A Single Email Cost This Company $47 Million
In 2015, Ubiquiti Networks disclosed that threat actors used a CEO fraud email scam to trick finance employees into wiring $46.7 million to overseas accounts controlled by attackers. The emails looked like routine requests from senior executives. No malware was involved. No firewall was breached. Someone simply believed an email and followed instructions.
That incident wasn't an outlier. The FBI's Internet Crime Complaint Center (IC3) reports that Business Email Compromise — the broader category that includes CEO fraud — has generated over $50 billion in exposed losses globally since 2013. The 2023 IC3 Annual Report ranked BEC as the costliest cybercrime category, surpassing ransomware by a wide margin.
If you're responsible for protecting your organization's finances, reputation, or data, this is the threat that should keep you up at night. Here's exactly how these attacks work, why they succeed, and what you can do to stop them.
What Is a CEO Fraud Email Scam?
A CEO fraud email scam is a type of social engineering attack where a threat actor impersonates a company's CEO, CFO, or other senior executive via email. The attacker sends a convincing message — usually to someone in finance or accounting — requesting an urgent wire transfer, vendor payment, or sensitive data like W-2 forms.
The email doesn't contain malicious attachments or links. It relies entirely on authority, urgency, and trust. That's what makes it devastatingly effective.
These attacks fall under the FBI's Business Email Compromise (BEC) umbrella, but CEO fraud is the most targeted and highest-dollar variant. The attacker's goal is simple: manipulate a human being into sending money or information to a destination they control.
How the Attack Actually Works — Step by Step
1. Reconnaissance: Weeks Before You See Anything
Threat actors don't send CEO fraud emails cold. They research your organization methodically. They mine LinkedIn for org charts, read press releases for executive names, check SEC filings for financial details, and scan social media for travel schedules.
If your CEO just posted about being at a conference in Singapore, that's the perfect moment to impersonate them — they're "unavailable" and can't be easily reached by phone.
2. Domain Spoofing or Lookalike Domains
Attackers either spoof your CEO's exact email address (if your domain lacks proper DMARC enforcement) or register a lookalike domain. Think yourcompany-inc.com instead of yourcompany.com. The difference is nearly invisible in a busy inbox, especially on mobile devices.
Some attackers go further — they compromise the CEO's actual email account through credential theft, often via a prior phishing attack. When the email comes from the real account, even cautious employees comply.
3. The Urgent Request
The email itself is carefully crafted. It's short, authoritative, and urgent. Here's a typical example:
"I need you to process a wire transfer of $125,000 to a new vendor today. I'm in meetings all afternoon and can't talk, but this needs to go out before 3 PM. I'll send the account details in the next email. Keep this between us for now — it's related to a confidential acquisition."
Notice the psychological levers: authority (CEO), urgency (today, before 3 PM), isolation (keep this between us), and a plausible business reason (confidential acquisition).
4. The Money Disappears
Once the wire transfer goes out, the funds are typically routed through multiple accounts across different countries. Recovery rates are low. The FBI estimates that intervention within 24 hours gives you the best chance, but most organizations don't realize they've been hit for days or weeks.
The $4.88M Lesson Most Organizations Learn Too Late
According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach reached $4.88 million globally. BEC and social engineering attacks are among the costliest initial attack vectors because they bypass technical controls entirely.
I've seen organizations with excellent firewalls, endpoint detection, and network segmentation still lose six or seven figures to a CEO fraud email scam. The reason is straightforward: they invested in technology and ignored the human layer.
Your employees are your last line of defense against these attacks. If they can't recognize a fraudulent executive request, no amount of technology will save you.
Real CEO Fraud Incidents That Made Headlines
FACC: $55.8 Million Gone
Austrian aerospace parts manufacturer FACC lost approximately €42 million (about $55.8 million at the time) in 2016 when attackers impersonated the CEO and instructed a finance employee to transfer funds for a fake acquisition project. The company's CEO and CFO were both fired in the aftermath.
Toyota Boshoku: $37 Million
In 2019, a European subsidiary of Toyota Boshoku Corporation lost $37 million after a threat actor used social engineering to convince a finance executive to change wire transfer banking information for a payment. The attacker posed as a business partner with knowledge of ongoing transactions.
Crelan Bank: $75.8 Million
Belgian bank Crelan lost approximately €70 million in a BEC fraud scheme disclosed in 2016. The attack was only discovered during an internal audit — the fraudulent transfers had gone undetected for an extended period.
These aren't small, careless companies. They're multinational corporations with security teams. CEO fraud works because it exploits human psychology, not technical vulnerabilities.
Why Traditional Email Security Doesn't Stop CEO Fraud
Most email security gateways are designed to catch malware, known phishing URLs, and spam. A CEO fraud email contains none of these. It's plain text from a legitimate-looking sender with no malicious payload.
Some advanced email security tools use AI to detect anomalies in communication patterns — unusual sender behavior, first-time wire transfer requests, or domain lookalikes. These help, but they're not foolproof.
Here's what I tell every organization I work with: technology is necessary but insufficient. You need layered defenses that combine technical controls with trained, skeptical humans.
Seven Defenses That Actually Work Against CEO Fraud
1. Implement Strict Wire Transfer Verification
Require out-of-band verification for any wire transfer request, payment change, or sensitive data request — regardless of who it appears to come from. "Out-of-band" means using a different communication channel: if the request came by email, verify by phone using a known number (not one from the email).
This single control would have prevented the majority of CEO fraud losses I've seen. Make it policy. Make it non-negotiable. Make it apply to the CEO's requests too.
2. Deploy DMARC, SPF, and DKIM
Together, these email authentication protocols let receiving mail servers detect and reject messages that forge your exact domain. CISA's Binding Operational Directive 18-01 required all federal agencies to implement DMARC — your organization should too.
Set your DMARC policy to "reject" to block spoofed emails from reaching your employees. Many organizations set it to "none" (monitoring only) and never move to enforcement. That's a false sense of security.
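The gap between a monitoring-only DMARC record and an enforcing one is easy to miss when you are reading raw DNS text. The script below is an added example (not code from the original article) that parses a DMARC TXT record, the kind published at _dmarc.yourcompany.com, and reports whether it actually enforces. The three sample records and the yourcompany.com domain are constructed for illustration; the tag names (v, p, sp, pct, rua, adkim, aspf) are the standard DMARC ones.

```python
"""Assess whether a DMARC TXT record actually enforces, or only monitors."""
from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    policy: str                 # value of p= (none, quarantine, reject)
    subdomain_policy: str       # value of sp=, defaulting to p=
    pct: int                    # share of failing mail the policy applies to
    enforcing: bool             # True only for full p=reject coverage
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Classify a DMARC record the way a receiver would apply it and list the gaps."""
    tags = parse_dmarc(record)
    findings = []
    valid_version = tags.get("v", "").upper() == "DMARC1"
    if not valid_version:
        findings.append("missing or malformed v=DMARC1; receivers ignore the record")
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; treated here as 100")
    if policy == "none":
        findings.append("p=none only monitors: forged mail from your exact domain is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forged mail to spam instead of rejecting it")
    elif policy != "reject":
        findings.append(f"unrecognised policy p={policy}; not enforcing")
    if policy != "none" and subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy} leaves subdomains below full enforcement")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports showing who spoofs you")
    enforcing = valid_version and policy == "reject" and subdomain_policy == "reject" and pct == 100
    return DmarcAssessment(policy, subdomain_policy, pct, enforcing, findings)


# Constructed sample records for yourcompany.com (the article's placeholder domain).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com"
PARTIAL = "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc-reports@yourcompany.com"
ENFORCED = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc-reports@yourcompany.com")

if __name__ == "__main__":
    for label, record in [("monitor-only", MONITOR_ONLY), ("partial", PARTIAL), ("enforced", ENFORCED)]:
        result = assess_dmarc(record)
        print(f"{label}: enforcing={result.enforcing}")
        for finding in result.findings:
            print("   -", finding)
```

Run it against your own record (dig TXT _dmarc.yourcompany.com) and treat anything other than an empty findings list as work still to do; the partial record shows how pct= and sp= can quietly undo a p=reject that looks complete at first glance.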
3. Train Your People with Realistic Phishing Simulations
Security awareness training is the most effective defense against social engineering. But generic annual training doesn't cut it. You need ongoing, realistic phishing simulation exercises that mirror actual CEO fraud tactics.
Our phishing awareness training for organizations is built specifically for this purpose — it puts your employees through scenarios modeled after real BEC attacks so they learn to spot the red flags before real money is at stake.
4. Enable Multi-Factor Authentication on All Email Accounts
If a threat actor compromises your CEO's email account through credential theft, they can send CEO fraud emails from the real address. Multi-factor authentication (MFA) is the single most effective control against account compromise.
Prioritize phishing-resistant MFA methods like FIDO2 security keys over SMS codes, which can be intercepted through SIM-swapping attacks.
5. Flag External Emails
Configure your email system to add a visible banner to all emails originating from outside your organization. A simple "[EXTERNAL]" tag in the subject line or a colored banner at the top of the message body makes domain lookalike attacks much easier to spot.
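An external banner is only one of the sender-side signals worth checking. The script below is an added example, not code from the original article, that applies three of the checks this article describes to inbound mail headers: tagging external mail with [EXTERNAL], detecting lookalike domains such as yourcompany-inc.com (from the domain spoofing section above), and flagging an executive's display name on an outside address. The organisation domain yourcompany.com is the article's placeholder, the executive names are hypothetical, and the sample headers are constructed.

```python
"""Flag inbound mail carrying the sender-side CEO-fraud signals above:
external origin, lookalike domains, and executive display names on outside addresses."""
from email.utils import parseaddr

ORG_DOMAIN = "yourcompany.com"  # the article's placeholder for your real domain
# Constructed executive roster; in production, feed this from the directory.
EXECUTIVES = {"jane doe", "sam lee"}  # hypothetical names, lower-cased

# Characters attackers swap into lookalike domains, folded back before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot, and fold common look-alike characters."""
    d = domain.lower().rstrip(".").translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between two different domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    """The organisation's own domain or any subdomain of it."""
    d = domain.lower().rstrip(".")
    return d == ORG_DOMAIN or d.endswith("." + ORG_DOMAIN)


def org_label(domain: str) -> str:
    """'yourcompany' from 'yourcompany.com' (second-level label, good enough here)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def is_lookalike(domain: str) -> bool:
    """True for yourcompany-inc.com, yourc0mpany.com, yourcompany.co and similar."""
    if is_internal(domain):
        return False
    norm = normalise(domain)
    if norm == ORG_DOMAIN or levenshtein(norm, ORG_DOMAIN) <= 2:
        return True
    return org_label(ORG_DOMAIN) in org_label(norm)


def triage(headers: dict) -> tuple:
    """Return (subject with [EXTERNAL] tag where due, list of flags) for one message."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2]
    subject = headers.get("Subject", "")
    flags = []
    if not is_internal(domain):
        flags.append("external")
        if not subject.startswith("[EXTERNAL]"):
            subject = "[EXTERNAL] " + subject
        if is_lookalike(domain):
            flags.append("lookalike-domain")
        if " ".join(name.split()).lower() in EXECUTIVES:
            flags.append("executive-display-name")
    return subject, flags


# Constructed sample headers; the first is the real CEO, the rest are impersonation attempts.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@yourcompany.com>", "Subject": "Q3 board pack"},
    {"From": "Jane Doe <jane.doe@yourcompany-inc.com>", "Subject": "Wire transfer today"},
    {"From": "Jane Doe <janedoe.ceo@gmail.example>", "Subject": "Quick favour"},
    {"From": "billing@supplier.example", "Subject": "Invoice 1042"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        subject, flags = triage(msg)
        print(f"{msg['From']:45} -> {subject!r} {flags}")
```

The executive-display-name flag is the one most worth routing to a human reviewer: it is exactly the pattern of a senior name on a free-mail or lookalike address, and it fires whether or not the domain itself resembles yours. Mail gateways and transport rules can apply the same logic; the point of the script is to make the checks explicit and testable.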
6. Limit Public Exposure of Your Org Chart
Every piece of information you publish about your executive team, reporting structure, and financial processes helps attackers craft more convincing CEO fraud emails. Audit what's publicly available. You don't need to list every VP and director on your website.
7. Adopt a Zero Trust Mindset
Zero trust isn't just a network architecture concept. It's a philosophy: never trust, always verify. Apply it to email communications. Train your finance team to treat every wire transfer request as potentially fraudulent until verified through a separate channel.
Who Gets Targeted? It's Not Just Fortune 500 Companies
The Verizon 2024 Data Breach Investigations Report found that social engineering attacks — including BEC — disproportionately affect small and mid-sized businesses. These organizations often lack dedicated security teams and rely on informal approval processes for financial transactions.
In my experience, companies with 50 to 500 employees are the sweet spot for attackers. They're large enough to process significant wire transfers but small enough to have loose controls. The CEO and CFO might actually email the accounting team directly, making impersonation feel natural.
If your organization fits this profile, you're a prime target. Comprehensive cybersecurity awareness training isn't optional — it's a direct defense against the most expensive cyber threat you face.
What to Do If You've Already Been Hit
Speed matters. If you suspect a CEO fraud email scam has resulted in a fraudulent wire transfer:
- Contact your bank immediately. Request a recall of the wire transfer. Banks have a narrow window to freeze funds.
- File a complaint with the FBI IC3 at ic3.gov. Include all email headers, transaction details, and recipient account information.
- Preserve all evidence. Don't delete the emails. Save headers, timestamps, and any related communications.
- Engage legal counsel. You may have notification obligations, especially if employee data (like W-2s) was compromised.
- Conduct a post-incident review. Identify exactly how the attack succeeded and close that gap before the next attempt.
The FBI's Recovery Asset Team has had success freezing fraudulent transfers when reported within 48 hours. Don't wait. Don't investigate internally first. Call your bank and file with IC3 in parallel.
Building a Culture Where CEO Fraud Fails
The organizations that consistently defeat CEO fraud email scams share one trait: they've built a culture where questioning authority is expected, not punished.
When an accounting clerk can call the CEO directly to verify a wire transfer request — and the CEO thanks them for doing it — you've created an environment where social engineering fails. When that same clerk is afraid to "bother" leadership, attackers win.
This starts at the top. Executives need to publicly endorse verification procedures and submit to them personally. I've watched CEOs exempt themselves from the very controls designed to prevent impersonation of them. That's organizational sabotage dressed up as convenience.
Pair that cultural shift with regular, practical training. Run tabletop exercises where your finance team walks through a CEO fraud scenario. Conduct ongoing phishing simulations. Review your wire transfer policies quarterly.
The Threat Isn't Going Away — It's Evolving
Generative AI is making CEO fraud more dangerous. Attackers now use AI to craft grammatically flawless emails that match an executive's writing style. Deepfake voice technology has already been used in at least one documented case to impersonate a CEO's voice on a phone call, convincing a UK energy firm to wire $243,000 in 2019.
As these tools become more accessible, the barrier to launching a convincing CEO fraud email scam drops dramatically. The organizations that survive will be those that combine robust technical controls with a workforce trained to verify before they trust.
Your defenses need to evolve faster than the threat. Start by hardening your email authentication, implementing strict financial verification procedures, and investing in continuous security awareness training for every employee who touches money or sensitive data.
The next CEO fraud email targeting your organization is already being drafted. The only question is whether your people will recognize it.