You know the saying If it’s too good to be true, then it probably is? The same could go with If it’s too pressing to be true, it probably is when it comes to emails that you might receive “from” your “CEO” or other “superiors”, so today’s topic is related to CEO fraud emails. But first things first!

What Is CEO Fraud?

CEO fraud is an advanced email scam used by malicious actors to dupe employees into transferring money to a bank account owned by the attacker or giving away sensitive business information. In this type of cyberattack, hackers posing as a company’s CEO or other executives send sophisticated emails asking employees, usually in HR or finance, to help them out by making a bank transfer.

This sophisticated spam it’s a type of Business Email Compromise (BEC) that uses spoofed or hacked email accounts to deceive users. In order to avoid suspicion and examination, the bogus emails frequently describe an extremely urgent situation.

Who Is Exposed to CEO Fraud Emails?

Although the type of BEC we’re discussing today is called CEO fraud, there are other groups of employees that are seen as valuable targets given their roles and the access they have to funds and information: 

Executive Team 

Any member of the executive team of a company has a high value for malicious actors. They usually possess some financial authority, so if their accounts get hacked, cybercriminals gain access to various types of confidential information. 

Finance Department

Obviously, we cannot fail to mention the finance department when it comes to CEO fraud emails targets. The accounts of the CFO and anyone else who is authorized to transfer funds in the department can be used to the benefit of cybercriminals. 


HR is the department that has access to all the people in an organization and manages a significant database. The HR employees might receive spoofed emails and end up sending confidential information such as social security numbers or email addresses to criminal organizations. 


The IT manager and personnel are also valuable to criminal minds since they have authority over aspects like access control, password management and email accounts. If hackers obtain their credentials, they could get access to any part of an organization. 

Most Common CEO Fraud Emails Scenarios

Wire Transfer Requests 

Cybercriminals are interested in two things: data and money. To get the latter, they will make research and learn as much as possible about their targets and then craft and send emails pretending they are their targets’ boss. The emails usually contain urgent requests for money and information about the account where the money needs to be sent. 

Tax Fraud 

When cybercriminals have tax fraud in mind, they find out who handles employee information in an organization and then send fake emails pretending to be a senior executive or another legal authority figure demanding specific documents. 

Attorney Impersonation

Cybercriminals can also use a combination of email and telephone fraud to meet their ends. They might send their targets an email pretending to be a senior leader and telling them that an attorney will contact them soon to discuss a very confidential, time-sensitive matter. 

Foreign Suppliers

Another tactic used by malicious actors is to take advantage of long-standing wire-transfer relationships with suppliers. They will ask for funds that the targets if they fall victims, will send to different accounts. 

Data Theft

As I’ve already mentioned, cybercriminals are interested in data and money. They might reach out to the auditing or HR departments and ask for wage or tax statement forms or a list of personally identifiable information. 

 How to Recognize CEO Fraud Emails

CEO fraud emails usually contain certain signs that should raise suspicions. Here’s what to look for: 

  • The sender’s domain name – it will be very similar to the recipient’s domain name, with small differences that are easy to miss if you’re not paying attention. 
  • Presence – or lack – of spelling errors. Today, cybercriminals have become more and more efficient and sophisticated, so phishing emails may not contain any blatant errors anymore. When errors appear, it’s clear that extra caution is needed. 
  • Personal touches and playing on your trust – the fraudulent emails may contain a familiar tone, references to the target’s habits, but also phrases like “I’m counting on you”.
  • A sense of urgency – people usually make poor decisions when they’re panicked, so the sense of urgency may appear directly in the subject line of the email. 
  • Authoritative tone – there’s a reason cybercriminals impersonate CEOs and other authoritative figures. Fraudulent emails may contain powerful phrases like “Please pay immediately”, which are hard to resist if you believe they come from a superior.  
  • New details about the account – if you receive other account details than the ones you have used so far, pay attention and don’t send money unless you make sure that the money will go to the right place. 

Examples of CEO Fraud Emails

Some of the companies that have dealt with CEO fraud emails over the years are Heimdal™ Security, Ubiquity Networks, and Mattel. 

The Heimdal™ Security Case

Several of our employees received emails that seemed to come from our CEO Morten Kjaersgaard, asking them to reply to them with some financial data. Of course, the text mentioned the urgency and secrecy of the project. But upon a closer look, everyone could tell that even though the name of the sender is that of our CEO, the address it was coming in from was That is in no way a legitimate address. Furthermore, if you look carefully, the email contains several spelling mistakes which are tell-tale signs of foul play.

Good morning [employee name] ,

I need you to manage a high priority situation with my Attorney [lawyer name].
It’s about a prime concern deal for the group, regarding a foreign corporation bid acquisition.

