Counter Fraud Newsletter

The NHS Counter Fraud Authority (NHSCFA) is aware of numerous recent instances of CEO fraud across various NHS entities, with one culminating in an illicit gain of approximately £30,000.

Anatomy of the Fraud

The finance team receive correspondence purportedly from the organisation’s DOF, urgently requesting a substantial remittance to a designated bank account via the faster payment system. In some recent cases, including the successful £30,000 theft, the DOF had been absent from work or on annual leave, suggesting heightened vulnerability during such periods. The fraudulent communication employed name spoofing, using the DOF’s legitimate name but an unaffiliated email address visibly unconnected to the NHS domain. The primary request was directed to the finance team’s generic mailbox, with some instances also directly addressing specific team members by name. Inadvertent information divulged through out-of-office automated replies or social media may have enabled the perpetrator to obtain finance staff identities. Social engineering tactics were then deployed to cultivate rapport and coerce payment.

The initial email omitted the purported invoice, prompting a follow-up with the attachment. This tactic could circumvent domain security measures while eliciting further staff engagement and data. The invoice itself exhibited numerous red flags. The fraudster persistently pursued payment through multiple email reminders.

Prevention Guidance

To safeguard against such fraud and bolster organisational defences, the following controls merit consideration: Ensure generic finance mailbox automated replies do not disclose staff contact details exploitable for social engineering attacks. Be wary of emails appearing to originate from genuine contacts like suppliers or internal executives. Finance personnel should remain vigilant for red flags like:

• Subtle email/domain discrepancies
• Poor grammar/language use
• Urgency emphasised
• Unusual salutations/signatures
• References to unfamiliar individuals
• Subject irrelevant to operations
• Missing expense coding
• Persistent follow-ups

The following actions should be considered to help prevent such emails from being received:

• Implement monitoring systems for system alert messages highlighting potential fraudulent traits within emails.
• Implement relevant Standard Operating Procedures and mandated training addressing ad-hoc and expedited payment requests.
• Regularly review and clear junk mail folders of non-essential items.
• Foster cross-departmental collaboration between counter fraud, finance, and IT security to ensure teams are alerted when executives like the CEO/DOF are on leave.
• Scrutinise invoices rigorously, conducting supplier due diligence against existing records. This could include:
  • Sparse details in descriptions
  • Missing purchase order numbers
  • No expense coding
  • Absence of company logos
  • Company name discrepancies
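The email red flags listed above (an executive's name paired with an address outside the organisation's domain, urgency language, an invoice that is referenced but not attached) are the sort of traits the monitoring action in the list above is meant to alert on. The script below is an added illustration of such a check and is not code from the NHSCFA, Scrutton Bland or any NHS organisation; the organisation domain, the executive roster and the two sample messages are constructed for the example, and a real deployment would read the roster and domain list from the organisation's own directory.

```python
"""Flag CEO-fraud traits in inbound finance mailbox traffic.

Added example (not from the newsletter). Domains, names and messages
below are constructed placeholders.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's legitimate sending domains.
ORG_DOMAINS = {"example-nhs-trust.nhs.uk"}

# Assumption: executives whose names are commonly impersonated,
# keyed by lower-cased display name.
EXECUTIVES = {"jane smith": "Director of Finance"}

# Wording the newsletter identifies as a red flag (urgency, faster payment).
URGENCY_TERMS = ("urgent", "immediately", "asap", "faster payment")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return a list of red-flag descriptions found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(from_addr)
    name_key = " ".join(display_name.split()).lower()

    # Name spoofing: known executive name on an address outside our domains.
    if name_key in EXECUTIVES and sender_domain not in ORG_DOMAINS:
        flags.append("executive display name from external domain")

    # Look-alike domain: our organisation label embedded in a foreign domain.
    org_labels = {d.split(".")[0] for d in ORG_DOMAINS}
    if sender_domain not in ORG_DOMAINS and any(lbl in sender_domain for lbl in org_labels):
        flags.append("look-alike sender domain")

    # Reply-To pointing somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != sender_domain:
        flags.append("reply-to domain differs from sender domain")

    # Collect plain-text body and note whether anything is attached.
    body = ""
    has_attachment = False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode("utf-8", errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()

    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency language")

    # Invoice mentioned but not supplied: the "attachment to follow" pattern.
    if "invoice" in text and not has_attachment:
        flags.append("invoice referenced but no attachment")

    return flags


# Constructed sample: spoofed DOF name, external mailbox, urgent faster payment.
SAMPLE_FRAUD = (
    "From: Jane Smith <jane.smith@webmail-provider.example>\n"
    "To: finance@example-nhs-trust.nhs.uk\n"
    "Subject: Urgent payment required\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Hi, I am out of the office. Please arrange an urgent faster payment of\n"
    "30,000 to the account below. Invoice to follow.\n"
)

# Constructed sample: genuine internal request with no fraud traits.
SAMPLE_LEGIT = (
    "From: Jane Smith <jane.smith@example-nhs-trust.nhs.uk>\n"
    "To: finance@example-nhs-trust.nhs.uk\n"
    "Subject: Q2 budget figures\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please send me the Q2 figures when you have a moment.\n"
)

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample))
```

Any message that returns one or more flags would be routed to a reviewer rather than blocked outright, since urgency wording alone also occurs in legitimate traffic; the executive-name-on-external-domain flag is the one that most directly matches the cases described above and is the natural candidate for an immediate alert to both finance and counter fraud.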

Through awareness, vigilance and robust preventative measures, NHS organisations can fortify their defences against the pernicious threat of CEO impersonation fraud.

COUNTER FRAUD | SCRUTTON BLAND | 7
