CEO Fraud: A Dangerous Phishing Scam Targeting Businesses

CEO fraud is a form of business email compromise (BEC): a phishing attack in which criminals impersonate a senior executive to trick an employee into sending money or data. The scam has grown rapidly in recent years and has cost companies around the world billions of dollars. According to the Federal Bureau of Investigation (FBI, 2019), identified global exposed losses from BEC reached $26 billion, and the FBI found a 100% increase in identified exposed losses between May 2018 and July 2019. The scam has been reported in all 50 U.S. states and in over 150 countries. Victim complaints filed with the FBI’s Internet Crime Complaint Center (IC3) show that fraudulent transfers have been sent to banks in approximately 140 different countries (FBI, 2019).

How the Scam Works

The scam typically begins with the cybercriminals conducting research on the company they plan to target. They identify key executives and study their communication styles and tendencies. Then the criminals craft a convincing email that appears to come from a high-level exec, usually the CEO or CFO.

The fake email requests an urgent money transfer, often to pay a vendor or supplier. The criminals rely on the authority of the executive’s position and the urgency of the request to get the employee to skip normal verification procedures. Because the email appears to come from a trusted source inside the company, the employee complies and wires the funds to an account the criminals control.

By the time the company realizes it’s been defrauded, the money is gone. The FBI reports that some CEO fraud scams have cost companies as much as $75 million.

Sometimes the attackers do not even spoof the sender address. They simply put the executive’s name in the From display name (or in the subject line) of a message sent from an unrelated mailbox, hoping the recipient will recognise the familiar name and never look at the actual address behind it.

Here are two examples:

Differing Techniques

Cybercriminals use several related techniques, and understanding the differences helps with prevention (KnowBe4). Phishing sends fraudulent emails posing as a reputable source to large groups of users in the hope of stealing credentials or other sensitive information. Spear phishing targets specific individuals or small groups with emails that are personalised to the recipient. Whaling is spear phishing aimed at high-level executives, with the goal of obtaining money or data. Social engineering is the broader psychological manipulation behind all of these: convincing people to divulge confidential details or release funds, often using intelligence gathered from social media profiles and company websites. Being aware of these attack vectors is the first step in defending against them (KnowBe4).

Protecting Businesses from CEO Fraud

The most important defense against CEO fraud is employee education about phishing and verification procedures. Employees should be taught to carefully scrutinize any unusual financial requests, even if they appear to come from an executive.

Businesses should also implement policies requiring secondary confirmation for any transfer over a certain dollar amount, and for any change to a vendor’s bank details. The confirmation must go through a channel already on file, such as a known phone number or an in-person conversation, never a phone number or reply address supplied in the request itself, since the attacker controls those. A callback to the real executive stops the payment before it leaves.

Technical defenses can also help prevent these messages from reaching employees and detect scams early, before funds are lost: email authentication (SPF, DKIM and DMARC) so that mail forging the company’s own domain is rejected or quarantined, filtering rules that flag external senders using an executive’s name in the display name, and monitoring of unusual payment requests. With vigilance and proper cybersecurity measures, businesses can protect themselves from this scam.
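The two technical points above, display-name impersonation from an outside mailbox and the email-authentication and monitoring controls, can be combined into a simple inbound screening rule. The following is an added example written for this article, not code from the original page or from any vendor it mentions. It assumes a hypothetical corporate domain `example.com`, a hypothetical executive roster, and three constructed messages: a lookalike-domain message carrying the CEO’s name, a message that forges the real domain and fails DMARC at the receiving mail server, and a legitimate one.

```python
"""Heuristic screening of inbound mail for CEO-fraud indicators.

Added example (not from the original article). Checks for: an executive's
name in the From display name or subject with a non-corporate sender, a
lookalike sender domain, a Reply-To that diverts replies elsewhere, a
failed DMARC result recorded by the receiving MTA, and urgent payment
language. Every constant below is an assumption for the example.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}   # assumed executive roster
URGENCY = ("urgent", "asap", "immediately", "right away", "confidential")
PAYMENT = ("wire", "transfer", "payment", "invoice", "gift card")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance from the real domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    subject = msg.get("Subject", "")
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        body = b"\n".join(parts).decode("utf-8", "replace")
    else:
        body = msg.get_payload()

    # 1. Executive's name shown to the reader, but the mail is not from our domain.
    shown = f"{name} {subject}".lower()
    for exec_name, title in EXECUTIVES.items():
        if exec_name in shown and sender_domain != CORPORATE_DOMAIN:
            findings.append(f"{title} name used with external sender {addr or '<none>'}")

    # 2. Sender domain is a near-miss of the corporate domain (e.g. digit 1 for letter l).
    if sender_domain and sender_domain != CORPORATE_DOMAIN \
            and edit_distance(sender_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {sender_domain}")

    # 3. Replies would go to a mailbox in a different domain than the sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} differs from sender domain {sender_domain}")

    # 4. The receiving MTA recorded a DMARC failure (forged corporate domain).
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("DMARC check failed for sender domain")

    # 5. Pressure plus money: the classic CEO-fraud wording.
    text = f"{subject} {body}".lower()
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        findings.append("urgent payment language")
    return findings


# Constructed sample messages for the example (not real mail).
SAMPLE_LOOKALIKE = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "Reply-To: <ceo.office@webmail.example.net>",
    "To: accounts@example.com",
    "Subject: Urgent wire transfer",
    "",
    "I need a wire sent to a new supplier today. I am in meetings, email only.",
])
SAMPLE_SPOOFED = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: accounts@example.com",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
    " dmarc=fail header.from=example.com",
    "Subject: Are you at your desk?",
    "",
    "I need you to approve a payment immediately and keep it confidential.",
])
SAMPLE_LEGIT = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: accounts@example.com",
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass",
    "Subject: Q3 planning",
    "",
    "Can we meet Thursday to go over the numbers?",
])

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE),
                          ("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)]:
        print(label, screen(sample))
```

Checks 1 to 3 are what a display-name rule in a mail gateway does; check 4 only works if the company publishes a DMARC policy and the receiving server records its verdict in `Authentication-Results`. In practice a message hitting two or more of these rules would be quarantined or tagged with a banner rather than silently dropped, so that a genuine executive request is delayed, not lost.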

Conclusion

The implications of these rising cyber threats for small and midsize businesses are clear. SMBs must make cybersecurity a top priority and investment. Implementing modern security tools, access controls, data encryption, system updates, and comprehensive employee training are essential to close vulnerabilities. Proactively communicating security measures to customers can also help rebuild trust after a breach. The costs of lax security are now unsustainable. SMBs that build their cyber resilience and promote their security readiness can gain a competitive edge and avoid becoming the next hidden victim of a devastating cybercrime. The time for SMBs to act and implement robust cyber defenses is now, before the costs and consequences grow even higher.

Fizen™
