
Lose A Cool $1.6 Million In One Email: CEO Fraud And How You Can Fight Back

Got A Cool $1.6 Million To Burn? CEO Fraud And The Repercussions To A Business Like Yours

Here’s how you can lose $1.6 million from one email…the timeline goes something like this:

  1. A short and simple email from your boss, asking you to immediately send a large sum of the company’s funds to a new bank account, supposedly given to him personally by the supplier.
  2. You notice a few spelling errors, here and there. But it’s your boss, so you decide to let it go. You’re a little bit suspicious though of a supplier going directly to your boss instead of through you at accounting.
  3. You decide to ignore it for now. You want to confirm with the supplier first. But then you start to worry that your boss might find out that you didn’t believe his email, so you decide against it.
  4. You remember watching a funny TED video about this guy replying to spam, so you decide to check with your IT department first to make sure you’re not giving away money to some Nigerian prince.
  5. But before you could, you receive another email from your boss, asking what’s taking you so long to transfer the funds. You think about how he rarely contacts you. But he’s contacting you now for this particular transaction, so it must be important.
  6. You notice another spelling error. Glaring this time. But the boss – the one who hasn’t sent you an email for the two years you’ve been in the company – has emailed you twice now. Twice.
  7. So with the overwhelming need to impress your boss, you go against all common sense, and you make the transfer.

…And that’s how you lose millions of dollars from a poorly spelled CEO Fraud email.

So What Happens To A Business When It Gets Hit By CEO Fraud?

You might think that a diabolically clever genius of a scammer is writing these uber-complex emails, the kind good enough to trick high-ranking White House officials into an email name-calling contest. Analysts say this isn’t the case.

In their study on the psychology of phishing scams, Prashanth Rajivan and Cleotilde Gonzalez from the Dynamic Decision Making Laboratory of Carnegie Mellon University found that creativity has nothing to do with the success of a phishing attack.

In fact, for email phishing scams, the simpler, the better: the more plausible the email, the higher the chances that an unsuspecting employee will take the bait and click on a link, give out sensitive information, or transfer money.

It’s this simplicity that makes CEO fraud one scary scam. But even scarier is what happens to a business after a successful attack.

Financial Loss

The latest numbers from the FBI indicate that victims of CEO fraud experienced a loss of around $675 million to as high as $5 billion, with SMEs being scammed for as much as half a million in a span of two days.


These numbers don’t even include the added expenses these companies face after the attack, such as fixing their network, belatedly beefing up their online security, legal fees, reparations for customers, and running a campaign to win back their trust.


So while multinational companies like Google and Facebook have the resources to survive a $100 million loss from a CEO fraud attack, small and medium businesses may not be as lucky.

The Biggest Phishing Scams In History

  • Lithuanian Evaldas Rimasauskas’ CEO fraud scheme took Facebook and Google for $100 million.
  • Toy giant Mattel nearly lost $3 million to a phishing scam, with the scammer exploiting the fact that the company just hired a new CEO.
  • US retailer Target was hacked with information gained through one of its third-party suppliers, compromising personal and financial information of its 70 million customers. The company reported an estimated loss of $162 million from the breach.
  • Hackers phished the log-in credentials of a small number of eBay’s employees, gaining them access to sensitive information inside the company’s network.
  • Sources say that Sony lost close to $171 million when it was hacked back in 2011. Phishers looking to capitalize on the situation immediately launched an attack and asked users to update their passwords and credit card information.

Damaged Reputation

Back in 2011, a spear phishing email was sent to four employees of security vendor RSA; it read: “I forward this file to you for review. Please open and view it.”

When one of RSA’s employees clicked on the attachment, the hackers gained access to its well-known two-factor authentication product. The hackers intended to steal military secrets from defense contractor Lockheed Martin.

Reports estimate that its parent company, EMC, spent $63 million on damage control measures after the breach. However, as big as this sum of money is, it’s nothing compared to the cost of a tarnished reputation.

So, while RSA’s stock didn’t plummet and there was no mass exodus of clients, industry insiders note the immense doubt from consumers that looms over all of RSA’s post-breach products.

And with a slew of new competitors offering alternative authentication technologies taking over the market, it remains unclear whether RSA will recover its reputation as the world’s premier security vendor.

Here’s How You Can Fight Back Against CEO Fraud

  • Continuous Security Education and Awareness. As daily business operations now rely heavily on connected devices and cloud-based services, developing a culture of security education and awareness within the company is now a necessity.

However, you shouldn’t just focus on warning your employees against the latest phishing schemes, but rather, instill the awareness of how a breach from a CEO fraud can affect the company.

This way, you can permanently instill an automatic response within your employees to:

    • Check the sender on emails.
    • Call the sender to verify if they indeed sent the email.
    • Check for spelling errors.
    • Check with your IT support if you’re suspicious of an email.
    • Be wary of clicking on suspicious links.
    • Be wary of downloading not-so-reputable attachments.
    • Protect your business through NOT conducting financial transactions over email.

That old adage, “Give a person a fish and you feed them for a day; teach them how to fish and you feed them for a lifetime,” is exactly what you’re instilling in your team. Instead of a one-hit-wonder seminar around this training (one fish), you commit to continuous security education across the board (teaching your team how to fish).
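As an added example (not code from the original post), here is a small Python check that applies the checklist above to an incoming message: it flags an executive’s display name on a mailbox outside the company domain, a Reply-To that silently redirects replies elsewhere, and a payment request paired with urgency language. The company domain, the executive name, the keyword lists and the sample message are all constructed assumptions.

```python
# Added example, not from the original post: flag the CEO-fraud red flags the
# checklist above describes. Domain, names, keywords and the sample are made up.
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"          # assumed: your own mail domain
EXECUTIVES = {"jane doe"}                    # assumed: display names attackers imitate
PAYMENT_WORDS = ("wire", "transfer", "bank account", "payment")
URGENCY_WORDS = ("immediately", "urgent", "asap", "right away")


def ceo_fraud_indicators(raw_message: str) -> list:
    """Return human-readable red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # 1. "Check the sender": executive's name on a mailbox outside the company.
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append(f"display name '{from_name}' but sender domain '{from_domain}'")
    # 2. Replies quietly routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain '{reply_domain}' differs from From domain")
    # 3. "No financial transactions over email": money movement plus pressure.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        flags.append("payment request combined with urgency language")
    return flags


# Constructed sample, modelled on the timeline at the top of the post.
SAMPLE = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe@mail-relay.example.net
To: accounting@example-corp.com
Subject: Supplier payment

Please wire the supplier payment immediately to the new bank account below.
"""

if __name__ == "__main__":
    for flag in ceo_fraud_indicators(SAMPLE):
        print("RED FLAG:", flag)
```

A message that trips any of these flags is a candidate for the out-of-band phone call the checklist asks for, not for an automatic block.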

  • Constant Training Of Employees And Management. Intel conducted an experiment with 190,000 people from 144 countries to determine whether they could successfully identify a phishing email.

Results showed that one in four times, respondents were tricked by a phishing email – and all it takes is one email for scammers to gain access to your company’s data.

Constantly running simulated phishing attempts in a safe sandbox environment for all employees, as well as management, gives them the training they need to identify and handle real phishing attempts successfully.

  • Invest In A Dedicated Staff For Online Security. Researchers at Symantec estimate there are 135 million attempted phishing attacks on businesses every day. So, it’s not a question of whether or not you’ll be attacked, but when.

The best line of protection? Hiring a skilled managed service provider to ensure all anti-phishing technologies are in place. Having a true managed service provider for your IT support enables next-level defense for employees when they encounter possible phishing attacks and other cyber threats.

Although it may seem costly, considering that a business can lose millions of dollars each day, with some scams running for years, it’s a worthy investment for any business.

But, with all these suggested solutions, herein lies the rub:

The crux of phishing scams and CEO fraud is that people are both the problem and the solution.

In the end, the greatest defense against a CEO fraud attack might not be the most advanced security software, but properly educated employees that understand to never give money, sensitive information or passwords to anyone over email (even if it’s their boss!) and a managed service provider who is truly proactive and has your business covered.
