What Is CEO Fraud? How It Works & How to Prevent It
CEO fraud exploits executive authority to bypass financial controls. Understand how attacks work, why they succeed, and how to build defenses that stop them.
CEO fraud is a targeted attack in which criminals impersonate a company's chief executive or other senior leader to trick employees into sending money, sharing sensitive data, or changing payment details. The tactic works because it exploits authority and urgency at the same time, often in ways that look routine on the surface. Understanding the threat makes it easier to see why these attacks keep working and where organizations are most exposed.
Key Takeaways
- CEO fraud uses an executive's identity to pressure employees into bypassing normal checks around money, data, or payment changes.
- These attacks often rely on plain-text social engineering rather than malware, which makes process controls as important as technical defenses.
- Effective prevention combines email authentication, out-of-band verification, and clear approval rules for sensitive requests.
- Voice and video impersonation have expanded CEO fraud beyond email, which means identity verification can no longer depend on a single channel.
What Is CEO Fraud?
CEO fraud is a form of executive impersonation in which an attacker poses as a CEO, CFO, or other senior executive to manipulate employees into taking harmful actions.
Using Executive Identity as Leverage
The attacker may spoof the executive's email address, compromise their actual account, or contact targets by phone using cloned audio, including deepfake variants. Regardless of the delivery method, the goal is the same: exploit the trust and authority that comes with a leadership title to bypass normal verification procedures.
As a subset of business email compromise (BEC), CEO fraud focuses on using executive authority against the people expected to act quickly on leadership requests. According to the FBI's 2024 Internet Crime Report, BEC generated $2.77 billion in adjusted losses that year alone.
CEO Fraud vs. BEC vs. Whaling
These three terms describe related but distinct attack patterns, and confusing them creates blind spots in defensive planning.
Comparing the Core Attack Patterns
| Attack Type | Who Is Impersonated | Who Is Targeted | Primary Goal |
|---|---|---|---|
| CEO Fraud | CEO, CFO, or senior executive | Subordinates with financial or data authority | Wire transfers, invoice fraud, W-2 theft |
| BEC | Any trusted business identity | Businesses and individuals (broadest scope) | Fund transfers, data theft, payroll diversion |
| Whaling | Trusted advisors, regulators, partners | C-suite executives specifically | Executive data theft, financial fraud |
The most important distinction is directional. In whaling, the executive is the victim. In CEO fraud, the executive's identity is the weapon, used against employees further down the organizational chart.
How CEO Fraud Attacks Work
A CEO fraud attack follows a predictable sequence, from initial research through fund extraction, and each phase presents distinct opportunities for detection.
Researching the Target Organization
Attackers begin by studying their target through open-source intelligence gathering. They identify employees with financial authority, typically accounts payable staff or finance directors, using LinkedIn profiles, corporate websites, press releases, and regulatory filings.
Social media monitoring can help attackers identify moments when an executive may be harder to reach for direct verification. Attackers also study the organization's writing style and its email naming conventions, so that both the message and the spoofed sender address look authentic.
Beyond individual targets, attackers learn the company's communication style, organizational hierarchy, and current business activities. A pending acquisition, a leadership transition, or a large contract can all serve as plausible cover for an urgent wire transfer request, consistent with documented pretexting patterns in BEC attacks. This reconnaissance phase may continue until attackers believe organizational conditions give them the best chance of success.
Setting Up the Impersonation Infrastructure
Once the attacker understands the target, they build the technical infrastructure to deliver the attack. Two primary methods exist. In account takeover attacks, the attacker gains access to the executive's actual email account through credential phishing, brute force, or malware. Operating from the real inbox gives them access to genuine email history, writing patterns, and established trust relationships.
Compromised accounts are particularly dangerous because messages sent from them pass email authentication checks, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), since the message genuinely originates from the real domain.
The alternative is domain spoofing: registering a lookalike domain that differs slightly from the legitimate one, such as swapping similar-looking letters or using an alternative top-level domain. Even basic display-name manipulation can work when recipients focus on the sender name rather than the full address.
Crafting the Pretext
The attacker constructs a message built around authority, urgency, and secrecy. A typical CEO fraud email asks the recipient to process a wire transfer for a confidential deal, update banking details for a vendor payment, or send employee tax records. The language discourages verification: phrases like "keep this between us," "I'm in a meeting and can't talk," or "this needs to happen before end of day" are designed to suppress the target's instinct to confirm through a second channel. Some attackers study email threads obtained through prior account compromise to mirror the executive's tone precisely, replicating signature blocks and greeting patterns.
Attackers time their requests for moments when the impersonated executive is known to be traveling or otherwise unreachable, because fewer colleagues are available to consult and time pressure compounds as business hours run out. These messages are often plain-text pretexts with no malicious link or attachment. They are pure social engineering, which means URL scanners and attachment sandboxes produce no alerts.
Moving and Extracting the Funds
If the target complies, stolen funds move quickly through a deliberate layering process designed to make recovery difficult. Initial transfers are often routed through intermediary accounts and money mule networks before reaching the attacker. Money mules receive funds into personal accounts and forward them onward, adding transactional layers that obscure the final destination. The FBI notes that stolen funds are commonly routed to overseas accounts, which further complicates recovery.
The FBI's Recovery Asset Team works with financial institutions to freeze BEC-related transfers. Early intervention gives organizations the best chance of freezing or recalling funds before they are moved again.
CEO Fraud Attack Variants
CEO fraud takes several forms beyond the classic wire transfer request, each targeting different departments with different pretexts.
Expanding Beyond Email Requests
CEO fraud is not limited to a single request type or communication channel. In practice, attackers adapt the same core playbook to whichever department is most likely to act quickly and whichever pretext feels most believable in the moment. Finance teams may receive urgent payment instructions, HR staff may be asked for tax records, and executive assistants may be pressured into handling purchases or scheduling around a supposedly confidential matter. The tactic remains consistent even when the details shift: impersonate authority, create urgency, and discourage verification.
Common variants include the following:
- Wire Transfer Fraud: The impersonated CEO or CFO instructs finance staff to wire an urgent payment.
- W-2 and Tax Data Theft: A spoofed executive email requests employee W-2 forms or other personally identifiable information from HR.
- Attorney or Legal Impersonation: The attacker poses as outside counsel to add legal urgency.
- Vendor Payment Redirection: The attacker impersonates an executive to authorize changed vendor payment details.
- Voice Cloning and Vishing: Attackers use AI-generated voice clones to call targets by phone.
- Deepfake Video Conference Fraud: Attackers populate video calls with convincing recreations of real executives.
- Gift Card Scams: The impersonated executive asks an assistant to purchase gift cards and share card numbers by email or text.
What changes from one variant to another is less important than the pattern underneath. Each version is designed to make an unusual request feel routine enough to slip past normal checks.
Warning Signs of CEO Fraud
Most CEO fraud attempts share identifiable patterns, even when the impersonation is technically sophisticated.
Recognizing the Common Red Flags
The warning signs of CEO fraud often appear in combinations rather than in isolation. A message may look ordinary at first glance, but small details can signal that the request deserves closer scrutiny. The sender name may match an executive, while the full email address does not.
The tone may be unusually urgent, secretive, or insistent about avoiding a phone call. In other cases, the request itself is the clearest signal, especially when it asks someone to bypass a routine approval step or handle a payment change outside the normal process.
Common red flags include the following:
- An unexpected request to transfer money, buy gift cards, or change banking details.
- The display name matches an executive, but the underlying email address uses a different domain or subtle misspelling.
- The message pressures immediate action and specifically discourages phone confirmation.
- The reply-to address differs from the sender address, routing responses to an external account.
- The request bypasses established approval processes or arrives during organizational change when unusual requests seem plausible.
Taken together, these signs point to the same underlying problem: the attacker wants the recipient to act before pausing to verify who is really making the request.
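The red flags listed above can be checked mechanically before a message ever reaches a finance inbox. The following is an added example, not code from the original article: a heuristic checker that parses a raw email, compares the display name against a constructed executive directory, looks for lookalike domains and mismatched Reply-To headers, and scans the body for the pretext phrases described earlier. The directory, domain names and sample messages are all constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory: lower-cased executive display name -> real address.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAIN = "example-corp.com"
# Pretext phrases drawn from the patterns the article describes.
URGENCY = ("keep this between us", "can't talk", "in a meeting", "end of day")
REQUEST = ("wire", "gift card", "banking details", "w-2", "direct deposit")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw: str) -> list[str]:
    """Return the CEO-fraud red flags present in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:            # executive name, wrong address
        flags.append("display name matches an executive, address does not")
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain: {domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to routes replies to a different domain")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(p in text for p in URGENCY):
        flags.append("urgency or secrecy language")
    if any(p in text for p in REQUEST):
        flags.append("money or data request")
    return flags

# Constructed samples: one fraudulent pretext and one routine message.
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
Subject: Urgent

I'm in a meeting and can't talk. Please wire $48,000 today; keep this between us.
"""
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Quarterly review

Thanks for the summary; let's go over it on Thursday.
"""
```

A compromised real account would trigger none of the header checks, which is why the body heuristics and the out-of-band verification described later still matter.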
How to Prevent CEO Fraud
Stopping CEO fraud requires layered defenses that combine technical controls, process safeguards, and a security-aware culture. No single measure is sufficient on its own.
Deploying Technical Controls
Email authentication protocols form the first line of defense. SPF, DKIM, and DMARC work together to verify that incoming messages actually originate from the domains they claim to represent: SPF validates the sending server against a list of authorized mail sources, DKIM uses digital signatures to verify message integrity in transit, and DMARC ties the two together by requiring that a passing SPF or DKIM result align with the visible From domain and by publishing a policy for how receiving servers should handle messages that fail.
DMARC set to a "reject" policy prevents attackers from spoofing your domain in outbound attacks, though it cannot stop spoofed emails from external domains that lack their own DMARC enforcement. This limitation matters because attackers frequently register lookalike domains without any authentication records.
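The policy decision just described, as an added example that is not from the original article: a simplified model of how a receiving server applies the From domain's published DMARC record, including the case where a lookalike domain publishes no record and therefore nothing is enforced. The domains, TXT records and authentication results are constructed; real evaluation also handles subdomain policy, pct= sampling and strict alignment, which are omitted here.

```python
# Constructed _dmarc.<domain> TXT records. A lookalike domain such as the
# one in the article's scenario typically publishes no record at all.
DMARC_RECORDS = {
    "example-corp.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com",
    "example-corp-legacy.com": "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com",
}

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Assumption for this example: the organizational domain is the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_disposition(from_domain: str, spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    DMARC passes when SPF or DKIM passes and that result's domain aligns
    (relaxed mode: same organizational domain) with the From: domain.
    Otherwise the From: domain's published p= policy applies.
    """
    record = DMARC_RECORDS.get(from_domain.lower())
    if record is None:
        return "none"          # nothing published, nothing to enforce
    spf_ok = spf_pass and org_domain(spf_domain) == org_domain(from_domain)
    dkim_ok = dkim_pass and org_domain(dkim_domain) == org_domain(from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    requested = parse_dmarc(record).get("p", "none")
    return requested if requested in ("quarantine", "reject") else "none"
```

Note that a message sent from a genuinely compromised executive mailbox aligns on both SPF and DKIM and returns "pass", which is the account-takeover gap described in the earlier section.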
On top of authentication, organizations can flag all external emails with a visible banner in the email client that includes the full sender domain. This simple step directly disrupts the impersonation mechanism, since a message supposedly from the CEO would carry an "External" label if it originated outside the organization. Phishing-resistant multi-factor authentication on executive accounts, particularly FIDO-based or biometric authentication, raises the cost of account takeover significantly.
Establishing Process Safeguards
Technical controls cannot catch a plain-text email that asks for a wire transfer and contains no malicious payload. Process controls fill this gap. Organizations can require out-of-band verification for any financial transaction above a defined threshold, meaning a phone call to a pre-registered number or an in-person confirmation rather than a reply to the requesting email.
Maintaining a verified contact directory with pre-registered phone numbers for each executive prevents employees from calling a number provided in the suspicious message itself. Some organizations go further by establishing internal codewords known only to executives and high-risk employees, which must be spoken during verification calls for high-risk transactions.
These procedures work best when they apply equally to requests that appear to come from the CEO, with no executive override that bypasses verification. Dual-approval requirements for wire transfers add another layer: if two people must independently authorize a payment, a single compromised or deceived employee cannot complete the fraud alone.
Thresholds for dual approval should balance catching unusual requests against creating approval fatigue. Verification procedures should cover not just wire transfers but also changes to direct deposit information, vendor bank details, and data release requests.
Building a Security-Aware Culture
Security awareness training programs should specifically cover CEO fraud scenarios, not just generic phishing. Employees need to understand that questioning an executive's request is expected and supported, not insubordinate.
Executive buy-in is critical: leaders should publicly endorse verification procedures and praise employees who flag suspicious requests, even when those requests turn out to be legitimate. If employees fear pushback for delaying a CEO's wire transfer instruction, no amount of training will change their behavior in the moment. Building that psychological safety requires visible, repeated reinforcement from leadership.
Training should cover not just email-based CEO fraud but also voice and video-based variants, since AI-generated deepfakes have expanded the attack surface beyond traditional channels. Organizations should conduct tabletop exercises specifically simulating CEO fraud scenarios, where finance and HR teams walk through their response procedures against realistic attack scripts and practice escalation decisions under time pressure. Reporting procedures should be as simple as possible, and regular simulations that mimic real CEO fraud attempts help employees practice recognition in realistic conditions.
Real-World CEO Fraud Examples
CEO fraud affects organizations across every industry and at every scale. In one widely reported case, British design and engineering firm Arup confirmed that a Hong Kong employee paid out roughly $25 million to fraudsters after being duped into a video call with people he believed were the chief financial officer and other staff, all of whom turned out to be deepfake re-creations. The employee initially suspected a phishing email but set his doubts aside after the video call, as the other attendees looked and sounded like colleagues he recognized. The case illustrates how impersonation has moved beyond email into channels that employees once treated as inherently trustworthy.
An earlier and equally instructive case shows that the core pattern predates deepfakes. Networking company Ubiquiti Networks disclosed that it was scammed of nearly $47 million by cyber thieves, with the fraudulent transfer moving funds from a Ubiquiti subsidiary in Hong Kong to overseas accounts held by third parties. The specific names, industries, and dollar amounts vary from case to case, but the mechanics remain familiar: a trusted identity is impersonated, an urgent financial request is presented as routine or time-sensitive, and the victim acts before a secondary check takes place.
These incidents also show why recovery gets harder with time. Once money moves into intermediary accounts and through additional transfers, tracing and freezing it becomes far more difficult. That is why the same themes appear repeatedly across cases: trusted relationships are exploited, money moves rapidly, and delayed verification creates the opening that makes the fraud possible. Looking at individual cases is useful not because each one is unique, but because each one reflects the same broader BEC pattern from a slightly different angle.
Common Misconceptions About CEO Fraud
Several widely held assumptions create gaps in organizational defenses.
Correcting the Most Common Assumptions
- No Malicious Payload Required: Most CEO fraud messages contain no technical payload. They are plain-text requests relying on social manipulation, so traditional email filters will not flag them.
- The CEO Is Not the Target: The CEO is impersonated, not targeted. The actual victims are finance staff, executive assistants, and HR personnel.
- Whaling Is Not CEO Fraud: Whaling targets executives. CEO fraud uses executive identities to target subordinates. The defensive controls for each are different.
- Video Calls Are Not Reliable Verification: Deepfake-enabled impersonation means video calls should not be treated as conclusive proof of identity on their own.
- BEC Incidents Are Underreported: Public understanding of these attacks is often shaped by more visible cybercrime categories, which can cause organizations to underestimate the operational risk of CEO fraud.
Building Defenses That Match the Threat
CEO fraud succeeds because it exploits trust, authority, and the natural reluctance to question leadership. The strongest defenses combine clear verification procedures, shared accountability, and a culture that treats healthy skepticism as part of doing the job well. As impersonation expands across email, voice, and video, organizations are better served by making verification a normal part of work rather than an exception reserved for obvious red flags.
Frequently Asked Questions
What Is the Difference Between CEO Fraud and BEC?
CEO fraud is one specific type of BEC. BEC encompasses any attack that impersonates a trusted business identity, including vendor fraud and payroll diversion. CEO fraud specifically involves impersonating a senior executive to manipulate subordinates.
Can CEO Fraud Happen Without Email?
Yes. Attackers increasingly use phone calls with AI-cloned voices, SMS messages, and deepfake video conferences to impersonate executives. The underlying tactic is the same regardless of channel: exploit authority and urgency to pressure the target into acting before verifying.
Why Do CEO Fraud Attackers Ask for Gift Cards?
Gift cards are functionally anonymous and nearly impossible to trace or reverse once redeemed. They serve as an easy cash-out mechanism for lower-value attacks, because the attacker simply needs the card numbers and PINs. Many organizations now treat any executive request for gift cards as an automatic red flag and cover it explicitly in their training programs.