
CEO Fraud: what it is, how to recognise and prevent it

CEO fraud is one of the most lucrative forms of cybercrime targeting businesses. Criminals impersonate a director or senior executive and send an urgent payment request to the finance team. The money is transferred before anyone realises something is wrong. This article explains how CEO fraud works, how to recognise it, and how to protect your organisation.

What is CEO fraud?

CEO fraud, also called executive impersonation fraud, is the best-known form of Business Email Compromise (BEC): a targeted attack in which fraudsters pose as a senior executive within an organisation. This is typically the CEO, CFO or another person with authority over financial decisions.

The attacker sends an email to a member of the finance, procurement or payroll team. The message appears to come from the CEO or director and contains an urgent request: transfer a sum of money to a specified account today. The justification varies: a confidential acquisition, an emergency abroad, a payment that must go through to close a deal.

CEO fraud is a targeted form of phishing (spear phishing) in which the attack is highly personalised. The fraudster does their research (OSINT) and knows the director's name, the organisation's structure and sometimes even ongoing projects. This makes the email particularly convincing. For a broader overview of the risks, see our article on the dangers of phishing for businesses.

Scale of the problem: The FBI puts worldwide losses from Business Email Compromise, the category that includes CEO fraud, at over $50 billion over the past decade. In the Netherlands, police received hundreds of reports of successful CEO fraud targeting SMEs in 2024 alone.

CEO fraud examples

The examples below are fictional but realistic, based on the characteristics of CEO fraud incidents that occur in Dutch SMEs.

Example 1: Construction company, Friesland (65 employees)

The CFO of a mid-sized construction company receives an email on a Friday afternoon that appears to be from the director. The director is "in a meeting" and writes that a deposit of 47,000 euros must be transferred today for a confidential land acquisition. Nobody else can know about it yet. The CFO hesitates but the director is hard to reach and the deadline is pressing. The money is transferred. On Monday morning it turns out the director knew nothing about the email.

Loss: 47,000 euros, not recovered.

Example 2: Accounting firm, Utrecht (38 employees)

A payroll administrator receives an email from the "CEO" asking to update the IBAN details of a regular supplier. A modified PDF is attached with new bank details. The employee enters the change through the normal system, without calling the supplier on the number already on file. Three monthly invoices are paid to the new account, totalling 89,000 euros, before the real supplier contacts the firm about missing payments.

Loss: 89,000 euros, partially covered by cyber insurer after a lengthy claims process.

Example 3: Care organisation, Drenthe (120 employees)

A new finance employee receives a WhatsApp message from an unknown number identifying itself as the organisation's director. Could she arrange an urgent transfer of 125,000 euros for medical equipment being delivered today? The employee assumes it is normal for the director to communicate via WhatsApp and follows the instruction. The "director" was a fraudster who had found the phone number on LinkedIn.

Loss: 125,000 euros, reported to police, funds not recovered.

How to recognise a CEO fraud email

CEO fraud emails are carefully crafted to appear genuine. Yet there are six recurring characteristics that betray an attack:

1. Extreme urgency

The email demands immediate action: "must be done today", "within 2 hours", "before 4pm". This time pressure prevents the recipient from thinking clearly or seeking verification.

2. Request for secrecy

"Don't tell anyone", "this must stay confidential", "don't discuss with colleagues". This isolates the recipient and prevents a colleague from raising doubts that could expose the fraud.

3. Slightly different email address

The address resembles the real one but has a subtle difference: ceo@coboo-nl.com instead of ceo@coboo.nl, a zero in place of the letter o, or an extra letter you miss when reading quickly. Always check the full email address, not just the display name: the name shown next to the address is free text chosen by the sender, so the director's name can appear above any address. Note also that an attacker can use your exact domain if it is not protected. Only an enforcing DMARC policy (backed by SPF and DKIM) lets receiving mail servers reject mail that forges your domain, which is why attackers so often fall back on lookalike domains.

4. Unusual communication channel

CEO fraud sometimes arrives via WhatsApp, SMS or a personal email account. The attacker claims their work account "isn't working right now". Financial requests that arrive via unusual channels always warrant extra verification.

5. Bypassing normal procedures

"This amount normally requires sign-off from two people but make an exception" or "skip the normal payment process". Any request that tries to bypass security procedures is a red flag.

6. Large transfer to an unknown account

The destination account is unknown, is in another country or has just been changed. The goal of CEO fraud is almost always a bank transfer to an account the attacker controls (variants asking for gift cards or cryptocurrency exist, but the pattern is the same). Never send money to a new account number without verification via a known telephone number.
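The six signs above can be checked mechanically on an incoming message before a human ever reads it. The following Python script is an added example, not part of this article or of any CoBoo product: it parses a raw email, flags a sender domain that is not the trusted one but looks like it (within two character edits, or containing the trusted domain's first label, as coboo-nl.com does), checks whether an executive's display name sits above an address that is not theirs, compares Reply-To with From, and scans the body for urgency, secrecy, bypass and payment phrases. The trusted domain coboo.nl is the one used in this article; the executive name and address, the phrase lists and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example data (not real): one trusted domain and one executive.
TRUSTED_DOMAINS = {"coboo.nl"}
EXECUTIVES = {"jan de vries": "j.devries@coboo.nl"}

# Phrase lists are illustrative; a real deployment would tune them per language.
SIGNALS = {
    "urgency": ("today", "within 2 hours", "before 4pm", "immediately", "right now", "asap"),
    "secrecy": ("don't tell anyone", "keep this confidential", "don't discuss", "between us", "confidential"),
    "bypass": ("make an exception", "skip the normal", "without the second signature"),
    "payment": ("transfer", "payment", "iban", "bank details"),
}


def edit_distance(a, b):
    """Plain Levenshtein distance; domain names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain is not trusted but resembles a trusted one: within two
    edits (cob00.nl) or containing the trusted first label (coboo-nl.com)."""
    if domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if edit_distance(domain, trusted) <= 2 or label in domain:
            return True
    return False


def body_text(msg):
    """Return the first text/plain part, for multipart and single-part messages."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def analyse(raw):
    """Return the CEO-fraud signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")

    # The display name is free text: an executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' but address {addr} (expected {expected})")

    # A reply would go to Reply-To, so "just reply to confirm" proves nothing.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    text = body_text(msg).lower()
    for signal, phrases in SIGNALS.items():
        hits = [p for p in phrases if p in text]
        if hits:
            findings.append(f"{signal}: {', '.join(hits)}")
    return findings


# Constructed sample: the Friesland example from this article, written as an email.
FRAUD = """\
From: Jan de Vries <jan.devries@coboo-nl.com>
Reply-To: j.devries.private@outlook.com
To: finance@coboo.nl
Subject: Urgent and confidential
Content-Type: text/plain; charset=utf-8

I'm in meetings all afternoon and can't take calls. We need a transfer of
47,000 euro today for a confidential land acquisition. Don't tell anyone yet.
Please make an exception for the two-signature rule, I will sign on Monday.
"""

# Constructed sample: a routine message from the real executive address.
LEGIT = """\
From: Jan de Vries <j.devries@coboo.nl>
To: finance@coboo.nl
Subject: Invoice batch
Content-Type: text/plain; charset=utf-8

Attached is the approved invoice batch for this week, no changes to beneficiaries.
"""

if __name__ == "__main__":
    for line in analyse(FRAUD):
        print(line)
    print("legit:", analyse(LEGIT))
```

A scanner like this is a triage aid for the mail gateway or the shared finance mailbox, not a replacement for the telephone verification described below: an attacker who knows the word list writes around it, and an exact-domain spoof against an unprotected domain passes the address checks entirely.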

Preventing CEO fraud: a step-by-step plan for businesses

CEO fraud is largely preventable with the right procedures and awareness. Follow this plan:

Step 1: Four-eyes principle for payments

Establish a firm rule: every payment above a threshold amount (e.g. 5,000 euros) requires approval from two different people, neither of whom is the person who entered the payment. This applies even when the request appears to come from the director. Document this in policy and ensure all relevant staff know it.

Step 2: Mandatory telephone verification

For any unexpected payment request or IBAN change, call the requester back on a known number from the company directory. Never call the number in the email or the attached PDF, and do not treat a reply to the email as verification: the reply goes to whatever address the attacker put in the From or Reply-To header. For a supplier's bank details, call the supplier on the number already on file, not the one on the new letterhead. This single step prevents the majority of CEO fraud cases.

Step 3: Set transfer limits

Configure your banking software so that one-off transfers above a certain amount are blocked or delayed. Some banks also offer a verification step for new beneficiaries. Use these features actively.
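Steps 1 to 3 hold up best when the payment system enforces them as rules rather than leaving them to memory on a Friday afternoon. The following Python model is an added example, not CoBoo's code or that of any banking product: it represents a payment request and refuses release until the four-eyes rule (two approvers, neither the person who entered the payment), a callback on a directory number and a hold on first payments to a new account are all satisfied. The 5,000 euro threshold and the 47,000 euro Friesland request come from this article; the directory entries, the names, the fake IBANs and the 24-hour hold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Policy parameters. 5,000 euros is the example threshold from Step 1;
# the 24-hour hold on a first payment to a new account is an assumed value.
FOUR_EYES_THRESHOLD = 5_000
NEW_BENEFICIARY_HOLD = timedelta(hours=24)

# Constructed directory: the ONLY source of numbers accepted for callback verification.
DIRECTORY = {"director": "+31 58 000 0001", "supplier-bv": "+31 30 000 0002"}
# Constructed list of accounts that have been paid before (IBANs are fake).
KNOWN_BENEFICIARIES = {"NL00TEST0000000002": "supplier-bv"}


@dataclass
class PaymentRequest:
    requester: str                  # employee who entered the payment
    on_behalf_of: str               # directory key of whoever the request claims to come from
    amount: float
    iban: str
    created: datetime
    approvers: set = field(default_factory=set)
    callback: Optional[Tuple[str, str]] = None   # (verifier, number dialled)


def approve(req: PaymentRequest, approver: str) -> bool:
    """Second signature. The person who entered the payment can never approve it."""
    if approver == req.requester:
        return False
    req.approvers.add(approver)
    return True


def record_callback(req: PaymentRequest, verifier: str, number_dialled: str) -> bool:
    """Telephone verification counts only if the number dialled is the directory
    number of the party the request claims to come from, never a number taken
    from the email, the PDF or the chat message itself."""
    if number_dialled != DIRECTORY.get(req.on_behalf_of):
        return False
    req.callback = (verifier, number_dialled)
    return True


def release_decision(req: PaymentRequest, now: datetime) -> Tuple[bool, list]:
    """Return (release, blocking_reasons); an empty list means the payment may go out."""
    reasons = []
    new_beneficiary = req.iban not in KNOWN_BENEFICIARIES
    if req.amount > FOUR_EYES_THRESHOLD and len(req.approvers) < 2:
        reasons.append("needs two approvers distinct from the requester")
    if (new_beneficiary or req.amount > FOUR_EYES_THRESHOLD) and req.callback is None:
        reasons.append("no telephone verification on a directory number")
    if new_beneficiary and now - req.created < NEW_BENEFICIARY_HOLD:
        reasons.append("first payment to this account: held for 24 hours")
    return (not reasons, reasons)


def friesland_scenario():
    """Walk the article's Friesland example through the policy; returns each decision."""
    friday = datetime(2025, 3, 7, 15, 30)
    req = PaymentRequest("cfo", "director", 47_000, "NL00TEST0000000001", friday)
    steps = {}
    steps["as entered"] = release_decision(req, friday)
    steps["self-approval accepted"] = approve(req, "cfo")                     # rejected
    approve(req, "controller")
    approve(req, "finance-manager")
    # The number in the email is not the directory number, so this is rejected.
    steps["callback on number from email"] = record_callback(req, "controller", "+31 6 0000 0000")
    record_callback(req, "controller", DIRECTORY["director"])
    steps["after approvals and callback"] = release_decision(req, friday + timedelta(hours=2))
    steps["after hold"] = release_decision(req, friday + NEW_BENEFICIARY_HOLD)
    # A routine small payment to a known supplier needs none of this.
    routine = PaymentRequest("clerk", "supplier-bv", 800, "NL00TEST0000000002", friday)
    steps["routine supplier payment"] = release_decision(routine, friday)
    return steps


if __name__ == "__main__":
    for step, outcome in friesland_scenario().items():
        print(f"{step}: {outcome}")
```

The hold is the piece most often missing in practice: even with two approvers and a callback, a first payment to a new account waits long enough for the real director or the real supplier to notice, which is exactly the window the Friday-afternoon timing is chosen to deny.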

Step 4: Train staff through phishing simulations

CEO fraud is a form of phishing based on social manipulation. Employees who are regularly exposed to simulated phishing, including CEO fraud scenarios, are demonstrably better at recognising real attacks. A phishing simulation makes vulnerabilities visible and builds genuine awareness without causing harm.

Step 5: Clear escalation procedure

Make sure employees know what to do when they have doubts: who do they call? How do they report a suspicious message? A culture where doubt is rewarded, not punished as obstructive, is your strongest defence. Employees who fear looking foolish click more often. Employees who know reporting is valued become your front line of protection.

Financial impact of CEO fraud

CEO fraud is so effective because the money disappears quickly and irreversibly. Once a transfer has been made to a foreign account, often via multiple intermediate stops, recovery is virtually impossible. With instant payments the funds are settled within seconds and typically moved on within minutes; a recall only succeeds while the money is still in the receiving account, so the bank must be alerted within hours at most. In practice, it takes hours or days before the fraud is discovered.

CEO fraud costs a business on average between 50,000 and 150,000 euros per incident. In larger organisations or with staged fraud over multiple periods, amounts can run into millions of euros. Beyond the direct financial loss, there are indirect costs: investigation expenses, legal fees, reputational damage with clients and staff, and in some cases a mandatory GDPR notification to the data protection authority if personal data was also compromised.

Important: Many cyber insurance policies cover CEO fraud, but only if demonstrable policies and procedures were in place. Without documentation of awareness training and payment controls, the insurer may refuse a claim.

Frequently asked questions about CEO fraud

What are examples of CEO fraud?

Examples of CEO fraud include: a fake email from the director requesting an urgent transfer for a confidential acquisition, a forged PDF with updated supplier bank details, or a WhatsApp message from a "board member" via an unknown number. In every case, urgency and secrecy are central.

How do you recognise CEO fraud?

Recognise CEO fraud by six signs: extreme urgency, request for secrecy, a slightly different email address, unusual communication channels, a request to bypass normal approval procedures, and a payment to a new or unfamiliar account.

What does CEO fraud cost a business on average?

CEO fraud costs a business on average between 50,000 and 150,000 euros per incident. Recovery of the funds is rarely possible once the transfer has been processed. On top of the direct financial loss come investigation costs, legal fees and potential reputational damage.

What should you do if you fall victim to CEO fraud?

Contact your bank immediately and request an urgent recall of the transfer; have the amount, the beneficiary IBAN, the transaction reference and the time of the transfer ready, because the receiving bank can only freeze funds that are still in the account. Preserve the original message with its full headers (and screenshots of any WhatsApp or SMS exchange) as evidence. File a police report. Notify your cyber insurer. If personal data was involved, you may be required to report the incident to the data protection authority within 72 hours.

Protect your business against CEO fraud with a phishing simulation

A phishing simulation including CEO fraud scenarios shows which employees are vulnerable, safely, in a controlled environment, without any harm. CoBoo runs simulations for businesses of all sizes across the Netherlands.


Request a free quote

Whether you have 5 or 500 employees, there is a solution for every business size.
