How to Recognize and Prevent CEO Fraud in 2022

Laptop with 2 hands reaching out holding a contract that's being signed
Click here for a summary of this article!
How to Recognize and Prevent CEO Fraud - A Quick Guide

CEO fraud is a form of business email compromise (BEC). This scam involves scammers sending fraudulent emails to employees. In their emails, CEO fraudsters often request an urgent transfer of money.

Because of the urgency expressed in the emails, their “realness” and the (perceived) power of the sender within the organization, employees receiving these emails often act on them.

Inspect emails with requests of a financial nature (transfers, changing payment information, etc.) very carefully. Pay special attention to the following elements:

  • The sender: Often CEO fraudsters use email addresses that are very similar to the real address of a CEO or manager, but contain slight variations.
  • Links & attachments: Only click on links and open attachments you completely trust and if you fully trust the sender. BEC scammers often include links and attachments with malware in their emails in an attempt to steal your or your company’s data.
  • Urgency: Usually CEO scammers will express urgency in their emails. They might ask you to make a big transfer the same day and tell you it’s urgent. Also, they often claim to be too busy (“I’m in a long meeting”) to discuss the request in further detail.
  • Secrecy: CEO fraudsters will often make their victims believe what they’re about to do is “top secret“. For instance, they might say the fake merger they need money for is supposed to be a secret until it’s finalized. They do this to prevent employees from discussing fraudulent requests with colleagues or supervisors.

Do you want to learn more about CEO fraud, including tips on how to prevent it, and what to do if you’re a victim? Read the full article down below!

Scammers have targeted unsuspecting citizens online almost since the internet came into being. This phenomenon will likely not go anywhere soon. However, many scammers are choosing their victims more and more carefully nowadays and are also trying to catch some of the “biggest fish” out there by scamming (large) companies. This is known as CEO fraud.

But what is CEO fraud exactly? How does it work? How do you prevent CEO fraud as an employee or company? What should you do if you’re a victim? What are some examples of big companies falling victim to CEO fraud? Cases of CEO fraud are only expected to increase in 2022. Here’s what you need to know about it.

What Is CEO Fraud?

What is a CEO fraud iconCEO fraud is a (generally) sophisticated way to scam large companies and organizations. The goal is to deceive employees into transferring funds to scammers. To this end, the scammer will pretend to be the CEO, founder, or an important company employee.

The perceived difference in the hierarchy within the organization can make “lower-ranking employees” quite intimidated to do what they think their “CEO” wants them to do. Often, criminals will contact an employee by email, requesting an urgent wire transfer. The email might look like something in the example down below.

Fake email showing example of CEO fraud

Employees who are authorized to make payments or sign documents should be very aware of the dangers of CEO fraud. However, all employees within an organization can in theory be targeted. In fact, according to cybersecurity firm Barracuda, 77% of these attacks target employees outside of financial or executive roles!

Business Email Compromise (BEC)

Email with hacking icon, compromisedCEO fraud is a form of Business Email Compromise. This type of scam relies on manipulating people’s behavior using deception (social engineering) by sending an email that claims to come from someone within the company or a related party, such as a supplier.

This kind of fraud can and often does rely on very crafty techniques and strategies. Criminals can sometimes hack the CEO’s legitimate email account (or a manager’s account, for instance). Subsequently, they will monitor and analyze how the CEO or manager communicates. Now they can deceive others within the organization by using an email address and a way of being addressed that’s familiar to them.

CEO Phishing is Getting More and More Common

CEO phishing icon, two hooks with email iconAccording to Barracuda, the average organization experiences 700 social engineering email attacks per year. As discussed before, attackers don’t always impersonate the CEO, but sometimes other executives. Regardless of who they choose to impersonate, the damage is often devastating: according to the FBI, such scams can cost billions.

It’s very likely the real numbers are even higher. After all, not all attempts go reported. The same is likely true for many cases where the fiscal damage is relatively low.

Moreover, the increase in remote work post-pandemic has no doubt increased reliance on communications. Hence, there is a high probability that CEO fraud cases will only increase.


How Does CEO Fraud Work?

