How it works
The attacker spoofs the CEO's address, or registers a lookalike of it, then emails finance or HR with an urgent, confidential request. The authority of the role plus time pressure pushes the employee to skip the normal checks. It is a specific, common form of business email compromise.
Voice and video deepfakes are now used to back up the email on a follow-up call.
How it relates to brand impersonation
CEO fraud is executive impersonation turned into a direct payment scam, and it is especially dangerous for SMEs where one person can move money. The lookalike domains it needs are detectable in advance.
How nebty helps
Our business email compromise guide covers the controls that stop CEO fraud, and nebty monitors for the lookalike domains attackers register to impersonate your leadership.
How to shut the scam down
CEO fraud relies on a chain of small assumptions: that an urgent message from the boss is genuine, that confidentiality explains the secrecy, and that questioning a senior leader is risky. Break any link and the scam fails. The practical step is a standing rule that no payment or data release happens on an email instruction alone, no matter who it appears to come from; a second channel must confirm it. Make that rule explicit and blameless, so a junior employee feels safe pausing a CEO request. Watch for the lookalike sender domains the scam needs, since a message from an address at a lookalike domain instead of your real domain is a signal monitoring can catch before the first email. Our BEC guide covers the finance controls in full.