
The CEO Fraud Playbook: How Impersonation Scams Work Step by Step


CEO fraud, also called executive impersonation, is a form of Business Email Compromise (BEC) that has cost businesses billions globally. The attack is elegant in its simplicity: no malware and no exploited vulnerability, just a well-crafted email and human psychology.

Here's the playbook, step by step.

Step 1: Research and reconnaissance

The attacker identifies your business and your leadership team. LinkedIn is a goldmine: it tells them who the CEO or MD is, who runs the finance team, and what the org structure looks like. The company website might confirm email address formats.

They might also conduct more involved research — reading annual reports, press releases, or media coverage to understand current business activities and relationships.

Step 2: Identify the target

The attacker selects who to impersonate (usually a senior executive) and who to target (usually someone in finance, accounts payable, or HR who has authority to make payments or update records).

New employees are particularly valuable targets — they're eager to help, haven't built up the internal radar for "that's not how we normally do things," and are less likely to push back against authority.

Step 3: The initial email

The attacker sends an email to the target that appears to come from the executive. This might be:

  • A domain lookalike (`@abcconstructions.com` instead of `@abcconstruction.com.au`: an extra letter and a different top-level domain, easy to miss at a glance)
  • A spoofed display name (the executive's name shown on an unrelated address, often free webmail; many mobile mail clients show only the display name)
  • A genuinely compromised executive mailbox (more advanced, and indistinguishable from the real sender at the header level)
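The first two tricks leave traces in the message headers that a mail gateway or a finance team's inbox rule can check mechanically. The following is an added example, not code from the original post or from Phishbate: it parses the `From` and `Reply-To` headers, flags an executive's display name on an address that is not theirs, flags a sender domain whose brand label is within a couple of edits of the company's own domain after folding common digit-for-letter substitutions, and flags a `Reply-To` that would send the conversation outside the organisation. The company domain, executive list and the five sample messages are all constructed for the example. A compromised real mailbox (the third trick) passes every one of these checks, which is why the out-of-band verification described later on this page is the control that actually matters.

```python
"""Header-level red flags for the sender tricks used in CEO fraud."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration for a hypothetical company (assumption, not from the page).
OUR_DOMAIN = "abcconstruction.com.au"
# Executives whose names an attacker would borrow: normalised display name -> real address.
EXECUTIVES = {
    "jane smith": "jane.smith@abcconstruction.com.au",
}

# Characters commonly swapped into lookalike domains, mapped back to what they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def brand_label(domain: str) -> str:
    """Leftmost DNS label with homoglyphs and hyphens folded.

    Comparing only the brand label means 'abcconstruction.com' and
    'abcconstruction.com.au' compare as equal, which catches the TLD swap.
    """
    label = domain.lower().split(".")[0]
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str) -> list:
    """Return the sender red flags found in the headers (empty list if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    is_internal = domain == OUR_DOMAIN.lower()
    name_key = re.sub(r"\s+", " ", display.strip().lower())
    flags = []

    # 1. Spoofed display name: an executive's name on an address that is not theirs.
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        flags.append("display-name spoof")

    # 2. Lookalike domain: external, but the brand label is within two edits of ours.
    if domain and not is_internal:
        dist = edit_distance(brand_label(domain), brand_label(OUR_DOMAIN))
        if dist <= 2:
            flags.append(f"lookalike domain (edit distance {dist})")

    # 3. Reply-To redirect: replies would leave the organisation even if From looks internal.
    if reply_addr:
        reply_domain = reply_addr.lower().rpartition("@")[2]
        if reply_domain != domain:
            flags.append(f"reply-to mismatch ({reply_domain})")

    return flags


# Constructed sample headers for the example; none of these are real messages.
SAMPLES = {
    "legitimate": "From: Jane Smith <jane.smith@abcconstruction.com.au>\nSubject: Board pack\n\nbody",
    "display_name": "From: Jane Smith <janesmith.ceo@gmail.com>\nSubject: Quick favour\n\nbody",
    "lookalike": "From: Jane Smith <jane.smith@abcconstructions.com>\nSubject: Urgent payment\n\nbody",
    "homoglyph": "From: Accounts <accounts@abcc0nstruction.com.au>\nSubject: Updated bank details\n\nbody",
    "reply_to": ("From: Jane Smith <jane.smith@abcconstruction.com.au>\n"
                 "Reply-To: ceo.office@outlook.com\nSubject: Confidential\n\nbody"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} -> {classify_sender(raw) or ['no sender flags']}")
```

The edit-distance threshold of two and the homoglyph table are deliberately small; in production the same logic is usually fed a list of registered lookalikes and combined with SPF/DKIM/DMARC results, which this offline example does not consult.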

The email establishes a reason for the request. Usually:

  • An urgent payment for a new supplier or deal
  • An instruction to update bank details for an existing supplier
  • A request for confidential information (payroll data, client contracts)

Step 4: Building pressure

The attacker applies urgency: "I'm in a meeting, I need this done before close of business today." They may explicitly ask the target not to discuss it with others ("this is confidential until the deal is finalised").

The authority + urgency + secrecy combination is the psychological trap.

Step 5: The transfer

The target, believing they're following legitimate instructions from their boss, makes the transfer. The money lands in an account the attacker controls and is quickly moved on through further accounts, often offshore, before anyone notices.

Step 6: Discovery

Usually discovered when the legitimate executive denies making the request, or when the expected payment doesn't arrive. By this time, recovery of funds is very difficult.

How to break the playbook:

  • Mandate out-of-band verification for every payment instruction and every change of bank details. Confirm with the requester in person or by phone on a number you already hold, never on a number or address taken from the email itself. Every time, with no exceptions for seniority or urgency.
  • Explicitly brief your finance/accounts team on this scam. Show them this playbook.
  • Remove the secrecy weapon. Make it a policy that any payment instruction, regardless of source, goes through the standard approval process. The CEO doesn't get to bypass it.
  • Train your newest staff first. They're the most vulnerable.

Run this playbook in reverse — train your team at Phishbate →
