Social engineering

The scourge of impersonation fraud

White collar crime continues to eat away at the economy, both in Switzerland and around the world. The most widespread type of fraud remains asset misappropriation, which accounts for nearly 70% of the fraud reported worldwide. This was the finding of the auditing firm PwC in its “Global and Swiss Economic Crime Survey 2014”.
 
Within the area of asset misappropriation there is the specific case of impersonation fraud, also called CEO fraud or CEO impersonation fraud and known in France as “fraude au président”. This fraud has affected 10% of the French companies surveyed by PwC. It has caused damage of over 350 million euros, according to the Office central français pour la répression de la grande délinquance (the French Serious Financial Crime Office), which identified 700 successful or attempted cases between 2010 and 2014. Other countries are also affected by this scourge; the European Fraud Institute has issued an alert as well.
 
This type of impersonation fraud relies on a well-oiled mechanism. An individual poses as a senior executive and asks an employee in the accounting or finance department to make an urgent international bank transfer for a highly confidential transaction. The crime rests on a prior social engineering phase, in which the criminals develop a thorough understanding of the targeted company's environment and use a series of techniques to manipulate their victims. The goal is to extort money or information from staff by phone, mail (e-mail or post), instant messaging or direct contact. Social engineering relies on persuasion and on exploiting the naiveté of employees by posing as a colleague, a technician or a director.
 

A long preparation

Criminal organisations often hide behind these scams, which require long periods of preparation before an employee can be persuaded to comply. The perpetrators build a detailed picture of the target company, its organisation, its strategies and its communication tools, gathering information about its officers, advisers, lawyers and other staff. They absorb its culture by studying messages from managers to employees and internal newsletters. They collect the managers' details and copy their signatures from official documents found on the internet. They look into the private lives of employees, executives included, through social networks that reveal personal details (date of birth, marital status, children's names, etc.).
 
Criminals use their powers of persuasion and even psychological pressure, citing the confidentiality of the transaction and the urgency of the situation, and sometimes threatening dismissal if the order is not carried out. Some fraudsters have a gift for imitating the voice of the person they are impersonating and learn that person's favourite sayings or phrases. They also employ techniques to prevent the police from finding them.
 
The social engineering phase may go further still, with scammers placing an accomplice inside the target company to better understand how it works. There are several variants of the fake transfer scam. For example, the individuals may pose as a supplier announcing a change in the bank details to which the company currently makes its payments, as an executive carrying out a strictly confidential acquisition, or as technicians who come to update the bank's software and request a test transfer to make sure it works.

Overview

37%

More than one in three Swiss companies surveyed by the auditing firm PwC in 2014 has been a victim of fraud in the previous 24 months. In 2013, this figure was 18%.

52%

This is the percentage of frauds reported in Switzerland which consist of a theft of an amount less than CHF 100,000. In 40% of cases, the amounts are between 100,000 and 5 million francs. In 4% of cases, they exceed 5 million.

32.7%

This is the increase in cases of economic crime identified by KPMG in Switzerland between 2013 and 2014. The auditing firm identified 77 cases that year.

 

CEO fraud: A user’s manual

The scammer contacts an accountant at the targeted company by email or phone, posing as the CEO or a senior executive. Citing an urgent and confidential transaction (a tax audit, a foreign acquisition), the scammer instructs the employee to transfer funds to an account located abroad as soon as possible.


The canton of Vaud on alert

This phenomenon is unprecedented and is becoming more sophisticated every day. Employees are on the front line, and the consequences can be dramatic both for the employee and for the company. All businesses and all industries are affected, from small businesses to publicly traded companies, as the French press has noted (see insert). The Swiss press and Swiss companies are much more discreet about the subject. Does this mean that Switzerland is safe from this type of fraud? Definitely not. From the local press, we know that 13 cases of "CEO fraud" were identified in early summer 2014 in the Canton of Vaud, but we do not know the amounts involved.
 
In the wake of "CEO fraud", "trade directory fraud" has also hit Switzerland. Sixty Swiss-German companies received promotional offers to register in pseudo-professional directories. The forms mimicked the typography used by the Confederation and committed the signatory to a monthly subscription of 95 francs for a minimum period of 24 months, payable to a company generally headquartered abroad.
 
In the Canton of Vaud, the Crime Prevention Division of the cantonal police drafted a notice titled “Social engineering: A risk for small businesses”. It states that "local businesses based in the Canton of Vaud are regularly the target of scams and fraud attempts".

Practical advice

To protect against social engineering techniques, companies need to make their employees aware of this crime and establish or review adequate control procedures:

  • The caller's identity must be systematically cross-checked
  • The caller must be systematically contacted again after a call or email to verify that he or she is the right person
  • The information provided must be checked
  • The person approached must question the pertinence of the information requested by the caller, and use common sense by not hesitating to speak to peers and check with management

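The four controls above, turned into a checklist that a payments team could run before releasing a transfer, as an added example (this is not code from the article or from Swiss Risk & Care). The internal directory, the phone numbers, the IBANs (the standard published example IBANs), the 50,000 CHF dual-approval threshold and the two sample requests are constructed assumptions. The point the code makes is that every verification uses the company's own directory, never the contact details supplied inside the request itself.

```python
"""Checks a payment instruction against the anti-social-engineering controls.
Added illustration; directory entries, numbers, IBANs and threshold are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Internal directory: the only trusted source for who someone is and how to reach them.
DIRECTORY = {
    "ceo@example-corp.ch": {"name": "Jane Doe", "role": "CEO", "phone": "+41 21 000 00 01"},
    "cfo@example-corp.ch": {"name": "Max Muster", "role": "CFO", "phone": "+41 21 000 00 02"},
}
KNOWN_BENEFICIARIES = {"CH9300762011623852957"}   # constructed; standard example IBAN
DUAL_APPROVAL_THRESHOLD_CHF = 50_000               # constructed policy value
PRESSURE_WORDS = ("urgent", "immediately", "confidential", "do not tell", "asap")


@dataclass
class TransferRequest:
    from_header: str                      # e.g. 'Jane Doe <jane.doe@mail-example.net>'
    reply_to: Optional[str]
    body: str
    amount_chf: float
    beneficiary_iban: str
    beneficiary_country: str
    callback_number_used: Optional[str]   # number the accountant actually dialled, if any
    approvers: list = field(default_factory=list)


def parse_address(header: str):
    """Split 'Display Name <addr>' into (name, addr); a bare address gets an empty name."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map letters
    to 10..35 and require the resulting number to be congruent to 1 modulo 97."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def claimed_principal(req: TransferRequest):
    """Directory entry the request claims to come from: by address, else by display name."""
    name, addr = parse_address(req.from_header)
    if addr in DIRECTORY:
        return DIRECTORY[addr]
    return next((e for e in DIRECTORY.values() if name and e["name"].lower() == name.lower()), None)


def verify_transfer(req: TransferRequest):
    """Return ('release' | 'hold', findings). Any single finding holds the payment."""
    findings = []
    _, addr = parse_address(req.from_header)
    principal = claimed_principal(req)

    # 1. Cross-check the requester's identity against the directory, not the message.
    if addr not in DIRECTORY:
        findings.append("sender address not in internal directory")
        if principal:
            findings.append(f"display name matches the {principal['role']} but address is external")
    if req.reply_to and parse_address(req.reply_to)[1] != addr:
        findings.append("Reply-To differs from From")

    # 2. Call the requester back on the directory number, never on a number from the request.
    if req.callback_number_used is None:
        findings.append("no callback to the requester was performed")
    elif principal is None or req.callback_number_used != principal["phone"]:
        findings.append(f"callback made to {req.callback_number_used}, not the directory number")

    # 3. Check the information provided: account validity, known beneficiary, destination.
    if not iban_checksum_ok(req.beneficiary_iban):
        findings.append("beneficiary IBAN fails checksum")
    elif req.beneficiary_iban not in KNOWN_BENEFICIARIES:
        findings.append("beneficiary account not on the known-beneficiary list")
    if req.beneficiary_country.upper() != "CH":
        findings.append(f"beneficiary account is abroad ({req.beneficiary_country.upper()})")

    # 4. Question the pertinence: pressure language and a missing second opinion.
    hits = [w for w in PRESSURE_WORDS if w in req.body.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    if req.amount_chf >= DUAL_APPROVAL_THRESHOLD_CHF and len(set(req.approvers)) < 2:
        findings.append(f"amount {req.amount_chf:,.0f} CHF requires a second approver")

    return ("hold" if findings else "release"), findings


# Constructed request in the pattern the article describes: the CEO's name on an external
# address, urgency and secrecy, a new account abroad, no callback, one person acting alone.
FRAUDULENT = TransferRequest(
    from_header="Jane Doe <jane.doe@mail-example.net>", reply_to="ceo.office@mail-example.net",
    body="URGENT and strictly confidential acquisition. Do not tell anyone. Transfer immediately.",
    amount_chf=250_000, beneficiary_iban="GB82WEST12345698765432", beneficiary_country="GB",
    callback_number_used=None, approvers=["accountant"])

# Constructed routine payment that satisfies every control.
LEGITIMATE = TransferRequest(
    from_header="cfo@example-corp.ch", reply_to=None,
    body="Please settle the Q1 invoice for the Lausanne office lease.",
    amount_chf=120_000, beneficiary_iban="CH9300762011623852957", beneficiary_country="CH",
    callback_number_used="+41 21 000 00 02", approvers=["accountant", "head_of_finance"])

if __name__ == "__main__":
    for label, req in (("fraudulent", FRAUDULENT), ("legitimate", LEGITIMATE)):
        decision, findings = verify_transfer(req)
        print(f"{label}: {decision}", *("  - " + f for f in findings), sep="\n")
```

A callback to the number printed in the fraudster's own email would pass a naive "we phoned him back" check; here it is rejected because the number is compared with the directory entry for the person the message claims to be, which is the cross-check the advice above calls for.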
Tightening of insurance conditions

The increasing number of CEO fraud cases affects the fraud insurance market, which now faces a risk that is both frequent and severe. Yet the spirit of this type of cover is to protect against specific incidents, not against frequently committed ones. We are seeing a tightening of underwriting and of insurance terms.
 
Insurers have two options: 
 
  • This type of fraud will continue to be covered under the general terms and conditions but the potential policyholder must answer specific questions relating to social engineering. The insurer reserves the right to exclude certain guarantees or limit them by amendment if it finds that the procedures and controls are insufficient;
  • Losses due to a transfer instruction given by a person who has passed him- or herself off as another are excluded in the absence of authentication and cross-verification to protect the integrity of the communication and to authenticate the sender.


2015, or the explosion in Switzerland

While French-speaking Switzerland, and Geneva in particular, was hit hard by an acceleration of scams in the last quarter of 2015, the scourge has now spread to the whole of Switzerland.

Geneva

  • More than 100 complaints made to the financial police in 2015.
  • 30 cases of CEO fraud, for overall damages of 6 million francs.
  • 70 cases of agency fraud, for a total amount of 800,000 francs.

Agency fraud consists of informing a tenant of a fake change of managing agency and accounting department in order to unduly collect the rent.

Neuchâtel

Nearly 15 attempts in 2015 totalling several hundred thousand francs.

Vaud

Fifteen fraud cases reported between October and December 2015, four of which succeeded in scamming more than 500,000 francs.

Valais

Nearly 15 attempts recorded in 2015, though scammers were unsuccessful.

Freiburg

15 fraud attempts recorded in 2015, though none was successful.

Bern

Over ten scams in 2015 for an amount of 400,000 francs.

 

Precedents in France

In January 2012, the publisher Media-Participations suffered at least 30 telephone attacks. A caller posing as the group's president, Vincent Montagne, phoned the financial director of Dargaud Suisse, asking her to make an urgent transfer of 987,000 euros to an HSBC account in Hong Kong to finance an acquisition in Asia, and forbade her from discussing it with the head of the Swiss subsidiary. The financial director called her Parisian counterparts, as the transfer amount exceeded the authorised ceiling. The discovery that the caller was an impostor stopped the process. The next day, Vincent Montagne received a call from a man identifying himself as Commander Girard: "We know that you were attacked. Go ahead and transfer, it will allow us to catch the perpetrators red-handed." When Vincent Montagne checked with his police contacts, it emerged that this Commander Girard did not exist. Société Générale, the bank of Media-Participations, then received a call from a fake Vincent Montagne, claiming to be calling from the headquarters of the financial police and ordering the bank to make the credit transfer in order to catch the criminals. Again, the hoax was uncovered.
 
In October 2013, Fendi, a subsidiary of the LVMH luxury group, claimed nearly 930,000 euros in damages after being tricked into transferring the rent for its boutique on Avenue Montaigne in Paris to an account in Slovakia.
 
In July 2015, the CEO of the French small business BRM Mobilier, active in the development of libraries and media centres, was impersonated. After multiple emails and phone calls, the impostor convinced an employee to make payments to an account in Asia, claiming they were for a major financial transaction that the company needed. In early September the CEO discovered that more than 1.6 million euros had been stolen. As a direct consequence, the company found itself on the brink of bankruptcy.
 
On 30 October 2014, the CIC bank was held liable by the Paris Commercial Court and ordered to repay the fraudulent transfer of 100,000 euros made in the case of Etna Industries, a small business in the Paris area. The bank was found to have breached its duty of care and to have acted carelessly. The CIC has appealed the decision. In this case, the head of Etna's accounting department received an email purporting to come from the head of the group, asking him to transfer 500,000 euros for the confidential acquisition of a company in Cyprus, followed by calls every thirty minutes to inquire about the progress of the operation. The accountant asked four banks to make such transfers. Three of the four banks refused, and their confirmation calls to authorised signatories alerted Etna's management, but it was too late: the CIC bank had already proceeded with the transfer without prior verification.
 
Sophie Di Meglio
Special Risks Director - Swiss Risk & Care
Article published in March 2016