The Charity Commission has published an alert for charities warning them about an increase in people impersonating senior figures to make fraudulent requests for money.
CEO fraud involves the impersonation of this senior figure, usually the chief executive, who then makes subsequent requests for the transfers of funds. Action Fraud, the UK’s national fraud reporting centre, has reported an increase in this type of fraud.
The Charity Commission said that most recent reports of this type of fraud has involved targeting of schools where fraudsters have falsely claimed to be the head teacher or principal.
The regulator has advised charities to look out for requests to their finance department or staff with authority to transfer funds, usually from a “spoofed or similar email address to that of the subject being impersonated”.
It said that there have been some reported instances where fraudsters have called up to make themselves appear legitimate. In addition, a second fraudster may be introduced who poses as a lawyer or regulator. The caller may claim to be based in another country.
It said: “With a strong social engineering element, the fraudster often requests that they, as the CEO, are not contacted further by the financial officer as they are busy.
“Alternatively the fraudster may pick occasions when the real CEO is on holiday, preventing the financial officer from checking the validity of the request.”
Protection and prevention advice
The regulator has called on charities to review their internal procedures regarding how transactions are requested and approved, especially those in relation to verifying validity.
It said that that they should check email addresses and telephone numbers when transactions are requested, and if in doubt request clarification from an alternatively sourced email address/phone number If an email is unexpected or unusual, then don’t click on the links or open the attachments.
The Commission said that charities should not be afraid to question details when being tasked to transfer money at short notice.
It advised that sensitive information posted publicly, or disposed of incorrectly, can be used by fraudsters to perpetrate fraud. “The more information they have about you, the more convincingly they can purport to be one of your legitimate suppliers or employees. Always shred confidential documents before throwing them away,” it said.