What is CEO Fraud?

CEO fraud is a sophisticated email scam that cybercriminals use to trick employees into transferring them money or providing them with confidential company information.

Cybercriminals send savvy emails impersonating the company CEO or other company executives and ask employees, typically in HR or accounting, to help them out by sending a wire transfer. Often referred to as Business Email Compromise (BEC), this cybercrime uses spoofed or compromised email accounts to trick email recipients into acting.

CEO fraud is a social engineering technique that relies on winning the trust of the email recipient. The cybercriminals behind CEO fraud know that most people don’t look at email addresses very closely or notice minor differences in spelling.

These emails use familiar yet urgent language and make it clear that the recipient is doing the sender a big favor by helping them out. Cybercriminals prey on the human instinct to trust one another and on the desire to want to help others.

CEO fraud attacks start with phishing, spear phishing, BEC, and executive whaling to impersonate company executives.

How Common is CEO Fraud?

CEO fraud is becoming an increasingly common type of cybercrime. Cybercriminals know that everyone has a full inbox, making it easy to catch people off-guard and convince them to respond.

According to the FBI and the Internet Crime Complaint Center (IC3), CEO fraud is a $12 billion scam. Research and statistics collected by the IC3 between October 2013 and May 2018 underscore the serious nature of CEO fraud:

Statistics reported (figures given in the original table): domestic and international incidents; domestic and international exposed dollar loss ($B); total U.S. victims; total U.S. exposed dollar loss ($B); total non-U.S. victims; total non-U.S. exposed dollar loss ($M).

CEO fraud is a cybercrime that knows no boundaries: it has been reported in 50 U.S. states and 150 countries, with wire transfers being sent to 115 different countries. CEO fraud is a global cybercrime that impacts businesses of all types and sizes.

It’s critical that employees understand the importance of carefully reading emails and verifying the email sender’s address and name. Cyber security awareness training and continual education are instrumental in reminding people of the importance of being cyber aware when it comes to emails and the inbox.

How Does CEO Fraud Happen?

Cybercriminals rely on four key tactics to commit CEO fraud:

Phishing

Phishing is a cybercrime that uses tactics including deceptive emails, websites and text messages to steal money, tax information, and other confidential information. Cybercriminals send a large number of emails, for example to different company CEOs, hoping to trick one or more recipients into responding. Depending on the phishing technique, the criminal might then use malware or another method to gain access to the CEO’s email account, contact list, or confidential information, which can then be used to send targeted CEO fraud emails to unsuspecting recipients.

Spear Phishing

Spear phishing attacks use very targeted emails against individuals and businesses. Before sending a spear phishing email, cybercriminals use the Internet to collect personal data about their targets that is then used in the spear phishing email. Recipients trust the email sender and request because it comes from a company they do business with or references an event that they attended. The recipient is then tricked into providing the requested information, which is then used to commit further cybercrimes, including CEO fraud.

Social Engineering

Social engineering relies on the human instinct of trust to trick people into giving up confidential information. Using carefully written emails, text messages, or phone calls, the cybercriminal wins the victim’s trust and convinces them to provide the requested information or, for example, to send a wire transfer. To be successful, social engineering only needs one thing: the victim’s trust.

Executive Whaling

Executive whaling is a sophisticated cybercrime in which criminals impersonate company CEOs, CFOs, and other executives, hoping to trick victims into acting. The goal is to use the executive’s authority or status to convince the recipient to respond quickly without verifying the request with another colleague. Victims feel like they’re doing something good by helping out their CEO and company by, for example, paying a third-party company or uploading tax documents to a private server.

These CEO fraud techniques all rely on one key element – that people are busy and don’t pay full attention to emails, website URLs, text messages, or voicemail details. All it takes is missing a spelling error or a slightly different email address, and the cybercriminal wins.

It is important to provide company employees with security awareness education and knowledge that reinforces the importance of paying attention to email addresses, company names, and requests that have even a hint of suspicion.

What Are Some Examples of CEO Fraud Attacks?

Phishing simulations help you identify which employees are prone to CEO fraud attacks, and to demonstrate how easy it is for anyone to be tricked by a cybercriminal.

How To Prevent CEO Fraud

1. Educate your employees about the four CEO fraud tactics. Take advantage of free phishing simulation tools to educate and identify phishing, social engineering, and CEO fraud risk.

2. Use proven security awareness training and phishing simulation platforms to keep CEO fraud attack risks top-of-mind for employees. Create internal cyber security heroes who are committed to keeping your organization cyber secure.

3. Remind your security leaders and cyber security heroes to regularly monitor employee cyber security and fraud awareness with phishing simulation tools. Take advantage of CEO fraud microlearning modules to educate, train, and change behavior.

4. Provide ongoing communication and campaigns about cyber security, CEO fraud, and social engineering. This includes establishing strong password policies and reminding employees about the risks that can come in the format of emails, URLs, and attachments.

5. Establish network access rules that limit the use of personal devices and the sharing of information outside of your corporate network.

6. Ensure that all applications, operating systems, network tools, and internal software are up-to-date and secure. Install malware protection and anti-spam software.

7. Incorporate cyber security awareness campaigns, training, support, education, and project management into your corporate culture.

Learn how important it is to change behaviors and empower employees to be the first line of defense against CEO fraud. Download, read, and share this free ebook: The Human Fix to the Human Risk.

What is Phishing Simulation?

Phishing simulation is the best way to raise awareness and understanding of CEO fraud risks.

Phishing simulation uses real-world examples in an interactive format to identify which employees are at risk for CEO fraud scams and phishing.

CEO fraud relies on phishing techniques to gain access to the company email system and uses social engineering techniques to convince employees to act as requested.

People see first-hand how cybercriminals use savvy techniques to steal personal and corporate information. Real-time CEO fraud and phishing simulations are an accessible way for any organization to educate people and increase alertness levels to cybercrime scams and techniques.

Phishing simulation allows you to easily incorporate cyber security awareness training into your organization.

How Can Phishing Simulation Help Prevent CEO Fraud?

Phishing simulations are an accessible and informative way to show employees how easy it is to be a victim of CEO fraud.

Using real-world examples and simulated phishing attacks, employees realize why it is important to verify email addresses and to confirm requests for funds or tax information before responding.

Phishing simulations empower your organization with 10 primary benefits against CEO fraud and other cyber security threats:

1. Measure the degrees of corporate and employee vulnerability

2. Eliminate the cyber threat risk level

3. Increase user alertness to CEO fraud, phishing, spear phishing, social engineering, and executive whaling risk

4. Instill a cyber security culture and create cyber security heroes

5. Change behavior to eliminate the automatic trust response

6. Deploy targeted anti-phishing solutions

7. Protect valuable corporate and personal data

8. Meet industry compliance obligations

9. Assess the impacts of cyber security awareness training

10. Segment BEC and phishing simulation

To learn more about CEO fraud and the best ways to keep your organization cyber security aware, take advantage of our free cyber security awareness resources:

Contact us at 1-866-889-5806 or at [email protected] to learn more about CEO Fraud.

Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.