
CEO fraud

(also business email compromise, executive impersonation fraud, whaling)

What is CEO fraud?

CEO fraud is a sophisticated cybersecurity threat where fraudsters impersonate high-ranking executives to deceive employees, clients, or vendors into committing fraudulent actions, often involving financial transactions.

This type of scam relies on deception and carefully written emails that look genuine, tricking people into handing over sensitive information or bypassing security controls. CEO fraud is a targeted attack that can cost businesses money and damage their reputation. According to the FBI, CEO fraud is now a $26 billion scam.

In CEO fraud, the attackers thoroughly research their targets to learn the organization's structure, key employees, and ongoing business. With this knowledge, they send convincing emails posing as the CEO, CFO, or another senior executive to manipulate employees into taking urgent, unauthorized actions.

For instance, these emails might ask the recipient to make a money transfer, change payment details, or share sensitive information such as bank account or login details. The emails often use psychological pressure, such as manufactured urgency or the authority of the person being impersonated, to get recipients to comply without raising suspicion.

CEO fraud exploits human weaknesses and bypasses standard security measures. The attackers carefully craft their messages and use techniques such as spoofing the company's email address or domain. They may also compromise legitimate email accounts to make the deception even more convincing.

See also: email spoofing, spear phishing, whaling, social engineering

Protecting against CEO fraud

  • Be cautious of emails asking for personal information.
  • Do not click on links or open attachments from unknown senders.
  • Double-check unusual requests with the CEO directly.
  • Use strong passwords, extra security checks, and email filters.
  • Tell your IT security team immediately if you get suspicious emails.
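The impersonation techniques described above (spoofed or lookalike sender domains, replies redirected to another mailbox, urgent payment or credential requests) can be expressed as simple mail-filter checks. The following is an added example, not code from this glossary; the company domain, executive name, keyword lists and sample messages are all constructed for illustration.

```python
from email.utils import parseaddr
# Constructed sample data (hypothetical): the real domain and the executives an impersonator would pose as.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = ("urgent", "immediately", "right away", "confidential")
ACTIONS = ("money transfer", "wire", "payment details", "bank account", "login")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value flags a lookalike domain (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(msg: dict) -> list:
    """Return the indicators that make a message look like executive impersonation."""
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    addr, key = addr.lower(), name.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # An executive's display name on mail not sent from that executive's mailbox.
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        reasons.append(f"display name '{name}' is an executive but sender is {addr}")
    # Sender domain is a near-miss of the real company domain.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    # Replies quietly redirected to a mailbox other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # Pressure combined with a payment, account-change or credential request.
    body = msg.get("Body", "").lower()
    if any(u in body for u in URGENCY) and any(a in body for a in ACTIONS):
        reasons.append("urgent request for a payment, account change or credentials")
    return reasons

# Constructed sample messages, not real traffic.
SAMPLES = {
    "lookalike": {"From": '"Jane Doe" <jane.doe@examp1e.com>',
                  "Body": "I need a money transfer done immediately, keep it confidential."},
    "redirect": {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "j.doe@freemail.invalid",
                 "Body": "Please update our vendor's bank account right away."},
    "clean": {"From": "Jane Doe <jane.doe@example.com>", "Body": "Lunch on Friday?"},
}

def scan(samples: dict = SAMPLES) -> dict:
    return {label: assess(msg) for label, msg in samples.items()}
```

Each indicator is a signal rather than a verdict; a filter would normally score them and route anything above a threshold for review, which is where the "double-check with the CEO directly" step comes in.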