CEO email fraud costing billions to businesses

What should you do if an employee unwittingly authorises the transfer of company funds to a scammer’s account?

If your CEO sends you an email request to transfer a few million dollars from the company coffers into an offshore account, then your business might be the target of a sophisticated email scam.
 
This form of “business email crime”, where hackers impersonate the email account of a company’s head honcho and send requests for staff to transfer company funds offshore has cost companies over US$2 billion in the past two years, according to the US Federal Bureau of Investigation.
 
Also known as “CEO fraud”, the FBI says that while the average loss is around $120,000, some companies have been duped into wiring up to $90 million into offshore accounts.
 
But if your employee unwittingly authorises the transfer of your precious company funds to the scammer’s accounts, employers may find themselves without a legal footing to discipline that staff member, says employer lawyer Ben Burke.
 
“Whether an employer could discipline an employee who authorises a payment or transfer of company funds in reliance on a bogus request or instruction would depend on whether the employee complied with the company’s policies, procedures and processes for payments and transfers of company funds,” Burke says.
 
If an employee acted in good faith and complied with relevant company policies, procedures and instructions, it is unlikely the company could take action against the employee, says Burke, partner at Baker & McKenzie.
 
“Employers must implement clear and comprehensive policies, procedures and processes for authorising payments and transferring company funds,” Burke told HC Online.
 
“These policies, procedures and processes should include appropriate checks and authorisations which ensure any request for payment of money or transfer of company funds is genuine and complies with relevant legal requirements,” he says.
 
He says Australian employers should beef up their policies and procedures or risk falling victim to these scams.
 
Employers need to critically assess the risks they are exposed to and develop appropriate policies, procedures and processes, including cyber security policies and protections, to effectively manage these risks,” Burke says.