CEO Fraud
Impersonation of senior executives to pressure staff into urgent, confidential payments.
Last reviewed: 1 June 2026
What this scam is
CEO fraud (whaling) impersonates a senior executive to instruct staff — usually in finance — to make an urgent, confidential payment or share sensitive data, exploiting authority and the reluctance to question the boss.
How it works
Using a spoofed or look-alike email (or increasingly a deepfake call), the 'CEO' requests an urgent transfer for a confidential deal, stressing secrecy and speed. Staff comply to avoid delaying the executive.
Common red flags
- Urgent, confidential payment request from a senior figure
- Pressure to bypass normal procedures
- Slightly wrong sender address or unusual channel
- Instruction to keep it secret
Sanitized example messages
Illustrative, sanitized examples. Personal and payment details are replaced with square-bracket placeholders such as [amount], [account], [phone number] and [fake link].
I'm in a confidential acquisition and need you to transfer [amount] to [account] now. Keep this between us.
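As an added defender-side example (not part of the original page), the following Python heuristic scores an inbound message against the red flags listed above: a look-alike sender domain, an executive's display name on a different address, and urgency, secrecy, payment or bypass-procedure language. The executive allowlist, domains and sample messages are constructed placeholders; the first sample is the sanitized message above sent from a look-alike domain.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of genuine executive mailboxes (display name -> address).
# A real deployment would load this from the directory; these values are placeholders.
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Phrase patterns for the red flags described on the page.
URGENCY = re.compile(r"\b(urgent(ly)?|right now|now|immediately|today|asap)\b", re.I)
SECRECY = re.compile(r"\b(confidential|between us|keep this quiet|secret|don'?t (tell|mention))\b", re.I)
PAYMENT = re.compile(r"\b(transfer|wire|pay(ment)?|account|invoice|crypto|bitcoin)\b", re.I)
BYPASS = re.compile(r"\b(skip|bypass|without|no (time|need) for) (the )?(approval|sign-?off|usual process)\b", re.I)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_domain(sender, trusted_domains, threshold=0.8):
    """True when the sender's domain is close to, but not identical to, a trusted domain."""
    d = _domain(sender)
    return any(d != t and SequenceMatcher(None, d, t).ratio() >= threshold for t in trusted_domains)

def assess(sender, display_name, body):
    """Return (flags, decision): 'verify-out-of-band' when the identity looks wrong or a
    payment request carries urgency/secrecy/bypass pressure, otherwise 'normal'."""
    flags = []
    trusted_domains = {_domain(a) for a in KNOWN_EXECUTIVES.values()}
    name, sender = display_name.strip().lower(), sender.strip().lower()
    if name in KNOWN_EXECUTIVES and KNOWN_EXECUTIVES[name] != sender:
        flags.append("display-name-mismatch")  # executive's name on a non-executive address
    if sender not in KNOWN_EXECUTIVES.values() and lookalike_domain(sender, trusted_domains):
        flags.append("lookalike-domain")
    for label, pattern in (("urgency", URGENCY), ("secrecy", SECRECY),
                           ("payment-request", PAYMENT), ("bypass-procedure", BYPASS)):
        if pattern.search(body):
            flags.append(label)
    identity_wrong = "display-name-mismatch" in flags or "lookalike-domain" in flags
    pressure = any(f in flags for f in ("urgency", "secrecy", "bypass-procedure"))
    if identity_wrong or ("payment-request" in flags and pressure):
        return flags, "verify-out-of-band"
    return flags, "normal"

# Constructed sample messages; the first is the page's sanitized example on a look-alike domain.
SAMPLES = [
    ("jane.doe@example-c0rp.com", "Jane Doe",
     "I'm in a confidential acquisition and need you to transfer [amount] to [account] now. Keep this between us."),
    ("jane.doe@example-corp.com", "Jane Doe", "Thanks for sending the Q3 deck, looks good."),
    ("billing@vendor.example", "Vendor Billing", "Please see the attached invoice for payment, due in 30 days."),
]

if __name__ == "__main__":
    for sender, name, body in SAMPLES:
        print(sender, assess(sender, name, body))
```

A hit on "verify-out-of-band" should route the message to the independent-channel check described later on this page rather than block it outright, since genuine executive requests will occasionally trip the wording patterns.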
Payment methods used
- Bank transfer
- Crypto
Who is usually targeted
- Finance staff
- Executive assistants
- New employees
What to do immediately
- Verify the request via a separate known channel (call the executive directly)
- Follow dual-authorisation procedures; never bypass them for 'urgency'
- If paid, contact your bank immediately and report it
Evidence to preserve
- The message and headers
- Any call records
- Payment details
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do we defend against CEO fraud?
Mandate out-of-band verification for payment requests, enforce dual authorisation, and build a culture where staff are encouraged to pause and verify even when 'the boss' is asking urgently.