
CEO Fraud through Social Engineering in Hong Kong: German SMEs underestimate threat









published on June 14, 2019 | reading time approx. 6 minutes


The demon under the painted skin: Part I


For years, headlines have been piling up in German newspapers about companies and high-ranking executives being cheated out of millions of dollars. Small and medium-sized enterprises often lull themselves into a false sense of security, since they consider themselves too small for such attacks. A fatal misjudgment.







Worldwide, the number of companies falling victim to increasingly sophisticated e-mail-based fraud attempts is increasing dramatically. This does not require sophisticated hacking techniques; on the contrary, the fraudulent scheme is almost captivating in its supposed simplicity. Just a few steps are enough to strengthen the security of your company against such attacks from outside significantly and to increase the chances of recovering your money in case of financial loss.


CEO Fraud - General Overview

In the broad gray area between professional hacking and the well-known prepayment fraud initiated primarily in Nigeria, also known as 419 (see footnote 1), a new scam has established itself in recent years as a mass crime based on "social engineering" (see footnote 2), clever deception and the skillful use of publicly available information, with Hong Kong as the hub. These are CEO Fraud cases on the one hand and, as a variant of the same scheme, Payment Diversion Fraud cases on the other, which we will discuss in a separate article.


In CEO Fraud cases, the perpetrators contact company employees after detailed research, usually with fake e-mail addresses, pretend to be managers or suppliers and induce the employees to transfer large sums of money abroad under the pretense of a company transaction or a supposedly legitimate invoice. The transfer destinations are usually banks in Hong Kong, but also banks directly in the People's Republic of China. Although this seems to be a very easy trick to see through, many companies are constantly transferring large amounts of money both domestically and abroad; therefore, such a transaction is not unusual per se for the financial accounting employee. The perpetrator's instructions usually indicate that an immediate transfer is required, although the reasons given for the payment vary. Mostly, it is a supposedly urgent and extremely sensitive transaction (e.g. to complete an important contract or to avert a major loss for the company).


Consultants and regulators are also often part of such a scenario. Perpetrators rely on the company-internal relationship between the person responsible for the payment and the ordering "manager" to ensure that the payment order does not appear unusual. If the procedure does not work, perpetrators skillfully increase the pressure or try to take advantage of the patriarchal management structures and strong hierarchical structures that exist in many companies, especially small and medium-sized ones. In both cases this leads to the order being executed without question and, in the worst case, to existing process instructions, such as the dual control principle, being circumvented.



The technical term for such crimes in Chinese police circles is "Huàpí zhàpiàn", which means "fraud with painted skin". The term is based on a story from the Liáozhāi Zhìyì, "the strange stories from the study", a collection of 500 myths and legends, folk tales, fables, contemporary anecdotes and criminal cases from the 17th century by the author Pu Songling.


In the story, a scholar named Wang falls for a beautiful homeless girl whom he picks up by the wayside and brings to his home. A romance develops between the two of them, but the girl's beauty is only an illusion and turns out to be a "beautifully painted" skin under which a horrible demon ekes out an existence. Wang tries to chase the demon away, but the demon gets angry, tears Wang's heart out and eats it up.


The consequences in reality are less bloody, but no less frightening. According to estimates by the American Federal Bureau of Investigation (FBI), these and comparable offences have annual growth rates of well over 100 percent and caused USD 12.5 billion of damage (see footnote 3) between October 2013 and December 2018. This does not include the high number of cases that remain bogged down or are not reported. According to a major auditing firm, a representative survey of 500 German companies revealed that 40 percent of the companies questioned had been the target of a "CEO Fraud" attack at least once within the past 24 months, with the criminals succeeding in five percent of the cases. (see footnote 4)


Modus Operandi

The multistage scenario of the fraudulent scheme is usually as follows:


The perpetrator secures an Internet domain name which is visually very similar to that of the target company or its suppliers/business partners and differs only by omitting, replacing or adding individual letters or numbers or by changing the ending, for example from "com" to "net". A particularly perfidious trick here is to simply replace certain letters with letters that look deceptively similar. For example, the letter "L" in its lowercase variant "l" can easily be replaced by a capital "I". For the layman, this deception, which experts also call "spoofing", is hardly recognizable. Experts also use the term spoofing for, for example, forging the header of e-mails in order to disguise the origin of the mail.

Social media and networks are a real treasure trove for obtaining initial information about the target company. Social media portals such as Xing or LinkedIn are particularly attractive to offenders because they provide information about business relationships and about the identity and function of employees, with a particular focus on senior finance and corporate management staff. Other sources may include the Commercial Register, the company's website or other publicly available sources.

The perpetrators make use of so-called "social engineering" to obtain the name and e-mail address of an employee of the target company who is usually entrusted with the execution of transfers. This is often done by contacting him by telephone to find out whether the managing director is present or absent. In other cases, the perpetrator calls employees of a company and pretends to be a bank employee who has questions about a bank transfer. There are no limits to the imagination in this respect. The aim is usually to obtain the names and e-mail addresses of the persons responsible in the finance department.


The collection of data described above helps the perpetrator to manipulate and to pretend to be an insider of the company. In addition, he confuses his victim with technical jargon, builds up sympathy with apparently mutual colleagues through small talk or exploits authority aspects by, for example, making references to supervisory authorities such as the Federal Financial Supervisory Authority (BAFIN). If the victim is unwilling to cooperate, the perpetrator usually threatens to involve their superiors. With this seemingly simple approach, it is not uncommon for perpetrators to obtain the desired information with only a few attempts. With these, the perpetrator has two essential tools of fraud in his hands: the name and e-mail address of a person authorized to make transfers. The format of the company's e-mail addresses can be found out by a simple Google search.


In simple terms, the procedure described is a kind of puzzle, which allows experienced offenders to make the necessary preparations for their fraud attempt within a few hours.


The next step is to send a deceptively genuine-looking e-mail from the fake domain name to the person authorized to instruct transfers. Because the e-mail address has been made to resemble the real one so closely, the affected employee believes he is receiving an e-mail from his CEO asking him to immediately send a transfer to a specific bank account - of course together with a plausible explanation of why the money should be transferred.
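The domain tricks described above (a letter omitted, added or replaced, a changed ending, a capital "I" standing in for a lowercase "l") can be checked mechanically on incoming mail. The following Python sketch is an added example, not part of the original article; the allowlist `TRUSTED`, the function names and the `example.com` addresses are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist: the company's own and its suppliers' domains.
TRUSTED = {"example.com"}
# Characters that look alike in many fonts, folded to one representative.
FOLD = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

def skeleton(label: str) -> str:
    """Fold confusable characters before lowercasing, so 'I' becomes 'l'."""
    return label.translate(FOLD).lower().replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: letters omitted, added or replaced."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> str:
    """Return 'trusted', 'unrelated', 'invalid' or '<reason>:<imitated domain>'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2]
    if "." not in domain:
        return "invalid"
    if domain.lower() in TRUSTED:
        return "trusted"
    # Assumption: simple two-level names; no public-suffix handling (co.uk etc.).
    label, _, tld = domain.rpartition(".")
    for good in sorted(TRUSTED):
        g_label, _, g_tld = good.rpartition(".")
        dist = edit_distance(skeleton(label), skeleton(g_label))
        if dist == 0 and tld.lower() == g_tld:
            return f"homoglyph:{good}"       # e.g. capital I for lowercase l
        if dist == 0:
            return f"ending-changed:{good}"  # e.g. "com" swapped for "net"
        if dist == 1 and tld.lower() == g_tld:
            return f"letter-edit:{good}"     # one letter omitted/added/replaced
    return "unrelated"

# Constructed From headers, one per trick described in the text.
SAMPLES = ['"CEO" <ceo@example.com>', '"CEO" <ceo@exampIe.com>',
           "ceo@example.net", "ceo@exmple.com", "info@another.example"]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header:28} -> {check_sender(header)}")
```

A result other than "trusted" or "unrelated" is a reason to hold a payment instruction and confirm it through a known telephone number before acting.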


Hong Kong as a hub

Although it is part of China, Hong Kong's political status of "one country, two systems" vis-à-vis the People's Republic is contractually secured until 2047, and with its business-friendly banking environment and extremely liberal economic system it represents a breeding ground for such transactions. The uncomplicated establishment and closure of companies and high transaction volumes are nothing unusual for an international trading metropolis. Many of the perpetrators resident in the PRC, who have dummy companies and bank accounts in Hong Kong, take advantage of the aforementioned status and geographical proximity to the People's Republic for their criminal purposes. As a rule, the fraudulently collected funds remain in Hong Kong for only a short time before they are distributed in a star-shaped manner to accounts in Hong Kong, but mostly abroad - with the main focus on the PRC. This circumstance makes prosecution even more difficult. For this reason, it is imperative that the highest degree of urgency be applied when initiating replacement measures.


How to protect your company

We recommend the following preventive measures to companies:


Introduce an internal control system (ICS) in which all important protective and action measures for managers and employees are stored.

Accompanying the introduction of the ICS: Regularly sensitize and train the company's employees, in particular employees of the finance and accounting department, in order to raise awareness of the problem.

Check which information about your company is public or where and what you and your employees publish in connection with your company. The less internal information you disclose on the company website, the better your company is protected. The publication of internal e-mail addresses or direct extension numbers, especially in financial accounting, is seen by fraudsters as an invitation. Don't give out any information or follow any instructions in case of unusual or dubious contacts, even if you feel pressured.


In the event of a claim, inform your bank, the police and your lawyer immediately.


1. Section 419 is the criminal law section that dealt with prepayment fraud in Nigeria prior to the adoption of the Prepayment Regulation No. 13 in 1995.

2. Social engineering (actually "applied social science", also "social manipulation") refers to interpersonal influence with the aim of inducing certain behaviors in individuals, for example, to reveal confidential information, purchase a product or release funds. (Source: Wikipedia)

3. FBI Public Service Announcement I-071218, "Business E-Mail Compromise the 12 Billion Dollar Scam"

4. PriceWaterhouseCoopers, Economic Crime in Germany, 2018

Payment Diversion Fraud in Hong Kong through Social Engineering

The demon under the painted skin: Part II


In our two-part article on white-collar crime, we give you a brief overview of so-called Payment Diversion Fraud. In addition to CEO fraud, this is a relatively simple scam that mercilessly reveals where there are weak points and points of attack in the company. We would like to start with an overview of the possible crime process.



Payment Diversion Fraud - General Overview


In contrast to CEO fraud, where the perpetrators pretend to be members of the board of directors, here the perpetrators pretend to be suppliers or business partners of the target company. By means of fake messages that present a supposedly new bank account, they entice employees to transfer payments for goods or services to accounts other than the usual ones.


Typically, this is done by using a domain name that is deceptively similar to that of an actual supplier of the target company, or by using the actual e-mail account of a supplier, which the fraudsters have compromised in advance of the crime by introducing malicious software or by phishing. With Payment Diversion Fraud, the perpetrators simply need to know who is supplying the target company.


Thanks to social engineering, this is often easier than expected and is illustrated by the following example:


As part of a transparency offensive that is intended to lead to the assumption of corporate responsibility, increased cooperation in national and international trade, and ultimately to better implementation of social and environmental standards in production countries, leading German discounters and retailers have started to disclose the addresses of their textile suppliers on the Internet. Since these suppliers are often located in countries in the pan-Asian or even African region and are often companies with limited awareness of cybercrime, compliance and IT security structures, it is much easier for offenders to engage in social engineering. Alternatively, the smuggling in of malicious software or phishing - the attempt to obtain financial data and other personal information from unsuspecting computer users via fraudulent e-mails and copies of legitimate websites - is also used to gain access to the data relevant to them.


Once the perpetrators have gained control of communications between the supplier and the target company by means of fake or "hacked" accounts from the supplier, their chances of success are much higher, since the funds only need to be diverted to another bank account under the perpetrators' control, while all other information fits the usual payment procedure of the target company, which is contacted by a "supplier known to him".


The risk of such Payment Diversion Fraud being detected in time is extremely small: often the matter only comes to light when the aggrieved company is reminded by its true supplier to pay outstanding receivables. The victims are often small and medium-sized companies. The sums involved in the offence are in the five to six-figure range. But things can get even worse for the companies involved: depending on the circumstances of the case, in particular in the case of identity theft by means of malware, a violation of the General Data Protection Regulation (DSGVO) may also come into consideration. Companies have a maximum of 72 hours from obtaining knowledge of a data mishap (see footnote 1) to report it accordingly. Data mishaps within the meaning of the Regulation include in particular unauthorized disclosure of data, e.g. misdirected e-mails, or unauthorized access to data, e.g. access by hackers or by unauthorized employees or third parties.


In the worst case scenario, both the actual supplier (identity theft) and the damaged company (misdirected e-mail due to deception, or access to data by unauthorized third parties (fake invoice)) can still get caught in the "maelstrom" of the DSGVO.


Violations of the DSGVO can be subject to fines of up to EUR 10 million or 2 percent of consolidated sales.


Examples of a data mishap:


Destruction of data (e.g. data was deleted/destroyed, cannot be recovered);

Loss of data (e.g. stolen laptop, encrypted data by ransomware); 

Unauthorized disclosure of data (e.g. unintentional publication on the Internet, unintentional access from outside to an internal database, misdirected mail or e-mail); and

Unauthorized access to data (e.g. access by hackers or unauthorized employees).


According to Art. 33 para. 1 DSGVO, after the occurrence of a data breach, the responsible persons are required to report it to the supervisory authorities. It should be noted that reporting to the authorities generally constitutes self-incrimination, which in turn may lead to possible criminal prosecution. In addition, the authorities require a minimum content, which should be assessed by lawyers and experts before sending the report in order to minimize possible risks.


How to protect your company

We recommend the following preventive measures to companies:


1. Introduce an internal control system (ICS) in which all important protective and action measures for managers and employees are stored.


2. Accompany the introduction of the ICS: sensitize and train the company's employees, especially employees of the finance and accounting department, on a regular basis in order to raise awareness of the problem.


3. Check what information about your company is public or where and what you and your employees publish in connection with your company. The less internal information you publish on the company website, the better the company is protected. Fraudsters regard the publication of internal e-mail addresses or direct extension numbers - especially for financial accounting - as an invitation.


4. Do not disclose information or follow instructions in the event of unusual or dubious contacts, even if you feel pressured.


5. Inform your bank and your lawyer immediately in the event of a claim.


1. Art. 4 No. 12 EU-DSGVO: "Violation of the protection of personal data" means a breach of security which, whether accidental or unlawful, leads to the destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

14 June 2019

Author: Marc Andreas Tschirner (Registered Foreign Lawyer (GER))
