CEO fraud, also called executive impersonation fraud or business email compromise via CEO spoofing, is one of the most financially devastating cybercrimes hitting organizations today. In 2025, CEO fraud helped push total BEC losses to $3,046,598,558 according to the FBI IC3 2025 Annual Report. This guide explains exactly how CEO fraud works and what actually stops it.
A request arrives from the CEO’s email address. It’s urgent and confidential. It references a real deal your organization is working on. The wire needs to go out before end of business. Everything about it looks right. That is not an accident — it was engineered to.
CEO fraud is one of the most financially damaging forms of Business Email Compromise, helping push BEC to $3,046,598,558 in total reported losses in 2025 — second only to investment fraud among all crime types tracked by the FBI IC3 2025 Annual Report.
What Is CEO Fraud?
CEO fraud is a Business Email Compromise (BEC) attack in which criminals impersonate a senior executive — typically the CEO, CFO, or general counsel — via email to convince an employee to execute a fraudulent wire transfer, change payment information, or disclose sensitive data. The attack exploits organizational hierarchy: employees are conditioned to comply quickly with executive requests.
CEO fraud does not always require a technical system compromise. Many devastating attacks involve nothing more than a spoofed or look-alike sender address and a well-researched message: no malware, no exploit, no intrusion. The weakness being exploited is human and procedural, not technical, which is why email filtering on its own does not stop it.
How Does CEO Fraud Work? The Full Attack Chain
CEO fraud works by combining public intelligence gathering (reconnaissance) with either email account compromise or domain impersonation to deliver a fraudulent payment request timed to real business events for maximum credibility.
Step 1: Reconnaissance
LinkedIn reveals organizational structures, reporting hierarchies, and who holds financial authority. Company websites, press releases, regulatory filings, and real estate records identify upcoming transactions. Attackers look for: who can authorize wire transfers, what transactions are planned, when the executive will be traveling, and what the email naming convention looks like.
Step 2: Impersonation or Account Compromise
- Email impersonation: The attacker registers a look-alike domain (a one-character variation of yours, or your name under a different top-level domain) or relies on display name manipulation, where the sender field shows the executive's real name while the underlying address is the attacker's. Many email clients show only display names by default, and a look-alike domain passes SPF, DKIM and DMARC because the attacker legitimately controls it.
- Email account compromise: More dangerous. The attacker gains actual access to the executive's real account, typically through credential phishing. Fraudulent messages then come from the authentic account, authenticate cleanly, and sit inside real email threads; there is no spoofed domain to catch. Attackers who hold the account commonly add mailbox rules that hide the victim's replies from the executive.
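Both impersonation techniques leave traces in the message headers that a mail gateway or a simple triage script can check. The script below is an added illustration for this article, not code from the original page or from any vendor; the organisation domain (example.com), the executive directory and the sample messages are all constructed. It flags a display name that matches an executive whose address does not, a sender domain within two edits of the organisation's domain once common homoglyph swaps (rn for m, 1 for l, 0 for o) are undone, and a Reply-To that steers the victim's answer to a different domain.

```python
"""Flag executive-impersonation signals in raw email headers.

Added illustration (not code from the original article).  ORG_DOMAIN,
EXECUTIVES and SAMPLES are constructed values for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed executive directory

# Substitutions commonly used to build look-alike domains (homoglyphs).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize_domain(domain: str) -> str:
    """Lower-case, drop hyphens and undo common homoglyph swaps, so that
    'exarnple.com' and 'examp1e.com' both normalise to 'example.com'."""
    d = domain.lower().replace("-", "")
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True when domain is not the organisation's own domain but is within
    two edits of it after normalisation."""
    if domain.lower() == org_domain.lower():
        return False
    return edit_distance(normalize_domain(domain), normalize_domain(org_domain)) <= 2


def analyze_headers(raw: str) -> list:
    """Return the impersonation signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Display name is an executive's, but the address is not that executive's.
    name = re.sub(r"\s+", " ", display).strip().lower()
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display-name impersonation of {display} from {addr}")

    # 2. Sender domain is a look-alike of the organisation's domain.
    if domain and is_lookalike(domain):
        findings.append(f"look-alike domain {domain}")

    # 3. Reply-To sends the victim's answer to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"reply-to redirect to {reply_to}")
    return findings


# Constructed sample messages (headers only; not real mail).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nbody\n",
    "display_name": "From: Jane Doe <ceo.office.jd@outlook.com>\nSubject: Urgent wire\n\nbody\n",
    "lookalike": "From: Jane Doe <jane.doe@exarnple.com>\nSubject: Confidential acquisition\n\nbody\n",
    "reply_to": ("From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe.ceo@protonmail.com\n"
                 "Subject: Need this today\n\nbody\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13s} -> {analyze_headers(raw) or ['no signals']}")
```

The homoglyph normalisation is deliberately a heuristic and will occasionally over-match (any domain containing "rn" collapses to "m"), so treat a hit as a reason to hold the message for review rather than as proof of fraud. In production the executive list comes from the directory and the domain check runs against every domain the organisation legitimately sends from.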
Step 3: The Fraudulent Request
The attack lands at a strategic moment — aligned with a known payment window or when the executive is unavailable. The message carries urgency and confidentiality: “Don’t loop in anyone else on this.”
Step 4: Fund Extraction
Once the wire executes, criminals move within hours. Funds hit a mule account, are transferred out, and may be converted to cryptocurrency for additional obfuscation.
What Are Examples of CEO Fraud?
Common examples: a finance employee receiving a “confidential acquisition wire” request from a spoofed CEO email; an accounts payable clerk receiving updated vendor banking information appearing to come from the CFO; a payroll administrator receiving a direct deposit change from an impersonated executive assistant.
In each case, the attack is designed to appear as a routine but sensitive executive-level request that should be handled quickly and quietly. The “confidential” framing discourages the verification that would expose the fraud.
Why Does CEO Fraud Keep Working Despite Widespread Awareness?
CEO fraud persists because it exploits cognitive patterns — deference to authority, response to urgency, fear of appearing uncooperative — that awareness alone does not eliminate.
- AI-generated content has raised attack quality — grammatical errors that once flagged fraudulent emails are gone
- Remote work removed the in-person verification that once disrupted wire fraud attempts
- Verification steps are bypassed under executive pressure — the attack engineers exactly that pressure
- One success funds continued operations — a single well-executed attack can yield six to seven figures
How Do You Stop CEO Fraud?
The most effective controls: mandatory out-of-band verification for all wire requests, dual authorization above defined thresholds, DMARC enforcement, and organizational culture that treats urgency as a warning sign rather than a compliance trigger.
- Out-of-band verification, non-negotiable: Every wire request or payment-detail change received by email is confirmed by voice using a number from your own records (the directory or the signed contract), never a number supplied in the email or its signature block. This applies to the CEO, the CFO, and every other executive, and pushback against the callback is itself a warning sign.
- Dual authorization: Two independently acting employees required to approve wire transfers above a defined threshold.
- DMARC enforcement (p=reject): Stops mail that spoofs your exact domain from being delivered, provided SPF and DKIM are set up so that legitimate mail aligns. It does nothing against a look-alike domain (which the attacker owns and authenticates) or a compromised real account, so it is one layer of the defence rather than a complete fix.
- Process adherence culture: Urgency is a warning sign, not a justification for skipping steps. Leadership must model this compliance from the top down.
- Full email address display: Configure email clients to show the full sender address alongside the display name, and train staff to read the address rather than the name. Pair this with an external-sender banner so that a message from outside the organisation claiming to be the CEO is visibly tagged.
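Reading the DMARC record for your own domain tells you how much of the exact-domain spoofing described above receivers will actually block. The checker below is an added example written for this article, not the page's or any vendor's code; the three records are constructed (fetch the live one with dig +short TXT _dmarc.<your-domain>). It applies the defaults from RFC 7489: subdomains inherit p unless sp is set, pct defaults to 100, and a record without a valid p tag is treated here as monitoring only.

```python
"""Grade a DMARC record for how much exact-domain spoofing it actually stops.

Added illustration (not code from the original article).  The records below
are constructed; fetch a live one with:  dig +short TXT _dmarc.<your-domain>
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict.
    Returns {} when the text is not a DMARC version 1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def grade_dmarc(record: str) -> tuple:
    """Return (level, notes).  level is one of:
       'none'     no usable record, receivers apply no policy
       'monitor'  p=none: reports only, spoofed mail still delivered
       'partial'  quarantine, pct<100 or a weaker subdomain policy
       'enforced' p=reject, sp=reject, pct=100
    Defaults follow RFC 7489: sp inherits p, pct defaults to 100, and a
    record without a valid p tag is treated here as p=none."""
    tags = parse_dmarc(record)
    if not tags:
        return "none", ["no valid DMARC record: receivers apply no policy"]

    notes = []
    p = tags.get("p", "none").lower()
    if p not in ("none", "quarantine", "reject"):
        notes.append(f"invalid p={p}; receivers fall back to p=none")
        p = "none"
    sp = tags.get("sp", p).lower()          # subdomains inherit p unless sp is set
    pct = int(tags.get("pct", "100"))       # share of failing mail the policy covers

    if p == "none":
        notes.append("p=none is monitoring only: spoofed mail is still delivered")
    elif p == "quarantine":
        notes.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if sp != "reject":
        notes.append(f"subdomain policy sp={sp} leaves anything@sub.domain spoofable")
    if pct < 100:
        notes.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        notes.append("no rua= address: you get no reports of who sends as your domain")

    if p == "reject" and sp == "reject" and pct == 100:
        level = "enforced"
    elif p == "none":
        level = "monitor"
    else:
        level = "partial"
    return level, notes


# Constructed records: the weak setting beside the corrected one, plus a
# half-finished rollout that many organisations stop at.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ROLLOUT = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
ENFORCED = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for name, rec in (("WEAK", WEAK), ("ROLLOUT", ROLLOUT), ("ENFORCED", ENFORCED)):
        level, notes = grade_dmarc(rec)
        print(f"{name:9s} {level:9s} {'; '.join(notes) or 'no gaps found'}")
```

Only the ENFORCED record grades as enforced; the ROLLOUT record is the state many organisations stall in, where a quarter of spoofed mail is quarantined and the rest is delivered. Moving to p=reject is safe only once the rua reports show that every legitimate sending source (marketing platforms, ticketing systems, payroll providers) aligns, otherwise real mail is rejected along with the spoofed mail.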
What to Do If You’ve Fallen for CEO Fraud
- Call your bank’s wire fraud department right now and request a wire recall
- File a complaint at ic3.gov immediately and ask specifically about the IC3 Recovery Asset Team; its freeze-and-recall process works best when started within the first 72 hours of the transfer
- Do not modify or delete any email evidence — preserve everything exactly as-is
- Contact Rexxfield or another BEC investigation firm for emergency triage
- Notify legal counsel and insurance carrier immediately with timestamps
What Should Boards Know About CEO Fraud?
Boards have fiduciary responsibility for financial risk management. BEC at $3+ billion annually constitutes a material financial risk. Boards should ensure DMARC is implemented, dual authorization controls exist, regular BEC simulations are conducted, and incident response plans are documented.
Executive digital hygiene also matters: oversharing on LinkedIn — travel schedules, vendor relationships, deal activity — provides attackers with intelligence that makes CEO fraud more effective. A critical board question: does anyone hold unilateral wire transfer authority above a significant threshold? That single point of failure is one of the most exploited vulnerabilities in BEC.
Frequently Asked Questions
Is CEO fraud the same as BEC?
CEO fraud is a specific type of Business Email Compromise. BEC is the broader category including vendor impersonation, payroll fraud, attorney impersonation, and other variants. CEO fraud specifically uses senior executive identity to authorize fraudulent transactions.
What is whaling vs. CEO fraud?
Whaling targets senior executives as the victim: the executive is the one who receives the phishing message. CEO fraud weaponizes the executive's identity to target other employees. In short, whaling targets executives; CEO fraud impersonates them.
Can CEO fraud happen even with good email security?
Yes. Email security tools that filter known malicious content do not reliably stop well-researched CEO fraud using legitimate look-alike domains or compromised real accounts. Defense in depth — combining technical controls with process controls and training — is required.
How do attackers find their targets?
Entirely from public sources: LinkedIn, company websites, press releases, court records, real estate filings, social media. Attackers build detailed organizational maps from publicly available information — this is why executive digital hygiene matters.
If your organization needs help responding to CEO fraud or strengthening controls, contact Rexxfield at rexxfield.com/bec-urgent-next-steps or learn more about email impersonation investigations.
Source: FBI Internet Crime Complaint Center (IC3) 2025 Annual Report

