General tips to avoid fraud

  • Be aware of the types of scams that target businesses and train your staff to recognise them.
  • Ensure clear processes, checks and responsibilities for approving invoices and payments.
  • Always verify the authenticity of messages and contacts. Don’t let urgency or pressure influence your decisions.
  • Never log in with your online banking credentials via unexpected links you received by email or text message. Confirm the legitimacy of any message with your bank before acting on it.
  • Keep your online banking credentials to yourself.

What to do if you think you have been scammed

  • Immediately block your online banking credentials and company cards
  • Report the scam to your bank
  • Notify your organisation’s IT department
  • File a police report if needed
  • Communicate and provide internal training on fraud awareness

Fraud targeting businesses

Businesses face a wide range of scams that are constantly evolving. The most effective protection against scams is to follow processes and stay alert. Learn about the different types of fraud and how to spot the most common scams targeting businesses.

CEO fraud

CEO fraud is a type of scam where a criminal pretends to be a company’s CEO or some other executive. Under this false identity, the criminal contacts an employee of the company and asks them to urgently complete a credit transfer or some other payment transaction. Typically, these instructions are sent to someone authorised to make payments, but fraudsters may also target other employees who then pass the instructions along.

The contact usually comes via email, text message or a messaging app, and the request is often framed as urgent and confidential. Fraudsters sometimes exploit periods when key decision-makers are away, such as holiday seasons. 

Criminals are increasingly using AI and deepfake technology to make these scams more convincing. To protect your business, ensure employees have high security awareness and clear procedures for handling suspicious requests.

Tips to avoid CEO fraud:

  • If you receive payment instructions by email, don’t follow them without verification. Confirm through another channel, such as a phone call, that the request is genuine. 
  • If in doubt, consult a colleague.
  • Provide regular staff training on recognising risks and adopting secure ways of working.
  • Establish clear internal procedures for handling payment requests and invoices received by email.
  • Always contact your bank if you have received payment instructions from a scammer or if you suspect you have been scammed. Report attempted scams to the National Cyber Security Centre.

Fake invoices and invoice fraud

Fake invoices are sent by scammers requesting payment for a product or service that the targeted person or company has not ordered or that has not been delivered. Fake invoices are often sent by email. Someone posing as a seller may also call and demand money over the phone, claiming that the company has concluded an agreement with them.

If criminals gain access to an e-invoicing service, a fake invoice can even arrive as an e-invoice. Always be cautious with unexpected or unusual invoices and verify their authenticity before making any payment.

Tips for dealing with fake invoices:

  • Check every invoice carefully. Confirm whether your company has actually purchased the product or service.
  • Search the internet for information on the sender of any unexpected invoice. You may find reports and experiences from others about fraudulent invoices.
  • Inspect the sender’s email address closely when an invoice arrives by email.
  • Make sure your company has clear invoicing procedures and instructions for paying invoices and train your employees to follow them.
  • Report attempted scams to your bank and the National Cyber Security Centre.

Business Email Compromise

Fraudsters can infiltrate a company’s email system by stealing employee log-in credentials through phishing. Once they gain access, they monitor email communications and exploit business transactions and invoicing processes to carry out fraud. 

If invoices are sent via email, attackers can intercept them, obtain invoice templates and send altered invoices to business partners. The bank account details on the invoice are changed so that the payments will go to an account controlled by the fraudsters. Because these altered invoices and emails come from a legitimate, compromised address, the payer may trust the details without questioning them.  

Tips to avoid business email compromise scams:

  • Verify account details for familiar payees. Check if the bank account number matches previous invoices.
  • Confirm any changes to payment details through a separate channel. For example, if notified by email, verify by phone.
  • If you suspect unauthorised access to your organisation’s systems, contact your IT support immediately. 
  • Report attempted scams to your bank and the National Cyber Security Centre.
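The first two tips above can be enforced in an accounts-payable workflow before any payment is released. The following is an added example, not code from this page or from the bank: the payee register, payee IDs and decision labels are hypothetical, and the IBANs are widely published sample values used as constructed test data.

```python
import re

# Constructed payee register: account numbers already confirmed for each payee
# (for example, taken from previously paid and verified invoices).
KNOWN_PAYEES = {
    "V-1001": {"name": "Example Supplies Oy", "ibans": {"FI2112345600000785"}},
}

def normalize_iban(raw: str) -> str:
    """Remove spaces and upper-case so formatting differences do not matter."""
    return re.sub(r"\s+", "", raw).upper()

def iban_is_valid(raw: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map
    letters to numbers (A=10 ... Z=35), and require the result mod 97 == 1."""
    iban = normalize_iban(raw)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

def review_invoice(payee_id: str, invoice_iban: str) -> str:
    """Decide whether an invoice can follow the normal approval flow.

    A structurally valid IBAN that differs from the payee's confirmed
    accounts is the pattern described above (altered account details sent
    from a genuine mailbox), so it is held until confirmed by phone.
    """
    if not iban_is_valid(invoice_iban):
        return "REJECT_INVALID_IBAN"
    payee = KNOWN_PAYEES.get(payee_id)
    if payee is None:
        return "HOLD_UNKNOWN_PAYEE"
    if normalize_iban(invoice_iban) in payee["ibans"]:
        return "OK_MATCHES_HISTORY"
    return "HOLD_VERIFY_BY_PHONE"

if __name__ == "__main__":
    # Constructed invoices: unchanged account, changed account, mistyped account.
    for iban in ("FI21 1234 5600 0007 85", "DE89370400440532013000",
                 "FI2112345600000786"):
        print(iban, "->", review_invoice("V-1001", iban))
```

A new account should be added to the register only after it has been confirmed through the separate channel, never on the basis of the email that announced the change.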

Phishing targeting businesses

Criminals use emails, text messages and phone calls to steal online banking credentials or company log-in details. With these credentials, they can access online banking or financial management systems. 

Phishing messages often appear to come from trusted sources such as banks, authorities or business partners. These scams rely heavily on manipulation – criminals create a sense of urgency to make you act the way they want. The goal is to get the recipient to click a link, open an attachment or disclose sensitive information that can then be misused.

Tips to avoid phishing:

  • Never share your online banking credentials over the phone. Remember that representatives of the police, your bank or the authorities will never ask you for your online banking credentials.
  • Never log in with your online banking credentials via unexpected links you received by email or text message. Confirm the legitimacy of any message with your bank before acting on it.
  • Avoid clicking links or opening attachments if the message seems suspicious or creates a sense of urgency.
  • Treat unexpected payment requests with caution – even if they appear to come from a familiar source. Always confirm the legitimacy of a request and its content before acting on it.
  • Provide staff training on recognising signs of phishing and acting safely in different situations.