You know the saying If it’s too good to be true, then it probably is? The same could go with If it’s too pressing to be true, it probably is when it comes to emails that you might receive “from” your “CEO” or other “superiors”, so today’s topic is related to CEO fraud emails. Let us learn more about it!

CEO Fraud Emails: Definition 

As my colleague Miriam explains: 

CEO fraud is a particular type of BEC (business email compromise) and online criminal impersonation. It’s when you receive an email that seems to be from your top boss (or CEO), asking you to do something on their behalf and keep it secret. If you’re not paying attention and you fall for it, hackers will be able to either gain access into the company’s systems or steal money from accounts and so on.

, where criminal impersonation refers to “to those cases of impersonation committed as part of an attempt to gain benefits, or to cause harm to their victim.”


Although the type of BEC we’re discussing today is called CEO fraud, there are other groups of employees that are seen as valuable targets given their roles and the access they have to funds and information: 

a. Executive Team 

Any member of the executive team of a company has a high value for malicious actors. They usually possess some financial authority, so if their accounts get hacked, cybercriminals gain access to various types of confidential information. 

b. Finance Department

Obviously, we cannot fail to mention the finance department when it comes to CEO fraud emails targets. The accounts of the CFO and anyone else who is authorized to transfer funds in the department can be used to the benefit of cybercriminals. 

c. HR

HR is the department that has access to all the people in an organization and manages a significant database. The HR employees might receive spoofed emails and end up sending confidential information such as social security numbers or email addresses to criminal organizations. 

ceo fraud emails - hr


d. IT

The IT manager and personnel are also valuable to criminal minds since they have authority over aspects like access control, password management and email accounts. If hackers obtain their credentials, they could get access to any part of an organisation. 


What are the most common CEO fraud emails scenarios? Well…

a. Wire transfer requests 

Cybercriminals are interested in two things: data and money. To get the latter, they will make research and learn as much as possible about their targets and then craft and send emails pretending they are their targets’ boss. The emails usually contain urgent requests for money and information about the account where the money needs to be sent. 

b. Tax fraud 

When cybercriminals have tax fraud in mind, they find out who handles employee information in an organization and then send fake emails pretending to be a senior executive or another legal authority figure demanding specific documents. 

c. Attorney impersonation

Cybercriminals can also use a combination of email and telephone fraud to meet their ends. They might send their targets an email pretending to be a senior leader and telling them that an attorney will contact them soon to discuss a very confidential, time-sensitive matter. 

d. Foreign suppliers

Another tactic used by malicious actors is to take advantage of long-standing wire-transfer relationships with suppliers. They will ask for funds that the targets, if they fall victims, will send to different accounts. 

e. Data theft

As I’ve already mentioned, cybercriminals are interested in data and money. They might reach out to the auditing or HR departments and ask for wage or tax statement forms or a list of personally identifiable information. 

CEO Fraud Emails: Examples

Some of the companies that have confronted with CEO fraud emails over the year are Xoom Corporation, Ubiquity Networks and Mattel. 

Xoom Corporation, an international money transfer company based in California, 

reported an incident where spoofed emails were sent to the company’s finance department. This resulted in the transfer of $30.8 million in corporate cash to fraudulent overseas accounts. The CFO resigned, and the company’s audit committee authorized an independent investigation by outside advisors. The company has implemented additional internal procedures, and federal law enforcement authorities are actively pursuing a multi-agency criminal investigation. Because of this. the company stock dipped by a jaw-dropping 14%, or approximately $31 million.

Ubiquity Networks, a wireless technology company based in San Jose, CA, dealt with an attack 

that involved both employee and executive impersonation. This attack, initiated by the company subsidiary in Hong Kong, resulted in the transfer of $46.7 million to third-party bank accounts belonging to the attackers. Once alerted, the company recovered $8.1 million of the total amount transferred. Also, an additional $6.8 million is expected to be recovered in due time. It is still in the process of recovering the remaining sum of $31.8 million and is cooperating fully with both United States Federal and overseas law enforcement authorities.

