CEO fraud--also known as business email compromise, fake president fraud and a whaling attack--involves tricking an employee authorised to make company payments into paying a false invoice or making an unauthorised money transfer. Illustrative photo: Shipman Northcutt/Unsplash (2019)

The €61m CEO fraud allegedly perpetrated on the charity Caritas is one of the largest ever, second only to the €70m fraud suffered by the Belgian bank Crelan in 2016. But it is not a unique case. Here is how it works.

It used to take place on Fridays around 4pm. Just before a well-earned weekend. A phone call would put pressure on the accountant to make a transfer as quickly as possible, as his boss was in the process of completing the best business deal of his life. Finally caught by the authorities in 2015, the Franco-Israeli Gilbert Chikli has often been presented as the pioneer of this type of scam.

Last May, one company avoided a scam in which Teams, WhatsApp, YouTube and artificial intelligence faking the CEO's voice had all been used by the fraudsters. Earlier this year, in Hong Kong, an employee was taken in after a video call with a deep-faked CFO and other deep-faked executives.

Times may change, but the main principles remain the same.

1. Social engineering

The first step, contrary to what you may read, is not an email sent to the financial director, but extensive information gathering months beforehand: who is who, who does what... In the case of Caritas, it is not difficult to find the organisation chart, the annual and financial reports or the various press releases. What makes this fraud particularly odious is that the director general of Caritas himself published the dates of his business trips, his itinerary and the follow-up to his travels, since he placed his initiative in the context of an appeal for donations to combat child poverty.

2. The attack

Once a simple phone call, attacks are becoming increasingly sophisticated. But the idea is the same: on the basis of a credible scenario, put the financial director or the person in charge of finance under extreme pressure to carry out a banking operation as quickly as possible, even if that means bypassing the security protocols in place. By email, the scammers either take control of the CEO's real mailbox or register a lookalike address whose name or domain differs from the genuine one by a character or two.
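The two email variants above can be screened for at the mail gateway or in a SOC playbook. The following is an added example, not code from the article or from any organisation it names: it parses raw message headers and flags a sender domain that is almost identical to the organisation's own (including digit-for-letter and "rn" for "m" tricks), a display name that claims to be an executive while the address is external, and a Reply-To pointing somewhere else. The organisation domain `example-charity.org`, the executive name and the sample messages are all constructed for illustration.

```python
"""Flag lookalike and spoofed executive senders in incoming mail headers.

Added example, not code from the article or from any organisation it names.
The organisation domain, the executive name and the sample messages are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "example-charity.org"       # assumed organisation domain
EXECUTIVE_NAMES = {"alex mercier"}       # hypothetical director general, lower-cased

# Digit-for-letter substitutions common in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Fold obvious homoglyphs so 'exarnple' compares equal to 'example'.

    NFKC only folds compatibility forms (e.g. fullwidth letters); mixed-script
    attacks such as a Cyrillic 'a' need a confusables table, not covered here.
    """
    folded = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; two edits or fewer is a plausible typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_sender(raw_message: str, org_domain: str = ORG_DOMAIN,
                    executives: set = EXECUTIVE_NAMES) -> dict:
    """Return From/Reply-To addresses and a list of findings (empty = clean).

    A compromised genuine mailbox produces no findings here: that variant can
    only be caught by the payment process (call-back on a known number), never
    by looking at headers.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = _domain(addr)
    internal = domain == org_domain or domain.endswith("." + org_domain)
    findings = []
    if domain and not internal and levenshtein(normalise(domain), normalise(org_domain)) <= 2:
        findings.append("lookalike-domain")
    if name.strip().lower() in executives and not internal:
        findings.append("executive-name-external-address")
    if reply_to and _domain(reply_to) != domain:
        findings.append("reply-to-mismatch")
    return {"from": addr, "reply_to": reply_to, "findings": findings}


# Constructed sample messages; only the headers matter to the classifier.
SAMPLES = {
    "genuine": 'From: "Alex Mercier" <alex.mercier@example-charity.org>\n'
               'Subject: Travel update\n\nBack on the 5th.\n',
    "lookalike_rn": 'From: "Alex Mercier" <alex.mercier@exarnple-charity.org>\n'
                    'Subject: Confidential acquisition\n\nCall me before wiring.\n',
    "lookalike_typo": 'From: "Maitre Durand" <legal@example-charlty.org>\n'
                      'Subject: Takeover, with the agreement of the DG\n\nSee attached.\n',
    "webmail": 'From: "Alex Mercier" <dg.urgent@gmail.com>\n'
               'Reply-To: <a.mercier.private@outlook.com>\n'
               'Subject: Urgent transfer\n\nI am travelling, handle this quietly.\n',
}


def scan_samples() -> dict:
    """Run the classifier over every constructed sample: name -> findings."""
    return {name: classify_sender(raw)["findings"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for sample, findings in scan_samples().items():
        print(f"{sample:15s} {findings or 'clean'}")
```

Note what the "genuine" sample shows: when the CEO's real mailbox has been taken over, the headers are perfect and no header check fires. That variant is only stopped by the payment control itself, a call-back to a number already on file and a second approver, which is exactly the protocol the fraudsters' time pressure is designed to make staff skip.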

According to 100.7 public radio, more than 100 transfers were made in the space of a few months, requiring two loans, with a third application apparently rejected by one of the two Luxembourg banks.

This is unusual, but not unique: in 2021, the French property group Sefri-Cime made 40 transfers over several weeks for a total of €38m to the accounts of various companies in Europe. The modus operandi was that a bogus lawyer had called the accountant to tell him about a company takeover with the agreement of the CEO. A few minutes later, the accountant received a fake email from the CEO confirming the fake lawyer's story.

3. The response

This is the great unknown. In 2016, the Belgian bank Crelan lost €70m and only found out months later during a routine financial audit. It all depends on the credibility of the story and the means used to put pressure on financial managers, but the common factor in the frauds that succeed is the circumvention of existing rules in the face of urgency.

Two dates in the Caritas case: the annual report was published on 21 February, and the CEO himself announced on 29 May that he would be on an 800km trek from Saint-Jean Pied-de-Port to the cathedral of Santiago de Compostela until 5 July. And that's where it all came to a head.

Last month, Ferrari escaped a similar attempt thanks to one of its executive directors, who found the message, sent from a number other than the one he had for CEO Benedetto Vigna, a little strange, and the sound of the voice too. He asked the caller about a book the two of them had discussed a few days earlier, and the crooks promptly disappeared.

And then?

Afterwards, every case is different. CEO and financial directors dismissed. No sanctions. Complaints for lack of vigilance against the bank in their country that authorises the transfer(s), or complaints against all the banks involved as provided for under European law and provided that the final destination of the funds is in Europe. Activation or not of the freezing of assets by the investigating magistrate with the help of Eurojust, if the facts are discovered early enough. Anything is possible. "We still only know 1% of what happened," says an expert speaking on condition of anonymity. And yet there is an urgent need to restore a semblance of confidence.

Read the original French version of this article. Updated 8 August 2024 to clarify that a third bank loan application was rejected and that an industry expert said 99% of the case remains unsolved.