CEO fraud: when your "boss" emails you from a different address

14.4.2026 | Author: Tomáš Kodák

CEO fraud is a type of cyberattack in which an attacker impersonates a company executive. Learn how the attack works, what the warning signs are, and how to protect yourself effectively.

An employee receives an email from the CEO. The tone is confidential, the request urgent—they need to quickly provide a WhatsApp number, pay an invoice, or send a sensitive document. The problem is that the real boss knows nothing about this email. This is exactly how one of the most widespread and financially costly cyber scams of today works.

What is CEO fraud

CEO fraud is a form of Business Email Compromise (BEC): a targeted scam in which the attacker poses as a superior or senior executive of the organization. Unlike mass phishing campaigns, the attack is tailored to a specific victim. The attacker researches in advance the name, position, and communication style of the person they are impersonating.

According to the FBI, reported BEC losses worldwide exceeded $50 billion over the past decade. Slovakia and the Czech Republic are no exception: businesses, law firms, and public institutions face these attacks with increasing frequency.

How the attack works in practice

  • Reconnaissance – The attacker uses public sources (the company’s website, LinkedIn, media) to identify the name and position of a senior executive, the company’s structure, and the names of employees they intend to target.
  • Creating a fake identity – The attacker registers an email address under the executive's name with a public mail provider (Gmail, Outlook, Daum, etc.). The display name looks right at first glance, but the address is not on the company's domain.
  • Initial contact / testing – The attacker sends a vague but polite message. They do not ask for money right away; instead they ask for a WhatsApp number or availability, or mention a "confidential matter." The goal is to move the conversation outside the company email system, where no one else can see it.
  • Escalation – Once contact is established, the real request follows: an immediate bank transfer, sensitive documents, or opening an attachment or installing software. The attacker stresses urgency and confidentiality: the employee is told not to verify the request and not to involve colleagues.

Real-world example

In recent weeks, we have recorded a series of attacks in which attackers impersonated the CEO of the law firm Hronček & Partners. The messages came from addresses such as headoffice023@daum.net, judypierce197091@gmail.com, and mailprivateoffice065@gmail.com, that is, from common public mail services, not from the company's domain.

In our case, the messages were relatively easy to spot: grammatical errors, unusual phrasing, and suspicious addresses. This is not always so. More sophisticated attacks are much harder to detect: the attacker writes fluent language, knows the company's internal processes and whom to reference, and the difference from genuine communication may be a single character in the email address. That is precisely why every non-standard request must be verified, however trustworthy it looks.

Warning signs to watch out for

  • The email does not come from a company domain, but from Gmail, Yahoo, Outlook, or another public service
  • The message is unusually brief and vague—lacking specific context or reference to an ongoing matter
  • The sender requests moving the conversation to WhatsApp or another private channel outside the corporate environment
  • The message emphasizes urgency, confidentiality, and demands an immediate response without the option to verify
  • The request concerns a payment, bank transfer, sensitive documents, or login credentials
  • The sender discourages you from verifying the request with another colleague or by phone
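The warning signs above can be turned into a first-pass screening rule for a mail gateway or a SOC triage script. The following Python script is an added example, not tooling from the article or from Top Privacy: it parses a handful of constructed sample messages (reusing the public-service sender addresses quoted in this article) and flags an executive's name on an external address, a public mail domain, a lookalike of the company domain, a Reply-To pointing elsewhere, and urgency, off-channel, payment and "don't verify" wording. The company domain example-law.sk, the executive names and the message texts are assumptions made up for the illustration.

```python
"""Heuristic screening of inbound mail for CEO-fraud (BEC) warning signs.

Added example for this article, not tooling from Top Privacy. The company
domain, executive names and sample messages are constructed; only the
public-service sender addresses are the ones quoted in the article.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Hypothetical tenant: the domain genuine internal mail comes from, and the
# executives whose names an attacker would borrow.
COMPANY_DOMAIN = "example-law.sk"
EXECUTIVES = {"Peter Novak", "Jana Horvathova"}

# Free mail providers typically used to register the fake identity.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com",
                       "yahoo.com", "daum.net", "protonmail.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today|"
                     r"confidential|discreet|between us)\b", re.I)
OFF_CHANNEL = re.compile(r"\b(whatsapp|signal|telegram|mobile number|"
                         r"personal (?:number|phone))\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|iban|gift card|"
                     r"documents?|password|credentials|login)\b", re.I)
NO_VERIFY = re.compile(r"\b(?:do not|don't) (?:tell|mention|discuss|inform|call)\b", re.I)


def is_lookalike_domain(domain: str) -> bool:
    """Near miss of the real domain, e.g. one character swapped or dropped."""
    if domain == COMPANY_DOMAIN:
        return False
    return SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.85


def screen_message(raw: str) -> dict:
    """Return the sender, the warning signs found and a verdict for one message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    reply_domain = reply_to.rpartition("@")[2].lower() if reply_to else domain
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: only the text/plain parts
        body = " ".join(p.get_payload() for p in body
                        if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')} {body}"

    findings = []
    if domain != COMPANY_DOMAIN and display_name.strip() in EXECUTIVES:
        findings.append("executive name on an external address")
    if domain in PUBLIC_MAIL_DOMAINS:
        findings.append(f"public mail service: {domain}")
    if is_lookalike_domain(domain):
        findings.append(f"lookalike domain: {domain}")
    if reply_domain != domain:
        findings.append(f"Reply-To points elsewhere: {reply_to}")
    if URGENCY.search(text):
        findings.append("urgency or confidentiality language")
    if OFF_CHANNEL.search(text):
        findings.append("asks to move to a private channel")
    if PAYMENT.search(text):
        findings.append("payment, documents or credentials requested")
    if NO_VERIFY.search(text):
        findings.append("discourages verification")

    # An executive's name from outside the domain is decisive on its own; the
    # wording checks are noisy and only count in combination.
    impersonation = any(f.startswith(("executive", "lookalike")) for f in findings)
    if impersonation or len(findings) >= 3:
        verdict = "SUSPICIOUS"
    elif len(findings) >= 2:
        verdict = "REVIEW"
    else:
        verdict = "OK"
    return {"from": address, "findings": findings, "verdict": verdict}


# Constructed samples: the probe and escalation stages described in the
# article, and one legitimate internal message for comparison.
SAMPLE_PROBE = """From: Peter Novak <headoffice023@daum.net>
To: accounting@example-law.sk
Subject: Are you available?

Hi, are you at your desk? I am dealing with a confidential matter today and
cannot use my office mail. Send me your WhatsApp number.
Peter
"""

SAMPLE_ESCALATION = """From: Peter Novak <p.novak@example-1aw.sk>
Reply-To: mailprivateoffice065@gmail.com
To: accounting@example-law.sk
Subject: Urgent payment

Please transfer the amount on the attached invoice immediately. This is
confidential, do not discuss it with anyone until I am back in the office.
"""

SAMPLE_INTERNAL = """From: Peter Novak <peter.novak@example-law.sk>
To: accounting@example-law.sk
Subject: Q2 invoice batch

Hi, the Q2 invoice batch from the supplier is ready for the usual approval.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PROBE, SAMPLE_ESCALATION, SAMPLE_INTERNAL):
        result = screen_message(sample)
        print(f"{result['verdict']:<10} {result['from']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The executive-name-on-external-address rule is the one that matters most and is what commercial gateways call impersonation protection; the keyword checks alone would flag ordinary accounting mail, so they only raise the verdict when several coincide, as they do in the escalation sample.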

What to do if you receive such a message

  1. Do not reply and do not open attachments or click links. Leave the message as it is so that it can be examined.
  2. Verify by phone or in person with your supervisor whether they actually sent such a message.
  3. Report the message to the IT department or security administrator in your organization.
  4. If you have already provided any data or made a payment, immediately inform management and the IT or security team. For a bank transfer, also contact the bank without delay: the sooner it is notified, the better the chance of stopping or recalling the payment.

How to protect yourself systemically

A few organizational and technical measures significantly reduce the risk of a successful attack. We recommend that organizations implement a "four-eyes" rule for payment approvals and for any change of supplier bank details, enable two-factor authentication on all company accounts (this protects against the variant in which the executive's real mailbox is taken over), and regularly train employees to recognize social engineering. Technically, it is advisable to publish SPF, DKIM, and DMARC records for the company domain so that messages forging that domain are rejected, and to have the mail gateway tag external senders and flag messages whose display name matches an employee but whose address is not on the company domain. Note that DMARC protects only your own domain: it does nothing against a message sent from a genuine gmail.com or daum.net account like the ones above, which is where external-sender tagging and employee awareness matter.

It is equally important to have a clearly defined internal procedure in case of an incident – employees should know who to contact and how to proceed without panicking and without further spreading the damage.

We’ll help you prepare before an attack strikes

At Top Privacy, we take a comprehensive approach to cybersecurity. If you want to ensure your organization is prepared for such incidents, we can help with employee training focused on phishing and social engineering, vulnerability testing, including simulated phishing campaigns, setting up security documentation and internal processes, governance, risk, and compliance (GRC) and incident response management (IRM), as well as Chief Information Security Officer (CISO) services.



Tomáš Kodák

Tomáš Kodák has been working at Top Privacy since 2025, where he focuses on marketing and IT activities and is constantly expanding his knowledge in the field of cybersecurity. He is responsible for the administration and development of internal systems, programming, web platform management, and LAN/WAN network administration. He focuses on practical, reliable, and scalable solutions that support the company's internal processes and digital development. His experience as an e-shop manager helps him combine technical measures with real operational needs and a high-quality user experience. He is currently studying Information and Network Technologies at the Faculty of Management and Informatics at the University of Žilina (FRI UNIZA). He completed his secondary education in the same field at the Secondary Vocational School in Handlová.