Microsoft 365
July 24, 2024

CEO fraud: What it is and how to identify it

The term ‘CEO fraud’ may conjure the idea of an undercover boss snooping on employees to make sure they’re completing tasks and not goofing off on the clock. In reality, it’s a scam that swindles companies out of money by impersonating their leadership. Learn how to recognize and prevent CEO fraud, sometimes known as whaling or executive whaling, so you can defend against a CEO fraud attack.


What is CEO fraud?

CEO fraud is a scam in which a criminal poses as a company’s CEO (or another senior executive) and tries to persuade staff into transferring funds or making payments. These scams are most often conducted via email, which makes them a form of phishing.

However, because of the amount of research these criminals must do to make the scam convincing, CEO fraud is more accurately described as a form of spear phishing: it targets specific people with a message tailored to them. The FBI refers to CEO fraud as a type of scam called a “Business Email Compromise,” or BEC.


What happens in CEO fraud?

There are a few steps that a criminal takes when carrying out CEO fraud:

Identify a target

Criminals must first find a business to impersonate. They gather publicly available information from the company website, press releases, and social media, and research the business, its executives, and internal processes (for example, who handles payments and who reports to whom).

Grooming

This is where the approach begins. The criminals may call someone in the company’s finance department while pretending to be an executive. They typically time the call for when that executive is on vacation or otherwise unreachable, so the request seems plausible and is hard to confirm directly.

Email spoofing

Criminals also target company officials and employees through a range of email techniques. One is display-name spoofing, where an attacker uses the name of a known person (like your CEO) but a different email address, relying on the recipient seeing only the name. Sometimes the address used is a lookalike of the real one, with a slightly different spelling (a digit 1 in place of an l, for instance) or a different domain (.org instead of .com).

Another form is name and email spoofing, where an attacker uses both the CEO’s name and the CEO’s correct email address. The message appears to come from the genuine address, but it is sent from a spoofed or compromised mailbox arranged so that replies are forwarded to an account the attacker controls, which makes the whole exchange look legitimate on both sides.

Building trust

Scammers will attempt to gain trust through a range of social engineering techniques, often including one or more of these:

  • Phishing email attacks are often sent to company executives. They typically include a link that installs malware, giving the criminals access to other company information, including contact lists, so they can trick other employees into transferring money or sharing sensitive information.
  • Spear phishing emails are more carefully researched and targeted. They’ll often reference specific projects and events to seem more legitimate and encourage another executive to continue communication.
  • Whale phishing, also called ‘executive whaling,’ is when the criminal impersonates the CEO (or another executive) and tries to pressure high-level employees into sharing sensitive information or transferring funds. The term ‘whaling’ is based on a size reference, in which the CEO is the biggest fish in a company’s pond.

Exchanging information

When the victim is appropriately convinced that they are conducting a legitimate business transaction or speaking to a direct superior, they’ll exchange the requested information with the scammers. They’re usually asked to provide financial information or given instructions for wiring money. This final step is when the funds are transferred to a bank account controlled by the scammers.


Identifying and protecting against CEO fraud

Recognizing a CEO fraud attack can be harder than spotting a generic phishing email, because the message is tailored to you and your company. Still, the hallmarks of this kind of scam include:

  • An urgent or threatening tone that encourages speedy action
  • Messages from executives who claim to be unavailable
  • Language that suggests a need for secrecy
  • Requests to transfer funds or information
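The email spoofing techniques and the hallmarks listed above can be turned into a simple triage check. The following script is an added example, not code from the original article or from Microsoft; the corporate domain, the executive name and address, the phrase lists, and the two sample messages are all constructed for illustration. It parses a raw message with Python’s standard `email` module, flags the header anomalies described earlier (an executive’s display name on a different address, a lookalike sender domain, replies diverted to another mailbox), and then looks for the four hallmarks in the subject and body.

```python
"""Triage checks for CEO-fraud (BEC) email: header anomalies plus the four hallmarks."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for a hypothetical organisation (not from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name (lower-case) -> genuine address

# Phrase patterns for the four hallmarks: urgency, claimed unavailability, secrecy, funds requests.
HALLMARKS = {
    "urgency": re.compile(r"\b(urgent(ly)?|immediately|asap|right away|before (noon|eod|close))\b", re.I),
    "unavailable": re.compile(r"\b(in a meeting|on a flight|travell?ing|out of (the )?office|can'?t (talk|take calls))\b", re.I),
    "secrecy": re.compile(r"\b(confidential|keep this between us|do ?n[o']t (tell|discuss|mention))\b", re.I),
    "funds": re.compile(r"\b(wire|transfer|payment|gift cards?|bank details|account number)\b", re.I),
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain):
    """Flag domains that imitate the corporate one: same name on another TLD, or within two edits."""
    if domain == CORPORATE_DOMAIN:
        return False
    name, _, tld = domain.partition(".")
    cname, _, ctld = CORPORATE_DOMAIN.partition(".")
    return (name == cname and tld != ctld) or edit_distance(domain, CORPORATE_DOMAIN) <= 2


def analyze(raw_message):
    """Return {'header': [...], 'content': [...]}; each entry is one observed warning sign."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    domain = addr.rpartition("@")[2]

    header = []
    genuine = EXECUTIVES.get(display.strip().lower())
    if genuine and addr != genuine:  # display-name spoofing: known name, different address
        header.append(f"executive display name '{display}' but sender is {addr}")
    if lookalike_domain(domain):  # misspelled or wrong-TLD sender domain
        header.append(f"sender domain {domain} imitates {CORPORATE_DOMAIN}")
    if reply_to and reply_to != addr:  # replies quietly routed to another mailbox
        header.append(f"replies diverted to {reply_to}")

    # Single-part text messages only; multipart bodies would need walking the parts.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    content = [name for name, pattern in HALLMARKS.items() if pattern.search(text)]
    return {"header": header, "content": content}


def is_suspicious(report):
    """Any header anomaly is enough; content hallmarks alone need at least two to flag."""
    return bool(report["header"]) or len(report["content"]) >= 2


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.net
To: accounts@example.com
Subject: Urgent wire before close

I'm in a meeting all day and can't talk. Please wire $48,500 to the vendor
account I'll send next. Keep this confidential until the acquisition is public.
"""

GENUINE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 board deck

Draft deck attached; send comments by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        report = analyze(raw)
        print(label, "suspicious" if is_suspicious(report) else "ok", report)
```

A hit in the `header` list is the strong signal and should always trigger the out-of-band verification the article recommends; the content hallmarks on their own are weaker, since a real executive can also write “urgent” and “payment” in the same message, which is why the script requires two of them before flagging a message that passes the header checks.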

Thankfully, you can greatly reduce the risk of CEO fraud with a little common sense. Limit how much information about your company is publicly available to potential criminals. This includes your own website, social media outlets, and even your out-of-office responses, which tell a stranger exactly when an executive is unreachable. Make sure that the people in your company are trained to challenge (and not fall for) these sorts of unusual financial requests. Lastly, if you receive an email from an executive making a strange, urgent request for money, verify it out of band: call the executive on a number you already have (not one given in the email), don’t simply reply to the message, and check with the people who normally handle payments to make sure the request follows the usual process.

Email hoaxes and other scams have been around for ages; however, taking the steps to recognize a scam may save you a headache in the future. If something feels off or too good to be true, trust your gut and err on the side of caution.
