CEO fraud: The new form of defrauding commercial enterprises

15 March 2017

CEO fraud is a method of fraud already known in the USA that is increasingly spreading in Germany. Both the Federal Criminal Police Office and the Federal State Criminal Police Office Baden-Württemberg have issued first warnings. In this new type of transfer fraud, employees in accounting or payment transaction departments receive manipulated e-mails in which their supposed supervisors instruct them to transfer large amounts of money into foreign bank accounts.

What does “fraud” mean?

The term fraud is an Anglo-Saxon term and cannot be directly translated into German. Rather, it is understood as a collection of various types of economic crime such as tricking, swindling or deception. Nowadays, however, the term is increasingly used as a synonym for, among other things, the aforementioned types of economic crime. In German-speaking countries, the term “dolose Handlung” (malicious act) comes close to the word fraud. It is understood as an intentional act, toleration or omission that causes harm to the company or third parties (see Quentmeir, 2012, Praxishandbuch Compliance, page 64).

The range of economic criminal acts that fall under the term fraud seems inexhaustible. The economic and technological developments of recent years have taken fraud to new levels. Some examples that fall under the term fraud are listed in the following diagram:

To illustrate why economic criminal acts occur, the so-called “fraud triangle” according to Dr. Donald R. Cressey provides a helpful first approach.

What is CEO fraud?

The Federal Criminal Police Office as well as the federal state criminal police offices have already repeatedly warned about this new method of fraud. In this case, fraudsters “spy” on companies they want to attack and represent themselves as managing directors, members of upper management or partners, with the aim of having larger amounts of money transferred into an account, mainly abroad.

  1. Social Engineering

    At first, the fraudsters gather extensive information about the company they want to defraud. For their research, they use information published in economic reports and the commercial register, as well as the company’s website. Social networks and recruiting platforms also offer fraudsters opportunities to gain “insider knowledge”, e.g. about the functions, responsibilities and other personal details of the company’s employees.

  2. Fraud approach

    With this information or the acquired insider knowledge, the fraudsters usually contact employees through manipulated e-mails, pretending to be the managing director, a senior executive or even a trade partner. To lend more credence to these e-mails, they often phone the employees beforehand and refer to the impending e-mails in these conversations. The structure and layout of the e-mails correspond to those of genuine corporate e-mails. Only minor deviations exist, such as slightly changed e-mail addresses and obscured telephone numbers, which are easy to overlook.

    In these e-mails, the fraudsters instruct the employees, mainly from the accounting or payment transaction departments, to transfer a large amount of money into foreign accounts under a fictional pretext. These accounts are often based in Asia or Eastern Europe and were set up under a false name. As soon as the payments are received in these accounts, they are cleared out and closed.
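The "slightly changed e-mail addresses" described above can be checked mechanically during mail triage. The following sketch is an added example and not part of the original article; the corporate domain, the executive names and the sample headers are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"      # assumption: your own mail domain
EXECUTIVES = {"jane doe", "john smith"}    # assumption: names worth impersonating


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Fold accents and common look-alike sequences into one canonical form."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d


def classify_sender(from_header: str) -> list[str]:
    """Return the findings for one From: header; an empty list means no finding."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == CORPORATE_DOMAIN:
        return []
    findings = []
    if skeleton(domain) == skeleton(CORPORATE_DOMAIN):
        findings.append("lookalike-domain:confusable")
    elif edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        findings.append("lookalike-domain:near-match")
    # A known executive's display name on a non-corporate address is a finding
    # on its own, even when the domain looks nothing like the company's.
    if name.strip().lower() in EXECUTIVES:
        findings.append("executive-name-external-sender")
    return findings


if __name__ == "__main__":
    for header in ('"Jane Doe" <jane.doe@examp1e-corp.com>',   # constructed samples
                   '"John Smith" <j.smith@freemail.example>',
                   "Accounts <ap@example-corp.com>"):
        print(header, "->", classify_sender(header))
```

A header that carries the exact corporate domain passes this check, so it complements, rather than replaces, sender authentication results (SPF, DKIM, DMARC) and a call-back to the supposed sender.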

Prevention of CEO fraud

How do you protect yourself from such a scam?
You, your employees and your colleagues should pay close attention to e-mails which instruct payments of at least 5-digit amounts and scrutinize them. Do not hesitate to contact the sender of the e-mail, even if this is a member of the board or a managing director. Another possibility is the regular review of publicly accessible information about the company, including employees’ personal posts about the company in social networks. The introduction of internal control mechanisms such as the 4-eyes principle or limits for transfers can also protect you from CEO fraud.

There are a few other prevention and security measures. You are welcome to contact us about this. We will assist you in the implementation of fraud prevention and fraud detection measures.

Do you have questions about other compliance topics?

Q_PERIOR offers consultancy and support across all industries on topics such as securities compliance, economic sanctions, anti-money laundering (AML), outsourcing, data protection, fraud, internal control systems, legal compliance and governance, risk & compliance applications.
