The Human Layer Security Summit is back. Save your spot today.

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

What is CEO Fraud? How to Identify CEO Email Attacks

  • 14 January 2021

Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

  • What is CEO Fraud?

    CEO fraud is a type of cyberattack in which a fraudster impersonates a company executive via email. This could be your CEO, CFO, Head of HR — or anyone with the power to ask employees to make payments.

Typically, the attacker will target an employee at a target organization and trick them into transferring them money.

A CEO fraud email will usually urgently request the employee to pay a supplier’s “invoice” using new account details. Cybercriminals use sophisticated techniques and meticulous research to make the attack as persuasive as possible. 

Why do cybercriminals impersonate CEOs and other high-level executives? Two reasons:

  • Power: CEOs have the authority to instruct staff to make payments.
  • Status: Employees tend to do what CEOs ask. No-one wants to upset the boss.

CEO fraud vs. other types of cybercrime

There’s some confusion about CEO fraud and how it relates to other types of cybercrime. Let’s clear a few things up before looking at CEO fraud in more detail.

CEO fraud is related to the following types of cybercrime:

CEO fraud is not to be confused with “whaling”: a phishing attack where the cybercriminal targets — rather than impersonates — a CEO or other senior company employee.

More on that in this article: Whaling: Examples and Prevention Strategies.

How do CEO fraud attacks work?

There are three main ways cybercriminals can compromise a CEO’s email account:

  • Hacking: Forcing entry into the CEO’s business email account and using it to send emails.
  • Spoofing: Sending an email from a forged email address and evading authentication techniques.
  • Impersonation: Using an email address that looks similar to a CEO’s email address.

A CEO fraud attack usually involves one of the following types of cybercrime:

  • Wire transfer phishing: The attacker asks the target to pay an invoice.
  • Gift certificate phishing: The attacker asks the targets to buy them gift certificates
  • Malicious payload: The email contains a malware attachment

Like all social engineering attacks, CEO fraud attacks exploit people’s feelings of trust and urgency. When the CEO is “in a meeting” or “at a conference” and needs an urgent favor, employees don’t tend to second-guess them. 

Here’s how a CEO fraud email might look. Now, for the sake of the example, imagine your boss is Thomas Edison. Yes, that Thomas Edison.

In this example of CEO Fraud, the hacker is impersonating Thomas Edison and is encouraging the target to make a fraudulent wire transfer.

There are a few things to note about this CEO fraud email:

  • Note the subject line, “Urgent request,” and the impending payment deadline. This sense of urgency is ubiquitous among CEO fraud emails.
  • The fraudster uses Thomas’s casual email tone and his trademark lightbulb emoji. Fraudsters can do a great impersonation of a CEO by scraping public data (plenty is available on social media!) or by hacking their email and observing their written style.
  • Cybercriminals do meticulous research. Thomas probably is in Florida. “Filament Co.” might be a genuine supplier and an invoice might even actually be due tomorrow.

There’s one more thing to note about the email above. Look at the display name — it’s “Thomas Edison”. But anyone can choose whatever email display name they want. Mobile email apps don’t show the full email address, leaving people vulnerable to crude “display name impersonation” attacks.

That’s why it’s so important to examine the sender’s email address and make sure it matches the display name. Remember: on mobile, you’ll have to take an extra step to view the email address. But, it’s worth it. 

It’s important to note that the difference between the display name and email address won’t always be easy to spot. Why? Because fraudsters can create look-a-like email addresses via “domain impersonation”. Let us explain.

An email domain is the part of the email address after the “@” sign. A cybercriminal impersonating Bill Gates, for example, might purchase a domain such as “” or “”. 

Likewise, using “freemail impersonation”, a more unsophisticated attacker might simply set up an email account with any free email provider using the CEO’s name (think “[email protected]”).

We explain domain impersonation in more detail – including plenty of examples – in this blog: Inside Email Impersonation: Why Domain Name Spoofs Could be Your Biggest Risk.

How common is CEO fraud?

It’s undeniable that cybercrime is on the increase. FBI statistics show that the total losses from cybercrime rose from $1.5 billion in 2016 to $4.3 billion in 2020. Business Email Compromise (BEC) has also “increased, grown in sophistication, and become more targeted” due to the COVID-19 pandemic, according to Interpol.

But what about CEO fraud itself? CEO fraud once dominated the cybercrime landscape. However, there is some evidence that cybercriminals are moving away from CEO fraud and towards a broader range of more sophisticated social engineering attacks.

The FBI’s Internet Crime Complaint Center (IC3) estimates the global losses associated with BEC at over $28 billion in the period from 2016-20 and cites a 61% increase in BEC incidents over the same period.

But this figure doesn’t distinguish CEO fraud from other types of BEC. The IC3’s 2019 cybercrime report suggests while CEO fraud previously dominated BEC, cybercriminals now impersonate a broader range of actors, including vendors, lawyers, and payroll departments.

These days, employees don’t only have to be wary of CEO fraud attacks. They also need to watch out for more advanced cybercrime techniques like Account Takeover (ATO), deepfakes, and ransomware.

But CEO fraud is still a big deal. In December 2020, the Bank of Ireland warned of an increase in Brexit-related CEO fraud attacks. The bank’s staff were reportedly dealing with two to three CEO fraud attacks per week, with some attacks compromising millions of euros.

Want to know how to protect yourself and your business from CEO fraud? Read our article: How to Prevent CEO Fraud Attacks.

[if lte IE 8]
[if lte IE 8]