There are two main strategies that CEO fraudsters use to scam companies. The first is by sending an email from a domain (the part that comes after “@”) that’s virtually identical to the actual domain name of the company or contains only very slight variations.

Infographic showing main strategies used in CEO fraud

The above is called domain spoofing. This can be done in exceptionally crafty ways. For instance, there is a large company that operates all over Europe and sells consumer electronics, called MediaMarkt. Can you easily spot the difference between “[email protected]” and “[email protected]”? This example shows just how similar CEO fraudsters can make different domains look.

The second CEO fraud strategy is arguably even more dangerous: actually hacking an employee’s corporate email account, or even worse, an executive’s email account to send credible scam emails and get authorized employees to make fraudulent payments.

There are different ways these hacks can happen. A common one is spearfishing: a calculated phishing attack that targets one specific employee. Scammers will mislead the employee by sending him an email that addresses him/her correctly and contains a credible story. They’re prompted to click on a link or attachment that contains dangerous malware. This dangerous malware actually allows criminals to hack the victim’s accounts, such as their email.

Fake email mockup showing example of CEO confirm receipt fraud

The attachment included in the fraudulent email above actually contains malware. Upon clicking the file it will prompt you to download a data-stealing executable.


Recognize CEO Fraud

Recognizing CEO fraud is essential to avoid significant losses. Criminals often create compelling emails that make it hard to spot CEO fraud. However, there are a few red flags that give them away.

Frequently used Business Email Compromise strategies

Before business email scammers attack an employee, they do their research. Once they know the person and what their responsibilities are and what they are authorized to do and what not, they will approach them with a “fitting” request.

For instance, an account manager will most likely not be able to transfer millions of dollars without authorization. However, scammers might get them to purchase a few gift cards for “business partners” or to be written off as entertainment expenses. They might get the manager to change some payment information, providing the criminals with an easy way to drain a company.

Depending on their target, CEO fraudsters generally try to get their victims to do one of the following things:

  • Transferring money for an (obviously fake) merger, to pay shareholders, or for some sort of project
  • Purchasing gift cards, claiming that these are for partners or colleagues
  • Changing payment information because of a made-up issue or change experienced by a beneficiary
  • Getting them to pay fake invoices which are carefully crafted based on current company projects or previous invoices

Email warning signs

Apart from the CEO fraud strategy used, there are usually other warning signs within a CEO spear-phishing email. As such, we recommend paying attention to the following elements of the emails you receive:

  •  The sender: CEO fraudsters often try to fool recipients by sending their emails from a domain (the part after “@”) that’s very similar to the actual domain of a company. Inspect the exact email address that the email came from, before taking any other action. Most email providers, such as Gmail, allow you to see the email address by clicking on the sender’s name.
  • Links: Be mindful of any links you find in the email. After all, many spear phishers use malicious links to spread malware or steal login details. Be especially careful when you see shortened links (such as bit.ly links). You can check the destination of a link by just hovering over it. We also strongly recommend checking if a link is safe by running it through a tool built to do just this: such as Norton Safe Web.
  • Attachments: Just like links, attachments are also often used to spread malware and steal information. As such, only open attachments when you expect them and from sources you trust.

Warning signs in the email text

The texts and messages in CEO fraud emails often share some common characteristics, which we’ll list below.

  • Authority: The emails rely on displaying (fake) authority, by urging someone to do something (rather than requesting) much like a supervisor would do. In other words, the criminals will abuse the position in the company hierarchy of the person they’re imitating.
  • Secrecy: The fraudster stresses you’re not supposed to discuss his request with colleagues or managers. He’ll claim that it’s supposed to be a surprise or secret. He might claim for instance that he needs you to buy some gift cards as a surprise for some colleagues or partners.
  • Urgency: Whatever the request, the fraudster will stress it needs to happen fast. After all, giving the employee little time to think clearly is an important part of the scam working. They will also stress the task given to the employee is very important. The employee thinks that they are going to play an important role in executing the strategy.
  • Flattering the victim: Although pressure is an important element of these scams, so is praising the victim and making them believe they’re special. The criminals will tell them they’re the only ones who “can be trusted with this task.”
  • Assurance (“everything’s okay” ): Generally the criminals will come up with an excuse for not being able to discuss the assignment in more detail. “The CEO” might claim to be in an important meeting. To assure the victim everything is okay, they might come up with a fake verification method. For instance, they could give the employee the phone number of a fake law firm. Since these people work together with the scammers, they will obviously assure the employee everything’s okay.

