Many organizations in Europe and North America have fallen victim in recent years to the scam commonly known as the "Fake President" fraud (also called CEO fraud or business e-mail compromise). Its perpetrators have pocketed hundreds of millions of dollars from organizations of all kinds over the past five years. As an example closer to home, the Coop Fédérée was scammed out of $5.5M in August 2014 through this ploy.
Information gathering process
Fraudsters use false pretenses to contact various people at the targeted organization, most often by phone, and ask each of them for a small piece of information. The pieces are then combined into a complete profile that lets them orchestrate their attack:
"I have to send a communication to the CEO, President or CFO (a person with the authority to authorize money transfers). Could I have his or her name, phone number and email address, please?"
"I'm calling on behalf of such and such conference organizer (one likely to be of interest to the CEO, President or CFO of the targeted organization) and I would like to confirm his or her attendance on such and such date."
"I'm calling from such and such travel agency and I would like to confirm the departure and return dates of the CEO, President or CFO's vacation."
"I'm calling from the Bank and I would like to confirm the name and position of the person or persons authorized to initiate electronic wire transfers in your organization."
"Who should I contact to obtain payment of my invoice? And if that person is absent, who else?"
Combined, this information gives the scammers the name of the senior executive with authority to initiate wire transfers at the targeted organization, his or her e-mail address, when he or she will be out of the office, and who is in charge during that absence.
Another way for scammers to gather the required information is to send phishing emails that appear to come from known institutions. These emails contain hyperlinks (visible, or disguised behind other text) designed to collect the recipients' personal information, such as their office log-in credentials, or to install malicious software on their workstations in order to record keystrokes or break into the targeted organization's computer network.
Once one of the recipients "takes the bait", clicks on the fraudulent link and provides the requested information, the scammers have enough information and tools in hand to go forward with their scheme, or to break into the targeted organization's network and collect all kinds of confidential information that allows them to perpetrate various frauds at its expense: theft of funds, theft of trade secrets or intellectual property, etc.
Regardless of the method used to obtain the relevant information, the ultimate goal of this fraud scheme is to appropriate funds of the targeted organization.
The usual ploy is to determine when the person responsible for authorizing transfers of funds is out of the office, to identify the assistant who may authorize transfers in his or her absence, and then to put that assistant under pressure.
The most frequent approach is to send the assistant an email that appears to come from his or her absent superior, built around a plausible scenario that encourages the assistant to wire money internationally to an account controlled by the fraudsters. The most common scenario is that the superior is actively working on an ultra-confidential matter, such as the acquisition of a company, and that funds must be transferred immediately so as not to lose a great opportunity that will no longer be available in short order.
Naturally, the fraudsters insist that everything must remain ultra-confidential and that the assistant must act urgently. The email typically names a fictitious lawyer and announces that he or she will call the assistant within minutes with the information needed to transfer the funds. A call from a spoofed number follows shortly thereafter, the wire instructions are dictated, and the assistant, all too often, follows them blindly and transfers the funds electronically. As soon as the wired funds reach the destination account, they are moved on to other financial institutions around the world and, too often, disappear forever.
How to counter this fraud scheme: simple common sense...
Employees must be instructed to treat phone calls from unknown people asking for information about company personnel with a healthy dose of skepticism, since that information can later be used against the organization. As a general rule, it is prudent to instruct employees not to provide the information requested, but rather to ask for the caller's name and telephone number and to say that someone will call back shortly. Before returning the call, the number should be checked against the caller's organization's published directory rather than taken on faith. Generally, scammers simply hang up and move on to another target, while those who call for legitimate reasons have no objection to providing a call-back number.
Furthermore, employees with any kind of authority to transfer funds should be instructed never to do so on the sole basis of an email from a superior (or, as in these cases, one that merely appears to come from a superior). They should call the superior, using a telephone number they already have on file rather than one supplied in the email or by the "lawyer" who calls, and actually talk to him or her to confirm the request before acting on it. Requiring a second approval, from someone other than the person who received the email, for any transfer above a set amount is a worthwhile additional safeguard.
Employees must also be informed that any email that appears to come from an organization or institution with which neither they nor your organization does business, and that asks them to confirm or update confidential information, is almost certainly a phishing email. They must be instructed not to click on any link in it, to forward it to the IT department and to delete it afterwards.
It is also prudent to instruct employees to avoid clicking on any hyperlink in any email received unless they are absolutely certain that the email comes from a legitimate source. The simple gesture of hovering the mouse pointer over the sender's name, without clicking, reveals the actual email address behind it; hovering over a link likewise reveals its real destination. Often the address or domain so revealed does not correspond to the real domain name of the organization or institution the email purports to come from. The display name alone proves nothing, since the sender chooses it freely; it is the domain after the "@" that matters, and a lookalike domain (an extra word, a swapped letter) should be treated as a mismatch.
If employees receive an unsolicited email that appears to come from an organization or institution with which they or your organization actually do business, and are tempted to know more, instruct them not to click on any hyperlink it contains but instead to type the organization's website address directly into the address bar of their web browser. This avoids being redirected to a spoofed website whose only goal is to steal their username and password. As a general rule, legitimate institutions and organizations do not ask their users to confirm confidential information by email.
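The two "hover" checks described above (the real address behind the displayed sender, the real destination behind a link's text) can be automated for an analyst reviewing a reported email. The following is an added example, not code from the original article or from the firm; it uses only the Python standard library. The trusted domain list, the two sample messages and the crude two-label domain reduction are assumptions constructed for illustration. It also checks the Reply-To header, since a fake-president email often shows the executive's own address in From while routing replies to the fraudster's domain.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: domains the organisation owns or deals with.
TRUSTED_DOMAINS = {"example-corp.com", "bank.example"}

def registrable_domain(host):
    # Last two labels (mail.bank.example -> bank.example); a crude stand-in for
    # a public-suffix lookup so the example runs offline.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def domain_of_address(addr):
    return registrable_domain(addr.rpartition("@")[2])

def check_sender(from_header):
    # "Hover over the sender": display name is what the client shows,
    # the angle-bracket address is what hovering reveals.
    display, real_addr = parseaddr(from_header)
    real_domain = domain_of_address(real_addr)
    findings = []
    if real_domain not in TRUSTED_DOMAINS:
        findings.append("sender domain %r is not trusted" % real_domain)
    if "@" in display:  # display name written to look like an address
        shown_domain = domain_of_address(display)
        if shown_domain != real_domain:
            findings.append("display name claims %r but address is %r"
                            % (shown_domain, real_domain))
    return findings

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body):
    # "Hover over the link": the domain named in the visible text must match
    # the domain the href really points to.
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue
        target_domain = registrable_domain(target.hostname or "")
        shown = urlparse(text if "://" in text else "http://" + text)
        if shown.hostname and "." in shown.hostname:  # text looks like a URL
            shown_domain = registrable_domain(shown.hostname)
            if shown_domain != target_domain:
                findings.append("link text shows %r but points to %r"
                                % (shown_domain, target_domain))
        if target_domain not in TRUSTED_DOMAINS:
            findings.append("link to untrusted domain %r" % target_domain)
    return findings

def check_message(raw_message):
    msg = message_from_string(raw_message)
    findings = check_sender(msg.get("From", ""))
    # Reply-To on another domain: the boss is displayed, the fraudster gets replies.
    from_domain = domain_of_address(parseaddr(msg.get("From", ""))[1])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of_address(reply_addr) != from_domain:
        findings.append("Reply-To goes to %r, not to %r"
                        % (domain_of_address(reply_addr), from_domain))
    if msg.get_content_type() == "text/html":
        findings += check_links(msg.get_payload())
    return findings

# Constructed lure: display name imitates the bank, link text hides the real host.
PHISHING_SAMPLE = """\
From: "alerts@bank.example" <alerts@bank-example-login.net>
Content-Type: text/html

<p>Click <a href="http://bank-example-login.net/verify">https://www.bank.example/verify</a></p>
"""

# Constructed fake-president mail: From looks right, Reply-To does not.
CEO_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-corp.com>
Reply-To: jane.doe@example-corp-ceo.com

A lawyer will call you shortly with wire instructions. Tell no one.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, CEO_SAMPLE):
        print(check_message(sample))
```

Run as a script, the phishing sample produces four findings (untrusted sender domain, display name claiming the bank's domain, link text naming the bank, link to an untrusted domain) and the fake-president sample one (Reply-To on a lookalike domain). The two-label domain reduction will misjudge hosts under multi-label public suffixes such as co.uk; a production version would consult the public suffix list.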
What to do if an employee has taken the bait
Time is of the essence. Call your bank as soon as possible so that it can attempt to cancel or reverse the wire transfer(s); there is very little time to act. As a general rule, fraudsters move the money to multiple international destinations immediately upon receiving it, and once it has been scattered across several jurisdictions it becomes very difficult to recover. Preserve the fraudulent email, including its full headers, and any wire instructions received, since the bank and investigators will need them. It is also prudent to block access to your network until you are reasonably certain that it has not been compromised.
At Lepage Marcil Davil Forensic Accountants Inc., we can assist you in running simulations and providing training to your employees in order to avoid these fraud schemes. We can also provide advice and put a team of experts together to attempt to limit your damages.
Luc Marcil, LL.L. CPA, CA, CA•IFA, CFF