What is CEO Fraud?
CEO fraud is also known as “Business Email Compromise” (BEC) and “Fake President Fraud” (FPF). In this case, the perpetrators use false identities and impersonate, for example, the managing director of a company (CEO), a senior executive or a trading partner, and induce an employee to transfer a usually large sum of money abroad, often to China, Hong Kong or Eastern European countries.
Accordingly, this scam is explicitly targeted at companies, not private individuals. Any company of any size can fall victim to such fraud. However, the larger the company, the more attractive it is likely to be for the perpetrators. This is due to the higher financial resources and the more extensive and complex corporate structures, which lower the probability of detection for the perpetrators. On the other hand, medium-sized to small companies often have no compliance department or only a poor one, so security standards are significantly lower here. This makes it easier for the perpetrators to carry out the crime and thus also represents a non-negligible incentive.
Forms of CEO Fraud in Germany and Elsewhere
Typically, the perpetrators send a falsified e-mail to an employee of the company, which gives the credible impression that it comes from a member of the company management. In it, the employee is instructed to transfer a certain amount of money to a bank account, usually abroad, often with reference to the secrecy and urgency of the matter. To make the forgery as authentic as possible, scammers research company internals in advance. This is done via publicly accessible sources, such as homepages, business reports, trade register excerpts or advertising brochures, and social networks. Social networks are used in particular to find out information about individual employees, their functions and activities in the company, and personal details that can be used to contact them under a false identity.
In addition, the e-mail may come not from a fake account but from a real account that the perpetrators have hacked beforehand. In this case, it becomes essentially impossible for the affected employee to recognise that the message is fraudulent. Similarly, the perpetrators may not be seeking a money transfer but may want the employee to send sensitive data, such as data from the HR department, accounting or controlling. This data is then misused to gain economic or other advantages.
In a broader sense, CEO fraud also includes cases in which it is not the e-mail accounts of executives that are hacked but those of employees. These accounts are then used to communicate with business partners and request payment of an invoice to the fraudsters’ bank account. Another scam is that the fraudsters pose as a supposed supplier and ask for payment of an invoice amount to an alternative account, which also belongs to the fraudsters.
As can be seen, the fraudsters are highly inventive. They are always looking for new ways to obtain, usually, large sums of money, but also sensitive data, and thereby cause considerable damage to the companies. Often, the deceived employees who send the requested data and/or sums of money face severe professional and possibly legal consequences.
Prevention of CEO Fraud in Germany
Apart from purely technical security precautions, an important and goal-oriented approach is to sensitize and educate employees in order to create and sharpen an appropriate awareness of this type of fraud. They must be informed about the fraud schemes described above so that they can recognize the deceptions. In-house coaching and regular training courses are ideal for this purpose. Company management should also pay close attention to what information is made public, especially information that individual employees disseminate on social networks. Finally, internal control mechanisms offer further protection; these should, in any case, intervene in the event of dubious payment instructions or data transmission requests.
Should such a fraudulent scheme nevertheless be successful, your company, or you as a possibly (co-)liable managing director, can only exonerate yourself under liability law if you have sufficiently informed and trained your employees. Otherwise, in the event of damage, you may, in any case, be jointly liable, as courts have already decided in some cases – although this determination as well as the specific amount of joint liability depends on the individual case and is at the discretion of the court so that no abstract limits can be set here. To avoid such joint liability, it is advisable to establish comprehensive compliance management within the company.
As a full-service law firm, Schlun & Elseven Rechtsanwälte offers you a clear perspective and comprehensive legal advice in this area. Therefore, please do not hesitate to contact our legal experts in compliance matters. Our team will work with you to lead your company successfully and in compliance with the law into the future.
Conduct and Legal Assistance in Cases of CEO Fraud in Germany
If you suspect that your company has fallen victim to fraud despite all security precautions, you should first remain calm. There is a prevailing belief in society that the perpetrators cannot be identified anyway, and criminal charges are therefore not filed. This does indeed correspond to reality in some cases, and for this reason companies should take preventive measures. However, this is not always the case. Given the often large amount of damage alone, a criminal complaint is worthwhile in any case. Generally, it is advisable to change all passwords for accounts and contact the respective financial institution.
Additionally, it would be best to gather all indications and evidence that could be of importance for the investigating authorities. After all, if the scam was perpetrated by a specialized gang, a large number of victims can often contribute to the investigation and subsequently be compensated if the scheme is uncovered. To this end, it may be worthwhile to contact our experienced legal experts. They will be able to tell you what information is relevant to the criminal investigation and provide you with an overview of your legal options.
If you are not the injured party but the deceived employee who disposed of the company's assets, the question arises, in addition to the potential civil liability, whether you may also have committed a criminal offence. In such constellations, the criminal offence of breach of trust under § 266 (1) German Criminal Code (StGB) comes into consideration, which can be punished with a custodial sentence of up to five years or a fine. A person is liable to prosecution for breach of trust who:
“abuses the power conferred on them by law, by commission of an authority or legal transaction to dispose of the assets of another or to make binding agreements for another, or whoever breaches their duty to safeguard the pecuniary interests of another which are incumbent upon them by reason of law, by commission of an authority, legal transaction or fiduciary relationship, and thereby adversely affects the person whose pecuniary interests they were responsible for.”
Accordingly, the offence has two alternatives: the abuse variant (Alt. 1) and the breach of trust variant (Alt. 2). Due to the underlying fraud and the associated voidability of the legal transaction (under § 823 (2) BGB in conjunction with § 263 (1) StGB), there is no sufficiently effective obligation on the part of the aggrieved company, so that criminal liability under the abuse variant is ruled out. However, there is still the possibility of the breach of trust variant, which goes further than the abuse variant. In this case, whether the act, i.e. the transfer of funds, constitutes the required breach of duty is likely to be problematic and debatable.
Not every breach of duty relevant under civil law is automatically sufficient for criminal liability. Instead, a serious breach of duty on the part of the employee is required. When this can be assumed depends on the individual case and cannot be determined in the abstract. For this very reason, it is advisable in any case to seek experienced and competent legal counsel who can provide you with the best possible advice in such a case.
If you find yourself in such a situation, do not hesitate to contact our criminal law experts at Schlun & Elseven Rechtsanwälte immediately. They will work closely with you to develop an effective defence strategy for your individual case. To do so, please use the contact options below.