Preventing CEO Fraud

Now that you know examples of CEO fraud and the warning signs, the next step is learning to prevent it. There are different methods to protect yourself from these scams, but the most important one by far is raising awareness within your entire organization about these scams.

Below we’ll give some specific tips for both employees and companies on how to prevent CEO fraud.

Tips for employees

As an employee at a (large) organization, you’re very likely to receive multiple CEO phishing emails during your career. Therefore, below we’ve listed some tips on preventing CEO fraud.

  • Always check out the sender. Click on the name of the sender to see their full email address. Check for any abnormalities.
  • If the sender mentions a bank account in the email or in an invoice, always check whether the account number is among the ones currently known by the finance department.
  • Keep educating yourself on the latest spear-phishing and CEO scams.
  • Do discuss suspicious emails with a colleague or superior, even if the mail claims you shouldn’t. If you are let in on a company secret, you’ll most likely have to sign a non-disclosure agreement.
  • Ideally, discuss a suspicious email request with the email’s sender or the one they’re imitating (by call or private meeting). It might seem daunting to contact your CEO or manager, but it’s still the best way to prevent CEO fraud.

Tips for companies

As a company, it’s almost impossible to completely protect yourself against CEO scams and other social engineering attacks. After all, a company’s security is generally only as strong as its weakest link (employee). Therefore, training your employees to recognize CEO fraud is crucial. Apart from that, be sure to follow the tips down below.

  • Establish clear protocols and rules in place for transferring large amounts of money. There should also be a double verification system for big transfers.
  • Create and enforce clear rules and guidelines for changing payment details. Ideally, contact the partner, supplier, or a related party whose payment info is being changed directly for verification.
  • Make two-step verification mandatory for every employee’s email account. That way, even when criminals obtain their login details, they won’t be able to access their accounts.
  • Organize a security audit of your own organization. You can do this yourself, by sending your employees a phishing email unannounced at an unexpected time. Subsequently, it’s important to provide additional training to employees who fell for the scam. Alternatively, you could procure the services of a company specialized in these audits, such as Cofense. They offer both security audits and anti-phishing training.
  • Make sure your organization invests sufficiently in cybersecurity. You might consider purchasing some tools are software that specializes in preventing phishing and CEO fraud, such as the ones offered by Cofense.

What to Do if You’re a CEO Fraud Victim

CEO fraudsters are exceptionally crafty in the way they trick their victims. As such, it’s highly likely at some point one of your employees becomes a victim of CEO fraud. If you’ve been a victim of CEO fraud, here’s what you can do.

Infographic showing what to do if you are a CEO fraud victim

  1. Gather all the evidence you have and report the crime to the police. Also, report the estimated damages. If you are from Europe, refer to this website by Europol. Here you can click on the country you live in to find out what organization to contact and how. If you are from the US, please report the crime to the FBI’s Internet Crime Complaint Center.
  2. Contact the company’s bank as soon as possible (the person assigned to contact the bank or the CEO should do this ideally). Sometimes, if the bank is contacted very quickly after a fraudulent transaction, they can still undo it. In any case, you should notify the bank so the same criminals can’t execute follow-up attacks on your bank account.
  3. Notify your company’s IT department of any attacks or phishing emails. Send them the emails concerned to help them prepare for future attacks. This way they can tighten up security. Or at least they can discuss what the next steps should be with their supervisor.
  4. Also notify any third parties that might face risk after your systems have been compromised, such as suppliers and other companies whose (sensitive) data you have on file.
  5. The CEO fraudsters might have breached your systems. They might have used malware in a spearfishing email to hack an employee’s PC and subsequently gain access to other PCs in your network. Therefore, it’s crucial your IT department thoroughly checks your systems for malware after any attacks. If they are unable to do so, you’ll have to procure the services of a professional.

