Phishing · Intermediate · 6 min

CEO fraud & BEC

An email from the CEO, an urgent wire transfer, a few hours of pressure - and millions are gone. Here's the pattern, and the reflex that stops it.

The simple pattern behind spectacular losses

CEO fraud, or Business Email Compromise (BEC), is the most expensive form of email crime today. No trojan, no classic hack - just a well-timed, well-worded call to action. Across the US and Europe, BEC accounts for billions of dollars in losses per year.

The script is always similar:

  1. Attackers do public research (LinkedIn, press releases, company website).
  2. They identify someone with payment authority - often in finance.
  3. They write as the CEO, CFO, or business partner with an urgent, confidential transfer request.
  4. They push for speed, discretion, and a deviation from the usual process.
01 Pressure + secrecy = alarm

'Urgent, please keep this confidential' is the BEC signature. Real instructions respect the process.

02 Check the reply address

Replies often go to `firstname.lastname@company-ch.com` instead of `company.ch`. One letter of difference.

03 Four-eyes when in a rush

Exactly when something is supposed to be fast, the rule applies: ask a second person. By phone, not by email.

The three most common BEC patterns

1. CEO spoofing: A CEO-styled email to finance: "I'm in a meeting, need a quick transfer for an acquisition. Confidential. Send me the IBAN and I'll share details." The account is offshore, the money gone in minutes.

2. Vendor takeover: A real supplier gets compromised. Attackers wait for a real invoice, change the IBAN, forward it on. You pay on time - to the attackers. Often only discovered weeks later when the dunning letter arrives.

3. Lawyer / M&A scenario: "I'm representing a law firm on this matter. Confidential deal. We need 250,000 quickly." Plays on the natural discretion around legal matters.

Real case - Swiss mid-market firm 2024

CFO receives a Friday-afternoon mail from the "CEO" (display name correct, reply address very similar): "On the flight to Singapore. Acquisition needs a 287,500 EUR deposit today on the following IBAN. Please approve it yourself - I'll explain on Monday." CFO knows: Compliance requires two signatures. Calls the CEO - who is bemused and at his desk. Damage: zero.

The same attempt hit a neighboring company a week earlier - there, the wire went through. Damage: 287,500 EUR.

The five anchors that expose every BEC

  1. Time pressure: "Within an hour", "before the meeting ends" - legitimate business gives you time.
  2. Secrecy: "Don't tell anyone on the team" - that's the classic tell. Real CEOs include the team.
  3. Deviation from the standard process: "Wire directly, skip SAP" - that deviation is the attacker's goal.
  4. New payment details: A new IBAN, often in a different country. Legitimate suppliers announce account changes in advance.
  5. Reply address mismatch: Display name is right, but the actual address has a letter swap or a different TLD.
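Anchor 5 and the "check the reply address" tile above describe the one BEC tell that a machine can check before a human ever reads the mail: the display name belongs to a known person, but the From or Reply-To address points at a domain one letter away from yours (or the same name under another TLD). The example below is added here and is not code from the original page; it uses only the Python standard library and constructed sample messages. The trusted domain `company.ch`, the executive directory `KNOWN_SENDERS`, and the sender "Anna Muster" are assumptions chosen to mirror the case above. It goes slightly beyond the text by also catching lookalikes that contain the real name (`company-ch.com`) and one- or two-character misspellings, not just a swapped TLD.

```python
import re
import email
from email.utils import parseaddr

# Hypothetical reference data: your own mail domains and a small directory of
# people whose names are routinely impersonated (CEO, CFO). Both are assumptions.
TRUSTED_DOMAINS = {"company.ch"}
KNOWN_SENDERS = {"anna muster": "anna.muster@company.ch"}

# Constructed sample in the style of the case above: display name correct,
# Reply-To one letter away from the real domain.
SAMPLE_MESSAGE = """\
From: "Anna Muster (CEO)" <anna.muster@company.ch>
Reply-To: "Anna Muster" <anna.muster@company-ch.com>
To: cfo@company.ch
Subject: Urgent - confidential transfer

On the flight to Singapore. Acquisition needs a deposit today. Confidential.
"""

# Constructed legitimate message: same person, real address, no Reply-To.
CLEAN_MESSAGE = """\
From: "Anna Muster" <anna.muster@company.ch>
To: cfo@company.ch
Subject: Board minutes

Attached, as discussed.
"""


def edit_distance(a, b):
    """Levenshtein distance; small values flag letter swaps and typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of a bare address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def name_part(domain):
    """Domain without its TLD, dots and hyphens removed: 'company-ch.com' -> 'companych'."""
    labels = domain.lower().split(".")
    return "".join(labels[:-1]).replace("-", "") if len(labels) > 1 else domain.lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated.

    Heuristic: the trusted name is embedded in the suspect name (company-ch.com,
    company.com) or is within two edits of it (cornpany.ch). Tune for short names.
    """
    if domain in trusted:
        return None
    name = name_part(domain)
    for t in sorted(trusted):
        t_name = name_part(t)
        if t_name in name or edit_distance(name, t_name) <= 2:
            return t
    return None


def check_sender_headers(raw_message, trusted=TRUSTED_DOMAINS, known=KNOWN_SENDERS):
    """Return a list of findings for the From / Reply-To headers; empty means clean."""
    msg = email.message_from_string(raw_message)
    findings = []
    seen = {}
    for field in ("From", "Reply-To"):
        value = msg.get(field)
        if value is None:
            continue
        display, addr = parseaddr(value)
        addr = addr.lower()
        seen[field] = addr
        # Anchor 5: display name is a known person, but the address is not theirs.
        key = re.sub(r"\(.*?\)", "", display).strip().lower()
        if key in known and known[key] != addr:
            findings.append(f"{field}: display name '{display}' but address {addr} is not {known[key]}")
        # Lookalike domain: one letter of difference, or the same name under another TLD.
        imitated = lookalike_of(domain_of(addr), trusted)
        if imitated:
            findings.append(f"{field}: domain {domain_of(addr)} imitates trusted {imitated}")
    # Replies silently routed to another domain than the visible sender.
    if "Reply-To" in seen and domain_of(seen["Reply-To"]) != domain_of(seen.get("From", "")):
        findings.append("Reply-To domain differs from From domain")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, check_sender_headers(raw) or ["no findings"])
```

A finding is a reason to pick up the phone, not an automatic block: legitimate partners do send from hyphenated or foreign-TLD domains, which is exactly why the page's reflex (second channel, different person) remains the control and this check only decides who gets called first.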

The one reflex that protects you

For every unusual payment request: second channel, different person.

Concretely:

  • Call the apparent sender on a known phone number. Not the number from the email.
  • For supplier IBAN changes: phone confirmation with the supplier's finance team.
  • When rushed: 30 minutes of waiting beats losing 300,000.

What your organization can do

  • Four-eyes principle above a threshold (e.g. CHF 10,000) - always, even when the CEO pushes.
  • Master-data changes for suppliers only after phone confirmation.
  • Phishing tests including BEC scenarios, not just classic email phishing.

If you're unsure: it's never awkward to question an instruction. It's awkward to follow one blindly.
