Mandate & CEO Fraud

Remote Working: the rise in Mandate & CEO Fraud

Most organisations are quite rightly operating a remote working strategy to help combat the spread of the coronavirus; however, during this time, please be aware of and consider the risks of fraud too.

Fraudsters see no boundaries and do not discriminate. They are highly motivated, usually by financial gain. Inconceivable as it may seem, they rationalise their decisions while the world is in lockdown, because they see an opportunity. Where there is an opportunity, there is also vulnerability for cyber criminals and fraudsters to exploit.

Your organisation’s workforce is now separated and working from home, with technology the only means of keeping us all connected. What was once a simple verbal instruction is now given by email or instant messaging. Consider these instructions from a financial perspective: a CEO instructing the Finance Director to make a payment to a new supplier, or an employee requesting a change to the bank account for their monthly salary payment. In our normal daily routines, these transactions and verbal discussions were much easier.

Yet, now that we are all working remotely, fraudsters will take advantage and we will no doubt see a rise in Mandate & CEO Fraud attempts.

CEO Fraud

CEO impersonation fraud will typically start with an email being sent from a fraudster to a member of staff in an organisation’s finance department.

The fraudster, purporting to be a company director, senior management or CEO, will tell the member of staff that they need to transfer money to a certain bank account on the same day, often providing a seemingly satisfactory explanation for the urgency.

The member of staff will do as instructed, only to find out much later that they have instead sent money to a fraudster’s bank account.

Fraudsters achieve the impersonation by using an email address that is very similar to, and almost indistinguishable from, the genuine one, often changing one character in the email address or domain name so that it appears like the original.

  • Original: smith@abccorp.com
  • Fraud: smith@abcorp.com
  • Fraud: smith@abc-corp.com
  • Fraud: smith@abccorp.co.uk


Fraudsters may also spoof the sender’s actual address, or hack into the CEO or manager’s work or even personal email account.

This type of CEO fraud is known as “whaling” and is a form of “phishing” attack, so called because it targets a much bigger fish rather than a number of smaller fish.

Mandate Fraud

The most common form of Mandate Fraud occurs when the accounts/finance department are contacted by the fraudster, usually by letter (with forged letterhead) pretending to be from one of your suppliers.

The letter or email (using the email method above) advises that the supplier has changed its bank and asks you to amend the direct debit to reflect this. As a result, the bank mandate is amended to the account that was provided.

The next month you are contacted by your genuine supplier asking what has happened with the monthly payment; only for you to realise that this was a fraud.

In both forms, the fraudster will normally redistribute this money into other mule accounts and then close down the bank account to make it untraceable.

How can organisations protect themselves?

  • Awareness is key. Ensure all colleagues, not just finance teams, know about these frauds.
  • Properly verify any contact from your CEO or senior members of staff to check that the instruction received is legitimate. Don’t do this by replying to the email, as their account may have been compromised.
  • Notify your bank immediately if you see any unusual activity on your account or suspect fraud has occurred.
  • Always review financial transactions to check for inconsistencies/errors, such as misspelt names.
  • Ensure remote laptop/device systems are secure and updated.
  • Regularly update all antivirus software platforms.
  • Some organisations will have multiple domain names; it is vital that the finance team has a list of legitimate domain names to cross-reference against.
  • Verify all invoices, as well as requests to change bank account details.
  • To check that a request is legitimate, contact the supplier directly using established contact details you have on file, preferably by phone. Again, don’t just reply via email as the account may be compromised.
  • Access to sensitive financial information should be carefully controlled. Dispose of confidential documents by shredding them.
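
The domain cross-reference recommended above, applied to the lookalike addresses shown in the CEO Fraud section, as an added example that is not part of the original article. The allowlist, the suffix list, the similarity threshold and all function names are assumptions chosen for illustration.

```python
# Added example: classify a sender's domain against the finance team's list of
# legitimate domains. Names, threshold and sample addresses are constructed.
import difflib

LEGITIMATE_DOMAINS = {"abccorp.com"}                   # assumed allowlist
MULTI_LABEL_SUFFIXES = ("co.uk", "org.uk", "com.au")   # illustrative, not exhaustive

def split_domain(domain):
    """Return (name, suffix), e.g. 'abccorp.co.uk' -> ('abccorp', 'co.uk')."""
    for suffix in MULTI_LABEL_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    name, _, suffix = domain.rpartition(".")
    return name, suffix

def normalise(name):
    """Strip hyphens so 'abc-corp' compares equal to 'abccorp'."""
    return name.replace("-", "")

def classify_sender(address, threshold=0.85):
    """Return ('legitimate' | 'lookalike' | 'unknown', matched domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate", domain
    name, _ = split_domain(domain)
    for good in LEGITIMATE_DOMAINS:
        good_name, _ = split_domain(good)
        # Same name on another suffix, or identical once hyphens are removed.
        if normalise(name) == normalise(good_name):
            return "lookalike", good
        # A character added, dropped or swapped leaves the names highly similar.
        ratio = difflib.SequenceMatcher(
            None, normalise(name), normalise(good_name)).ratio()
        if ratio >= threshold:
            return "lookalike", good
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample senders, taken from the article's own illustration.
    for sender in ("smith@abccorp.com", "smith@abcorp.com",
                   "smith@abc-corp.com", "smith@abccorp.co.uk",
                   "billing@example.org"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" result is a prompt to verify the request by phone using contact details already on file; an "unknown" result only means the domain resembles nothing on the list.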

For further information, visit www.tenintel.com/investigations, where you can find out how we support clients with fraud investigation and digital forensics support.
