CEO fraud and Business Email Compromise, explained
Some of the costliest scams don't involve viruses or hacking at all. They rely on a simple trick: convincing an employee that an urgent request is coming from a trusted boss or supplier. This is known as CEO fraud, or more broadly Business Email Compromise (BEC).
What is CEO fraud and BEC?
Business Email Compromise is a scam where a criminal impersonates someone your company trusts — a senior manager, a supplier, a lawyer, or a colleague — to trick an employee into transferring money or sharing sensitive information.
CEO fraud is a well-known version of this. The scammer pretends to be the chief executive or another senior leader and asks a member of staff — often in finance or HR — to make an urgent payment or send confidential data.
Unlike mass phishing, these attacks are targeted and personal. There's usually no dangerous link or attachment, which is exactly why they slip past spam filters and catch people off guard.
How the scam usually unfolds
The criminals often do their homework first, reading public information from your website, social media, and press releases to sound convincing. A typical attack looks like this:
- An email arrives that appears to be from the CEO, using their name and writing style.
- It carries a sense of urgency and secrecy: "I'm in a meeting, I need this handled discreetly and quickly."
- The request is to transfer funds, change a supplier's bank details, or send documents such as payroll data.
- Follow-up messages apply gentle pressure so the employee doesn't stop to check.
The pressure to please a senior leader, combined with a tight deadline, is what makes this scam so effective.
Common variations
- Fake invoice — a supplier's email is spoofed to request payment to a new bank account.
- Payroll diversion — a message pretends to be an employee asking to update their salary bank details.
- Gift card scam — a "boss" asks staff to buy gift cards and send the codes.
Warning signs
You can catch most of these attacks by pausing on a few details:
- A change in tone, unusual phrasing, or a slightly different email address.
- A request that bypasses normal procedures — "just this once, skip the usual approval."
- Pressure to act fast and quietly, discouraging you from confirming with others.
- Any change to bank account or payment details, especially at the last minute.
- A reply-to address that doesn't quite match the sender.
Simple habits that stop it
Technology helps, but good habits are your strongest defence:
- Verify out of band. For any payment or change of bank details, confirm by phone or in person using a known number — never by replying to the email.
- Follow a dual-approval rule. Require a second person to sign off on payments above a set amount.
- Slow down on urgency. Treat "urgent and confidential" as a reason to check, not to rush.
- Confirm bank detail changes with the supplier through an established contact.
- Make it safe to ask. Employees should feel comfortable questioning a request, even one that appears to come from the top.
If something feels wrong
Trust your instincts. It's completely acceptable to pause a payment and confirm before acting. If you suspect a scam, contact your finance and IT teams straight away — and if money has already been sent, alert your bank immediately, as fast action can sometimes recover the funds.
How GottaPhish helps
CEO fraud and BEC rely on urgency and impersonation to push employees into authorising payments before they verify — and GottaPhish, together with our expert support team, helps you address exactly that. Our realistic simulations recreate the urgency and impersonation tactics criminals actually use, so employees learn to pause and verify before acting, backed by practical awareness training and dashboards that show where your organisation is most exposed. Our support and experts team works hands-on with you to design believable scenarios, set up campaigns, and interpret the results, turning a costly blind spot into a confident, well-prepared team.
