CEO Fraud
Impersonation of senior executives to pressure staff into urgent, confidential payments.
Last reviewed: 1 June 2026
What this scam is
CEO fraud — also known as whaling, executive impersonation fraud, or business email compromise in its executive variant — is a targeted attack in which a fraudster impersonates a senior leader within an organisation (commonly a CEO, CFO, managing director, or equivalent) to instruct a staff member, typically in finance or accounts, to make an urgent and confidential payment to an external account.
The fraud is built on a specific psychological leverage point: the hierarchical authority of a senior executive combined with a veneer of secrecy that makes checking the instruction feel insubordinate. Finance staff who would otherwise follow careful dual-authorisation procedures often set them aside when they believe the request is coming directly and urgently from the top.
CEO fraud has evolved considerably. Where early versions relied on simple email spoofing, modern attacks use compromised internal email accounts, AI-generated voice clones, and even deepfake video calls to make the impersonation convincing. Fraudsters research their targets extensively — reading annual reports, LinkedIn profiles, company websites, and social media to understand organisational structure, personnel names, and ongoing business activity — before crafting a request that references real deals, real colleagues, or real upcoming transactions.
How it works
The attack begins with intelligence gathering. Fraudsters study the target organisation's public-facing information: who the CEO is, who runs finance, what major deals or acquisitions are in progress, when key executives travel. Social media and LinkedIn are particularly valuable, as they reveal reporting lines, staff names, and often whether the CEO is at a conference or travelling — precisely the moment when a 'while I'm unavailable' payment request becomes plausible.
The fraudster then contacts a finance or executive assistant by email from a spoofed or look-alike domain, or increasingly from a compromised email account. The message is crafted to feel authoritative and personal: it references a real or plausible confidential deal, explains why normal channels cannot be used, and instructs the recipient to transfer funds quickly and without telling colleagues.
In more sophisticated versions, the initial email is followed by a phone call from a convincing voice — either a human accomplice or an AI voice clone trained on publicly available recordings of the executive. Some attacks have used deepfake video conferencing to simulate a call with the CEO and a fake lawyer or financial advisor. Once the payment is made, the funds move quickly through multiple accounts, often internationally, before the fraud is discovered.
Why this scam works
CEO fraud exploits the natural reluctance of employees to question or delay a request from their most senior leader. In many organisational cultures, asking the CEO to confirm their identity or wait for a second approver feels inappropriate — even offensive. Fraudsters design the scenario to maximise this discomfort: the deal is urgent, confidential, and personally sanctioned by the boss.
The secrecy element is particularly effective. Instructions to keep the payment quiet — framed as protecting a sensitive acquisition or regulatory matter — remove the natural safeguard of a colleague sense-checking the request. By the time anyone else in the organisation learns about it, the payment has gone.
The fraud also benefits from the trust placed in internal communication channels. An email from the CEO's actual address, or a call that sounds exactly like their voice, triggers a fundamentally different response than a cold approach from an unknown contact. Social engineering here is not about technical deception but about exploiting well-established professional norms.
A typical pattern
A finance manager receives an email from an address matching the CEO's name, explaining they are in confidential negotiations for an acquisition that must remain undisclosed until signing. They ask for an urgent transfer of a significant sum to a third-party account 'to secure the deal'. The email requests the manager act quickly and not raise it with other colleagues yet. The manager, not wanting to delay or embarrass the CEO, processes the transfer. The CEO, when later contacted, has no knowledge of any such request.
Common red flags
- Urgent, confidential payment request attributed to a senior executive
- Explicit instruction to keep the request secret from colleagues
- Pressure to bypass dual-authorisation or normal approval procedures
- Sender address that is close to — but not exactly — the CEO's real address
- Request made while the executive is travelling, at a conference, or otherwise unavailable
- Reference to a sensitive acquisition, regulatory matter, or undisclosed deal to justify secrecy
- Follow-up phone call that reinforces urgency and discourages verification
- Payment destination is a new, unrecognised account or an overseas account
- Request arrives via a personal or messaging-app channel rather than official email
- Amount is unusually large or does not correspond to any known transaction
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
I'm finalising a confidential acquisition and need you to transfer [amount] to [account number] today. Keep this between us for now — I'll explain everything after signing.
Hi [name], I'm in back-to-back meetings and can't come to the office. I need [amount] sent urgently to a new account for a deal I'm closing. I'll send the details shortly — please clear your schedule to handle this.
This is [executive name]. I'm asking you to handle a sensitive payment of [amount] to [account]. Please do not involve [colleague] — this needs to stay quiet until Monday.
We have a compliance issue that must be resolved by end of business. You are authorised to transfer [amount] to the legal holding account below. Do not discuss this externally.
Please process payment of [amount] to [account]. I know it's above your usual limit but I've approved it — just use the override code. Don't wait for a second sign-off.
I'm on a call with our lawyers and I need you to wire [amount] within the hour. There's no time to go through the normal process — I'll ratify it when I'm back.
