29.04.2025 - The NCSC is observing an ongoing wave of CEO fraud attempts. Over the past week, the NCSC has received an increasing number of reports of criminals posing as senior local government staff attempting to persuade employees to buy gift cards or make payments online. This week's report highlights the latest methods being used, explains why local government is being targeted and provides information on how communal authorities (and everyone else) can protect themselves.

Due to the public nature of their work and the large amount of information published on their websites, local government institutions are an attractive target for scammers. Over the past week, the NCSC has received a growing number of reports of such attacks. This week's report describes the two main approaches used by the scammers: persuading employees to buy gift cards and urging them to make online payments.
CEO fraud phishing scams: Gift cards and direct payments
In CEO scams directed at local government employees, criminals typically pose as senior government staff – for example as the head of a communal government or division, or president of a communal parliament – and send employees an email with the aim of manipulating or pressurising them into entering into a financial transaction or buying a gift card.
A tactic we are currently observing and which appears to be widespread involves asking employees to purchase online gift cards, for example from Apple, Google Play or Steam. In the email, the scammers claim that the employee's line manager is in a meeting and urgently requires a gift card as a present or for a business matter. Victims are instructed to purchase the gift card, often for several hundred francs, and then email the scammers the card's code. Their money is gone the moment the scammers redeem the gift card.
Another method used by the scammers is to instruct employees to make direct payments to a bank account. Here, too, the scammers pose as a senior government official and ask the employee to make an urgent payment to a bank account that is usually abroad. The amounts requested are often below the internal approval threshold in order to avoid internal verification.
How does the scam work?
Most attacks follow this pattern:
1. The scammers gather information in advance: They research the structure of the local government institution and individual employees beforehand, for example on the institution's website or on social networks.
2. They contact their victim: They then contact the victim, usually by email from a spoofed or look-alike sender address. Sometimes they use free email addresses, such as first name.surname.commune@outlook.com.
3. They manipulate their victim: Using social engineering methods, they pretend to be authoritative and create time pressure by insisting the job is 'urgent' and must be carried out 'immediately'. They also insist on confidentiality so that the victim does not ask colleagues or trigger internal controls.
4. They give clear instructions: The scammers tell their victims exactly what to do: purchase gift cards and send them the codes, or make an online payment.
Recommendations
If you have made a payment, immediately contact the bank through which you made it. They may still be able to stop it. We additionally recommend that you contact the cantonal police responsible for your place of business and file a criminal complaint.
Organisational measures
- Verification: Check every unusual request for a payment or gift card received by email and have it confirmed by the purported sender via a separate, known channel (e.g. a phone call to a known internal number, or confirmation in person). Do not reply to the email and do not use the contact details contained in the message.
- Procedures: Your organisation should have clearly defined procedures for money transfers, in particular for exceptional transactions. Money transfers should be approved by at least two people. Ensure that these procedures are strictly followed by all employees. Define clear rules and limits on responsibilities.
- Awareness: Provide regular training to all employees, particularly those in financial and managerial positions. Make them aware of the dangers of CEO fraud, phishing and social engineering.
- Information management: Limit the amount of information about your organisation and employees on your website, particularly about those who work in financial positions.
Technical measures
- Email security: Use robust spam and phishing filters. Email administrators should configure sender verification mechanisms (SPF, DKIM and DMARC). Configure the email environment so that employees are warned when an email originates from outside the organisation.
- Authentication: Use strong passwords and two-factor authentication (2FA) whenever possible.
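The external-sender warning and the verification measures above can be complemented by a simple check on incoming mail headers. The following is an added example, not NCSC code; the internal domain, the protected name of a senior official and the sample message are constructed assumptions. It also shows why SPF/DKIM/DMARC alone do not catch the free-mail variant: a message sent from a genuine outlook.com account passes all three.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the organisation's own domain, the senior officials whose
# names are worth protecting, and the free-mail providers seen in such reports.
INTERNAL_DOMAINS = {"example-commune.ch"}
PROTECTED_NAMES = {"anna muster"}  # hypothetical head of the communal government
FREE_MAIL = {"outlook.com", "gmail.com", "yahoo.com", "gmx.ch"}
LURE_WORDS = ("gift card", "urgent", "immediately", "confidential",
              "in a meeting", "itunes", "google play", "steam")

def assess_message(raw: str) -> list[str]:
    """Return the CEO-fraud warning signs found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in INTERNAL_DOMAINS:
        findings.append("external sender")  # what the 'external' banner would flag
        if display.strip().lower() in PROTECTED_NAMES:
            findings.append("display name of a senior official on an external address")
        if domain in FREE_MAIL:
            findings.append("free-mail provider")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To differs from From")
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):  # mail from a real free-mail account passes all three
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech} not passing")
    body = (msg.get_payload() if not msg.is_multipart() else "").lower()
    hits = [w for w in LURE_WORDS if w in body]
    if len(hits) >= 2:
        findings.append("pressure/gift-card wording: " + ", ".join(hits))
    return findings

# Constructed sample modelled on the pattern described in the report.
SAMPLE = """From: Anna Muster <anna.muster.commune@outlook.com>
To: finance@example-commune.ch
Subject: Urgent request
Authentication-Results: mx.example-commune.ch; spf=pass smtp.mailfrom=outlook.com; dkim=pass; dmarc=pass header.from=outlook.com

I am in a meeting and cannot talk. I urgently need you to buy Apple gift cards for 500 CHF.
Please keep this confidential and send me the codes immediately.
"""

if __name__ == "__main__":
    for finding in assess_message(SAMPLE):
        print("WARNING:", finding)
```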
Current statistics
Last week's reports by category: [chart not reproduced in this text]
Last modification 29.04.2025