Cybercrime in Companies: CEO fraud – fake instructions from impersonated bosses

Cybercriminals pose as senior executives to manipulate employees with the aim of transferring corporate funds to fraudulent accounts. How supervisors and employees can protect themselves.

CEO Fraud: At a glance

  • CEO fraud operates by attackers impersonating executives to prompt employees to take actions such as making transfers. Using artificial intelligence, these deceptions are becoming increasingly sophisticated.
  • Companies with untrained staff, incomplete IT security, and rigid hierarchies are particularly at risk.
  • Clear security processes, such as the four-eye principle, encrypted email communications, and regular training, can reduce the risk of CEO fraud.

Definition: What is CEO Fraud?

In CEO fraud (also known as fake president fraud, boss scam, or CEO scam), an attacker pretends to be a company leader, such as a CEO, executive board member, or other senior figure. They contact employees—often via email, typically in finance, accounting, or procurement departments—to instruct them to carry out wire transfers or release sensitive data. HR departments could also be targeted, for instance, with fake instructions regarding payroll or bonuses.

CEO fraud utilises "pretexting" as part of social engineering tactics: attackers use seemingly plausible stories or scenarios as a pretext, faking identities to manipulate and control employees. For example, attackers may pose as executives via email to provoke staff into authorising bank transfers or sharing sensitive information (business email compromise).

What is Business Email Compromise (BEC)?

Business email compromise is an umbrella term for cyberattack methods where offenders use email—sometimes even from compromised accounts—to gain access to communication or impersonate identities to deceive employees. The primary aim is often to initiate transactions or redirect supplier payments without deploying malware.

BEC encompasses CEO fraud as well as attacks where criminals impersonate external partners or internal employees via email. For example, attackers may engage in "payment diversion," assuming the identities of suppliers to falsify changes to bank details and divert funds.

Typical Workflow: How Does CEO Fraud Work?

CEO fraud usually follows a structured pattern based on trust, urgency, and authority. The stages of such an attack can be broken down as follows:

Gathering Information

  • Attackers deliberately research information about the company, its executives, and relevant staff.
  • This includes names, email addresses, communication styles, current projects, ongoing transactions, and organisational structures.
  • Public sources like social media profiles, company websites, or press releases are often used for this.
  • Fraudsters increasingly use AI to optimise their research, creating personalised victim profiles to tailor their attacks.

Preparation of the Deception

  • Based on collected information, attackers craft convincing emails that appear to come from company executives.
  • They manipulate the "from" email address so it mirrors a known or trusted address (spoofing).
  • Emails typically contain urgent requests, such as transferring a sum to an external account or sharing sensitive documents.
  • Urgency is often emphasised ("Transfer immediately") or confidentiality underscored ("Do not share with colleagues").

Dissemination and Implementation of Instructions

  • The fake email is sent to employees authorised to release transactions or data, typically in finance, accounting, or procurement departments.
  • Often, the email claims that a “specialist department” (e.g., legal or financial) has confirmed the payment request. This adds credibility to the fraudulent demand.
  • Employees, failing to detect the fraud, execute the instructions, resulting in the loss of money or sensitive data.
  • Such attacks often go unnoticed initially, as the emails appear authentic and are not questioned.

Completion

  • Fraudsters act swiftly, transferring or redirecting the funds, so that in most cases the money cannot be recovered.

Warning Signs: How Can I Spot CEO Fraud?

CEO fraud can often be identified by certain clues, even if the message or call initially appears credible. Common warning signs include:

Unexpected or Urgent Payment Requests

Emails from executives suddenly instructing large payments without prior arrangements should be critically examined. Emphasis on urgency or secrecy is often a red flag.

Unfamiliar Sender Addresses or Domains

Examine email addresses closely. Spoofed or slightly altered domains (e.g., additional letters or symbols) are classic indicators of fraud.

Unusual Writing Style or Tone

Sudden changes in communication style, unusual wording, or lack of personal address may indicate an attempt at fraud. Spelling or grammar mistakes are another warning signal.

Unexpected Communication via New Channels

Emails or instant messages on platforms not typically used for payment instructions should be questioned.

Absence of Standard Controls

Requests to bypass internal protocols, such as the four-eye principle or verification steps, require caution.

Prevention: How Can I Protect Myself from CEO Fraud?

Preventing CEO fraud requires attention from all employees, clear processes, and open communication from leadership.

For Employees:

  • Critically Assess Emails and Messages:
    Check suspicious sender addresses, question urgent payment requests, and compare writing style with known supervisor communications.
  • Verify Instructions Personally:
    Before making any unusual payments or disclosing data, call the supervisor on an officially known phone number to confirm.
  • Follow Internal Procedures:
    Do not share sensitive data or release payments without adhering to defined protocols. Open attachments only from trustworthy sources.
  • Participate in Regular Training:
    Attend awareness sessions and follow company security tips to detect fake executive emails early.
  • Act on Warnings:
    If alerted by the bank, respond promptly.

For Supervisors:

  • Establish Standard Processes:
    Implement clear instructions for payments, new payee approvals, and edits to master data. Enforce the four-eye principle and avoid individual authorisations.
  • Train and Educate Staff:
    Periodic workshops on cyber risks and social engineering enhance employees' ability to recognise fraud attempts.
  • Implement Technical Safeguards:
    Use encrypted email communication, two-factor authentication, and email filters to spot fake addresses.
  • Promote Open Communication:
    Foster an atmosphere where employees feel safe to question suspicious directives without fear of repercussions.
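The sender checks described under "Unfamiliar Sender Addresses or Domains" and in the "Implement Technical Safeguards" point, as an added example that is not part of the original page or of Commerzbank's own tooling: it flags lookalike domains (homoglyph substitutions and one- or two-character edits) and executive display names on mailboxes the company does not control. The trusted domain and executive list are constructed placeholders.

```python
"""Flag From: headers that imitate a known executive or the company domain."""
from email.utils import parseaddr

# Constructed data for this example (assumed): the company's real domain and
# the executives whose names attackers are most likely to borrow.
TRUSTED_DOMAINS = {"example-corp.com"}
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Substitutions that make an altered domain look like the real one to the eye.
LOOKALIKE_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                  ("3", "e"), ("5", "s"), ("-", "")]


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse the common lookalike substitutions."""
    d = domain.lower()
    for old, new in LOOKALIKE_SUBS:
        d = d.replace(old, new)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character domain edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike_domain', 'display_name_spoof' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        # An exact match can still be a forged header; that is what SPF, DKIM
        # and DMARC checks are for, not a string comparison.
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return "lookalike_domain"
    if name.strip().lower() in KNOWN_EXECUTIVES:
        # The boss's name on a mailbox the company does not control.
        return "display_name_spoof"
    return "external"
```

Messages classified as `lookalike_domain` or `display_name_spoof` are the ones worth holding for the out-of-band call-back the prevention checklist asks for.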

Response in Serious Cases: What Can Victims of CEO Fraud Do?

CEO fraud can cause significant damage, potentially resulting in liquidity issues. Stolen funds are generally irretrievable. To limit damage during an attack, the following steps can help:

Contact your bank:
Contact your corporate client adviser or call our Commerzbank corporate clients hotline at +49 69 1368 0527 (English) or +49 69 1362 6360 (German), Monday to Friday, 8:00 AM to 6:00 PM.

Document the Incident:
Save all suspicious emails, payment requests, and communication. Record sender details and attachments to reconstruct the incident.

Notify the Police:
File a report at your local police station or with your regional Cybercrime Centre (Zentrale Ansprechstelle Cybercrime, ZAC). Provide all evidence alongside your complaint.

Measures in the Event of Compromised Email Accounts:

  • Notify the IT Team:
    Immediately inform your company’s IT department of the incident.
  • Inform Those Affected:
    All impacted individuals—both the email recipients and the supposed senders—as well as external partners should be notified about the security breach.

Further Steps After an Attack:

  • Improve Internal Processes:
    Review your procedures for payment approvals, changes to master data, and internal communication based on the fraud incident. Implement the four-eye principle and establish clear responsibilities.
  • Raise Employee Awareness:
    Regular training on cybersecurity is essential for employees. Share experiences regarding fraud attempts with your team.

Commerzbank at your side: What we do for your security in the corporate client portal

High-security standards

The corporate client portal and its various applications are regularly tested and reviewed by security teams during development.

Deactivating fraudulent phishing websites

Although we cannot prevent phishing emails from arriving in your inbox, we ensure that the fraudulent websites linked within such emails are deactivated promptly in most cases.

Two-factor authentication

Access to our online portal is secured by a two-factor authentication mechanism (2FA), an extra security measure. Although 2FA cannot completely prevent phishing, it significantly enhances the protection of your account.

Personal advice

If you have any questions or security concerns, please contact your dedicated corporate client adviser directly.

FAQ: Frequently Asked Questions About CEO Fraud

Any company can fall prey to fake executive emails—regardless of size or industry. However, the risk increases significantly when certain factors are present. Particular risks arise from:

  • Decentralised Locations – especially when companies run separate HR, procurement, or finance departments at individual sites, leading to differing processes.
  • Untrained Employees who are unable to identify signs of social engineering or fake management emails.
  • Lack of Standardised Processes, for example, for data changes or payment approvals, especially if no four-eye principle applies and individual authorisations exist.
  • Strict Hierarchies, where employees fear negative consequences if they question directives.
  • Unencrypted Email Communications or insecure messenger platforms being used for official business communication.