What is CEO Fraud? How to Identify CEO Email Attacks

Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

As we’ll explain below, there are several different methods used by cybercriminals to carry out a CEO fraud attack. But they all have one thing in common: money.

Most often, a CEO fraud email will urgently request the employee to pay a supplier’s “invoice” using new account details. Cybercriminals use sophisticated techniques and meticulous research to make the attack as persuasive as possible. 

Why do cybercriminals impersonate CEOs and other high-level executives? Two reasons:

• Power: CEOs have the authority to instruct staff to make payments.
• Status: Employees tend to do what CEOs ask. No one wants to upset the boss.

CEO fraud vs. other types of cybercrime

There’s some confusion about CEO fraud and how it relates to other types of cybercrime. Let’s clear a few things up before looking at CEO fraud in more detail.

CEO fraud is related to the following types of cybercrime:

• Social engineering attack: Any cyberattack in which the attacker impersonates someone that their target is likely to trust.
• Phishing: A social engineering attack conducted via email (there are other forms of phishing, such as “smishing” and “vishing” via SMS and phone).
• Spear phishing: A phishing attack targeting a named individual.
• Business Email Compromise (BEC): A phishing attack conducted via a hacked or spoofed corporate email account.

These types of cyberattack all utilize email and impersonation—two critical elements of a CEO fraud attack.

CEO fraud is not to be confused with “whaling”: a phishing attack where the cybercriminal targets—rather than impersonates—a CEO or other senior company employee.

More on that in this article: Whaling: Examples and Prevention Strategies.

CEO Fraud techniques

As explained above, CEO fraud is related to Business Email Compromise. That’s because the attacker needs to make it look like they’re a senior employee of your company—so any email they send must appear to have come from a company account.

There are three main ways cybercriminals can compromise a CEO’s email account:

• Hacking: Forcing entry into the CEO’s business email account and using it to send emails. This is the CEO fraud technique that’s most difficult to detect.
• Spoofing: Sending an email from a forged email address and evading authentication techniques such as DMARC.
• Impersonation: Using an email address that looks similar to a CEO’s email address. This can take the form of a “display name impersonation attack.”

Once the threat actor has taken control of a CEO’s email account—or has convincingly impersonated their email address—they use one of the following techniques to attack the target organisation:

• Wire transfer phishing: The attacker asks the target to pay an invoice. According to the FBI, businesses lose billions of dollars per year via this type of phishing attack.
• Gift certificate phishing: The attacker asks the targets to buy them gift certificates. Gift certificates can be harder to trace than a bank transfer. Check out this (hilarious) example “from” Tessian’s own CEO.
• Malicious payload: The email contains an innocent-looking attachment that installs malware on the target company’s systems.

Anatomy of a CEO fraud attack

Now let’s take a look at an example of a CEO fraud attack to help you better understand the process.

Like all social engineering attacks, CEO fraud attacks exploit people’s feelings of trust and urgency. When the CEO is “in a meeting” or “at a conference” and needs an urgent favor, employees don’t tend to second-guess them. 

Here’s how a CEO fraud email might look. Now, for the sake of the example, imagine your boss is Thomas Edison. Yes, that Thomas Edison.

There are a few things to note about this CEO fraud email:

• Note the subject line, “Urgent request,” and the impending payment deadline. This sense of urgency is ubiquitous among CEO fraud emails.
• The fraudster uses Thomas’s casual email tone and his trademark lightbulb emoji. Fraudsters can do a great impersonation of a CEO by scraping public data (plenty is available on social media!) or by hacking their email and observing their written style.
• Cybercriminals do meticulous research. Thomas probably is in Florida. “Filament Co.” might be a genuine supplier and an invoice might even actually be due tomorrow.

There’s one more thing to note about the email above. Look at the display name — it’s “Thomas Edison”. But anyone can choose whatever email display name they want. Mobile email apps don’t show the full email address, leaving people vulnerable to crude “display name impersonation” attacks.

Cybercriminals can also set up a fake email domain impersonating your company’s real domain name. The domain is the part of the email address after the “@” sign. A cybercriminal impersonating Bill Gates, for example, might purchase a domain such as “micros0ft.com” or “microsoft.co”. 

Likewise, using “freemail impersonation”, a less sophisticated attacker might simply set up an email account with any free email provider using the CEO’s name (think “bill.gates@gmail.com”). It sounds crude, but such attacks really can work.

We explain domain impersonation in more detail – including plenty of examples – in this blog: Inside Email Impersonation: Why Domain Name Spoofs Could be Your Biggest Risk.

How common is CEO fraud?

It’s fair to say that cybercrime has gone into overdrive in recent years.

Data from the FBI’s Internet Crime Complaint Center (IC3), released March 2021, shows a record-breaking number of cybercrime complaints in 2020.

The IC3 reports a 69% increase in the number of complaints since 2019, with reported losses exceeding $4.1 billion dollars. The main cause of cybercrime reported to the IC3 was—you guessed it—phishing.

So it’s clear that cybercrime, particularly phishing, is pervasive—and increasingly so.

But what about CEO fraud itself? CEO fraud once dominated the cybercrime landscape. However, there is some evidence that cybercriminals are moving away from CEO fraud and towards a broader range of more sophisticated social engineering attacks.

In 2020, the FBI noted that while CEO fraud previously dominated BEC, cybercriminals now impersonate a broader range of actors, including vendors, lawyers, and payroll departments.

And a report by UK Finance suggests that while CEO fraud is still among the main eight types of fraud attacks targeting consumers and businesses, there was a 14% percent drop in CEO fraud attacks between the first half of 2020 and the first half of 2021. (So it’s not all doom and gloom…)

These days, employees don’t only have to be wary of CEO fraud attacks. They also need to watch out for more advanced cybercrime techniques like Account Takeover (ATO), deepfakes, and ransomware.

But CEO fraud is still a big deal. And as with all other types of social engineering attacks, there’s evidence that CEO fraud attacks are becoming more sophisticated and easier for threat actors to carry out.

For example, in March 2021, a CEO fraud “phishing kit” was discovered that enabled cybercriminals to easily host fake Office 365 login pages in the cloud storage tool Backblaze.

Want to know how to protect yourself and your business from CEO fraud? Read our article: How to Prevent CEO Fraud Attacks.