Female dummy head
25 March 2021 / Elaboration

CEO Fraud: phishing at C-level

Is the CEO of your company the weakest cybersecurity link? Recent trends seem to suggest as much. Why is that and what can be done against CEO Fraud?


When do people click on malicious link the most? Correct: when they believe the sender is reliable, when a problem seems to surface and when there is time pressure. An email from the boss, claiming to be in immediate need of assistance, is not something you put aside lightly. Protecting yourself against CEO Phishing Fraud starts with…

...Recognising the threat

‘CEO Fraud’ is an upcoming threat in phishing. Cybercriminals impersonate someone in a leadership position at your company and try to convince co-workers that urgent action is required. In order to succeed, they use forged or spoofed email addresses, share details that ‘only the real CEO could possibly know’ or they are in possession of the real deal: a superior’s hacked email account.

In reality, only that last part can form an obstacle for hackers: faking an email address is easy. All you have to do is create a domain that somewhat resembles the original. Winning someone’s trust is simple as well, because of the information shared on social media. It is easy to find out whom leadership corresponds with or what their interests are. Using ‘CEO spoofing’ it is sometimes even possible to impersonate someone using their actual email domain, without the need of registering a lookalike, thanks to a badly secured email server.

That is why CEO Fraud is difficult to recognise. Only by paying attention to the smallest of details, can you discover a malicious attempt. Some general tips that might help: if someone tries their best to convince you of their identity, it is often a sign to be watchful. When the sender tries to persuade you to deviate from standard procedure for certain requests, an alarm should sound.

CEO’s names, and those of others in management positions, are abused more and more often because they possess a sense of authority.

How does it work?

When we take a closer look at CEO Fraud, we see a couple of well-known phishing practices come into play. Firstly, there is the element of spear phishing: a member of an organisation is singled out to be specifically targeted to execute a specific action. Instead of a general phishing message (coming e.g. from a cloud service), this message was sent by someone the receiver is supposed to know.

Secondly, criminals often use PDF of Macro fraud, where you receive a malicious email attachment. When you open the PDF document or activate the macro functions in a Word or Excel file, it becomes possible for criminals to infect your device externally. While the presence of a PDF, Word or Excel file immediately offers an air of authority and reliability, it should automatically make you wary of its contents. Just because it looks professionally, does not mean it is trustworthy.

How to prevent CEO Fraud?

The best way to prevent CEO phishing fraud is by taking into account many of the same measures against regular phishing campaigns: take a step back to analyse any message you receive and ask yourself some critical questions. Who is sending me this message? Why? Would this person ask me to perform this action in other, normal circumstances? Is it a request that falls outside my regular scope of duties? Is pressure put on me, e.g. by stating that it is an urgent task?

Next, you should check the sender’s email address: are there typo’s in the address or is the message coming from somewhere that doesn’t comply with corporate policy? Finally, you can check where any hyperlinks in the message direct you to by hovering your mouse pointer over any given link. If the destination seems wrong, don’t click it. Because this isn’t possible on mobile devices, you should never open a link on a smartphone or tablet!

CEO’s names, and those of others in management positions, are abused more and more often because they possess a sense of authority. People are less likely to question a strange request from their boss. It is, however, always a good idea to be vigilant, ask the right question and, most importantly: think before you click!