CEO Fraud (BEC)
The costliest cyber threat facing SMBs
CEO fraud — internationally known as Business Email Compromise (BEC) — costs organisations worldwide billions every year. Criminals impersonate senior executives to trick employees into making urgent payments. In the most advanced attacks the executive's email account is actually taken over through an Adversary-in-the-Middle (AiTM) phishing attack.
CEO fraud in numbers
1 in 4
SMBs in the Netherlands fell victim to cybercrime in 2024, with BEC being the most common form.
€19M
Lost by Dutch cinema chain Pathé in a single CEO fraud case in 2018 — one of Europe’s most notorious examples.
$2.9B
Reported BEC losses in the US in 2023 (FBI IC3) — and these are only the cases that were actually reported.
What is CEO fraud?
CEO fraud — also called whaling, executive impersonation, or BEC fraud — is a targeted form of scam in which criminals pose as a senior executive within your organisation. The objective is almost always financial: convincing employees to transfer money to an attacker-controlled account, or to share confidential information.
Unlike broad-based phishing campaigns, CEO fraud is highly targeted. Attackers spend days or even weeks studying the organisation: who is the CEO, who handles payments, what tone is used in internal emails. In the most sophisticated variant, the CEO’s email account is actually compromised through an Adversary-in-the-Middle attack — meaning the fraudulent message is sent from the real email address.
CEO fraud falls under the broader category of Business Email Compromise (BEC). Law enforcement agencies and security organisations use both terms, but BEC also covers variants such as invoice fraud and payroll fraud. What all forms share is that they exploit human trust through email.
Types of CEO fraud and BEC
BEC is not a single attack but a family of techniques. These are the most common variants:
CEO impersonation (classic)
The attacker poses as the CEO and asks a finance employee to make an urgent payment. Typically emphasises secrecy and time pressure.
Invoice fraud (vendor fraud)
Criminals intercept invoices from a supplier and change the bank account number. The payment goes to the attacker instead of the legitimate vendor.
Account takeover
The email account is actually hijacked, usually via AiTM phishing. The attacker sends messages from the real email address — making it virtually impossible for the recipient to detect.
Payroll fraud
An employee “asks” HR to update the bank account number for salary deposits. The salary is then paid out to the attacker.
AI and deepfakes
Attackers use AI-generated voice clones or deepfake video to bypass phone-based verification. A growing threat that undermines traditional double-checks.
Data theft
Not always financially motivated. HR departments are approached with requests to share employee records, national ID numbers, or tax information.
How does a CEO fraud attack work?
CEO fraud ranges from opportunistic spam to attacks that are prepared over weeks or months. In the most advanced form, criminals infiltrate the network and send the payment request from the CEO’s actual email address.
1. Reconnaissance
Criminals research the organisation via LinkedIn, company registries, the website, and social media. They identify the CEO, CFO, and finance staff, and study the internal communication style.
2. Impersonation or account takeover
The attacker registers a look-alike domain (e.g. attic-security.com instead of atticsecurity.com) or takes over the real account via AiTM phishing. Both methods produce convincing messages.
3. The request
An urgent, confidential payment request is sent — often just before the weekend or during holidays. The message emphasises secrecy and time pressure.
4. Payment and disappearance
The money is transferred to an attacker-controlled account, often overseas. Within hours it is moved onwards — making a reversal virtually impossible.
How to recognise CEO fraud
CEO fraud relies on urgency, trust, and secrecy. Learn to spot these warning signs before you act:
Unexpected payment request from a senior executive
Especially if it comes from a new email address or you don’t normally receive payment instructions from this person.
Extreme urgency and time pressure
“This needs to be done today” — often just before the weekend, a public holiday, or while the CEO is on leave.
Request for secrecy
“Don’t tell anyone about this yet” or “This is strictly confidential” — designed to prevent you from verifying the request.
Slightly different email address
Subtle changes to the domain (atticsecurity.com vs. attic-security.com) or a personal email address “because the work email isn’t working”.
Unfamiliar or foreign bank account
The payment is to an account you don’t recognise, often in an unusual location.
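The "slightly different email address" warning sign above, and the look-alike domain in step 2 of the attack chain, can be checked by a mail filter before a payment request ever reaches a finance employee. The following is an added example written for this page, not Attic's code: it classifies a From: header as internal, a look-alike of the organisation's domain (separator insertion, typo, confusable characters, our name under another TLD), an executive's display name on an outside mailbox, or plain external. OWN_DOMAIN is the page's example domain; the EXECUTIVES list, the confusable table and the sample headers are constructed for the example.

```python
"""Look-alike sender check for payment-request emails (added example, not Attic's code)."""
import unicodedata
from email.utils import parseaddr

OWN_DOMAIN = "atticsecurity.com"          # the page's example organisation
EXECUTIVES = {"Jan Jansen"}               # constructed: display names of executives to watch

# Character sequences commonly swapped into look-alike domains (constructed, not exhaustive)
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(text: str) -> str:
    """Lower-case, strip accents, fold confusables and drop '-' and '_' separators."""
    folded = unicodedata.normalize("NFKD", text.strip().lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded.replace("-", "").replace("_", "")


def name_label(domain: str) -> str:
    """Second-level label: 'atticsecurity' for mail.atticsecurity.com."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or transpose."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def classify_sender(header_from: str) -> str:
    """Return 'internal', 'lookalike', 'exec-external' or 'external' for a From: header."""
    display, address = parseaddr(header_from)
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == OWN_DOMAIN or domain.endswith("." + OWN_DOMAIN):
        return "internal"
    own = normalise(name_label(OWN_DOMAIN))
    # Our name once separators/confusables are removed (attic-security.com), or under another TLD
    if own in normalise(domain):
        return "lookalike"
    # Typo-squats: one or two edits away from our name label
    if edit_distance(normalise(name_label(domain)), own) <= 2:
        return "lookalike"
    # An executive's name on a personal mailbox ("the work email isn't working")
    if normalise(display) in {normalise(e) for e in EXECUTIVES}:
        return "exec-external"
    return "external"


if __name__ == "__main__":
    # Constructed sample From: headers
    for hdr in ["Jan Jansen <jan@atticsecurity.com>",
                "Jan Jansen <jan@attic-security.com>",
                "Jan Jansen <jan@atticsecurlty.com>",
                "Jan Jansen <jan.jansen.ceo@gmail.com>",
                "invoices@example.net"]:
        print(f"{classify_sender(hdr):14} {hdr}")
```

Anything classified as lookalike or exec-external is a candidate for quarantine or at least a banner that tells the recipient to follow the phone verification procedure. The edit-distance threshold of 2 suits a 13-character label like atticsecurity; for short domain names it produces false positives and should be lowered to 1.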
How to protect your organisation against CEO fraud
Effective protection combines organisational procedures with technical measures. Awareness alone is not enough — you also need detection.
Verification procedures
Every payment above a certain threshold requires phone verification using a pre-established number. Never use the number provided in the email.
AiTM protection
Prevent account takeover by installing Attic FREE. The browser extension blocks fake login pages used to steal session cookies.
Continuous monitoring
Detect suspicious sign-in activity, unusual mailbox rules, and forwarding settings in real time. Attic MDR monitors your Microsoft 365 environment 24/7.
M365 hardening
Block auto-forwarding to external addresses, enable audit logging, and configure DMARC/SPF/DKIM. Attic Fixer checks this automatically.
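The DMARC/SPF part of the hardening above can be checked from the published DNS TXT records alone. The following is an added example written for this page, not Attic Fixer's code: it evaluates an SPF record and a DMARC record, reports weak settings (a neutral or permissive "all" qualifier, a monitor-only p=none, partial pct, no aggregate reports) and shows the weak records next to corrected ones. The records are constructed; spf.protection.outlook.com is Microsoft's documented SPF include for Microsoft 365. DKIM is not evaluated here because a selector record (selector._domainkey.<domain>) requires a live DNS lookup.

```python
"""SPF / DMARC record check (added example, not Attic Fixer's code)."""

SEVERITY = {"low": 0, "medium": 1, "high": 2}

# Weak records (constructed): neutral SPF qualifier and a monitor-only DMARC policy
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none"
# Corrected records (constructed): hard fail for unlisted senders, reject policy, strict alignment
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
              "rua=mailto:dmarc-reports@atticsecurity.com")

# Terms that cost a DNS lookup; SPF allows at most 10 of them
LOOKUP_TERMS = ("include", "a", "mx", "exists", "redirect")


def finding(record, severity, message):
    return {"record": record, "severity": severity, "message": message}


def evaluate_spf(record):
    """Return findings for an SPF TXT record (None means no record is published)."""
    if not record:
        return [finding("spf", "high", "no SPF record published; any host can claim to send as this domain")]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return [finding("spf", "high", "record does not start with v=spf1")]
    out = []
    lookups = sum(1 for t in terms[1:]
                  if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_TERMS)
    if lookups > 10:
        out.append(finding("spf", "high", f"{lookups} DNS-querying terms exceed the limit of 10; SPF returns permerror"))
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        out.append(finding("spf", "medium", "no 'all' mechanism; unlisted senders get a neutral result"))
    elif all_term in ("all", "+all"):
        out.append(finding("spf", "high", "'+all' authorises every host on the internet"))
    elif all_term == "?all":
        out.append(finding("spf", "high", "'?all' is neutral; spoofed mail is neither failed nor flagged"))
    elif all_term == "~all":
        out.append(finding("spf", "low", "'~all' soft-fails spoofed mail; move to '-all' once DMARC alignment is confirmed"))
    return out


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return findings for a DMARC TXT record (None means no record is published)."""
    if not record:
        return [finding("dmarc", "high", "no DMARC record; receivers cannot apply a policy to spoofed mail")]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [finding("dmarc", "high", "record does not start with v=DMARC1")]
    out = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        out.append(finding("dmarc", "high", f"missing or invalid p= tag ({policy!r})"))
    elif policy == "none":
        out.append(finding("dmarc", "medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        out.append(finding("dmarc", "low", "p=quarantine sends spoofed mail to junk; p=reject blocks it outright"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        out.append(finding("dmarc", "medium", f"pct={pct} applies the policy to only part of the mail"))
    if "rua" not in tags:
        out.append(finding("dmarc", "low", "no rua= address; you will not receive aggregate reports of spoofing attempts"))
    return out


def assess(spf_record, dmarc_record):
    """Combined findings plus the worst severity ('ok' when there are none)."""
    findings = evaluate_spf(spf_record) + evaluate_dmarc(dmarc_record)
    worst = max((f["severity"] for f in findings), key=SEVERITY.get, default="ok")
    return {"worst": worst, "findings": findings}


if __name__ == "__main__":
    for label, spf, dmarc in [("weak", WEAK_SPF, WEAK_DMARC), ("corrected", GOOD_SPF, GOOD_DMARC)]:
        result = assess(spf, dmarc)
        print(f"{label}: {result['worst']}")
        for f in result["findings"]:
            print(f"  [{f['severity']}] {f['record']}: {f['message']}")
```

Moving from p=none to p=reject should be done only after the aggregate reports confirm that all legitimate sending services (Microsoft 365, ticketing, marketing platforms) pass SPF or DKIM with alignment; otherwise the organisation's own mail is rejected along with the spoofed mail.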
Fallen victim to CEO fraud? Here is what to do
The faster you act, the greater the chance of limiting the damage. Follow these steps immediately:
1. Call your bank immediately
Request that the payment be blocked or reversed. For international transfers this may still be possible up to 24 hours after the transaction.
2. File a report with law enforcement
CEO fraud is a criminal offence. Filing a report is important for potential insurance claims and helps authorities track criminal networks. In the Netherlands, report to the police; in the UK, contact Action Fraud; in the US, file with the FBI’s IC3.
3. Report the fraud to your national fraud agency
Notify the relevant fraud reporting body in your country (e.g. Fraudehelpdesk.nl in the Netherlands). This helps warn other organisations and map fraud patterns.
4. Engage a security specialist
CEO fraud often indicates that the network or email account has been compromised. Without investigation you risk follow-up attacks. Schedule a call with our team.
5. Preserve all evidence
Do not delete any emails, chat messages, or log files. Check Microsoft 365 mailbox rules for suspicious forwarding settings.
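The mailbox rule check in step 5, and the "unusual mailbox rules and forwarding settings" that continuous monitoring looks for in the protection section, come down to a handful of patterns seen after an account takeover: forwarding to an outside domain, rules that delete or bury messages about payments so the victim never sees the vendor's reply, and rules with throwaway names. The following is an added example written for this page, not Attic MDR's or Attic Fixer's code. It runs over a simplified export of each mailbox's forwarding setting and inbox rules; the field names are a constructed simplification of what Exchange Online and Graph return, not their exact schema, and the export itself is constructed.

```python
"""Mailbox rule and forwarding review for Microsoft 365 accounts (added example, not Attic's code)."""

OWN_DOMAIN = "atticsecurity.com"
SEVERITY = {"low": 0, "medium": 1, "high": 2}

# Words attackers filter on to keep the victim from seeing payment traffic (constructed list)
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "bank", "wire", "iban", "password", "mfa", "fraud"}
# Folders used to bury mail the user rarely opens (lower-cased)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

SAMPLE_EXPORT = [  # constructed: two mailboxes, three rules, one mailbox-level forward
    {
        "user": "ceo@atticsecurity.com",
        "forwardingSmtpAddress": "ceo.backup@outlook.example",
        "rules": [
            {"name": ".", "enabled": True,
             "conditions": {"subjectOrBodyContains": ["invoice", "payment"]},
             "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
            {"name": "Newsletters", "enabled": True,
             "conditions": {"fromContains": ["newsletter"]},
             "actions": {"moveToFolder": "Newsletters"}},
        ],
    },
    {
        "user": "finance@atticsecurity.com",
        "forwardingSmtpAddress": None,
        "rules": [
            {"name": "fwd", "enabled": True, "conditions": {},
             "actions": {"forwardTo": ["collector@mail.example.net"], "deleteMessage": True}},
        ],
    },
]


def is_external(address):
    """True when the address is outside the organisation's domain and its subdomains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == OWN_DOMAIN or domain.endswith("." + OWN_DOMAIN))


def analyse_rule(user, rule):
    """Return a finding dict for one inbox rule, or None if it looks benign."""
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    reasons, level = [], 0

    # 1. Forward/redirect actions pointing outside the organisation
    targets = (actions.get("forwardTo", []) + actions.get("redirectTo", [])
               + actions.get("forwardAsAttachmentTo", []))
    external = [t for t in targets if is_external(t)]
    if external:
        reasons.append("forwards or redirects to external " + ", ".join(external))
        level = max(level, SEVERITY["high"])

    # 2. Rules that hide payment-related mail from the mailbox owner
    words = {w.lower() for w in conditions.get("subjectOrBodyContains", [])
             + conditions.get("subjectContains", [])}
    hits = sorted(words & SUSPICIOUS_KEYWORDS)
    buries = bool(actions.get("deleteMessage")) or \
        actions.get("moveToFolder", "").lower() in HIDING_FOLDERS
    if hits and buries:
        reasons.append("hides messages mentioning " + ", ".join(hits))
        level = max(level, SEVERITY["high"])
    elif buries and (actions.get("deleteMessage") or actions.get("markAsRead")):
        reasons.append("deletes or buries messages without the user seeing them")
        level = max(level, SEVERITY["medium"])

    # 3. Throwaway names such as ".", "," or "-" that attackers give their rules
    name = rule.get("name", "").strip()
    if len(name) <= 1 or set(name) <= set(".,;-_ "):
        reasons.append(f"throwaway rule name {name!r}")
        level = max(level, SEVERITY["medium"])

    if not reasons:
        return None
    severity = next(k for k, v in SEVERITY.items() if v == level)
    return {"user": user, "rule": name, "enabled": rule.get("enabled", True),
            "severity": severity, "reasons": reasons}


def analyse_export(export):
    """Findings for every mailbox: the mailbox-level forward first, then each inbox rule."""
    findings = []
    for mailbox in export:
        user = mailbox["user"]
        fwd = mailbox.get("forwardingSmtpAddress")
        if fwd and is_external(fwd):
            findings.append({"user": user, "rule": "(mailbox forwarding)", "enabled": True,
                             "severity": "high",
                             "reasons": [f"mailbox forwards a copy of all mail to {fwd}"]})
        for rule in mailbox.get("rules", []):
            result = analyse_rule(user, rule)
            if result:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for f in analyse_export(SAMPLE_EXPORT):
        state = "" if f["enabled"] else " (disabled)"
        print(f"[{f['severity']}] {f['user']} rule {f['rule']!r}{state}: {'; '.join(f['reasons'])}")
```

Disabled rules are reported as well: an attacker who has been evicted once may leave a rule switched off and re-enable it later, so every finding belongs in the incident record rather than only the active ones.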
How Attic protects you against CEO fraud
Attic continuously monitors for suspicious activity and compromised accounts in your Microsoft 365 environment. This is how we detect CEO fraud before the damage is done.
Protection against phishing
Block the first step of CEO fraud: AiTM phishing that steals credentials and session cookies. Attic FREE warns employees before they log in to a fake page.
Detection of suspicious sign-in activity
Attic Bouncer detects when an account is being taken over — for example from an unusual location or device. This prevents attackers from sending emails on behalf of the CEO.
Secure your Microsoft 365 configuration
Attic Fixer checks daily whether auto-forwarding is blocked, audit logging is enabled, and DMARC/SPF/DKIM are correctly configured. Reduce your attack surface with one click.
Prevent CEO fraud — start today
Don’t wait until it’s too late. Protect your organisation with automated monitoring and detection of suspicious activity in Microsoft 365.