• Hoffmann CEO fraud figures
• CEO fraud process (C-level)
• Invoice fraud process (Operational level)
• Hoffmann investigation method
• Prevention
│ Footer │ Classification: commercial in confidence 3
FRAUD IS OF ALL TIMES
• Hegestratos, 300 B.C.
• ATM Jackpotting
FRAUD TODAY: THE HUMAN FACTOR
• CEO fraud
• Trust
• Weakest link
• Change
“Make your weakest link the strongest”
HOFFMANN CEO FRAUD FIGURES
[Chart: # of cases (0 to 30), 2015 vs 2018]
[Chart: Amount stolen (€ 0,00 to € 100.000,00), 2015 vs 2018]
EXAMPLE OF CEO FRAUD MAIL – HOW IT STARTED
CEO FRAUD: HOW IT’S DONE
Actors: Criminal, Criminal’s server, Company mailserver, CEO
• The criminal sends a phishing mail to the CEO.
• The phishing mail contains a link to a fake website of the target company.
• The CEO clicks on the link and submits his username and password on the fake website made by the criminal.
• The criminal now has the username and password of the CEO.
EXAMPLE OF CEO FRAUD MAIL - TODAY
From: Jan de Haan <[email protected]> Sent: Mon 15-10-2018 16:06
To: Roelof Jansen
Subject: Payment

Roelof,
Can you make an international payment?
It is a payment to Mexico of $250,000.
The bank details are below. Please execute the payment as soon as possible, it is urgent.
Bank of Mexico
ABG Trading Inc.
Account #3244790287
Swift code: TGFDREBH
Bank address: Solidaridad Nacional, Gustavo A. Madero,
06059 Ciudad de México, Distrito Federal, México
Regards
Jan
Belava B.V.
CEO FRAUD: HOW IT’S DONE
Actors: Criminal, Company mailserver, Finance employee, Bank / PSD2 licence holder
• The criminal logs on to the company mailserver using the CEO’s account name and password.
• A payment request email is sent from the CEO’s email account to the finance employee.
• The finance employee executes the requested payment.
• The amount is transferred to the criminal’s account at a bank / PSD2 licence holder.
CEO FRAUD: ALTERNATIVE METHOD
FALSE DOMAIN NAMES
• .rn instead of .m
Actors: Criminal, Finance employee, Bank / PSD2 licence holder
Alternative process: the criminal sends the e-mail in the name of the CEO directly to the finance employee from an email address with a false domain name.
• The finance employee executes the requested payment.
• The payment amount is transferred to the criminal’s account at a bank / PSD2 licence holder.
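As an added example (not part of the Hoffmann deck), a small Python check for the false-domain-name variant: it folds the confusable sequences (rn/m from the slide, plus a few constructed extras) before comparing a sender domain against the domains an organisation trusts, and also flags a Reply-To that points to a different domain. The domains belava.com, belava.corn and mail-example.net are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Iterable, List, Optional

# Character sequences that read as one another in common fonts. The
# ".rn instead of .m" trick from the slides is the first entry; the
# rest are constructed additions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalise(domain: str) -> str:
    """Fold confusable sequences so a look-alike compares equal to the real domain."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def lookalike_of(sender_domain: str, trusted: Iterable[str]) -> Optional[str]:
    """Return the trusted domain that sender_domain imitates, or None.
    An exact match is legitimate, not a look-alike."""
    trusted = {t.lower() for t in trusted}
    sender = sender_domain.lower()
    if sender in trusted:
        return None
    folded = normalise(sender)
    return next((t for t in trusted if normalise(t) == folded), None)


def check_message(raw: str, trusted: Iterable[str]) -> List[str]:
    """Flag a look-alike From domain and a Reply-To that points elsewhere."""
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    imitated = lookalike_of(from_domain, trusted)
    if imitated:
        findings.append(f"From domain {from_domain} imitates {imitated}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample: belava.com stands in for the company's real domain,
# belava.corn is the look-alike (rn instead of m).
TRUSTED = {"belava.com"}
SAMPLE = """From: Jan de Haan <jan@belava.corn>
Reply-To: Jan de Haan <jan@mail-example.net>
To: Roelof Jansen <roelof@belava.com>
Subject: Betaling
"""
```

Run `check_message(SAMPLE, TRUSTED)` to get the two findings for the constructed sample; in practice the trusted set is the organisation's own domains plus those of regular suppliers and customers.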
OPERATIONAL LEVEL: INVOICE FRAUD
Actors: Criminal, Company mailserver, Sales employee, Employee of the customer
• The criminal logs on to the company mailserver using the user account of a (sales) employee and starts reading all email conversations.
• The criminal detects an email conversation with a customer who wants to place an order.
• When the order payment has to be issued, the criminal sends an e-mail with false payment information to the customer.
EXAMPLE OF INVOICE FRAUD MAIL
From: Pete Smith <[email protected]> Sent: Fri 5-10-2018 12:04
To: Harm Blokker
Subject: Re: Order 56278

Hi Harm,
Our account number has changed; can you please make the payment for the pending order using the account details below?
Bank of Mexico
ABG Trading Inc.
Account #3244790287
Swift code: TGFDREBH
Bank address: Solidaridad Nacional, Gustavo A. Madero,
06059 Ciudad de México, Distrito Federal, México
Best regards
Pete Smith
HOFFMANN INVESTIGATION METHOD
- Acting fast
- Direction
- Communication
- Logging
- Interviews
- Modus Operandi
- Identification
- In compliance
PREVENTION
• Organisational measures
• Technical measures
• Human (behaviour) measures
QUESTION:
How can we influence employee behaviour in order to prevent fraud?
Motivation, Capacity, Opportunity
QUESTION:
What is your biggest concern about fraud in your organisation?
www.hoffmann.nl
TRUST IS GOOD, HOFFMANN IS BETTER