In the case of Mattel, a toymaker based in the United States, the CEO fraud was 

the result of a very sophisticated phishing email directed to an unnamed finance executive who was able to approve large cash transfers. The email was apparently written by the new CEO Christopher Sinclair. The cyber attackers conducted thorough research beforehand on the senior Mattel company staff members. As a result, this enabled them to understand the corporate hierarchy and payment patterns. Because of the sophisticated nature of the cyber attackers, they were able to lure over $3 million from Mattel to the Bank of Wenzhou, China. Mattel contacted the FBI as well as the bank in China; as result, the funds were subsequently returned. 

Even Heimdal™ Security had its fair share of CEO fraud attempt, when some hackers pretended to be our CEO Morten Kjaersgaard. You can find all the details about the incident in my colleague Miriam’s article, “Online Criminal Impersonation 101: Our Own Case of CEO Fraud”

CEO Fraud Emails: How to Recognize Them

ceo fraud emails


CEO fraud emails usually contain certain signs that should raise suspicions. Here’s what to look for: 

  • The sender’s domain name – it will be very similar to the recipient’s domain name, with small differences that are easy to miss if you’re not paying attention. 
  • Presence – or lack – of spelling errors. Today, cybercriminals have become more and more efficient and sophisticated, so phishing emails may not contain any blatant errors anymore. When errors appear, it’s clear that extra caution is needed. 
  • Personal touches and playing on your trust – the fraudulent emails may contain a familiar tone, references to the target’s habits, but also phrases like “I’m counting on you”.
  • A sense of urgency – people usually make poor decisions when they’re panicked, so the sense of urgency may appear directly in the subject line of the email. 
  • Authoritative tone – there’s a reason cybercriminals impersonate CEOs and other authoritative figures. Fraudulent emails may contain powerful phrases like “Please pay immediately”, which are hard to resist if you believe they come from a superior.  
  • New details about the account – if you receive other account details than the ones you have used so far, pay attention and don’t send money unless you make sure that the money will go to the right place. 

CEO Fraud Emails: Prevention 

When it comes to preventing CEO fraud emails, there are a few things you can try:

  • Security awareness training. All your employees should know about the dangers of CEO fraud emails and other types of cyberattacks, and also how to recognize the potential signs, what to do and how to report incidents.  
  • Policies and procedures. Make sure your company requires multiple layers of authorization, proper documentation and/or verbal approval before money or sensitive information transfers. 
  • Email security software. Cybersecurity awareness is essential, but unfortunately not enough – you still need proper email security software to keep your accounts, data and money safe.

We can help you here. Our Heimdal™ Email Fraud Prevention module can detect CEO and financial mail fraud, spot Insider Business Email Compromise, discover imposter threats, advanced malware emails. It uses 125 detection vectors to keep your email safe. The most important are: phraseology changes, IBAN / account number scanning, attachment modification, link execution and scanning, man-in-the-email detection. 

Heimdal Official Logo
Email communications are the first entry point into an organization’s systems.

Heimdal™ Email Fraud Prevention

Is the next-level mail protection system which secures all your incoming and outgoing comunications.
  • Deep content scanning for attachments and links;
  • Phishing, spear phishing and man-in-the-email attacks;
  • Advanced spam filters to protect against sophisticated attacks;
  • Fraud prevention system against Business Email Compromise;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Heimdal™ Email Fraud Prevention can learn the senders’ communication patterns and detect the smallest modifications. Both you as a user and the IT administrator will be notified when a fraudulent email enters your inbox, not to mention that a team of experts would be there for you 24 hours / 7 days a week, to analyze possibly dangerous isolated emails in order to avoid false positives. 

CEO Fraud Emails: Wrapping Up

CEO fraud emails are common in today’s business world, but they can be prevented and their consequences mitigated if you and your employees respect a few basic rules – of awareness and protection

You must also remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions regarding the topic of CEO fraud emails  – we are all ears and can’t wait to hear your opinion!

How to Report Email Fraud: Learn What to Do If It Happens to You

Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin

Heimdal™ Security Launches Heimdal™ Email Security, the Solution against Business Email Compromise (BEC)

Online Criminal Impersonation 101: Our Own Case of CEO Fraud

Leave a Reply

Your email address will not be published. Required fields are marked *