high Riskimpersonation

CEO Fraud (Business Email Compromise)

Scammers impersonate executives via email requesting urgent wire transfers, often using AI to craft convincing messages.

Last updated: February 11, 2026

What is this scam?

Business Email Compromise (BEC), commonly known as CEO fraud, is one of the most financially damaging forms of cybercrime. Scammers impersonate company executives, senior managers, or trusted vendors to trick employees into making fraudulent wire transfers, changing payment details, or revealing sensitive business information. The FBI estimates BEC scams cost businesses over $2.7 billion annually in the United States alone, with global losses far higher.

AI has made this scam significantly more dangerous by enabling scammers to generate perfectly written, personalized emails that match an executive's writing style, tone, and typical communication patterns. AI tools can analyze publicly available company communications, press releases, social media posts, and LinkedIn profiles to understand internal workflows and reporting structures. Scammers use this intelligence to create convincing fake email addresses that closely mimic real executive accounts and to time their attacks for maximum effectiveness, such as when the impersonated executive is known to be traveling or unavailable.

In some cases, scammers go beyond email entirely, using AI voice cloning to make follow-up phone calls that sound exactly like the executive, adding another layer of credibility to the fraudulent request.

How AI makes this scam more dangerous

Before AI, BEC scams relied on basic email spoofing and generic urgent language that trained employees could often recognize. AI has elevated these attacks to a level of sophistication that makes them extremely difficult to detect even for security-aware staff. AI can analyze an executive's publicly available writing, including their emails shared in legal filings, blog posts, social media updates, and company announcements, and generate new emails that perfectly replicate their vocabulary, sentence structure, tone, and even their typical greeting and sign-off patterns.

AI also enables scammers to conduct thorough reconnaissance at scale. Natural language processing tools can scrape LinkedIn, company websites, and news articles to build detailed organizational charts showing who reports to whom, which departments handle finances, and which employees have authority to approve payments. This research, which once took days of manual effort, can now be automated in minutes.

The combination of AI-cloned voices with AI-generated emails creates multi-channel attacks where an employee receives a convincing email from their "CEO" followed by a phone call in the CEO's voice confirming the request. This combination overwhelms the natural skepticism that a single suspicious email might trigger.

Who gets targeted and why

Finance departments and accounts payable staff are the primary targets because they have direct access to company funds and are accustomed to processing payment requests. However, HR departments are also targeted for employee tax records and personal data, and IT staff may be targeted for system access credentials. Small and mid-size businesses are frequently victimized because they often lack the sophisticated email security systems and verification procedures that larger corporations maintain.

New employees are particularly vulnerable because they may not yet be familiar with an executive's normal communication style and may be reluctant to question a request from a senior leader. Employees in companies undergoing transitions, such as mergers, acquisitions, or leadership changes, are also at elevated risk because unusual financial requests may seem more plausible during periods of change.

Warning signs specific to this scam

The most telling warning sign is an email requesting a wire transfer or payment change that arrives outside of normal approval processes, especially with urgency like "this needs to be done before end of business today." Requests to bypass normal approval procedures due to "time sensitivity" or "confidentiality" are a major red flag, as are instructions to keep the request secret from other colleagues. Check the sender's email address character by character because scammers use domains that differ by a single letter or use lookalike characters. Be suspicious if the sender refuses to discuss the request via phone or video call, if the payment destination is a new vendor or foreign account, if the email references a "confidential acquisition" or "urgent legal matter" that conveniently explains why normal processes should be skipped, and if the formatting, signature, or greeting style differs subtly from the executive's normal emails. Any financial request that makes you feel pressured or uncomfortable is worth verifying through a separate, trusted channel.

