
CEO scam
CEO scam, or CEO fraud, means emails that appear to come from the CEO, sometimes even from what looks like the CEO's real email address, sent to the CFO, the accountant or another employee whom the fraudster has identified (from the company website or LinkedIn) as being involved in making payments. The aim is to manipulate that employee into transferring money to an account controlled by the fraudster.
CEO scams target accountants and chief financial officers because they control the flow of money and make the payments in the organisation. The CEO is usually the most senior manager, whose instructions are expected to be carried out, and often nobody dares to ask further questions. These employees also tend to have very busy schedules and work under pressure, so the sender and payment details in the email are not verified. CEO scam emails also stress the urgency of getting something done today or right now.
A CEO scam generally works as follows:
1. The first email is short and specific: ‘Are you at your desk?’, ‘Is it possible to make a quick payment?’ or ‘Can you make an international bank transfer today?’.
2. If you reply to the email, you receive detailed instructions on how to make the payment.
3. The accountant/CFO makes the payment requested by the fraudster.
CEO scams follow a simple and consistent pattern, so an organisation can defend itself against them as follows:
- Establish rules and procedures in your organisation for processing payments (requirements for the underlying document, approvals, invoice verification):
  - Please note! To verify the legitimacy of a payment or invoice, call the person who sent the request (for example, the CEO) on a phone number you already know or one published on the organisation’s website, never on a number given in the email itself.
- Train the staff on internal procedures and general cyber hygiene:
  - Payment rules and procedures: what they are and why.
  - How to recognise phishing:
    - the email stresses urgency or uses some other method of evoking a psychological reaction;
    - warnings added by the email server that the message was sent from outside the organisation, etc.;
    - the name and email address of the sender do not match;
    - a different reply-to address;
    - unusual delivery times, often outside working hours;
    - a request for an unusually large payment without a clear explanation or a payment order;
    - (often unnoticed) small grammatical mistakes.
  - Teach users the steps to take if they receive a scam email.
- Make it as difficult as possible for criminals to spoof your organisation’s email addresses (keywords: SPF, DKIM and DMARC).
- Protect email addresses displayed on the website from spam bots.