Be careful with the CEO scam: do you know how this fraud works?


We are continuing with our series “Protect yourself against fraud” and are going to explain the technique known as the CEO scam.

The purpose of this fraud is to trick a middle manager of a company or government agency into making a transfer from the company’s account or into paying a fake invoice. To do this, criminals masquerade as a senior manager in the same company or agency or supplant the identity of a usual supplier.

  • Phishing: emails are sent indiscriminately to employees by cybercriminals masquerading as a reputable source in an attempt to “fish” sensitive information . 
  • Spear phishing: this is a step further than phishing, since the cybercriminals have previously gathered information on users available on the internet (for example, on social media) and the emails are more tailored.
  • Whaling: this is a type of phishing which targets the big fish (hence its name). The cybercriminals have studied their victim exhaustively and know how the organisation works.
  • Social engineering: they recreate situations which make the scam easier. For example, what would you do if you receive an email from your boss asking you to make a transfer to close an urgent and confidential financial transaction? Would you risk questioning this request? They know that this poses a dilemma and use it to their advantage.

As an employee:

  • Check the email addresses. If you are using a mobile device, click on the name to see the real address.
  • Be careful with email attachments.
  • Confirm the authenticity of the email with the sender and do not reply until you have checked this. Prevention is better than cure.
  • When faced with a change in a (supplier’s) bank account, check that the change is authentic by telephone or in person. It’s easy to confirm this before making a payment.
  • If you are suspicious about an email, inform your company’s IT department.

As a company:

  • Opt for using electronic banking over other less secure systems, such as email, and set the highest security level offered, especially for high-value transfers. Ask your bank if they have additional security measures such as security tokens.
  • Set up internal payment protocols and make sure they are followed. One example would be to set a limit above which the authorisation of two or more individuals is needed to proceed with a payment.
  • Since these types of fraud are based on social engineering techniques, training employees is essential so that they can recognise and prevent them.
  • Regular campaigns simulating the sending of phishing emails is recommended as a way of testing users.
  • Good antivirus software, an antispam filter and keeping your operating system up to date are essential IT security measures to prevent anyone from spying on your email.

Download this infographicAbre en ventana nueva prepared by the Spanish Banking Association (AEB by its Spanish abbreviation) and Europol with advice on how to avoid being a victim of this scam.


Remember that transfers are irrevocable payment orders and, consequently, banks cannot reverse transfers without the consent of the beneficiary.


Did you find this information useful?