Intelligence received indicates that the phishing scam commonly known as CEO fraud has been operating across some GP practices.

The fraud is perpetrated by sending an email to the practice, purporting to be from one of the practice partners, requesting that invoices be paid.

The fraudster will typically request that funds be transferred or an invoice paid, and add pressure to the request by demanding immediate or urgent payment to the fraudster's bank account.

A case study on how the fraud operates

An email was received by a finance team from an individual purporting to be the Director of Finance, requesting that a large payment be made as a matter of urgency into a bank account using the Faster Payments system. In some recent incidents the Director of Finance had been away from work or on annual leave, suggesting that the threat of this type of fraud is heightened when CEOs, directors or senior partners are absent.

The fraudulent email used name spoofing (the display name was the director's correct name) but was sent from a different email address. The primary email requesting the initial payment was sent to the finance team's generic mailbox. In some of the fraudulent emails, both the generic mailbox and a member of the finance team were recipients, with the fraudster addressing the staff member by name.

Information inadvertently given away through out-of-office replies or social media platforms may have enabled the fraudster to obtain the names of finance staff. Social engineering techniques were then used to build a rapport with the member of finance staff and induce payment.

The original email did not contain the invoice for which the fraudster requested payment; the recipient questioned this, and a further email was sent attaching the invoice. Omitting the invoice from the first email may be a deliberate technique: a message with no attachment is less likely to be stopped by email security controls, and the follow-up exchange draws finance staff into correspondence, giving the fraudster further information and contact details.

Prevention advice

To protect against this type of fraud and ensure there are robust controls in place, please consider the following controls:

Ensure automated replies from a generic mailbox (such as out-of-office messages) do not divulge individual staff names or team contact details, which can be used to facilitate social engineering of staff.

Fraudsters can make an email appear to be from a genuine contact, such as a supplier or someone within your own organisation. Finance staff, and any staff responsible for paying invoices, should be vigilant to email requests from unknown email addresses purporting to be a senior member of the organisation, checking the actual sender address rather than just the display name, and looking for the following red flags in the email:

  • subtle changes to email addresses and domain names
  • poor use of language and grammar
  • urgency of the request
  • unusual form of address or signature
  • references to people whose names are not known
  • subject of the email bearing no relation to business activity
  • persistence of the emails.
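As an added example (not part of this advisory, and not tooling from any practice), the following Python script screens an inbound message for three of the red flags above: a display name that matches a senior member of staff but a different sender address, a lookalike sender domain, and urgency language. It also checks whether Reply-To differs from From, since a spoofed display name is usually paired with a Reply-To that routes replies to the fraudster's own mailbox. The organisation domain, the staff directory and the two sample messages are constructed for illustration.

```python
"""Screen inbound finance-mailbox messages for CEO-fraud red flags.

Added example, not from the original advisory. The organisation domain,
senior-staff directory and sample messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed values for the example: the practice's own domain and its senior staff.
ORG_DOMAIN = "example-practice.nhs.uk"
SENIOR_STAFF = {
    "jane smith": "jane.smith@example-practice.nhs.uk",
    "alan brown": "alan.brown@example-practice.nhs.uk",
}
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "as soon as possible")


def _skeleton(domain: str) -> str:
    """Collapse common look-alike substitutions (rn->m, vv->w, digits->letters)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01358", "olese"))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to the real domain signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw: str) -> list[str]:
    """Return a list of human-readable red flags found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []

    # Red flag 1: display name of a senior member of staff, but a different address.
    key = name.strip().lower()
    if key in SENIOR_STAFF and addr != SENIOR_STAFF[key]:
        flags.append(f"display name '{name}' matches senior staff but address is {addr}")

    # Red flag 2: sender domain is a near-copy of the organisation's own domain.
    if domain and domain != ORG_DOMAIN and (
        _skeleton(domain) == _skeleton(ORG_DOMAIN)
        or _edit_distance(domain, ORG_DOMAIN) <= 2
    ):
        flags.append(f"lookalike sender domain {domain}")

    # Extra check: replies diverted to a different mailbox than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"Reply-To {reply_to} differs from From {addr}")

    # Red flag 3: urgency language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags


# Constructed sample messages: one spoofed ("rn" in place of "m"), one genuine.
SPOOFED = """From: Jane Smith <jane.smith@exarnple-practice.nhs.uk>
To: finance@example-practice.nhs.uk
Reply-To: jane.smith.director@webmail-example.com
Subject: Urgent payment required today

Hi Paul, I am out of the office. Please arrange a faster payment to the
account below immediately; I will send the invoice once it is done.
"""

GENUINE = """From: Jane Smith <jane.smith@example-practice.nhs.uk>
To: finance@example-practice.nhs.uk
Subject: Q3 supplier invoices

Please process the attached invoices in the normal payment run.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, screen_message(raw) or ["no flags"])
```

The checks are heuristics, not a filter: a single flag (urgency alone, for instance) is common in genuine traffic, and a lookalike domain that the fraudster has actually registered will pass SPF and DKIM, so a matching display name plus an unfamiliar address should trigger out-of-band verification rather than an automated decision.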

Remember that invoices should be scrutinised and due diligence checks conducted against the supplier information already held on file. A request to pay a new or changed bank account should be verified with the purported sender or supplier by a known telephone number or in person, never by replying to the email.

For more information contact Melanie Alflatt, Director-Operations (Anti-Crime & IT Audit), fraud@tiaa.co.uk