'How to' guides

CEO fraud attacks and how to stop them


According to a survey conducted by the UK Government, one in four businesses experienced an impersonation attack in the last 12 months. Attacks are bad news for companies, which suffer financial loss, reputational damages, data loss and disruption as the result of successful CEO fraud.

So, what is a CEO fraud attack, how does it occur, and how can your organisation protect itself? 

What is a CEO fraud attack?

Sometimes referred to as business email compromise (BEC), a CEO fraud attack is where cybercriminals masquerade as senior business leaders via email to trick employees into sending them money or sensitive company data.

Hackers usually pose as senior members of a business because they have more authority to request confidential information or unauthorised wire transfers from employees.

A real-life example of CEO fraud

The UK's NCC Group was targeted by a CEO fraud attack in 2015. 

In a blog post, the company revealed that hackers had registered the 'nccgrrouptrust.com' domain, which is similar to the actual domain. The cybercriminals then emailed a senior member of the finance team, asking them to oversee a 'professional service expense'.

Luckily, NCC Group managed to block the attack before it became a serious financial issue.

How does CEO fraud happen?

CEO fraud attacks are often the result of a senior business leader falling for a whaling attack. Whaling is a form of spear phishing that focuses on higher-profile individuals.

Hackers email senior leaders, posing as clients or other contacts, in an attempt to trick them into sharing their credentials. Usually, a whaling email will contain a link to a spoofed website where the victim can enter their login details.

Once the victim enters their details, the hacker can use them to compromise the email account and send impostor emails to staff. This is known as account takeover (ATO). 

A variation of a CEO fraud attack happens when a cybercriminal creates a similar or 'spoofed' email address to the original - for instance, 'simon@c0mpany.com' instead of 'simon@company.com'. Knock-off email addresses are often enough to fool employees into thinking the emails originated from a legitimate person.

How to detect CEO fraud attempts

With the threat of CEO fraud attacks increasing, everyone in the organisation must be vigilant and learn how to recognise the typical signs of an attack:

1. The sender pressurises you

Hackers don't want to give their victims too much time to think, so they employ social engineering techniques to apply pressure and make the recipient believe the request is urgent. By impersonating a senior member of the business, hackers know their time-sensitive demands are more likely to be fulfilled by staff who want to do a good job.

2. The email was sent from a mobile device

Cybercriminals frequently create the impression that the CEO is off-site, possibly without access to a laptop, by sending emails from a mobile device. Greater credibility is given to strange emails, perhaps containing spelling or grammar mistakes, as employees assume that the CEO is in transit and unable to check over the contents of their urgent request.

3. Unusual demands

Fraudsters know that employees are less likely to challenge a task that has come directly from a senior leader within the business. Therefore, they can get away with making some unusual requests.

Your business likely has processes in place to deal with sensitive data sharing or money transfers. So, when an email appears from an executive asking for company data or a wire transfer, you should treat it with caution. Confirm the email's legitimacy with the sender using a different contact method.

How to prevent a CEO fraud attack

We’ve listed three top tips on CEO fraud prevention:

1. Check the sender email address

Hackers can set the 'From' name to your CEO's name, but it may not match up with the email address. Hover over the email address to reveal the sender. If it doesn't match up with the 'From' name, something phishy is happening.

2. Question unusual requests

You must question the source of the email if it's asking for an urgent payment transfer or sensitive data. To verify the authenticity of a suspicious email, speak to the sender directly using a different method of contact.

3. Cybersecurity training

Employee awareness is imperative in defending your business. Put clear policies in place and run regular cybersecurity workshops with your staff (particularly those in HR and Finance) so they're clued up on the latest scams.

4. Technology

Intelligent anti-phishing solutions such as Egress Defend have a unique advantage. Defend uses machine learning to analyse not only the content of emails, but the context too. That means it can alert users to sophisticated and context-driven phishing attacks such as CEO fraud in real-time. 

Learn more about CEO fraud attacks

Don’t give the cybercriminals what they want.

Stay one step ahead of their ever-evolving tactics and defend your business by visiting the Egress phishing hub today. 

You might also be interested in ...

Stop phishing emails across all devices: Mobile, desktop, web and tablet

Find out how Egress Defend protects your people from advanced phishing threats on any device. 

Why is zero-trust so important in cybersecurity?

Learn more about zero trust for email and why it's the best line of defense against sophisticated cyber attackers.

Spear phishing attacks: Top 7 signs to watch out for

Spear phishing is a major risk for US businesses. Discover the 7 signs you need to look out for.