Famous CEO Fraud/Business Email Compromise Cases

Finally, we’ll discuss some big CEO fraud/BEC scams to give you an insight into how these scams usually start and unfold. BEC scams often target billion-dollar corporations, and sometimes even governments!

Toyota Business Email Compromise scam

We start off with one of the biggest BEC scams ever committed. On August 14, 2019, scammers convinced an employee at the finance and accounting department of Toyota’s European subsidiary (Toyota Boshoku Europe N.V.) to transfer a whopping 37 million dollars (about 4 billion yen) to another account!

The exact details of the case are unknown. However, some sources speculate the malicious party made the employee essentially panic into paying. They allegedly did this by claiming Toyota’s production would be slowed down significantly if payment wasn’t made swiftly. Creating this sense of urgency is a common CEO fraud and phishing trick.

Cinema giant Pathé invents new genre with “double CEO fraud”: cyberdrama

The next case serves just as well to show that even huge multinationals can fall victim to CEO fraud. In a way, this case concerns “double CEO fraud.” After all, someone pretending to be the CEO of the French parent company tricked the CEO of their Dutch subsidiary. They claimed they needed a hefty sum for the acquisition of a competitor in Dubai.

The Dutch CEO was rightfully suspicious and discussed the matter with the CFO (Chief Financial Officer). After explaining to the criminals’ additional verification was needed, the scammers provided this, or rather, they sent another fake but very cleverly-worded email from a different account that the Dutch CEO fell for. The total damages of all the fraudulent payments amounted to about 22 million dollars. This happened back in 2018.

Puerto Rican government victim of phishing

This next scam shows that not just organizations and companies can fall prey to CEO fraud and spear-fishing scams. The same thing can happen to government institutions.

On January 17, 2020, Puerto Rico’s Industrial Development Company lost over $2.6 million in a phishing scam. They were contacted by a malicious party, presumably posing as a partner or beneficiary. The criminals asked them to change a bank account tied to remittance payments. A Puerto Rican government official obliged, causing the devastating financial loss.

Scammers Are Getting More Creative By The Day

These examples ought to show you that scammers are getting more and more creative by the day. CEO fraud is a serious problem, especially for smaller businesses that simply can’t afford such losses. Other types of fraud are also becoming popular, such as help desk fraud or WhatsApp scams. It’s important to remain up to date with what’s happening so you can keep yourself safe.

CEO fraud - Frequently Asked Questions

Do you have a specific question about CEO fraud? Have a look at our FAQ down below. Simply click on a question to see the answer. Is your question missing? Just leave us a reply with your question and we’ll get back to you as soon as possible!

CEO fraud is a form of phishing where the victim, an employee, is tricked into transferring (large) funds to a scammer. This is done by sending an email in which the scammer impersonates the CEO or a high-ranking manager of a company. In their email, they’ll request either a direct transfer, a change of existing payment information or use other tricks to steal money. CEO fraud is a form of Business Email Compromise (BEC) and social engineering.

Business Email Compromise (BEC) is an umbrella term for manipulating employees or important figures in a company into what the scammers want them to do by sending them a deceiving email in which they impersonate someone else. As such, CEO fraud is a type of Business Email Compromise. However, BEC also concerns cases where scammers pose as a beneficiary of a company and claim their bank account has changed, or as a supplier, for instance.

Preventing CEO fraud is no easy feat since these criminals are getting craftier by the day it seems. Nevertheless, there are a few tips you can follow to make it much less likely you’ll become a victim:

  • Always carefully inspect the email address that the email you received comes from. Often CEO fraudsters use an email address that’s slightly different from the person they’re impersonating.
  • Discuss suspicious emails with your supervisor or colleagues. Ideally, discuss the request you received by email in person or by phone with the email’s (impersonated) sender.
  • Create and enforce clear rules when it comes to making payments and changing payment info in your organization.
Tech journalist
Nathan is an internationally trained journalist and has a special interest in the prevention of cybercrime, especially where vulnerable groups are concerned. For VPNoverview.com he conducts research in the field of cybersecurity, internet censorship, and online privacy. He also contributed to developing our rigorous VPN testing and reviewing procedures using evidence-based best practices.