What is CEO Fraud? Executive Impersonation Attacks Explained for Finance Teams
CEO fraud is a targeted form of Business Email Compromise where criminals impersonate senior executives to trick finance or HR staff into making urgent payments or sharing sensitive data. This guide explains how the attacks work, why they succeed, and which concrete procedures reliably stop them in 2026.
TL;DR
- CEO fraud is a targeted scam where attackers impersonate an executive to convince a finance or HR employee to authorise an urgent payment or share confidential data.
- Three delivery methods dominate: display name spoofing, look-alike domains, and a fully compromised executive mailbox. The last is the hardest to detect.
- Four psychological levers do the actual work: authority, urgency, secrecy, and plausibility built from public OSINT on LinkedIn and the company website.
- Five organisational procedures stop most attacks: out-of-band verification, four-eyes approval, IBAN-change protocol, a written rule that executives never request payments by email, and a 30-minute reporting threshold.
- 2026 adds a new layer: AI voice cloning and deepfake video calls used to confirm the fake email. Belgian business federation VBO has been warning about this trend since the start of 2026.
Introduction
CEO fraud is a form of social engineering in which a criminal impersonates a senior executive, usually the CEO or CFO, to manipulate an employee into transferring money or releasing confidential information. The target is almost always someone in finance, accounting, or HR, because those departments have the access and authority the attacker needs.
The pattern is consistent: the employee receives an urgent message that looks like it comes from a senior leader, requesting a payment, an IBAN change, or a list of personnel records. The request stresses confidentiality, leans on hierarchy, and adds time pressure. By the time anyone verifies through a second channel, the money is already gone. This guide explains how it works, why finance and HR are the primary targets, and which procedures actually stop it. If you suspect you are already compromised, start with our guide on signs you have been hacked and our Incident Response Plan for the first 72 hours.
CEO fraud, BEC, and whaling: terminology that matters
These three terms get used interchangeably in the press, but they are not the same thing. Business Email Compromise (BEC) is the umbrella category: any email-based fraud that targets businesses, including invoice fraud, payroll diversion, and vendor impersonation. CEO fraud is one specific sub-type of BEC, where the attacker impersonates a senior executive. Whaling is the inverse: phishing aimed at an executive, with the executive as the victim rather than the spoofed sender. Confusing the three leads to confused defences, which is why we keep the distinction clear in this article.
The three delivery methods of CEO fraud
Display name spoofing
The simplest variant. The attacker sends a message from any email address, but sets the display name to match a real executive. On mobile email clients, the address is often hidden by default, so the recipient only sees the executive's name without realising the underlying address is a personal Gmail or a random domain rather than the real corporate domain. This works because mobile users tap and reply quickly without expanding sender details.
Look-alike domains
A small step up. The attacker registers a domain that is visually almost identical to the real one: a number swapped for a letter, a missing character, or a hyphen inserted. The mail header looks legitimate at a glance. This technique requires the attacker to register a domain and configure SPF, DKIM, and DMARC records to avoid being flagged by mail filters, which they often do successfully.
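Both of these variants leave a trace in the one header the recipient rarely expands: the From line. The check below is an added example (not code from the original article or from any product it mentions) showing how a mail gateway rule or a finance-team triage script can classify a From header. The corporate domain example-corp.com, the executive roster and the sample headers are all constructed for the example. It flags a message as a display-name spoof when a known executive's name sits on an address outside the corporate domain, and as a look-alike domain when the sending domain lands within one edit of the corporate domain after folding the tricks the section describes (digit-for-letter swaps, a dropped character, an inserted hyphen).

```python
"""Classify inbound From: headers for executive-impersonation indicators.

Added example, not from the article. Everything below is constructed:
the corporate domain, the executive roster and the sample headers.
"""
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"                # assumed corporate domain
EXECUTIVES = {"anna peeters", "tom de smet"}          # assumed roster, casefolded

# Digits that attackers commonly substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise_domain(domain: str) -> str:
    """Fold the three tricks from the text: digit-for-letter swaps,
    inserted or removed hyphens, and the 'rn' for 'm' substitution."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("-", "").replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute); one edit is enough
    to catch a dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not the corporate domain but is within one
    edit of it after homoglyph and hyphen folding."""
    if domain.lower() == CORPORATE_DOMAIN:
        return False
    return edit_distance(normalise_domain(domain), normalise_domain(CORPORATE_DOMAIN)) <= 1


def classify_from_header(from_header: str) -> str:
    """Return 'ok', 'display-name-spoof' or 'lookalike-domain'.

    Look-alike domains are checked first: an executive's name on a
    look-alike domain is the more specific finding.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == CORPORATE_DOMAIN:
        return "ok"
    if domain and is_lookalike(domain):
        return "lookalike-domain"
    if name.strip().casefold() in EXECUTIVES:
        return "display-name-spoof"
    return "ok"


if __name__ == "__main__":
    # Constructed sample headers, one per case.
    samples = [
        "Anna Peeters <anna.peeters@example-corp.com>",      # genuine
        "Anna Peeters <anna.peeters.ceo@gmail.com>",         # display name only
        "Anna Peeters <a.peeters@examp1e-corp.com>",         # digit swap
        "Tom De Smet <tom@example-corp.co>",                 # dropped character
        "Newsletter <news@vendor.example>",                  # unrelated sender
    ]
    for header in samples:
        print(f"{classify_from_header(header):20s} {header}")
```

The same check belongs in two places: as a gateway rule that tags or quarantines the message, and as the mental routine the FAQ describes, expanding the header instead of trusting the name. A compromised executive mailbox, the third variant, passes this check by design, which is why the procedures later in the article do not depend on the header at all.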
Compromised executive mailbox
The most dangerous variant. The attacker actually controls the real executive's mailbox, usually after a successful phishing attack on the executive that bypassed MFA through Adversary-in-the-Middle techniques. From inside, the attacker reads the communication style, learns who handles payments, sees ongoing deals, and waits for the right moment. The fraudulent message is sent from the real address. If you suspect a mailbox has been compromised, a useful first check is whether the email address appears in a known data breach. Services like Have I Been Pwned tell you immediately if the credentials have leaked publicly, which is often the entry point for this variant. The full set of warning signs is described in our guide on detecting account compromise.
The four psychological levers attackers use
Authority
The message comes from the top. Most people are conditioned not to question a direct instruction from a senior leader, especially in hierarchical organisations. Attackers exploit this by using formal tone, signature blocks, and references to recent real events to make the message feel authentic.
Urgency
"This needs to happen today." "The deal closes in two hours." "I'm in a meeting and cannot talk." The pressure removes the time needed to verify through a second channel. Attacks are often timed for Friday afternoons, just before holidays, or right before the CEO is known to be flying, when verification by phone is practically impossible.
Secrecy
"Do not discuss this with anyone." "This is confidential until announced." Secrecy isolates the target from the colleagues who would normally catch the anomaly. It also conveniently prevents the target from walking down the corridor to the CFO's office.
Plausibility
The request fits the context. The attacker has spent days or weeks studying the company through LinkedIn, the website, recent press releases, and social media. They know there is an acquisition in progress, they know the CFO is on holiday, they know the name of the law firm the company uses. The fake message references these details, which makes it feel real.
A recent example: the Alkmaar case
In 2023, the Dutch municipality of Alkmaar lost over EUR 200,000 in a CEO fraud attack. Criminals impersonated a senior figure within the municipality and convinced a staff member to authorise transfers to fraudulent accounts. The case became public and is often cited as a clear example that CEO fraud does not only target large multinationals: municipalities, foundations, and small organisations are equally exposed, often more so because their payment procedures are less formal.
The five procedures that stop most CEO fraud
1. Out-of-band verification above a threshold
Any payment over a defined amount (often EUR 5,000 or EUR 10,000, depending on the organisation) must be confirmed through a second channel: a direct phone call to a known number, or a face-to-face check. Never reply to the original email to verify, because if the mailbox is compromised, the attacker is the one who answers and will simply confirm the request.
2. Four-eyes approval
No single person can release a payment above the threshold. Two approvers are required, each verifying independently. This procedure alone stops a large share of attacks, because the attacker would need to manipulate two people simultaneously rather than one.
3. IBAN-change protocol
A request to change a supplier's bank account number must always be verified by phone, using the number on file in the accounting system, not the number in the email. This is the single most common variant after CEO impersonation: vendor invoice redirection. The procedure costs five minutes per change and prevents most occurrences.
4. A written rule: executives never request payments by email
The rule must be explicit, communicated to all finance staff, and signed by the executives themselves. "If you receive an email from me asking for an urgent payment, treat it as fraudulent until verified by phone." This single sentence, applied consistently, neutralises the authority lever.
5. A 30-minute reporting threshold
Suspect messages must be reported to security or IT within 30 minutes, before any action is taken. The reporting channel should be a known internal email address or chat channel, not a reply to the suspect message. Fast reporting allows the organisation to warn other potential targets within the company before the attacker moves on to the next employee.
2026 trend: AI voice cloning and deepfake video calls
A new layer has appeared since the start of 2026. The Belgian business federation VBO FEB has warned about a wave of attacks targeting executives in Belgium specifically, where victims receive invitations for video calls with AI-generated images of known figures, or follow-up phone calls in which the executive's voice is cloned from public recordings.
The implication is straightforward: phone-based verification used to be the gold standard against CEO fraud, but a five-second voice clip from a podcast, conference talk, or webinar is now enough to generate a convincing voice clone. Verification procedures need to evolve. Authentication phrases known only inside the team, callback to a verified internal number rather than the number provided in the message, and short pre-agreed code words can all help. This trend connects to the broader pattern we describe in our post on AI-powered attacks.
How pentesting and awareness work together against CEO fraud
Two layers of defence are required. The technical layer tests whether your email infrastructure can be spoofed at all: SPF, DKIM, and DMARC records properly configured, third-party senders correctly aligned, and the absence of forwarding rules attackers can hide behind. This is part of what we cover in a social engineering assessment, which includes targeted phishing and pretexting against your finance team in a controlled way.
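The first thing the technical layer checks is what the domain publishes in DNS. The grader below is an added example (not from the article or from the assessment it describes) that reads an SPF record and a DMARC record and lists the settings that leave the domain spoofable: an SPF record ending in `~all`, `?all` or `+all` instead of `-all`, a DMARC policy of `p=none` or `p=quarantine`, a `pct` below 100, no `rua` address for aggregate reports, and a subdomain policy weaker than reject. The weak and hardened record pairs are constructed for the example, and the domains in them are placeholders; a real assessment would fetch the TXT records for the domain and for `_dmarc.<domain>` rather than reading them from constants.

```python
"""Grade published SPF and DMARC records for spoofability.

Added example, not from the article. The record pairs are constructed:
WEAK_* show a domain an attacker can spoof, STRONG_* the hardened form.
Tag names follow RFC 7208 (SPF) and RFC 7489 (DMARC).
"""

WEAK_SPF = "v=spf1 include:spf.mailer.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:spf.mailer.example -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example-corp.com")

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> list[str]:
    """Return weaknesses found; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    subdomain_policy = tags.get("sp", policy).lower()      # sp inherits p when absent
    if subdomain_policy != "reject":
        issues.append(f"subdomain policy is {subdomain_policy}: subdomains of your own domain can be spoofed")
    return issues


def _mechanism(term: str) -> str:
    """'include:spf.x.example' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    return term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()


def grade_spf(record: str) -> list[str]:
    """Return weaknesses found; an empty list means unknown senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unknown senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all: every host on the internet is an authorised sender")
        elif qualifier == "?":
            issues.append("?all: neutral, receivers treat unknown senders as unverified, not failed")
        elif qualifier == "~":
            issues.append("~all: soft fail, many receivers still deliver")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup mechanisms: over the RFC 7208 limit of 10, record evaluates as permerror")
    return issues


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}] SPF:   {grade_spf(spf) or 'ok'}")
        print(f"[{label}] DMARC: {grade_dmarc(dmarc) or 'ok'}")
```

The point of the weak pair is that it is not broken, it is merely permissive: the records parse, mail flows, and a look-alike or spoofed sender is still delivered. DKIM is not graded here because its selector records only matter once a message carries a signature; what the assessment checks for DKIM is that every legitimate third-party sender signs with a key aligned to the domain, which is a per-sender inventory task rather than a single record to parse.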
The human layer prepares the people who actually receive the messages. Security awareness training with realistic phishing, smishing, and CEO impersonation simulations gives staff the muscle memory to spot the patterns described above. Awareness alone is not enough, and technical hardening alone is not enough. The combination is what works.
Frequently Asked Questions
What exactly is CEO fraud?
CEO fraud is a targeted scam in which an attacker impersonates a senior executive, usually the CEO or CFO, to convince an employee in finance, accounting, or HR to authorise an urgent payment, change a supplier's bank details, or share confidential information. The attacker uses a combination of email impersonation, social engineering, and time pressure to bypass normal verification procedures.
How is CEO fraud different from phishing?
Phishing is broad and untargeted: a generic email sent to thousands of people, hoping a few click. CEO fraud is targeted and researched. The attacker studies the organisation through LinkedIn and public sources, identifies who handles payments, learns the executive's communication style, and crafts a specific message that fits the context. Phishing is volume. CEO fraud is precision.
Why do attackers target finance and HR?
Finance has the access and authority to release payments. HR has access to the entire personnel database, including salaries, addresses, and identity documents. Both departments handle requests under time pressure, both often serve multiple senior leaders, and both are trained to be responsive rather than skeptical. That combination is exactly what an attacker wants.
How do I recognise a CEO fraud email?
Look for the four levers in combination: authority (it comes from the top), urgency (it must happen now), secrecy (do not tell anyone), and plausibility (it references real context). Also check the sender address by expanding the header, not just the display name. Look for small domain variations, unusual sending times, and any request to change established payment procedures.
What should I do if I receive a suspicious email from our CEO?
Do not reply to the email. Do not click any links. Verify through a second channel: call the executive directly on a known internal number, or walk to their office if possible. Report the message to your IT or security team within 30 minutes. If you have already executed a payment, contact your bank immediately and file a report with the police.
Can a pentest prevent CEO fraud?
A pentest does not prevent every attempt, but a social engineering assessment tests the specific scenarios attackers use against your organisation: spoofed email, look-alike domains, pretext calls, and impersonation under time pressure. Combined with security awareness training, it removes the most common entry points and gives your finance team the practice they need to recognise the patterns. The goal is not perfection. It is making a successful attack harder, slower, and more likely to be detected.
Related services and resources
If you want to understand how attackers build the context they use in CEO fraud, read what a hacker actually does, from OSINT to pentesting. To see how the technical infrastructure that enables impersonation gets tested, our social engineering assessment covers email spoofing, look-alike domains, and pretext calls in a controlled exercise. Our penetration testing service tests the external attack surface that often leads to the executive mailbox compromise variant of CEO fraud, and our security awareness training prepares the people who receive these messages with realistic phishing and impersonation simulations.