CEO Impersonation Fraud

CEO impersonation fraud takes place when a scam email purporting to be from the Chief Executive Officer, Managing Director or another senior figure in an organisation is sent to the finance team requesting that a payment to be made to a third party, or to the senior figure themselves. It is also known as ‘whaling’ (because it targets one ‘big fish’ as opposed to phishing, which targets a large number of smaller ones). Small and large organisations alike have been targeted … and fallen for the scam.

This type of email frequently requests the payment to be made the same day, sometimes providing a seemingly satisfactory explanation for its urgency. It is often received when the ‘sender’ is away from the office, making it difficult for the recipient to check whether or not it is genuine. In addition, the fact that the email is Whatever the scenario, the fact that it seems to come from a senior person in the organisation can make it more believable – and more important that the payment is made – than a ‘normal’ phishing email.

Fraudsters can achieve the impersonation by either hacking into the senior figure’s email account, spoofing the sender’s actual address or use one that is very similar, but almost indistinguishable. Their scam can also be aided by gathering information about your organisation and the relevant people in it via social engineering techniques or other underhand methods, or even via legitimate methods such as LinkedIn. In some cases, the email is followed by a call from the supposed payee, providing payment details.

The risks

The belief that you are making payments to suppliers or other legitimate third parties when, in fact, you are paying fraudsters impersonating a senior officer in your organisation.

Protect your business from CEO impersonation fraud

  • Be on your guard for payment requests that are unexpected or irregular, whatever the amount involved.
  • Always check with the person you believe sent the email, however senior or busy, that it is from them. If they are not available and the email has requested urgency, check with one of their senior colleagues.
  • Do not do this by email in case their account has been hacked. Instead, make a phone call, ask in person or use some other trusted communication method.
  • If in any doubt, do not make the payment, however urgent it may seem or whatever the suggested outcome(s).

If your organisation is a victim of actual or attempted fraud

  • Report it to the police.
  • Take immediate steps to mitigate damage, whether the suspected source of fraud is internal or external.
  • If the fraud concerns your bank account, contact your bank immediately.