The Public Prosecutor’s Office notes an increase in cases of CEO impersonation fraud over the last two years.  Photo: Maison Moderne / Archives

Caritas is not an isolated case. According to statistics from Luxembourg’s justice ministry, there has been an explosion in cases of CEO impersonation fraud over the last two years, which the ministers attribute to technological progress and a degree of complacency.

The principle of CEO impersonation fraud is simple: trick an employee authorised to make company payments into making an unauthorised payment. It’s easy. Effective. And growing.

In response to a parliamentary question from MP  (déi Gréng), justice minister (CSV) and finance minister  (CSV) provided statistics on the number of CEO impersonation fraud cases reported since 2019. In 2023, the public prosecutor’s office recorded 12 cases and in 2024 (as of 11 November), 13 cases. This represents an explosion compared with the three previous years. Only one case was reported in 2029 and 2021, and two cases in 2020.

Reduced vigilance

The ministers blame this increase on “the ease of access to information about companies and their employees via the internet (open source) and the new technical means available to the perpetrators, such as spoofing telephone numbers and email addresses and instantly registering domain names or email accounts similar to the persons or companies targeted without having to prove a real identity, while using untraceable connections.”

And also some relaxation. “If we go back even further, we find some 30 cases in 2014, 35 in 2015 and then a stagnation between 12 and 15 cases per year between 2016 and 2018. This stagnation and reduction in the number of cases can be explained by the information and training campaigns that have been carried out within companies, as well as the introduction of technical and accounting resources that make it more difficult for the perpetrators,” says the ministers’ response.

Identity theft on a daily basis, according to the CSSF

While the question of the possible liability of banks in the execution of these frauds has been raised, the public prosecutor’s office has no statistics, as the possible liability of banks would have to be brought before the civil courts.

The Financial Sector Supervisory Commission (CSSF) has only been contacted in one case of CEO impersonation fraud. In this case, the fraud had been committed against a non-supervised entity. The entity concerned did not raise the banks’ liability in its exchanges with the CSSF. “However, it is worth noting that the CSSF is confronted on an almost daily basis with cases of identity theft in which ill-intentioned persons contact consumers in order to induce them to make payments,” states the ministerial response.

This article was originally published in .