🔍How This Scam Works

Reconnaissance: Scammers research company via LinkedIn, identifying CFO, CEO, and finance staff roles and relationships
Email compromise or spoofing: Either hack executive's actual email account OR create lookalike domain (company.com vs comp4ny.com)
Timing attack: Monitor exec calendars via social media/assistants; strike when CEO is traveling/unavailable
AI-crafted email: Use AI to analyze past emails and mimic executive's writing style, tone, and signature
Urgent wire transfer: Request immediate payment to "vendor" or "acquisition target," citing confidentiality
Bypass controls: Instruct employee to skip normal approval process due to "time sensitivity"
Money laundering: Funds transferred to attacker-controlled account, often overseas, immediately moved to hide trail

🚩Red Flags to Watch For

•Email requesting wire transfer comes unexpectedly or outside normal approval process
•Urgent tone with time pressure ("Need this done before end of business today")
•Request to bypass normal approval procedures
•Email address has subtle differences from real address (extra character, different domain)
•Email lacks normal signature or has formatting differences
•Sender refuses to discuss via phone or video call
•Instructions to keep request confidential
•Recipient is being asked to act outside their normal responsibilities
•Payment destination is unusual (new vendor, foreign account)
•Request references a "confidential acquisition" or "urgent legal matter"

🛡️How to Protect Yourself

1Implement dual-approval process for all wire transfers above threshold
2Verify any unusual financial request via phone call to known number (not one in email)
3Never use reply button - manually type email addresses for sensitive communications
4Hover over sender email address to verify exact spelling and domain
5Establish verbal verification codes for high-value transfers
6Train employees to question requests that bypass normal procedures
7Use email authentication (SPF, DKIM, DMARC) to prevent spoofing
8Limit public information about organizational structure and roles
9Create a culture where employees feel comfortable questioning executives
10Report suspicious emails to IT/security immediately, even if unsure

📞If You've Been Targeted

If your company has been hit by a BEC scam:

Contact your bank immediately - Time is critical. Call your bank's fraud department and request an urgent recall of the wire transfer. If you act within 24-72 hours, there is a reasonable chance the funds can be frozen before they are moved further. Ask your bank to contact the receiving bank directly
Report to the FBI IC3 (US) - File a report at ic3.gov immediately. The FBI's Recovery Asset Team has successfully frozen and recovered funds in many BEC cases, but only when reported quickly
Notify your company's IT security team - The executive's email may have been compromised, and other employees may be receiving similar fraudulent requests. IT needs to investigate immediately, check for email forwarding rules, and secure all executive accounts
Preserve all evidence - Save the fraudulent emails with full headers, any attachments, phone call logs, and transaction records. Do not delete anything, as this evidence is essential for law enforcement investigation
Report to law enforcement - In addition to the FBI IC3, file a report with your local police and any relevant financial regulators
Notify affected clients or partners - If vendor payment details were changed, contact the real vendor to alert them and verify correct payment information
Conduct an internal review - Investigate how the scam succeeded to identify and close the security gap. Review email authentication settings (SPF, DKIM, DMARC), wire transfer approval processes, and employee training
Implement immediate safeguards - Require verbal verification for all wire transfers above a threshold amount, mandate dual approval for payment changes, and prohibit processing financial requests received solely via email without independent verification
Consider legal counsel - Depending on the amount lost and circumstances, legal advice may be needed regarding insurance claims, regulatory reporting, and liability
Support the affected employee - The person who processed the fraudulent transfer is also a victim. Blame and punishment discourage future reporting of suspicious activity

Speed matters more than anything. The majority of successfully recovered BEC funds are reported to law enforcement within 48 hours of the transfer.

🌍Report & Get Help

Report fraud and get support through these official resources in your country:

🇺🇸United States

FBI IC3
Report cyber fraud
FTC
Consumer protection

🇬🇧United Kingdom

Action Fraud
UK fraud reporting

🇨🇦Canada

Canadian Anti-Fraud Centre
Report fraud and cybercrime in Canada

🇦🇺Australia

Scamwatch (ACCC)
Report scams and get help in Australia

Learn More

View Guide →

Related Scam Alerts

medium