An email lands from the CEO, marked urgent, asking finance to wire money to a new supplier or pay an invoice immediately, and to keep it quiet because of a pending deal. This is business email compromise, often called CEO fraud: criminals impersonate a senior executive or trusted partner to pressure an employee into moving money or sensitive data before anyone stops to check. It targets businesses of every size, and it works by exploiting trust, hierarchy, and time pressure rather than technical hacking skills alone.
How the Scam Usually Works
Criminals research a company through its website, press releases, LinkedIn, or a data breach, learning who the CEO, CFO, and finance staff are. They then either spoof an email address so it looks almost identical to the real one, compromise an actual email account, or register a lookalike domain that differs by a single letter. The message typically arrives when the real executive is known to be traveling or unavailable, making a quick phone check harder.
The request usually involves a wire transfer, a change to bank details for an existing supplier, gift card purchases, or an urgent invoice payment. The language stresses confidentiality, time sensitivity, and authority: "handle this personally," "don't loop in the team yet," "I'm in meetings all day but need this done now."
Common Red Flags
- Urgency and secrecy: pressure to act immediately and to avoid normal approval steps or discussion with colleagues.
- Slightly off email address: a domain with a swapped letter, an extra word, or a free webmail address used instead of the company domain.
- Unusual payment details: a new bank account, a different country, or a request to use gift cards or cryptocurrency.
- Tone mismatch: wording, greeting, or signature that doesn't match how this person usually writes.
- No phone contact: the request only ever arrives by email or chat, with the sender "unreachable" if you try to call.
- Late-day or off-hours timing: messages sent right before a bank closes or a holiday weekend, reducing the time available to verify.
Verify Before You Pay
The single most effective defense is a simple rule: never approve a payment or change bank details based on an email alone, no matter how senior the sender appears to be. Pick up the phone and call the requester using a number you already have on file, not one provided in the email or message. If it's genuinely urgent, a two-minute call will not cause a problem; if it's fraud, that call ends the attempt.
Other useful verification steps:
- Check the sender's full email address, not just the display name, and compare it letter by letter with previous legitimate emails.
- Confirm any change to supplier or executive bank details through a second channel, such as a known phone number or an in-person conversation, before updating records.
- Ask a colleague to independently review unusual or high-value payment requests, especially ones that ask to bypass normal approval.
- Be suspicious of any request to keep a transaction confidential from other staff, since real business urgency rarely requires secrecy from your own finance team.
Strengthen Your Internal Process
Technical and procedural safeguards reduce how often these attempts succeed:
- Require dual approval for wire transfers above a set amount, with no exceptions for "urgent" requests.
- Set up a mandatory callback procedure any time bank account details change for a supplier or employee.
- Use email authentication tools your IT provider or email service recommends to reduce spoofed messages reaching inboxes.
- Train staff, especially finance and administrative teams, to recognize urgency and secrecy as warning signs rather than reasons to move faster.
- Limit how much detailed organizational information, such as reporting lines and travel schedules, is publicly visible online.
If You Suspect an Attempt or Have Already Paid
If you catch a suspicious request before paying, do not reply to the email; instead, verify independently as described above and alert your IT or security team so they can check for a compromised account. Save the message headers and any attachments in case they're needed later.
If a payment has already been sent, contact your bank immediately and ask them to attempt a recall or hold on the transfer; speed matters, as funds are harder to retrieve once they've moved through several accounts. Report the incident to your local police or the relevant financial-fraud reporting channel in your country, and inform your bank's fraud department directly rather than relying only on general customer service.
Before Working With New Partners
CEO fraud sometimes overlaps with fake supplier scams, where fraudsters impersonate a new business partner rather than your own executive. Before wiring money to any new supplier or partner, verify their registration through your country's official company or business registry, look for independent reviews or a company lookup tool, and confirm their contact details through more than one source. A short delay to confirm legitimacy costs little; an unrecoverable wire transfer can cost a great deal.
Business email compromise relies on speed and pressure to bypass judgment. A calm, consistent verification habit, especially a simple phone call to a known number before any payment or bank-detail change, remains the most reliable way to stop it.