CEO fraud is a scam in which an attacker impersonates a senior executive (usually the CEO or CFO) to trick an employee into authorizing a fraudulent payment, sharing sensitive data, or changing the bank details on a vendor account.
It is a subtype of Business Email Compromise (BEC), and the FBI’s Internet Crime Complaint Center reports it as one of the costliest digital fraud categories every year, with combined U.S. losses measured in the billions of dollars.
Most coverage of CEO fraud treats it as an email problem to be solved with anti-phishing filters and security-awareness training. Unfortunately, that framing misses the part of the attack that happens outside your perimeter, weeks before the fraudulent email is sent.
By the time the email arrives, the attacker has already chosen the target executive, mapped the finance chain of command, registered a lookalike domain, and increasingly, collected enough audio and video to deepfake a follow-up call.
This post covers what CEO fraud is, how attacks unfold, what the most common playbooks look like, why deepfakes have raised the stakes, and the layered defence that catches the reconnaissance before the email reaches a finance employee’s inbox.
What is CEO fraud?
CEO fraud is a social-engineering attack in which the attacker pretends to be an executive (the CEO, CFO or another senior leader with payment authority) and instructs a finance or HR employee to act.
The most common ask is a wire transfer to a “new vendor account”. Other variants ask for gift-card purchases, payroll-deposit redirection, a copy of the W-2 file, or the urgent processing of an M&A-related transfer.
The fraud is also called whaling (the phishing-industry term for executive-targeted attacks), executive impersonation, or, under its FBI category, Business Email Compromise.
The Federal Bureau of Investigation has tracked BEC since 2013 and reports adjusted global losses exceeding $55 billion through 2024.
How a CEO Fraud Attack Actually Unfolds
A modern CEO fraud campaign usually moves through five stages, and the fraudulent email is the last of them.
- Target selection: Attackers pick a company through a combination of public signals: a recent IPO, a public acquisition, a publicly named CFO who has just moved jobs, or an organization with permissive disclosures around financial controls. Companies in the middle of an integration are favoured because internal processes are in flux and the people approving payments are new to each other.
- Reconnaissance: The attacker collects publicly available information on the executive and the finance team. LinkedIn, the company press room, conference recordings, podcast appearances and leaked data sets from prior breaches all feed the dossier. The goal is the executive’s voice patterns, signature blocks, common phrases, travel calendar, and a clear picture of the finance approval chain. This stage often runs for weeks.
- Infrastructure: The attacker registers a lookalike domain. The most common pattern is a one-character substitution on the real corporate domain (an “rn” for an “m”, a missing letter, a Cyrillic homoglyph) or a near-twin top-level domain. The domain gets a TLS certificate, a configured mail server, and, in deepfake-enabled attacks, a voice clone produced from podcast audio.
- Trigger: The attacker waits for a window. A real CEO travelling internationally is the gold standard, because the time-zone gap explains the urgency and discourages a call-back. Public events (earnings calls, board meetings, off-sites) work for the same reason.
- Execution: The fraudulent email arrives. It is short, it references a real-sounding context the finance employee will recognize, and it instructs an urgent action. A follow-up call from a deepfaked CEO voice, or a video meeting featuring a deepfaked face, closes the deal.
Steps one through three happen outside the firewall. Email filters never see them. That is the work that actually decides whether a CEO fraud campaign succeeds.

Common CEO Fraud Playbooks
Five variants account for almost every reported case.
- Wire-transfer authorization: The classic. A “new vendor”, a closing M&A deal, or an urgent overseas payment. The instruction tells finance to skip the usual verification because the executive is in a meeting and cannot be disturbed.
- Vendor banking change: A spoofed message from finance or procurement asks accounts payable to update a real vendor’s bank account details on file. The next invoice cycle pushes the payment to the attacker. Often, the original vendor’s email is also compromised, which is what makes this variant so hard to catch in time.
- Payroll redirect: A deepfaked or spoofed message from HR (or from the executive themselves) asks payroll to redirect direct deposit to a new account. Per-incident loss is smaller, but the success rate is high.
- Gift-card scam: A “favour” request from the CEO, in the familiar form: buy a batch of gift cards for a client gesture and send the codes back by email. The amounts are small enough that one employee can act on their own without escalating, which is the point.
- M&A or board pretext: A CFO-impersonation message tells the controller to wire funds for an “imminent acquisition” or “due diligence escrow”, with a confidentiality clause that explicitly says do not discuss with anyone, including the CEO. This is the playbook behind some of the biggest single losses on record.
The Deepfake Variant
CEO fraud has changed in the last 24 months. Voice and video deepfakes that used to require expensive tooling are now generated from about a minute of source audio and pushed in real time during a video call.
The clearest public case is the 2024 Arup loss. An employee in Hong Kong joined a Microsoft Teams call with what they believed was the company’s CFO and several colleagues. Every face on the call was deepfaked. The employee approved 15 transfers totalling about $25 million before the fraud was discovered.
Arup was not a small or unsophisticated target. The point of the case is that a well-resourced attacker can now produce a convincing deepfaked video of any executive whose voice or face has appeared in public, which for most listed companies covers every C-suite role.
Why Email Security Alone Keeps Missing It
The first three stages of a CEO fraud campaign happen on registrar systems, social platforms, leaked-data marketplaces and public press archives. A secure email gateway has no visibility into any of those.
By the time the fraudulent message arrives, the attacker has already invested two to six weeks. The email is a polished, brand-aligned message from a domain that was registered specifically to look right, sent through a mail server with valid SPF and DMARC, at a moment when the real executive is unreachable. That is a hard email to flag from inside the inbox alone.
Email security is necessary, but it is not enough.
Defenders who only watch the inbox watch the last ten minutes of an attack that started six weeks earlier.
How to Prevent CEO Fraud: A Layered Defence
A strong CEO fraud defence covers the reconnaissance, the infrastructure and the email itself, and adds out-of-band human verification at the point of payment.
- Email security: Use SPF, DKIM, and DMARC enforcement, a secure email gateway, and inbox-level impersonation detection. These controls help catch spoofed senders, suspicious links, and obvious impersonation attempts.
- External monitoring: This is the layer most teams are missing: continuous monitoring of newly registered lookalike domains targeting your corporate domain and your executives’ personal domains; dark web and leak-site monitoring for executive credentials, personal data and mentions in criminal forums; and monitoring of executive impersonations on public social platforms. This is the work covered by Styx Intelligence’s executive protection, disinformation security and dark web monitoring modules.
- Executive digital hygiene: Reduce the public surface area of senior executives. Keep voice and video samples to a planned and controlled set. Use privacy services for executive personal registrations. Review LinkedIn pages and conference biographies for the information that lets an attacker pretext a finance employee.
- Finance team protocols: Mandatory call-back verification on every new vendor and on every payment above a defined threshold. The callback must use a number from the company’s existing record, never a number supplied in the request. Dual authorization on payments above a second threshold. A documented refusal-to-act protocol for “urgent and confidential” requests that bypass normal review.
- Tabletop exercises: Quarterly CEO-fraud drills with the real finance team and the real executives. Include a deepfake-voice scenario. Measure the time it took to escalate.
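The email-security layer only helps if the published SPF and DMARC records actually enforce rather than merely observe. Here is an added example (not code from this post or from Styx Intelligence) that takes the raw TXT record strings you would fetch from DNS and grades them: a DMARC policy of p=none, a pct below 100, an sp=none for subdomains, or an SPF record ending in ~all or +all all leave the door open to a lookalike-free spoof of your own domain. The records and the example.com domain are constructed placeholders; no DNS lookup is performed.

```python
"""Grade SPF and DMARC records for actual enforcement.

Added example, not code from the original post or from the vendor it
mentions. It takes the raw TXT record strings you would fetch from DNS
(no lookup is performed here) and reports whether they block spoofed
mail or merely observe it. The records and example.com below are
constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MailAuthFinding:
    domain: str
    enforcing: bool            # True only if both SPF and DMARC hard-enforce
    issues: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (enforcing, issues). Enforcing means p=quarantine/reject at 100%."""
    if not record:
        return False, ["no DMARC record published"]
    tags = parse_dmarc(record)
    issues: List[str] = []
    enforcing = True
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("missing or unexpected v= tag")
        enforcing = False
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only reports spoofing, it does not block it")
        enforcing = False
    elif policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or '<missing>'} is not a valid policy")
        enforcing = False
    # pct defaults to 100; anything lower lets a share of spoofed mail through
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={tags.get('pct')} applies the policy to only part of the mail")
        enforcing = False
    # sp defaults to p; an explicit sp=none leaves subdomains open to spoofing
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none leaves subdomains unprotected")
        enforcing = False
    # Reporting does not affect enforcement, but without it nobody sees abuse
    if "rua" not in tags:
        issues.append("no rua= address, so nobody receives aggregate reports")
    return enforcing, issues


def check_spf(record: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (enforcing, issues). Enforcing means the record ends in -all."""
    if not record:
        return False, ["no SPF record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["record does not start with v=spf1"]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return False, ["no 'all' mechanism, so unlisted senders get a neutral result"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "+":
        return False, ["+all authorises every sender on the internet"]
    if qualifier in "~?":
        return False, [f"{all_term} is a softfail/neutral result, not a hard fail"]
    return True, []


def assess_domain(domain: str, spf: Optional[str], dmarc: Optional[str]) -> MailAuthFinding:
    """Combine both checks; the domain is only 'enforcing' if both pass."""
    spf_ok, spf_issues = check_spf(spf)
    dmarc_ok, dmarc_issues = check_dmarc(dmarc)
    issues = [f"SPF: {i}" for i in spf_issues] + [f"DMARC: {i}" for i in dmarc_issues]
    return MailAuthFinding(domain, spf_ok and dmarc_ok, issues)


# Constructed sample records for a placeholder domain
SAMPLES = {
    "enforcing": ("v=spf1 include:_spf.example.net -all",
                  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "monitor-only": ("v=spf1 include:_spf.example.net ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "partial": ("v=spf1 -all", "v=DMARC1; p=quarantine; pct=10"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        finding = assess_domain("example.com", spf, dmarc)
        print(f"{name}: enforcing={finding.enforcing}")
        for issue in finding.issues:
            print(f"  - {issue}")
```

Run it against the records returned by a DNS client for your own domain and every subdomain that sends mail; the "monitor-only" sample is what many organisations actually publish after a DMARC rollout stalls at p=none, and it provides reports but no protection.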
These layers work together.
- Email security catches the obvious
- External monitoring catches the setup
- Executive hygiene reduces the raw material
- Finance protocols stop the payment
- Drills show where the process breaks
External signals worth monitoring
A detection checklist that a security or finance team can lift straight into a runbook:
- Any new domain registration that resembles the corporate domain (one-character substitutions, homoglyphs, near-twin TLDs).
- TLS certificate issuance against a lookalike domain.
- MX record changes that activate a mail server on a lookalike domain.
- Newly leaked credentials for any executive or finance team member.
- New impersonation profiles of executives on LinkedIn, X or Telegram.
- Mentions of the company name or executive names in dark web forums that discuss BEC, wire fraud or invoice fraud.
- Unusual public press or social activity that telegraphs CEO travel.
Each of these signals adds days to the warning window. A team that watches them is responding before the email arrives, not after the wire has been sent.
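To make the first checklist item concrete, here is an added example (not code from this post or from any vendor it names) that screens a feed of newly registered domains against a corporate domain for the lookalike patterns the post describes: confusable characters such as “rn” for “m” and Cyrillic homoglyphs, single-character edits including adjacent transpositions, and near-twin TLDs. It generalises those cases into two rules, a “skeleton” comparison that collapses confusables to the Latin letters a reader sees, and an edit-distance check; acmecorp.com and the feed entries are constructed placeholders.

```python
"""Flag new domain registrations that look like a corporate domain.

Added example, not code from the original post. It applies the lookalike
patterns the post lists (one-character edits, homoglyphs, near-twin TLDs)
to a feed of newly registered domains. acmecorp.com and the feed below
are constructed placeholders.
"""
from typing import List, Optional, Tuple

# Visually confusable characters and digraphs, mapped to the Latin letter
# they imitate. The \u escapes are Cyrillic and Greek homoglyphs.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03bf": "o", "\u03b1": "a",
}


def skeleton(label: str) -> str:
    """Collapse a label to the Latin form a human would read it as."""
    out = label.lower()
    # Apply digraphs first so 'rn' becomes 'm' before single-char rules run
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(bad, good)
    return out


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (first label, rest) with punycode decoded to Unicode."""
    if domain.startswith("xn--") or ".xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw string instead
    label, _, tld = domain.lower().partition(".")
    return label, tld


def classify(real_domain: str, candidate: str) -> Optional[str]:
    """Return why the candidate resembles the real domain, or None if it doesn't."""
    real_label, real_tld = split_domain(real_domain)
    label, tld = split_domain(candidate)
    if (label, tld) == (real_label, real_tld):
        return None  # the real domain itself
    if label != real_label and skeleton(label) == skeleton(real_label):
        return "homoglyph or confusable-character substitution"
    if label == real_label and tld != real_tld:
        return "near-twin TLD"
    if osa_distance(label, real_label) == 1:
        return "one-character edit"
    return None


def scan_feed(real_domain: str, feed: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every feed entry that resembles real_domain."""
    hits = []
    for candidate in feed:
        reason = classify(real_domain, candidate)
        if reason:
            hits.append((candidate, reason))
    return hits


# Constructed sample of a daily newly-registered-domains feed
NEW_REGISTRATIONS = [
    "acrnecorp.com",        # 'rn' for 'm'
    "acmecorp.co",          # near-twin TLD
    "acmecrop.com",         # transposed characters
    "acme\u0441orp.com",    # Cyrillic 'es' in place of Latin 'c'
    "acmec0rp.net",         # digit zero for 'o', on another TLD
    "weatherapp.com",       # unrelated registration
    "acmecorp.com",         # the real domain
]

if __name__ == "__main__":
    for domain, reason in scan_feed("acmecorp.com", NEW_REGISTRATIONS):
        print(f"{domain}: {reason}")
```

The skeleton rule is what catches digraph swaps such as “rn” for “m”, which a plain edit-distance check scores as two changes and would miss. The same `classify` call works unchanged on domain names taken from a certificate-transparency stream or a list of MX changes, which covers the second and third checklist items with the same logic.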