CEO Fraud on Microsoft Teams
Attackers impersonate a senior leader within Microsoft Teams, using the platform's trusted internal feel to pressure staff into urgent, confidential payments.
Part of: CEO Fraud
Last reviewed: 1 June 2026
Microsoft Teams carries an aura of internal trust that CEO fraud exploits directly. A chat that appears to come from the chief executive feels authoritative and immediate, and the platform's role in everyday work makes an unexpected leadership message seem routine rather than suspicious.
Attackers reach staff either by compromising an account or by using external-guest access with a recognisable display name. Either way, the goal is the same: to leverage the authority of the executive persona and the speed of chat to obtain a payment before the request is properly checked.
How this scam works on Microsoft Teams
Having gained a foothold, the attacker reviews the organisation chart and recent conversations to identify finance staff and learn the executive's communication style. They then send a direct chat posing as the leader, sometimes continuing a believable thread.
The message requests an urgent and confidential payment, a vendor account change, or sensitive data, citing a deal or deadline that cannot wait. The chat format pressures the employee to respond at once, and the instruction to stay discreet keeps colleagues out of the loop.
If the employee complies, the funds move to a criminal-controlled account. Because the request came through a trusted internal tool bearing the leader's name, it is rarely challenged until the real executive disowns it.
Common red flags
- A Teams chat from a leader requesting an urgent or secret payment
- An external-guest account displaying a familiar executive name
- Pressure to bypass standard approval steps because of a deadline
- Instructions to handle the matter confidentially
- Phrasing or behaviour that differs from the executive's norm
- A vendor bank-detail change requested only through chat
How to protect yourself
- Verify executive payment requests by phone on a known number
- Clearly label and restrict external-guest accounts in Teams
- Require multi-factor authentication on all Teams accounts
- Keep payment approvals in an auditable workflow, not chat
- Empower staff to question senior requests without fear
- Confirm any bank-detail change through an independent contact
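The red flag "an external-guest account displaying a familiar executive name" and the advice to label and restrict guest accounts can be backed by a periodic check of the guest list. The following is an added example, not part of the original page: it flags guest accounts whose display name matches or closely resembles an executive's. The executive names, directory rows, field names and the 0.85 threshold are all constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data (not real accounts); field names are assumptions
# modelled on a directory export with a Guest/Member user type.
EXECUTIVES = ["Jane Okafor", "Marcus Lindqvist"]
DIRECTORY = [
    {"displayName": "Jane Okafor", "userType": "Member", "upn": "jane.okafor@contoso.example"},
    {"displayName": "Jane  Okafor (CEO)", "userType": "Guest", "upn": "j.okafor_mail.example#EXT#@contoso.example"},
    {"displayName": "Okafor, Jane", "userType": "Guest", "upn": "jo77_mail.example#EXT#@contoso.example"},
    {"displayName": "Marcus Lindqvlst", "userType": "Guest", "upn": "ml_mail.example#EXT#@contoso.example"},
    {"displayName": "Priya Raman (Acme Audit)", "userType": "Guest", "upn": "priya_acme.example#EXT#@contoso.example"},
]
# Words that decorate a name without changing who it claims to be.
TITLES = {"ceo", "cfo", "coo", "mr", "mrs", "ms", "dr", "external", "guest"}

def normalise(name):
    """Fold case and Unicode compatibility forms, drop punctuation and titles, sort tokens."""
    text = unicodedata.normalize("NFKC", name).casefold()
    text = "".join(ch if ch.isalnum() else " " for ch in text)
    tokens = [t for t in text.split() if t not in TITLES]
    return " ".join(sorted(tokens))  # "Okafor, Jane" and "Jane Okafor" compare equal

def flag_lookalike_guests(directory, executives, threshold=0.85):
    """Return (displayName, upn, matched executive, score) for guests resembling an executive."""
    targets = {normalise(e): e for e in executives}
    hits = []
    for acct in directory:
        if acct["userType"] != "Guest":
            continue  # name matching says nothing about a compromised member account
        cand = normalise(acct["displayName"])
        for norm, exec_name in targets.items():
            score = SequenceMatcher(None, cand, norm).ratio()
            if score >= threshold:  # catches near-misses such as "Lindqvlst"
                hits.append((acct["displayName"], acct["upn"], exec_name, round(score, 2)))
    return hits

if __name__ == "__main__":
    for hit in flag_lookalike_guests(DIRECTORY, EXECUTIVES):
        print(hit)
```

A hit is a prompt for review and for the phone verification described above, since a name match alone does not show intent.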
How to report it
- Report the impersonating or compromised account to IT security
- File a report with your national fraud or cybercrime centre
- Notify your bank immediately if a payment was made
Frequently asked questions
Can someone outside my company message me on Teams pretending to be the CEO?
Yes. External-guest access lets outsiders join chats, and display names can be set to match a real executive. The platform shows which account sent a message, not whether that account belongs to the genuine person. Verify payment requests by phone.