CEO Fraud: How One Email Can Cost a Company $125,000
CEO fraud is the BEC variant where attackers impersonate company leadership. Here is the anatomy of a successful attack and what works.
CEO fraud is the email scam that has cost American businesses billions of dollars over the last decade. The mechanism is simple: an attacker impersonates the CEO, founder, or another senior executive and convinces a finance or operations employee to take an action that moves money or data to the attacker. The FBI’s Internet Crime Complaint Center (IC3) reports that business email compromise, the category that includes CEO fraud, accounted for about $2.9 billion in reported losses in 2023, with average losses around $125,000 per incident.
This post is the structural anatomy of how CEO fraud works, why it succeeds even against careful employees, and the specific defenses that catch it.
The Standard Anatomy
A typical CEO fraud attack has four phases.
Phase one: reconnaissance. The attacker selects a target company and studies its leadership. LinkedIn profiles give the names and titles of the executive team. Press releases and conference appearances give writing samples and recent business context. Social media gives travel patterns, vendor relationships, and operational tempo. Public filings give financial scale. Paid OSINT tools (or breach data) give email addresses and possibly phone numbers.
The reconnaissance phase often takes one to four weeks. The attacker is not in a hurry; they are building a profile sophisticated enough to support a believable impersonation when they launch the attack.
Phase two: setup. The attacker establishes the sending infrastructure. Options:
- Register a lookalike domain (acmec0rp.com versus acmecorp.com) and configure clean SPF, DKIM, and DMARC records. Authentication passes because the attacker controls the lookalike domain; those records prove that a message came from the domain it names, not that the domain is the one the recipient thinks it is.
- Compromise an actual email account at the company through earlier phishing, password reuse, or credential theft. This is the higher-effort path but produces the most convincing attack because mail genuinely comes from the legitimate domain, and nothing in the headers distinguishes it from the executive’s real mail.
- Use display-name spoofing, where the visible “From” name says “Mark Wilson, CEO” while the underlying address is on an unrelated domain. This works on clients that show the display name prominently, and mobile clients often hide the address entirely.
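An added example, not code from the original post, of the header checks that catch the first and third setup paths and, just as importantly, show nothing for the second. The company domain, the executive list, the confusable-character table, and the three sample messages are all constructed for this example; the compromised-account sample is there to make the point that clean authentication results are not a fraud signal.

```python
"""Header-level checks for the lookalike-domain and display-name paths of CEO fraud."""
import email
from email.utils import parseaddr

# Assumptions, constructed for this example: the defended company's domain and the
# executives whose names an impersonator would borrow (finance would maintain this list).
COMPANY_DOMAIN = "acmecorp.com"
EXECUTIVE_NAMES = {"mark wilson"}

# Visual substitutions attackers use when registering lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _skeleton(label):
    """Collapse common substitutions so 'acmec0rp' and 'acmecorp' compare equal."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def _edit_distance(a, b):
    """Plain Levenshtein distance; domain labels are short enough for the O(n*m) table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_label(domain):
    """'mail.acmec0rp.com' -> 'acmec0rp' (assumes a one-part public suffix such as .com)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain, company_domain=COMPANY_DOMAIN):
    """True for a domain that is not ours but imitates ours by confusables or a near-miss spelling."""
    if domain.lower() == company_domain.lower():
        return False
    ours, theirs = _registrable_label(company_domain), _registrable_label(domain)
    if _skeleton(ours) == _skeleton(theirs):
        return True
    # Near-misses such as 'acme-corp' or 'acmecrop'; the length guard avoids matching short unrelated names.
    return len(ours) >= 6 and _edit_distance(ours, theirs) <= 2


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return the header-level red flags for one message; an empty list means headers show nothing."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    name_key = display_name.lower().split(",")[0].strip()   # 'Mark Wilson, CEO' -> 'mark wilson'

    # Setup path three: an executive's name on an address outside the company domain.
    if name_key in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display-name spoof: '{display_name}' sent from {from_addr}")
    # Setup path one: a registered lookalike. SPF/DKIM/DMARC pass here because the
    # attacker owns the lookalike domain's DNS, so authentication results are not consulted.
    if is_lookalike(from_domain):
        findings.append(f"lookalike domain: {from_domain} imitates {COMPANY_DOMAIN}")
    # Replies routed to a third domain mean the real executive never sees the thread.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_to}, not {from_addr}")
    return findings


# Constructed sample messages (not real mail), one per setup path.
LOOKALIKE = b"""From: Mark Wilson <mark.wilson@acmec0rp.com>
To: controller@acmecorp.com
Subject: Urgent wire before board meeting
Authentication-Results: mx.acmecorp.com; spf=pass; dkim=pass header.d=acmec0rp.com; dmarc=pass

Need you to handle a wire for the vendor deal. Routing details in thirty minutes.
"""

DISPLAY_NAME = b"""From: "Mark Wilson, CEO" <mark.wilson.ceo@gmail.com>
Reply-To: "Mark Wilson, CEO" <mwilson.exec@outlook.com>
To: controller@acmecorp.com
Subject: Quick favor

I need you to send out the gift cards for the year-end client appreciation.
"""

COMPROMISED = b"""From: Mark Wilson <mark.wilson@acmecorp.com>
To: controller@acmecorp.com
Subject: Closing out the partner contract today
Authentication-Results: mx.acmecorp.com; spf=pass; dkim=pass header.d=acmecorp.com; dmarc=pass

Please update their banking details to the account I am about to send.
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("display-name", DISPLAY_NAME), ("compromised", COMPROMISED)]:
        print(label, analyze(raw) or "no header findings")
```

The compromised-account message comes back with no findings while passing SPF, DKIM, and DMARC, which is exactly why the defenses later in this post are process controls rather than header checks.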
The attacker also identifies the specific employee to target: typically the CFO, controller, finance manager, or executive assistant. Smaller companies may target whoever the attacker can see has signing authority on transactions, often the founder’s right hand.
Phase three: execution. The attacker sends the impersonating email. The pretext varies but the structure is consistent: an urgent, plausible request that requires the recipient to take action quickly.
Common pretexts:
- “Hey, I am about to step into a board meeting. Need you to handle a wire transfer for the [vendor] deal. Sending the routing details in the next thirty minutes. Please confirm receipt.”
- “Quick favor. I need you to send out the gift cards for the year-end client appreciation. Total is $25,000, I will reimburse from the AP account next week.”
- “I am closing out the contract with [partner] today. Please update their banking details in your system to the account I am about to send. The treasurer’s office requested the change.”
The urgency cuts off verification. The familiarity (“Hey,” “Quick favor”) establishes a casual register that suggests prior trust. The reference to real names, real partners, or real business activity confirms the attacker did the reconnaissance.
Phase four: extraction. The recipient acts on the request. The wire goes out. The gift cards are purchased and the codes shared. The vendor banking details are updated. The attacker either receives the funds directly or, in the case of vendor banking changes, waits for the next legitimate invoice payment cycle to capture funds at the moment they are sent to the new account.
Discovery typically happens days or weeks later, when someone notices that the legitimate vendor has not received their expected payment, or when the CEO returns from the supposed meeting and is asked about the transfer. By then, the funds have usually been moved through one or more layers of accounts and are difficult to recover.
Why It Works on Careful Employees
The naive analysis of CEO fraud assumes the victim was incompetent or careless. The realistic analysis is more uncomfortable.
CEO fraud exploits two deep human tendencies that careful employees still have:
Deference to leadership. In any hierarchical organization, employees default to taking the CEO’s stated request seriously. Asking the CEO to verify their own request feels insubordinate. The trained response is to act, not to question.
Response to urgency. Time pressure consistently degrades pattern recognition and verification behavior. An employee who would normally call to confirm an unusual wire transfer hesitates when the email says “I’m about to step into a meeting; need this in the next thirty minutes.” The urgency is the design feature, not a coincidence.
The combination produces a moment where the employee’s normal verification reflexes are most likely to fail. The careful employee under normal conditions becomes the mid-day-Friday employee under a tight deadline from the founder. The same person, but in a worse decision-making state.
This is why training alone is an insufficient defense. The trained employee knows in the abstract that wire transfer requests should be verified. The trained employee under deference and urgency pressure may not act on what they know. Phishing-simulation results reported by training vendors consistently show trained employees missing roughly half of well-crafted CEO fraud attempts on the first encounter.
The Specific Defenses That Work
The defenses that work against CEO fraud share a common property: they remove the dependence on the employee’s in-the-moment recognition. The decision is made in advance, written down, and applied regardless of the apparent source of the request.
Defense one: written verification protocol. A one-page document that says: any wire transfer initiated by email, and any change to a vendor’s banking details requested by email, is confirmed by phone before processing. The call goes to a number taken from the internal directory or the existing vendor record, never to a number in the email, its signature, or an attached invoice; a requester who supplies their own callback number is supplying their own verification. The confirmation has to be voice-to-voice; voicemail, or a reply on the same email thread, is not acceptable. The protocol applies to everyone including the CEO.
The protocol works because it removes the in-the-moment judgment call. The employee does not have to decide whether this particular email is suspicious. They have to follow the protocol on every email, which is a much lower cognitive bar.
For the protocol to work, the CEO has to be okay with being inconvenienced. The CEO will sometimes legitimately initiate an urgent wire transfer by email and have to wait two minutes for the verification call. The cost is real but small. The cost of skipping the protocol when the email is fraud is six figures.
Defense two: dual approval on threshold transactions. Any transaction above a defined threshold (commonly $5,000 to $25,000 depending on company size) requires two-person approval. The second person is not the originator of the request. The two-person rule means a CEO fraud attack would have to compromise two employees simultaneously, which is materially harder than compromising one.
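The two protocol defenses above, callback verification and threshold dual approval, work because they are rules applied to every request rather than judgments made per email. This added example, not code from the original post, encodes them as a release gate that a finance tool could enforce. The directory numbers, the $10,000 threshold, and the people are assumptions constructed for the example; the walk-through pushes the board-meeting wire pretext from the execution section through each gate in turn.

```python
"""Payment-release gate: callback verification and dual approval enforced as rules, not judgment."""
from dataclasses import dataclass, field

# Assumptions, constructed for this example: an internal phone directory maintained by IT
# (never taken from an email signature) and a company-chosen dual-approval threshold.
DIRECTORY = {
    "mark.wilson@acmecorp.com": "+1-555-0100",  # CEO
    "jane.doe@acmecorp.com": "+1-555-0101",     # controller
    "sam.lee@acmecorp.com": "+1-555-0102",      # AP manager
}
DUAL_APPROVAL_THRESHOLD = 10_000


class PolicyViolation(Exception):
    """Release attempted before the written protocol is satisfied."""


@dataclass
class PaymentRequest:
    requested_by: str             # the address the request claims to come from
    amount: int                   # whole dollars
    beneficiary: str
    via_email: bool               # email-initiated requests always need a callback
    account_change: bool = False  # new or changed beneficiary banking details
    callback_confirmed_by: str = ""
    approvals: list = field(default_factory=list)


def needs_callback(req):
    return req.via_email or req.account_change


def needs_dual_approval(req):
    return req.amount >= DUAL_APPROVAL_THRESHOLD or req.account_change


def confirm_by_callback(req, dialed_number, confirmed_by, spoke_to_person):
    """Voice-to-voice confirmation on the directory number of the purported requester."""
    expected = DIRECTORY.get(req.requested_by)
    if expected is None:
        raise PolicyViolation(f"{req.requested_by} is not in the directory; cannot verify")
    if dialed_number != expected:
        raise PolicyViolation("callback must use the directory number, not one from the email")
    if not spoke_to_person:
        raise PolicyViolation("voicemail is not confirmation")
    req.callback_confirmed_by = confirmed_by


def approve(req, approver):
    """Separation of duties: the originator never counts as an approver, and each approver counts once."""
    if approver == req.requested_by:
        raise PolicyViolation("the requester cannot approve their own request")
    if approver in req.approvals:
        raise PolicyViolation(f"{approver} has already approved; a second person is required")
    req.approvals.append(approver)


def release(req):
    """The only path to payment; every gate is checked here regardless of who asked."""
    if needs_callback(req) and not req.callback_confirmed_by:
        raise PolicyViolation("callback verification missing")
    required = 2 if needs_dual_approval(req) else 1
    if len(req.approvals) < required:
        raise PolicyViolation(f"{required} approval(s) required, have {len(req.approvals)}")
    return True


def violates(fn, *args, **kwargs):
    """True if the protocol refuses the call (used to show each gate firing)."""
    try:
        fn(*args, **kwargs)
    except PolicyViolation:
        return True
    return False


def walk_through_board_meeting_wire():
    """The 'about to step into a board meeting' pretext, pushed through every gate."""
    req = PaymentRequest("mark.wilson@acmecorp.com", 48_000, "Vendor Co", via_email=True)
    steps = {
        "released on email alone": violates(release, req),
        "callback to number in email signature": violates(
            confirm_by_callback, req, "+1-555-0199", "jane.doe@acmecorp.com", True),
        "callback reached voicemail": violates(
            confirm_by_callback, req, "+1-555-0100", "jane.doe@acmecorp.com", False),
    }
    confirm_by_callback(req, "+1-555-0100", "jane.doe@acmecorp.com", True)
    steps["requester self-approves"] = violates(approve, req, "mark.wilson@acmecorp.com")
    approve(req, "jane.doe@acmecorp.com")
    steps["one approval above threshold"] = violates(release, req)
    approve(req, "sam.lee@acmecorp.com")
    steps["released after callback and two approvals"] = release(req)
    return steps


if __name__ == "__main__":
    for step, outcome in walk_through_board_meeting_wire().items():
        print(f"{step}: {'blocked' if outcome and step.startswith(('released on', 'callback', 'requester', 'one')) else 'allowed'}")
```

Two design points carry the weight: `release` is the single exit, so a request cannot skip a gate by arriving through a different screen, and a banking-details change triggers both gates at any amount, because that is the pretext that waits for the next legitimate invoice rather than asking for money today.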
Defense three: hardware-key MFA on executive and finance accounts. This closes the credential-theft path that produces the highest-quality CEO fraud, where the attacker has actually compromised the CEO’s mailbox. A FIDO2/WebAuthn key is bound to the legitimate login origin, so a stolen password, a phished one-time code, or an adversary-in-the-middle proxy page does not get the attacker in; that origin binding is what separates it from SMS or push-based MFA. Without account compromise, the attack falls back to lookalike domains or display-name spoofing, both of which are detectable in the message headers. The key only helps if legacy protocols that bypass MFA (basic authentication for IMAP/POP, app passwords) are also disabled on those accounts.
Defense four: phishing awareness training for finance and operations. Realistic expectations. Training cuts click-through and act-on rates roughly in half. The other half still acts on convincing fraud, which is why the protocol-based defenses matter more.
Defense five: structural inbox filtering. A small cover charge on unknown senders changes the cost structure of reaching inboxes. Mass-volume CEO fraud campaigns (where the attacker impersonates the CEO of dozens of companies in parallel using automation) depend on free reach to be profitable. Once reaching each finance employee’s inbox costs four cents, the campaign math collapses for all but the highest-conviction targeted attacks. Targeted CEO fraud attacks are still possible (a determined attacker willing to pay can reach the inbox), but the email arrives with a PAID label attached. The CEO is on the employee’s guest list and would never pay a cover charge, so a paid email claiming to be from the CEO is itself a visible red flag at the inbox layer.
We covered the structural-filtering layer in why we don’t use AI to fight AI phishing. The five defenses together produce a layered protection that does not rely on any single point.
What Cyber Insurance Covers
Many small businesses assume cyber insurance covers CEO fraud losses. Reality is more nuanced. Standard cyber liability policies often have BEC sub-limits ranging from $50,000 to $500,000, with various exclusions and required controls.
The most common gotchas:
- The policy requires the insured to have implemented specific controls (MFA, employee training, dual approval). If the controls were not in place or were not followed, the claim is denied.
- The policy treats funds handed over by a deceived employee as “voluntary parting” and excludes it from the computer-fraud coverage. Losses of this kind are covered, if at all, by a separate social engineering or funds transfer fraud endorsement with its own sub-limit. Some policies include it; many do not.
- The sub-limit for BEC may be lower than the policy’s overall coverage limit, surprising the insured at claim time.
A 30-minute call with the broker to confirm what the policy actually covers, what controls it requires, and what the BEC sub-limit is, is worth the time. For small businesses without cyber insurance, a policy typically costs $1,500 to $5,000 per year, and BEC is the most common claim category.
The Recovery Window
If CEO fraud succeeds, the recovery window is short. The FBI’s IC3 reports significantly higher recovery rates when victims report within the first 24 hours, falling sharply after 72 hours. The IC3 Recovery Asset Team has had real successes with timely reports.
The action sequence on discovery:
- Immediately call your own bank (the originating institution) and request a wire recall. The originating bank contacts the beneficiary bank; bank-to-bank recall is the fastest path and most likely to succeed within the first day. Ask the bank’s fraud team to flag the transaction and any related payments to the same beneficiary.
- File an IC3 complaint at ic3.gov. Provide all transaction details, sender details, and the original fraudulent email with full headers.
- Notify your insurance carrier if the loss is potentially covered. Most policies require timely notice as a condition of coverage.
- Contact local law enforcement. The FBI handles federal-level investigations, but local law enforcement can sometimes assist with the receiving bank or the receiving account holder.
Speed matters. Funds that have been withdrawn or moved to an offshore account in a non-cooperative jurisdiction within the first day are usually not recoverable. Funds still in the receiving bank’s account often are.
The Honest Bottom Line
CEO fraud is one of the most-tested attack patterns of the last decade. Attackers have refined the playbook against most of the easy defenses. The defenses that still work are the ones that remove dependence on in-the-moment employee judgment: written verification protocols, dual approval, hardware-key MFA on critical accounts, training to raise the floor, and structural filtering to collapse mass-volume reach economics.
Skipping any of these defenses leaves a gap. Implementing all of them at small business scale costs roughly $5 to $15 per employee per month in tooling and training, or several thousand dollars per year for a typical small business. That is a small fraction of the cost of a single successful CEO fraud incident.
For the broader BEC defense framework, see business email compromise survival guide for small businesses. For the underlying threat overview, see business email compromise: the $2.7 billion threat. Rythm handles the structural-filtering layer for $1.65 per inbox per month, complementing whatever other defenses the organization has in place.
The attack is preventable. The prevention is process discipline rather than technology spending. The companies that fall victim are usually the ones that skipped the protocol step, not the ones that failed to detect the email.