Recognising CEO Fraud with Examples

CEO fraud is a sub-category of Phishing attacks, involving the impersonation of a high-ranking member of a company, usually instructing an employee via email to transfer a certain amount of money for supposedly valid work-related reasons.

When it comes to identifying CEO fraud, or any online attack, it can be much easier when shown clear examples of what details to look out for. The following images are a mixture of real experiences and mocked up examples to help you spot a scam.


Case 1: The Look-alike Email Address

This phishing attempt is a real encounter from the company Centrify, sent to the company’s VP of Finance. Adding to the realism, the message appears to not only be written by the CEO Tom, but also forwarded by the CFO Timothy. In this example the scammers covered a lot of their bases, obviously researching the company – possibly on LinkedIn – to get the name spellings correct, as well as the email address structure. However, the one detail that does catch the scammer out, if you have a keen eye, is that the email domains used aren’t an exact match, but rather a look-alike.

The scammers have added an extra letter to make it ‘’ rather than ‘’, which – at a glance – can blend in perfectly, showing just how essential it is to read your emails carefully, even if they don’t seem suspicious at first. In fact, the VP of Finance didn’t even notice this element initially and was simply lucky enough to bump into the real Tim who, of course, hadn’t heard anything about a wire transfer. 


Case 2: Perfect Match

In Another example from Centrify, we can see that sometimes hackers can make it appear as though they are actually sending a message from the real email – as you can see there are no extra or missing letters like the look-alike domains. However, if you were to reply to this email, it obviously wouldn’t be sent to the real Timothy – in this instance when they went to reply to the attacker it was sent to an email address on a Czech domain.


Case 3: Spell Check

spelling ceo

In this example there are clear spelling and grammar errors – quite a few for such a short message. You would think this would be the most obvious way to spot a scam, however it’s not always the case as the sender could simply be typing in a rush, not worrying too much about professionalism since the message is only internal, or it could even be from an employee who’s first language isn’t English. Of course, if the apparent sender is somebody you email regularly, it should be easy enough to notice if these errors are straying away from their usual writing style.

In 2016 a bank in Bangladesh saved themselves from being scammed out of nearly $1 Billion thanks to a single spelling mistake. The hackers had misspelled ‘foundation’ as ‘fandation’, instantly raising suspicion and prompting the bank to cancel their transaction immediately. 


Case 4: Malicious Attachments

attachment ceo

Although most CEO fraud attacks will ask for a financial transfer or sensitive data, that isn’t always the case. In this example the scammer sent a very brief message with an attached image which, when clicked, will prompt the download of a data stealing malware. Avoiding this issue is quite simple, as a good email security service can scan attachments for threats like this and block them.

However, still use caution when opening suspicious attachments – even with virus protection – as these can occasionally be bypassed by sophisticated scams, such as the zero-day Russian invoice scam from 2016.






Share this post

Close Menu