CEO Fraud: How Scammers Impersonate Your Boss via Email

IsThisAScam Research Team · April 9, 2026 · 4 min read

The CFO received a text at 7:14 AM from a number she didn't recognize: "Hey Linda, it's Mark. Using my personal phone — my work phone is being repaired. I need you to process an urgent wire transfer this morning. Can you handle it?" Mark was the CEO. Linda had processed wire transfers at his request dozens of times. She confirmed by email — but the email address, she later realized, was mark.jensen@company-corp.com instead of mark.jensen@companycorp.com. She wired $380,000 to a bank in Hong Kong. The money was gone within hours.

What Is CEO Fraud?

CEO fraud, also known as executive impersonation, is a subset of business email compromise (BEC). It occurs when a scammer pretends to be a company's CEO, CFO, or other senior executive and instructs an employee to transfer money, purchase gift cards, or share sensitive information such as employee W-2 forms or customer data.

It's the most financially devastating form of email fraud. The FBI reported that BEC scams caused over $55 billion in losses globally between 2013 and 2025. The average loss per incident is $125,000, but individual cases have exceeded $60 million.

How the Attack Unfolds

Phase 1: Research. The attacker studies the target organization. LinkedIn reveals the CEO's name, the CFO's name, and the organizational hierarchy. The company website lists executives and board members. Press releases identify ongoing deals and projects. Social media shows when the CEO is traveling or at a conference — the perfect time to strike, because the real CEO is less likely to be reachable.

Phase 2: Initial contact. The scammer sends an email (or increasingly, a text message) that appears to come from the CEO. The message is typically brief and casual — it mimics how executives actually communicate:

"Linda, are you available? I need you to handle something confidential for me right away. Don't mention this to anyone else yet."

Phase 3: The request. Once the employee responds, the scammer introduces the financial request. It's always framed as urgent, confidential, and coming directly from the top:

"We're completing an acquisition that hasn't been announced yet. I need you to wire $245,000 to the following account for the legal retainer. This is time-sensitive and highly confidential — please process today and confirm when complete."

Phase 4: Escalation. If the employee hesitates, the scammer applies pressure: "I'm in meetings all day and can't take calls. This needs to be done before 3 PM. Are you able to handle this or should I ask someone else?" The implicit threat — being seen as uncooperative or incompetent — is often enough to override caution.

Why Employees Fall for It

CEO fraud exploits authority bias. When the CEO asks you to do something, you do it. Questioning the CEO feels insubordinate, especially when the request is framed as confidential and urgent. The scammer deliberately creates conditions where the normal verification process — asking a colleague, checking with the CEO directly — feels inappropriate or impossible.

Companies with hierarchical cultures, where employees are expected to comply quickly with executive requests, are particularly vulnerable. Organizations where the CEO regularly makes ad-hoc financial requests create an environment where these scam emails blend seamlessly with legitimate ones.

Red Flags

Unusual communication channel. If the CEO normally emails from their work address and suddenly texts you from an unknown number or emails from a different address, verify independently.

Requests for secrecy. "Don't mention this to anyone" is a red flag. Legitimate business transactions involve multiple people. A request to bypass normal processes and keep it secret is designed to prevent you from verifying.

Wire transfers or gift cards. Legitimate businesses don't buy hundreds of dollars in gift cards as a standard financial process. And urgent, unplanned wire transfers to new accounts should always be verified through a second channel.

The email address is slightly off. Compare the sender's email address character by character with the real executive's address. Look for substituted characters (rn for m, 1 for l), extra or missing letters, and different domains.
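
The character-by-character comparison described above can be automated, for example in a mail-filtering rule that tags suspicious senders. The following is an added example, not part of the original article or IsThisAScam's own code; the allow-list, the extra substitutions (vv for w, 0 for o), and the edit-distance threshold are assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list; the domain is the one from the article's opening story.
TRUSTED_DOMAINS = {"companycorp.com"}
# "rn"/"m" and "1"/"l" are named in the article; "vv"/"w" and "0"/"o" are assumed extras.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))
MAX_EDITS = 2  # assumed threshold for "extra or missing letters"


def skeleton(label):
    """Fold hyphens and confusable sequences into one canonical form."""
    s = label.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From: value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    name = skeleton(domain.rpartition(".")[0])  # everything before the last dot
    for good in trusted:
        # Same name after folding: substituted characters, hyphens, or a swapped TLD.
        if name == skeleton(good.rpartition(".")[0]):
            return "lookalike"
        # A few edits away: extra or missing letters.
        if edit_distance(domain, good) <= MAX_EDITS:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    print(classify_sender("Mark Jensen <mark.jensen@company-corp.com>"))
```

A "lookalike" verdict is a signal to hold the message for independent verification; an "external" verdict only means the domain does not resemble a trusted one, not that the sender is legitimate.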

How to Protect Your Organization

Implement verbal verification for all wire transfers. Every wire transfer request, regardless of who it appears to come from, must be confirmed by a phone call to a known number. This single policy stops CEO fraud cold.

Establish dual authorization. Require two authorized individuals to approve any payment over a defined threshold. The person who receives the request should not be the same person who authorizes the payment.

Train employees regularly. Run simulated CEO fraud attacks and provide immediate feedback. Employees who have experienced a realistic simulation are dramatically more likely to catch the real thing.

Create a culture where questioning is safe. If employees fear repercussions for verifying a CEO's request, they won't verify. Leadership must explicitly communicate that verifying financial requests is expected, not insubordinate.

CEO fraud succeeds because it exploits the gap between authority and verification. Close that gap with clear policies, and the scam fails every time.
