CEO Fraud

Protect your business from CEO impersonation fraud

Kelly Fung
CEO fraud, also known as Executive Phishing or Business Email Compromise (BEC), is a type of cybercrime in which the attacker impersonates a CEO, CFO, or other company executive. It is a dangerous form of attack because the impersonator borrows the authority of the executive to extract highly sensitive information or money. The fraudsters rely on a few simple technical tricks, and those tricks can cost you a lot of money.

CEO fraud happens more often than you think

According to the FBI's Internet Crime Report for 2020, the Internet Crime Complaint Center (IC3) received 19,369 complaints involving Business Email Compromise, with total losses of approximately $1.8 billion. According to the FBI, these types of cybercrime are on the rise, especially now that so many people are working from home.

In 2018 The Boston Globe reported that Save the Children, a nonprofit organization, had lost about 1 million USD to an email impersonation fraud. Cybercriminals compromised an employee's email account and used it to send fake invoices and documents, leading the organization to transfer money to a fraudulent entity in Japan.

Toyota Boshoku, an auto-parts supplier in the Toyota group, fell victim to a CEO impersonation attack and lost 37 million USD in 2019. Cybercriminals persuaded an executive in the company's finance department to make a wire transfer, according to CPO Magazine.

More recently, a cybercriminal even used AI-based voice-cloning software to imitate a chief executive's voice and demand a fraudulent transfer of €220,000 (about $243,000) to a Hungarian supplier of a U.K.-based energy firm.

But it's not just big organizations that are being targeted. Smaller (family) businesses are hit by these attacks as well. And since many online crimes and frauds go unreported, both the number of incidents and the actual losses are likely much higher than the figures we currently know.

In this blog post we'll cover how CEO fraud attacks work and how you can see through their tactics.

What is CEO Fraud?

Cybercriminals will often use the email account of a trusted senior executive at a company (such as the CEO), or an email address that looks very similar to it, to trick an employee into transferring money or highly confidential information to them. The attacker poses as a trusted person precisely because that makes the target likely to do as they are told. Many smart, well-intentioned employees are reluctant to question a request from their CEO and will simply comply.

CEO fraud is not to be confused with "whaling": a phishing attack in which the cybercriminal targets the CEO or other senior employees, rather than impersonating them. CEO fraud also goes beyond ordinary email phishing, because the cybercriminals combine the email with other social engineering channels, such as phone calls.

How CEO fraud attacks work

Like all social engineering attacks, CEO fraud exploits people's sense of trust and urgency. When the CEO needs an urgent favor, employees don't tend to second-guess them.

There are two main ways cybercriminals can get access to a CEO’s email account:

The seven most common CEO fraud attack scenarios

Awareness is key when it comes to prevention. That's why we've put together an overview of the most common CEO fraud attack scenarios:

  1. Wire transfer phishing: An employee receives a message from a hacked or spoofed email account of the CEO asking them to pay an invoice.
  2. Gift certificate phishing: The attacker asks the target to buy gift certificates (for example, as a surprise for a fellow employee) and send over the codes.
  3. Malicious payload: The email carries a malware attachment (classic phishing under an executive's name).
  4. Money transfer to a foreign supplier: This scam targets a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different bank account.
  5. Fraudulent invoices: Company suppliers receive fraudulent invoices from an impersonated executive which, you guessed it, are to be paid to an alternative bank account.
  6. Confidential information: The cybercriminals pretend to be lawyers or executives dealing with confidential, time-sensitive business matters and request sensitive information.
  7. Data theft: A "top executive" asks the HR, accounts, or auditing department to send all wage or tax statement forms, or a company list of personally identifiable information.

The emails are often followed up by phone calls from a person who sounds very trustworthy and asks the employee to speed up the payment. Once the money is paid, the cybercriminals quickly move it on to accounts at other banks, which makes it very hard to recover.

How to prevent CEO fraud

It is important to give employees security awareness training that reinforces the importance of scrutinizing email addresses, company names, and any request that carries even a hint of suspicion.

Sometimes all it takes is paying close attention to emails, website URLs, text messages, or voicemail details and spotting a spelling error or a slightly different email address: a domain with one letter swapped or doubled, a display name that says "CEO" while the address behind it belongs to a free webmail provider, or a Reply-To header that steers the answer somewhere else.
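The checks described above can be automated for a mail gateway or a SOC triage script. The following is an added example, not code from the original post or from CyberPilot: it parses the From, Reply-To, Subject and body of a message and flags the four tell-tale signs (an executive's display name on a foreign address, a lookalike or homoglyph domain, a Reply-To redirect, and urgency language). The company domain example.com, the executive directory and the three sample messages are constructed assumptions for the demonstration.

```python
"""Screen an email for the signs of executive impersonation: a sender domain that
only resembles the company's, a display name that belongs to an executive while
the address does not, a Reply-To that quietly redirects answers elsewhere, and
the pressure language these messages lean on."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's real mail domain
# assumption: the executives as the company's own directory knows them
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Substitutions seen in lookalike domains: Cyrillic letters that render like
# Latin ones, and digits standing in for letters. Mapped back before comparing.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u043e": "o", "\u0435": "e",
                            "\u0440": "p", "\u0441": "c", "0": "o", "1": "l", "3": "e"})
URGENCY_WORDS = ("urgent", "asap", "immediately", "confidential", "wire", "today")


def normalise_domain(domain: str) -> str:
    """Lower-case the domain and fold known look-alike characters to ASCII."""
    return domain.lower().strip().translate(HOMOGLYPHS)


def domain_of(address: str) -> str:
    return address.lower().rsplit("@", 1)[-1] if "@" in address else ""


def analyse(raw_message: str) -> dict:
    """Return a dict of finding tag -> explanation; an empty dict means nothing odd."""
    msg = message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()
    sender_domain = domain_of(sender)
    findings = {}

    # 1. The display name is an executive's, but the address is not the one on file.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and sender != expected:
        findings["display-name-impersonation"] = f"'{name}' sent from {sender}, directory has {expected}"

    # 2. The domain is not ours but near-identical: homoglyphs, or e.g. 'rn' in place of 'm'.
    if sender_domain and sender_domain != COMPANY_DOMAIN:
        folded = normalise_domain(sender_domain)
        if folded == COMPANY_DOMAIN:
            findings["homoglyph-domain"] = f"{sender_domain!r} renders like {COMPANY_DOMAIN}"
        elif SequenceMatcher(None, folded, COMPANY_DOMAIN).ratio() >= 0.8:
            findings["lookalike-domain"] = f"{sender_domain} resembles {COMPANY_DOMAIN}"

    # 3. Replies are steered to a mailbox in a different domain than the sender's.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings["reply-to-redirect"] = f"replies go to {reply_to}, not {sender}"

    # 4. Two or more pressure words in subject or body (single-part messages only).
    body = "" if msg.is_multipart() else (msg.get_payload() or "")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings["urgency-language"] = "pressure words: " + ", ".join(hits)
    return findings


# Constructed sample messages (not real mail): a legitimate one, then two
# impersonation attempts of the kind the article describes.
GENUINE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Can we schedule the review for next week?
"""

LOOKALIKE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example.com
Subject: URGENT wire today

I am in a meeting and cannot talk. Please wire the attached invoice ASAP and keep it confidential.
"""

HOMOGLYPH = """\
From: Jane Doe <jane.doe@ex\u0430mple.com>
To: finance@example.com
Subject: Gift cards for the team

Please buy ten gift cards and send me the codes.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("homoglyph", HOMOGLYPH)):
        print(f"{label}: {analyse(raw) or 'clean'}")
```

Note what the script does not do: it does not check whether the message actually came from the claimed domain (that is what SPF, DKIM and DMARC results in the Authentication-Results header are for), so a compromised real account passes every check here. That is exactly why the procedural controls in the next section matter regardless of tooling.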

It is also wise to have company guidelines in place for money transfers. For example, a guideline could be that every payment request, and every change of a supplier's bank details, is verified through a second channel (a phone call to a number already on file, never one taken from the email) and approved by two people. These guidelines should be written down, for example in an Acceptable Use Policy or a payment procedure.

Protect your company against CEO fraud

The CEO impersonator will often put pressure on the employee by setting tight deadlines. To impersonate the CEO convincingly, they do meticulous, detailed research, and they take advantage of situations in which the executive in question is not easily reachable, for instance while he or she is on holiday or at a conference. So, what can you do when you receive an email as an employee and suspect CEO fraud?

So, there you have it. An overview of what CEO fraud is and what you can do to prevent this from happening to your company. But what should you do if your company falls victim to CEO fraud?

Urgent steps you need to take if your company is the victim of CEO fraud

We mentioned before that an unauthorized transfer of funds, a breach of confidential information, and a system being infected by malware can all fall under CEO fraud.

In case of a fraudulent money transfer, you should:

If a malware attack happens, you should contact the IT department immediately. Your company's IT team can stop the infection from spreading and from compromising personal or company data.

If there was a breach of confidentiality, it's best to contact the Data Protection Officer (DPO). The DPO knows the protocols for responding internally and publicly, which matters because under the GDPR a personal data breach must be reported to the supervisory authority within 72 hours.

We hope this article will help you and your team prevent CEO fraud from ever happening in your company. The best way you can ensure this is by training your team and making them aware of CEO Fraud.

Consider looking at this free e-book we have written about how your team can become your best defense against cyberattacks and data breaches.

Subscribe to our newsletter

Receive updates containing free templates, tools, and news from CyberPilot.