The increasing risk of Singapore CEO identity theft
By Peter Jackson
It's early morning on a Thursday when the secretary of the CEO of a well-respected Singapore-based company gets a phone call from her boss. He's at the airport, on his way to speak at a high-profile conference in Hong Kong. The CEO tells his secretary something urgent has come up -- an important invoice needs to be paid without delay, there might even be legal implications if this isn't done ASAP. He was meaning to get to it last night, but he was at his daughter's school play. She was a unicorn, and was the star of the show. The CEO provides instructions and the account name and number. He expects this to be taken care of by close of business.
The secretary dutifully gets onto the job. She calls the guys from finance and explains the situation. This has to take priority, or there will be consequences. The invoice is paid straight away. Okay, it was a little unusual, and bypassed a few company protocols but the right result was achieved. Problem solved, the supplier is happy, the CEO is happy, and the lawyers don't need to be called.
Except there was no supplier. And it wasn't the CEO who called. It sounded like the CEO, his English accent was perfect, the school play and all the details were correct...but it wasn't him and the company has just lost a significant sum of money.
So is this one of the more unusual risks for businesses in Singapore? You might be surprised, and your organisation might be exposed to a far greater level of risk than fire or natural disasters...both of which you are probably much more prepared for in your BCP. Most people assume, not without good cause, that employee theft is a much greater threat, but there is growing anecdotal evidence that CEO and C-suite identity theft is on the increase -- not only in Singapore, but internationally.
Why this works
First and foremost, these fraudsters are very, very good. They should not be underestimated. They use a relatively simple plan relying on timing and using the authority of key people.
They target certain business segments which are culturally prone to this risk -- the more hierarchical, the better. These are organisations where orders and requests from owners, executives, and senior managers are often not questioned by staff -- and in Singapore this is not an unheard-of scenario.
A culture of complacence makes the business actually do the hard work for the fraudsters. These are also businesses where key people are required to have a high public profile.
An embarrassed code of silence
This is happening in Singapore. However, one of the problems of quantifying just how often this occurs and how much money is stolen is that this is a crime which goes unreported. After all, this is embarrassing -- especially because it involves the leaders of the business. Is the CEO going to want to front up to the board, shareholders, and possibly the media to discuss how his identity was stolen? Unlikely.
Again, anecdotally, businesses are more likely to pass this off as a 'cost of doing business' rather than taking action or making announcements about these incidents. Regrettably this further encourages the fraudsters, as their risk is substantially reduced in what is effectively a conspiracy of silence between the criminal and the victim.
How you stop CEO identity theft
Most of the information required to steal a senior executive's identity can be found online. A CEO's Facebook account is a gold mine of information -- as are the accounts of his wife, mother, children, close staff...the list goes on. Speeches he has made (which the business might post on YouTube) and interviews with the media can also give away accents, mannerisms, and favorite phrases. Often a CEO's movements can be worked out from events he is to attend -- in the above case a conference.
With this information those committing the fraud can be 100% believable.
There are a number of simple ways this sort of risk can be minimised:
1. Make the information needed to commit the theft of an identity as hard to get as possible. Lock down personal social media accounts using the security settings provided by most platforms.
2. Have a bottleneck in your internal systems that cannot be bypassed. From what I have heard, in Singapore, if this type of fraud is uncovered and prevented internally, it is usually by an alert finance team. So...keep them aware of this risk.
3. Make this threat part of your risk assessment planning and process. If a transfer of this nature is part of your business (or might be required), consider having a verbal password known only to the director and their PA that can be used as authentication. No password...no transfer.
4. Although this will be painful -- report any incident or loss. Keeping quiet only increases the risk for others; being a good corporate citizen sometimes means informing other businesses about mutual risks.
Unfortunately, for most businesses, identity theft -- especially of a senior executive -- will fall between the risk management cracks. It isn't a cyber or IT risk, nor is it HR or finance. However, this doesn't stop it from being real and on the increase. In Singapore, where many executives have regional responsibilities and where people come and go on a regular basis, this is a real risk which needs to be protected against.