Don't be a victim of CEO fraud

Avoid falling prey to fraudulent email scams with this checklist

CEO fraud and spoofed emails are rapidly becoming the attack of choice for many criminals, making it harder for business owners to distinguish genuine emails from fraudulent ones.

A recent report from the City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that businesses have lost over £32 million as a result of CEO fraud.  

How does this scam work?

CEO fraud will typically start with an email being sent from a fraudster pretending to be a company director or CEO to a member of staff in a company’s finance department. The fraudster will ask the finance staff to quickly transfer money to a certain bank account for a specific reason. The member of staff will do as their boss has instructed, only to find that they have sent money to a fraudster’s bank account. 

The fraudster will normally redistribute this money into other mule accounts and then close down the bank account to make it untraceable.

Out of the £32 million reported lost by businesses to CEO fraud, victims have recovered only £1 million. This is because businesses take too long to discover that they have been defrauded, by which time the fraudsters have already moved the money on into mule accounts. Most businesses reported initially being contacted via emails with and suffixes, which in itself should be a huge red flag.

According to Steve Proffitt, deputy head of Action Fraud, awareness is the best ammunition against this type of fraud. “Employees should be encouraged to double check everything they do and never be rushed into transferring large amounts of money even if they do think that it’s an important task given to them by their CEO. An increased awareness of this type of fraud amongst businesses will no doubt make it far harder for fraudsters to succeed.”

An unfortunate example

Action Fraud revealed one particular example where a globally established healthcare business was conned out of £18.5 million. The average amount siphoned by this scam is £35,000 but this can vary. 
In July last year, a man purporting to be a senior member of staff phoned the company’s financial controller, based in one of the company’s Scottish offices, and asked her to transfer money to accounts in Hong Kong, China and Tunisia. After a number of calls and emails, the financial controller fell for the con.

The usual target

Limited companies are the most targeted type of business, accounting for 52 per cent of reports to Action Fraud. 22 per cent of reports have come from businesses within London, suggesting that the problem is particularly affecting the capital.

“CEO fraud is a real and growing threat for businesses of all sizes but there are many ways in which you can lessen the risk of becoming the next victim. The most important thing you can do is educate yourself on what to look out for,” Lee Munson, researcher at advised. 

A checklist: is this fraud?

Here are some tell-tale signs that the email you just received is attempting to defraud your company:

  • The sender of the message claims they are a newly-appointed manager or director within an organisation you already do business with.
  • They will know some basic details about you, having gleaned the information from social networking sites.
  • The criminal behind the message will use language that prompts a swift reply – the less time you have to think, the more likely it is you will reply without taking the risks into consideration.
  • If you don’t reply quickly, the sender will not be shy about sending a follow-up message to prompt you into complying.
  • Just like other phishing emails, CEO fraud is popular in the run up to the weekend – be especially wary of money transfer requests received late on a Friday afternoon, a time when the attacker knows your attention span will be at its lowest.
  • While some fraudsters will spoof their email addresses to appear legitimate, many still rely upon generic accounts, so if you receive a message from, ask yourself why a corporate email address was not used instead.
  • Many spear-phishing emails employ poor grammar, feature simple spelling mistakes or use language that would not pass a large corporate’s legal and communications teams.
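The indicators in the checklist above can be turned into a first-pass triage rule for inbound mail. The following is an added example written for this page; it is not code from the original article or from Action Fraud. The corporate domain, the executive directory, the generic-webmail list, the keyword regexes, the scoring weights and the three sample messages are all constructed assumptions for the demonstration. It parses a raw message, checks whether an executive's display name arrives from a non-corporate, generic or one-character lookalike domain, looks for urgency and payment language, and notes the late-Friday timing the checklist warns about.

```python
"""Heuristic triage of an inbound email for CEO-fraud indicators.

Added example, not code from the original article or from Action Fraud.
Domain, directory, keyword lists, weights and sample messages are
constructed assumptions for this demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from typing import List

CORPORATE_DOMAIN = "example.co.uk"                       # assumed
EXECUTIVES = {"jane smith", "tom baker"}                 # assumed directory
GENERIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(transfer|wire|payment|invoice|bank details|sort code|iban)\b", re.I)

# Weights are an arbitrary assumption; identity mismatches dominate on purpose.
WEIGHTS = {"exec-name-external-domain": 3, "generic-webmail-sender": 3,
           "lookalike-domain": 3, "urgency-language": 2,
           "payment-instruction": 1, "friday-afternoon": 1}
THRESHOLD = 4


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> List[str]:
    """Return the names of the indicators that fire for one RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    flags = []

    # An executive's name on a non-corporate address is the core CEO-fraud pattern.
    if display.strip().lower() in EXECUTIVES and domain != CORPORATE_DOMAIN:
        flags.append("exec-name-external-domain")
    if domain in GENERIC_DOMAINS:
        flags.append("generic-webmail-sender")
    if domain != CORPORATE_DOMAIN and edit_distance(domain, CORPORATE_DOMAIN) <= 1:
        flags.append("lookalike-domain")
    if URGENCY.search(text):
        flags.append("urgency-language")
    if PAYMENT.search(text):
        flags.append("payment-instruction")
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() == 4 and sent.hour >= 15:      # late Friday afternoon
            flags.append("friday-afternoon")
    except (TypeError, ValueError):
        pass                                             # missing or unparsable Date
    return flags


def is_suspicious(raw: str) -> bool:
    """True if the weighted score says the message should be held for verification."""
    return sum(WEIGHTS[f] for f in triage(raw)) >= THRESHOLD


# Constructed sample messages; none is real correspondence.
FRAUD = """\
From: Jane Smith <jane.smith.ceo@gmail.com>
To: accounts@example.co.uk
Subject: Urgent transfer needed today
Date: Fri, 04 Mar 2016 16:42:00 +0000

I am in a meeting and cannot take calls. Please transfer 35,000 to the
account below immediately and keep this confidential until I am back.
"""

LOOKALIKE = """\
From: Jane Smith <jane.smith@examp1e.co.uk>
To: accounts@example.co.uk
Subject: Supplier payment
Date: Wed, 02 Mar 2016 11:05:00 +0000

Please arrange the payment to the new supplier account details attached.
"""

GENUINE = """\
From: Tom Baker <tom.baker@example.co.uk>
To: accounts@example.co.uk
Subject: Q2 supplier invoice schedule
Date: Tue, 01 Mar 2016 09:15:00 +0000

Attached is the supplier payment schedule we agreed at Monday's meeting.
"""

if __name__ == "__main__":
    for name, raw in (("FRAUD", FRAUD), ("LOOKALIKE", LOOKALIKE), ("GENUINE", GENUINE)):
        print(name, is_suspicious(raw), triage(raw))
```

Two caveats a practitioner should keep in mind. First, a genuine invoice email trips the payment indicator too, which is why the result is a score to route the message for out-of-band verification rather than a reason to block it. Second, these checks inspect only the visible sender address; a message whose From header is spoofed to the real corporate domain passes every identity test here, which is exactly why the advice later on this page to confirm any payment instruction through a known channel still applies.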

How you can protect your business

  • Ensure all staff, not just finance teams, know about this fraud.
  • Even if you personally know the person who apparently sent the email, always contact them through their known channels to verify both their identity and the nature of their request.
  • Have a system in place which allows staff to properly verify contact from their CEO or senior members of staff; for example having two points of contact so that the staff can check that the instruction which they have received from their CEO is legitimate.  
  • Never be rushed into responding to an email that asks for payment of an invoice, the transfer of confidential information, or anything else for that matter.
  • Always review financial transactions to check for inconsistencies/errors, such as a misspelt company name.
  • Consider what information is publicly available about the business and whether it needs to be public.
  • Ensure computer systems are secure and that antivirus software is up to date.

If you’ve been a victim of fraud, get in touch with Action Fraud.

Praseeda Nair

Praseeda was Editor for from 2016 to 2018.