To be or not to be your CEO. That is the question.

Would you be able to spot a deep fake video of your CEO? Companies should prepare for the next wave of cybercrime in which criminals use AI-based software to impersonate voices and images. In this frightening new world, rigorous processes are key to managing a swift response to fraud, says Joe Hancock

How well do you know your CEO? This year criminals used AI-based software to impersonate a chief executive’s voice to defraud a UK-based energy firm out of €220,000. Experts believe the fraud was the first to be reported in Europe in which criminals clearly drew on AI, so companies should be prepared. The next wave of cyber fraud is expected to be ‘spear phishing’ – attacks that target individual CEOs and their companies using AI-generated voices, deep fake videos and more.

Cyber fraud is a booming business. It is predicted to cost the global economy $6 trillion by 2021 and can affect anyone or any company. It used to be considered a legal or revenue-protection problem, but these days it increasingly involves chief information officers, chief technology officers and chief information security officers. And rightly so. My own experience, however, indicates that many organisations are simply not prepared. There is a widespread failure to recognise that financial fraud is a risk that comes under their watch.

Without doubt, there is a need for more education about financial fraud, including the rapidly evolving technological weapons available to criminals and what can be done in terms of protection. But equally important is the need to establish effective anti-fraud processes within organisations. All too often, we see the window to recover funds has long since closed because responsibilities were unclear and processes not followed.

Speed is of the essence to combat cyber fraud, but you can only be quick if you know what to do. First, identify those who must be told of possible frauds – this may vary according to how big the fraud is. Make sure those people know they are responsible and that they understand the next steps. Our advice is always to follow the money first and investigate afterwards because this maximises the chances of recovery. Only if you have the resources should you attempt the two in parallel.

In a small company, the person assigned to dealing with fraud may have several other responsibilities; in a large organisation, the chances are it will be the chief information security officer. Again, our advice is to make sure you address the risk to your organisation with the appropriate level of resources and build fraud risk management into other risk-management processes such as tech, cyber, data and environmental risk.

Hold regular workshops to keep staff informed and alert about the risk of fraud and make them aware of how phishing and spear phishing are used to get emails, passwords and bank details. Explain how fraudsters access personal details to try to trick a victim and how they can impersonate customers, suppliers, banks, senior staff members and even the tax authorities.

Employ real-time threat software that can raise an alert when something goes wrong. Have processes within the accounts department to check payments and use two-person authorisation for larger transfers and payments. Whatever processes you put in place, ensure all staff realise the importance of following them at all times.

Foster a culture of care – and make sure that anyone who questions a payment or email that turns out to be bona fide is not made to feel bad, and is perhaps even rewarded. Time and again, a fraud is successful because people haven’t followed process, particularly when the order for payment has come from a senior member of staff. The natural inclination is to obey the hierarchy.

Next time you hear from the CEO it might not be by email; it might be a FaceTime call. You might be asked to transfer £20,000 to a Swiss bank account and congratulated at the same time on your recent wedding. Just because it looks like the CEO doesn’t mean it is the CEO. And just because you got married recently and the company gave you a nice gift, it doesn’t mean the CEO knew about it. The fraudsters did their research. Think twice. Think process.

Joe Hancock is Partner and Head of Cyber at Mishcon de Reya

Keep reading

...
Sovereign & States Disputes and Enforcement Summit 2025!
We are delighted as Media Partner to be able to promote the ThoughtLeaders4 FIRE “Sovereign & States Disputes and Enforcement Summit 2025!” Uniquely bringing the Sovereign Disputes and FIRE communities together to address the latest in Sovereign & States Disputes and Enforcement. In-person Date: 29th & 30th January 2025 Venue: The Law Society, 113 Chancery Lane, London
Read
...
Offshore Alert – Bangkok – 5 and 6 March 2025. Book NOW!
We’re thrilled to partner with OffshoreAlert for their Second Annual Asia-Pacific Conference on March 5-6, 2025, at the prestigious Siam Kempinski Hotel Bangkok. This highly anticipated event brings together top-tier investigators, insolvency practitioners, asset recovery attorneys, and intelligence specialists from around the world. Attendees will gain actionable insights, explore innovative solutions, and expand their global
Read
...
Economic Crime Prevention DACH Summit Returns – 18-19 March 2025! BOOK NOW!
Economic Crime Prevention DACH Summit Returns – March 2025! Industry experts Simon Plüss (Head Export Controls and Sanctions, SECO), Vanessa Sisti (Assistant Chief, FCPA Unit, US DOJ), Sara Chouraqui (Joint Head of Fraud, Bribery and Corruption, UK Serious Fraud Office), and Kevin Mosley (Deputy Chief, Bank Integrity Unit, US DOJ) will headline the 4th Annual
Read
...
2nd Annual IBA Asset Recovery Conference- Madrid – 4-6 December 2024 – IFG Exhibitors!
We are delighted to be sponsoring the 2nd Annual IBA Asset Recovery Conference in Madrid – 4 – 6th December 2024. The theme of this year’s conference is ‘Tackling and conquering impediments to asset recovery’. Topics will include: Tackling and conquering common (and uncommon) defences raised in attempts to defeat asset recovery strategies and proceedings
Read