[Lawfirm name] lawyers offices ordered me that do not treat this case from Headquarters but use a foreign subsidiary to avoid leaks and insiders trading.
I did choose you to take control this operation with my lawyer and I.

No one else except us must be informed at this time.
Regarding this case the Financial Markets Authority has warned us that we must communicate only by email until the public announcement should made within the next few weeks.

First of all [employee name] provide me immediately the available cashflow of our bank account in UK.
Also give me another phone number which on you are comfortable to talk with him.

As soon as I receive those information, I will share with you further instructions.

Best regards,

Morten Kjaersgaard

Take a look at the text we replaced in the brackets. The hackers were using the names of very prominent (and legitimate) attorneys and law firms, as a way of adding credibility to the claim.

In other widespread cases, hackers simply invent law firms to start with. This way, if you contact the so-called attorneys to verify the claim, you’re talking to the initial hackers and, of course, they will confirm their own story.

In our case, this attempt of CEO fraud was a poorly executed one. The email of our CEO was not correct, the text was full of mistakes, and the pretext laughable. But attacks like these still manage to go through, and businesses lose money and sensitive data to such attackers every day. Stay vigilant, informed, and safe.

Ubiquity Networks

The wireless tech company based in San Jose, California, was exposed to an attack that included both employee and executive impersonation. This attack, launched by the corporation’s Hong Kong subsidiary, resulted in the transfer of $46.7 million to the hackers’ third-party bank accounts. After being notified of the incident, the company was able to immediately get back $8.1 million of the total amount transferred.


In the case of the American multinational toy manufacturing company, the CEO fraud was the consequence of a highly sophisticated phishing email sent to a finance executive who could authorize large cash transfers. The email was supposedly written by the new CEO, Christopher Sinclair. The hackers did extensive research on senior Mattel company employees in advance. Hence, they were able to understand the hierarchy in the organization as well as the payment habits. The malicious actors were able to redirect over $3 million from Mattel to the Bank of Wenzhou, China. Following the attack, Mattel contacted the FBI as well as the financial institution in China, and the money was eventually returned.

CEO Fraud Emails: Prevention

When it comes to preventing CEO fraud emails, there are a few things you can try:

Security awareness training

All your employees should know about the dangers of CEO fraud emails and other types of cyberattacks, and also how to recognize the potential signs, what to do and how to report incidents.  

Policies and procedures

Make sure your company requires multiple layers of authorization, proper documentation and/or verbal approval before money or sensitive information transfers. 

Email security software

Cybersecurity awareness is essential, but unfortunately not enough – you still need proper email security software to keep your accounts, data, and money safe.

How can Heimdal Help Preventing CEO Fraud?

We can help you here. Our Heimdal Email Fraud Prevention module can detect CEO and financial mail fraud, spot Insider Business Email Compromise, discover imposter threats, and advanced malware emails. It uses 125 detection vectors to keep your email safe. The most important are: phraseology changes, IBAN / account number scanning, attachment modification, link execution and scanning, man-in-the-email detection. 

Heimdal Official Logo
Email communications are the first entry point into an organization’s systems.

Heimdal® Email Fraud Prevention

Is the next-level email protection system against Business Email Compromise and fraud attempts.
  • Advanced email fraud prevention solution focusing on email alterations
  • 125 vectors of analysis coupled with live threat intelligence
  • Deep content scanning for attachments and links;
  • Identify and stop Business Email Compromise, CEO Fraud, and complex malware
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Heimdal Email Fraud Prevention can learn the senders’ communication patterns and detect the smallest modifications. Both you as a user and the IT administrator will be notified when a fraudulent email enters your inbox, not to mention that a team of experts would be there for you 24 hours / 7 days a week, to analyze possibly dangerous isolated emails in order to avoid false positives. 

Wrapping Up

CEO fraud emails are common in today’s business world, but they can be prevented and their consequences mitigated if you and your employees respect a few basic rules – of awareness and protection

You must also remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions, or suggestions regarding the topic of CEO fraud emails  – we are all ears and can’t wait to hear your opinion!

Last updated by Antonia Din.

Why Do Organizations Need an Email Security Policy?

Vendor Email Compromise (VEC) Explained

What Is Online Impersonation?

What Is Email Spoofing and How to Stay Protected

What Is Email Security?

The Complete Guide to Business Email Compromise (BEC) and How to Prevent It

Here are the Top Online Scams You Need to Avoid Today

How Ensuring Email Fraud Protection Keeps Your Company Safe

Did You Know That There Are Various Types of Online Financial Frauds Lurking in the Cyberspace?

Leave a Reply

Your email address will not be published. Required fields are marked *