CEO Fraud on Slack
Impersonators use Slack direct messages to pose as a company leader, exploiting the workspace's trusted atmosphere to demand urgent, confidential transfers.
Part of: CEO Fraud
Last reviewed: 1 June 2026
Slack's closed-workspace feel makes a direct message from the chief executive seem inherently genuine, which CEO fraud turns to its advantage. The informal tone and rapid pace of Slack chat reduce the careful scrutiny that a formal payment request would normally receive.
An attacker who compromises an account or joins as an external connection can present themselves as the leader and reach finance staff directly. The combination of authority, urgency, and a private channel isolates the target and discourages a second opinion.
How this scam works on Slack
After entering the workspace, the attacker studies channels and profiles to identify finance staff and learn the executive's style. They open a direct message posing as the leader, building brief rapport before introducing the request.
The ask follows the CEO fraud template: an urgent confidential transfer, a vendor account change, or sensitive information needed before a deadline. The direct-message setting keeps colleagues out of view, and the leader persona pressures the employee to comply quickly.
If the employee acts, the funds reach the criminal's account. The breach often surfaces only at reconciliation or when the genuine executive denies sending the message.
Common red flags
- A Slack direct message from a leader asking for an urgent payment
- An unfamiliar external account using a recognisable executive name
- Demands for confidentiality and speed that bypass normal approvals
- Pressure to act before consulting a colleague
- A request to change supplier banking details via chat
- A tone that does not match the executive's usual communication
How to protect yourself
- Verify any payment request by phone, never through Slack alone
- Identify and limit external connections in the workspace
- Require multi-factor authentication for all members
- Keep approvals in an auditable system rather than informal chat
- Encourage staff to openly question urgent financial messages
- Review admin and integration access for unexpected accounts
How to report it
- Report the suspicious account to your workspace administrator
- File a report with your national cybercrime or fraud authority
- Alert your bank immediately if a payment was sent
Frequently asked questions
Is a Slack message from my CEO automatically trustworthy?
No. A workspace can be entered through a compromised account or an external connection, and display names can imitate any leader. Treat urgent or confidential payment requests on Slack exactly as you would a suspicious email, and verify by phone.