Fake CEO Urgent Wire Transfer Email Script (BEC)
A business email compromise (BEC) attack impersonates a senior executive asking an employee to make an urgent, confidential wire transfer — typically while the real executive is travelling or unavailable.
Last reviewed: 1 June 2026
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Hi [name], I'm in a meeting and can't talk. I need you to process a confidential wire of [amount] to the account below by 3 pm today. Do not discuss with anyone yet.
This is time sensitive — it's for a pending acquisition and legal has approved it. I'll explain fully when I'm back. Account: [account details].
Please do not go through the usual approval process this time — the deal is sensitive. Just get it done and I'll sign off retroactively.
If you can't reach me, proceed anyway. The [company] representative is waiting. Delay will cost us the deal.
What the scammer wants
To impersonate a trusted authority figure and bypass normal financial controls by using urgency, secrecy, and status — directing a payment to an account the scammer controls before anyone questions the instruction.
Red flags in the message
- Request from a senior figure to act before normal approvals
- Instruction to keep the transfer confidential
- Urgency tied to a deal that cannot wait
- Email address close to but not exactly the real executive's domain
- Sender unavailable to confirm by phone on a known number
- Request to skip the usual two-person authorisation process
- Bank details never used before or provided only in this email
- No supporting documentation beyond the email itself
A safe response
Always verify any unusual payment instruction by calling the sender on a known number — not one in the email. Any request to bypass normal controls or maintain secrecy is a strong signal to pause and verify regardless of apparent seniority.
What not to send
- Wire transfers to unverified accounts
- Payments processed outside normal approval channels
- Confidential company or bank information to the email sender
What to do if you already replied
- Contact your bank immediately to attempt to recall the wire transfer
- Alert your IT and finance teams — the email account may have been compromised
- Preserve all email headers and correspondence for investigation
- Report the incident to your national fraud authority and consider legal advice
- Review your organisation's dual-authorisation controls for wire payments
Evidence to preserve
- Screenshot the full message or call details
- Note the sender number, email, or profile
- Save any links (without clicking) and payment details
- Record dates and times