Common variations
- Email spoofing using a look-alike or typosquatted domain
- Compromised real executive email account used to issue instructions
- AI voice clone of the CEO making a phone-based payment request
- Deepfake video call simulating a board meeting or private call
- Executive assistant targeted with instructions to arrange payments on behalf of the CEO
- CFO impersonation targeting the CEO's direct reports
- Tax authority variant: fraudster poses as the CFO directing staff to prepare an urgent tax payment
How to verify before you act
The most reliable defence is a standing policy that no payment — regardless of who requests it — bypasses dual authorisation and out-of-band verification.
Practical verification steps: - Always verify unusual payment requests by calling the requesting executive on their known, pre-existing mobile or office number — not a number provided in the message itself. - Use a code word or pre-arranged challenge procedure for out-of-hours or urgent requests, agreed with senior leadership in advance. - Enforce dual authorisation: two named, independently acting staff members must approve any transfer, and urgency is not a valid reason to waive this. - If the request involves an acquisition or confidential matter, verify with your CFO or legal counsel through separate channels before acting. - For voice or video requests, use a brief challenge question only the real executive would know, and be aware that AI voice cloning technology means phone-based identity verification alone is no longer sufficient. - Build a psychologically safe culture: staff should be explicitly told that pausing to verify an executive payment request is the right action, never an act of insubordination.
Payment methods used
- Bank transfer
- Crypto
Who is usually targeted
- Finance staff
- Executive assistants
- New employees
What to do immediately
- Do not process the payment — pause and verify regardless of the urgency conveyed
- Call the executive directly using a pre-existing, independently sourced phone number
- Escalate immediately to your line manager and CFO if the request bypasses normal controls
- If a payment has already been sent, call your bank's fraud line immediately to request a recall
- Preserve the original email with headers, any call recordings, and payment records
- Report the fraud to your national fraud authority and your bank
- Notify your IT security team in case an internal email account has been compromised
How to prevent it
- Mandate out-of-band verbal verification (via a pre-existing phone number) for any payment requested outside normal workflows
- Enforce dual authorisation for all payments above a threshold — explicitly state that no executive can override this control
- Create a culture where questioning an unusual payment request is explicitly encouraged and rewarded, not stigmatised
- Brief senior leaders so they understand their identity may be used in fraud — and ask them to reinforce verification norms publicly
- Train finance and executive-assistant staff to recognise urgency + secrecy + payment as the classic CEO fraud pattern
- Enable email authentication (SPF, DKIM, DMARC) on your own domain to prevent easy spoofing of internal addresses
- Establish a pre-agreed verbal challenge-response protocol for out-of-hours payment requests
- Restrict financial approval to named, authorised individuals whose credentials cannot be overridden by email instruction alone
Evidence to preserve
- Original email and full headers (before forwarding or deleting)
- Any voicemails, call logs, or recordings related to the request
- Bank transfer records and the account details provided
- Screenshots of any messaging-app or SMS conversations
- Internal payment approval records and audit trail
- The requesting account's sent items if a real account was compromised
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do we defend against CEO fraud?
Mandate out-of-band verification for all unusual payment requests, enforce dual authorisation that cannot be overridden by seniority, and build a culture where staff are explicitly encouraged to pause and verify — even when the boss appears to be asking urgently.
Can a phone call from a real-sounding voice be faked?
Yes. AI voice cloning technology can produce highly convincing imitations of a specific person's voice using only a few minutes of publicly available audio. A convincing phone call is no longer proof that you are speaking with the real executive. Use a pre-agreed challenge question or call back on a known number.
What if the CEO becomes annoyed that we're questioning the request?
A culture where finance staff are supported in verifying executive payment requests — and where the CEO explicitly endorses that policy — is the most effective long-term defence. If the real CEO is frustrated by a brief verification step, that is a training conversation. If the 'CEO' becomes hostile, that is itself a fraud signal.
Is CEO fraud the same as business email compromise?
They overlap. Business email compromise (BEC) is the broader category covering any fraudulent use of business email to divert payments. CEO fraud is a specific variant that relies on executive impersonation and authority exploitation, but it often uses BEC techniques such as email spoofing or account compromise.
How do we know if our CEO's email account has been compromised?
Signs include unexpected login alerts, rules set to forward or delete messages, sent items the executive doesn't recognise, and reports from contacts of unusual emails. Report suspected compromise to your IT security team immediately and change credentials.
Do staff who authorise payments in good faith face personal liability?
Legal exposure varies by jurisdiction and circumstance. In many cases, an employee who follows a fraudulent instruction reasonably and in good faith will not face personal liability, but the organisation may bear the loss. This makes prevention through policy — not blame — the priority.
How much do CEO fraud losses typically run to?
Individual losses vary widely, from thousands to millions. High-value targets include companies known to be engaged in mergers, acquisitions, or large capital transactions, as these provide plausible cover for large transfers.
What is whaling, and is it different from CEO fraud?
Whaling refers to phishing attacks specifically targeting high-value individuals (executives, board members). CEO fraud is usually the inverse: using the CEO's identity to target finance staff below them. Both terms are sometimes used interchangeably in broader usage.