Compromised businesses: rise of the CEO scam in Malta

The scams usually involve company accountants or financial controllers receiving emails from the CEO, with instructions for them to transfer money to a particular bank account.

Malta has seen a rise in what are commonly referred to as CEO scams over the past year, as the European Union scrambles to put in place a system to monitor and combat such crime.

Such scams usually involve a company accountant or financial controller receiving an email from the company’s CEO (chief executive officer), with instructions for them to transfer money to a particular bank account.

“It’s normally something related to some shipment which has gotten stuck somewhere or a deposit on a property,” Inspector Timothy Zammit, head of the Malta Police Cybercrime Unit, told MaltaToday.

He said there were two ways this could happen. In some cases, the company’s systems are compromised, allowing the criminal to get unauthorised access to the company’s emails and employee profiles.

“The other, which is quite interesting, is social engineering,” said Zammit. “We notice that through platforms like LinkedIn or the company website one can identify a company’s CEO and what his email is, as well as that of the financial controller.”

This then allows the attacker to create an email address that is almost identical to the CEO's.

Such scams differed from the rest because they involved a lot more effort and planning, and were also targeted at a particular company or individual rather than the masses. The pay-off was also much bigger, according to Zammit, who said the Cybercrime Unit had dealt with cases where companies had lost upwards of €250,000.

Zammit wouldn’t commit to a single figure for the combined amount of money lost in Malta but insisted it was definitely “a couple of million”.

Malta is not alone in experiencing a rise in such scams, said Zammit, who added that Europol had also started treating such cases in the same way that it does serious organised crime.

“Europol has even opened what we refer to as a focal point on CEO scams,” said Zammit.

“It’s basically a repository of information which every country contributes to. Then in cases where we get crossmatches we undertake joint operations.”

Given the sophisticated nature of the scam, Zammit said that reported instances of failed attempts were also shared with Europol in order to have as much information available as possible.

He said that people have lost “tens of thousands” through such scams, with one company in particular having been defrauded out of over a quarter of a million euros.

Normally, targets are people who have a private accountant or who have made investments with a stockbroker, who might receive an email on their clients’ behalf asking them to sell stock and transfer the money to a specific bank account.