
CEO Fraud & Business Email Compromise (BEC)

Critical Threat Level

Executive impersonation attacks designed to trick employees into authorizing fraudulent wire transfers

$120K: Average loss per successful BEC attack
$43B: Total BEC losses 2016-2023 (FBI IC3)
98%: Success rate when employees don't verify

What is CEO Fraud / BEC?

Business Email Compromise (BEC), commonly called CEO fraud, is a sophisticated phishing attack where criminals impersonate company executives (CEO, CFO, or other C-level) to trick employees—typically in accounting or finance—into authorizing fraudulent wire transfers or revealing sensitive information.

Unlike mass phishing campaigns, BEC attacks are highly targeted and personalized. Attackers research the company's organizational structure, executive names, communication patterns, and business relationships before launching the attack.

Why It's So Effective:

  • Exploits organizational hierarchy and authority
  • Creates urgency and pressure to bypass normal procedures
  • Often occurs outside normal business hours when verification is harder
  • Uses social engineering rather than technical hacking

How CEO Fraud / BEC Attacks Work

Step 1: Research & Reconnaissance

Attackers gather intelligence about the target company:

  • LinkedIn profiles to identify executives and their roles
  • Company website for organizational structure
  • Social media for executive communication styles and travel schedules
  • Public filings for business relationships and vendors
  • Email patterns from data breaches or leaked credentials

Step 2: Domain Spoofing or Account Compromise

Attackers use one of three methods:

  • Domain Spoofing: Register a lookalike domain (companyname.co instead of companyname.com, or "rn" in place of "m" to fool quick readers)
  • Account Compromise: Hack the actual executive's email account through credential phishing or password reuse
  • Display Name Spoofing: Use the executive's real name but a fake email address

Step 3: The Urgent Request

The attacker sends a carefully crafted email with:

  • Time pressure: "I need this done immediately"
  • Confidentiality: "Don't discuss this with anyone"
  • Authority: Coming from CEO/CFO with expectation of compliance
  • Legitimacy: References to real vendors, acquisitions, or business deals
  • Timing: Often sent when executive is traveling or in meetings

Step 4: Wire Transfer Execution

If the employee complies:

  • Victim initiates wire transfer to attacker's account
  • Money is immediately moved through multiple accounts internationally
  • By the time fraud is discovered (hours or days later), money is gone
  • Recovery rate is typically less than 10%

Real-World Example

Ubiquiti Networks - $46.7 Million Loss (2015)

Attackers impersonated company executives and outside attorneys through email, convincing the finance department to wire $46.7 million to overseas accounts controlled by criminals. The company only recovered $8 million.

The Email Content:

From: "CFO Name" <cfo@ubiquiti-networks.com>

Subject: Urgent: Confidential Acquisition - Wire Transfer Required

"I'm in meetings with our legal team regarding the acquisition we discussed. I need you to process the following wire transfer immediately. This is time-sensitive and highly confidential. Our outside counsel will send wiring instructions shortly. Please coordinate directly with them and do not discuss this with anyone else on the team yet."

Red Flags: Urgency, confidentiality demand, external coordination, pressure to bypass verification

Detection Using Email Header Analysis

HeaderScope can help detect CEO fraud attempts by revealing authentication failures and routing anomalies:

Red Flags in Email Headers

  • SPF Failure: The "Return-Path" (envelope sender) domain doesn't match the From domain, or the sending server is not authorized for that domain, so the SPF check fails
  • DKIM Missing/Failed: No DKIM signature or failed verification indicates spoofing
  • Reply-To Mismatch: Reply-To address differs from From address (common in spoofing)
  • External Origin: "Received" headers show email originated from external/untrusted server
  • Unusual Routing: Email traveled through unexpected countries or mail servers
  • Display Name Spoofing: From header shows "CEO Name <randomuser@gmail.com>"

Example Header Red Flags:

Authentication-Results: spf=fail (sender IP is not authorized)
Authentication-Results: dkim=none (no signature found)
From: "John Smith, CEO" <john.smith@company-name.net>
Reply-To: payments@protonmail.com
Received: from smtp.gmail.com (not company mail server)

If your CEO's email normally has valid SPF/DKIM and originates from company mail servers, these failures are immediate red flags.
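As an added example (not HeaderScope's code and not part of the original page), the following Python script applies the header checks listed above, together with the lookalike-domain tricks described in Step 2, to two constructed messages. The company domain, its mail host names, the executive names and both sample messages are assumptions made for the demo; only the Python standard library is used.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the legitimate domain, its inbound mail hosts
# and the executive names an impersonator would borrow. Adjust for your org.
COMPANY_DOMAIN = "company-name.com"
COMPANY_MAIL_HOSTS = {"mx1.company-name.com", "mx2.company-name.com"}
EXECUTIVE_NAMES = {"john smith"}

# Constructed sample mirroring the header red flags described above.
SUSPICIOUS_MESSAGE = """\
Received: from smtp.gmail.com (smtp.gmail.com [192.0.2.10]) by mx1.company-name.com
Authentication-Results: mx1.company-name.com; spf=fail (sender IP is not authorized) smtp.mailfrom=company-name.net; dkim=none (no signature found); dmarc=fail
From: "John Smith, CEO" <john.smith@company-name.net>
Reply-To: payments@protonmail.com
To: accounts@company-name.com
Subject: Urgent: Confidential Acquisition - Wire Transfer Required

I need you to process the following wire transfer immediately.
"""

# Constructed sample of what the same executive's legitimate mail looks like.
LEGITIMATE_MESSAGE = """\
Received: from mx1.company-name.com (mx1.company-name.com [192.0.2.20]) by mx2.company-name.com
Authentication-Results: mx2.company-name.com; spf=pass smtp.mailfrom=company-name.com; dkim=pass header.d=company-name.com; dmarc=pass
From: "John Smith, CEO" <john.smith@company-name.com>
To: accounts@company-name.com
Subject: Q3 vendor review

Please send me the approved vendor list when you have a moment.
"""


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()


def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from every Authentication-Results header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def is_lookalike(domain, legit):
    """Detect the lookalike tricks from Step 2: a swapped TLD (.net or .co for
    .com), 'rn' standing in for 'm', or a hyphen added or removed."""
    if not domain or domain == legit:
        return False
    normalize = lambda d: d.split(".")[0].replace("rn", "m").replace("-", "")
    return normalize(domain) == normalize(legit)


def analyze(raw_message):
    """Return a list of red-flag descriptions for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []

    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "none")   # a missing result counts as "none"
        if result != "pass":
            flags.append(f"{method.upper()} {result}")

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    company_sender = from_domain == COMPANY_DOMAIN or from_domain.endswith("." + COMPANY_DOMAIN)

    if is_lookalike(from_domain, COMPANY_DOMAIN):
        flags.append(f"From domain {from_domain} is a lookalike of {COMPANY_DOMAIN}")

    # "John Smith, CEO" -> "john smith": compare the bare name against known executives
    bare_name = display_name.split(",")[0].strip().lower()
    if bare_name in EXECUTIVE_NAMES and not company_sender:
        flags.append(f"Display name spoofing: '{display_name}' with non-company address {from_addr}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To mismatch: replies go to {reply_addr}, not {from_addr}")

    # The last Received header is the first hop, i.e. where the message entered.
    received = msg.get_all("Received", [])
    first_hop = re.match(r"from\s+(\S+)", received[-1]) if received else None
    if first_hop and first_hop.group(1).lower() not in COMPANY_MAIL_HOSTS:
        flags.append(f"External origin: message entered from {first_hop.group(1)}")

    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        flags = analyze(raw)
        print(f"{label}: {len(flags)} red flag(s)")
        for flag in flags:
            print("  -", flag)
```

Run it directly to see the suspicious sample raise all seven flags while the legitimate one raises none. One design point worth carrying into a real deployment: a sender can include its own forged Authentication-Results header, so production code should only trust the header whose leading authserv-id is your own receiving mail host (the script above accepts any, which is fine for the demo).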

Prevention Strategies

1. Multi-Channel Verification (Most Critical)

Require verification through a separate communication channel for ANY financial request:

  • Call the requester using a known phone number (NOT one provided in the email)
  • Walk to their office if they're on-site
  • Use internal messaging system (Slack, Teams) to confirm
  • Never rely solely on email for wire transfer authorization

2. Formal Wire Transfer Procedures

  • Require dual approval for all wire transfers above threshold (e.g., $10,000)
  • Mandate in-person or phone verification for unusual requests
  • Create approved vendor list with verified banking information
  • Flag any changes to vendor payment details for additional verification
  • Delay processing: Wait 24 hours for large or unusual transfers

3. Technical Controls

  • Enable SPF, DKIM, and DMARC authentication for your domain
  • Configure email warnings for external emails that appear to be from executives
  • Use email security gateways that flag display name spoofing
  • Implement multi-factor authentication (MFA) for all email accounts
  • Monitor for lookalike domain registrations (typosquatting)

4. Employee Training

  • Train finance team to recognize CEO fraud tactics and red flags
  • Conduct simulated BEC attacks to test employee awareness
  • Create culture where verification is expected and encouraged
  • Teach employees to check email headers using tools like HeaderScope
  • Emphasize: "It's okay to question authority when money is involved"

5. Executive Awareness

  • Executives should use code words or signatures for financial requests
  • Never demand confidentiality or urgency for legitimate requests
  • Support employees who verify rather than criticize "delays"
  • Secure executive email accounts with MFA and strong passwords
  • Limit publicly available information about executive schedules

If You've Sent a Wire Transfer to Scammers

Act immediately - every minute counts:

  1. Contact your bank immediately: Request wire recall. Banks can sometimes reverse transfers if caught within hours.
  2. Contact receiving bank: Request they freeze the funds and alert fraud department.
  3. File FBI IC3 report: Go to ic3.gov immediately. FBI may be able to assist with recovery.
  4. File local police report: Required for insurance claims and bank cooperation.
  5. Notify cyber insurance carrier: If you have coverage, report within required timeframe.
  6. Preserve evidence: Save all emails with full headers, don't delete anything.
  7. Internal investigation: Determine how the attack succeeded and close security gaps.

Recovery Rate: Only 10-15% of BEC losses are recovered. Speed is critical.

Analyze Suspicious Emails with HeaderScope

When you receive an unexpected financial request from an executive, use HeaderScope to check the email headers before taking action:

  • Verify SPF, DKIM, and DMARC authentication results
  • Check if the email originated from company mail servers
  • Identify reply-to address mismatches
  • Review the complete delivery path for anomalies