In August 2015, Ubiquiti Networks — a billion-dollar tech company with dedicated IT and finance teams — wired $46.7 million to bank accounts controlled by criminals. No malware was involved. No systems were breached. Someone in the finance department received emails that appeared to come from senior executives requesting wire transfers to overseas accounts. They complied.
Ubiquiti eventually recovered about $15 million. The rest is gone.
This isn't an isolated case. It's an entire criminal industry, and it's staggeringly profitable.
The Numbers Are Hard to Believe
The FBI's Internet Crime Complaint Center (IC3) tracks business email compromise (BEC) separately from other cybercrime because the losses are so disproportionately large. Their 2023 report shows:
- $2.9 billion in reported BEC losses in 2023 alone
- BEC accounts for roughly 35% of all reported cybercrime losses — more than ransomware, investment fraud, and tech support scams
- The average BEC loss is around $137,000 per incident
And these are just the reported cases. Many businesses never report, either because they don't realise they've been scammed until it's too late to trace the money, or because they're embarrassed.
Some of the biggest known cases:
| Company | Year | Amount Lost |
|---|---|---|
| Facebook & Google | 2013-2015 | $121 million |
| Ubiquiti Networks | 2015 | $46.7 million |
| Toyota Boshoku | 2019 | $37 million |
| Nikkei | 2019 | $29 million |
| Belgian bank Crelan | 2016 | $75.8 million |
If it can happen to Facebook and Google — companies with some of the best security teams on the planet — it can happen to you.
How Attackers Research Their Targets
CEO fraud isn't spam. It's targeted, researched, and personalised. Here's exactly how an attacker prepares:
LinkedIn is the starting point. An attacker picks a company, then maps the org chart. LinkedIn tells them who the CEO is, who the CFO is, who works in finance, and often their exact reporting structure. Job titles, start dates, and endorsements fill in the details. A finance manager who just joined three months ago? Perfect target — they're still learning processes and eager to prove themselves.
Companies House (UK) and public filings reveal directors' names, registered addresses, annual accounts, and significant business events. An attacker can see that your company just completed an acquisition, which gives them a plausible pretext for an "urgent" wire transfer.
Press releases and news provide timing and context. Company announcing a new partnership? The attacker can reference it. CEO speaking at a conference? They know the CEO is travelling — which explains why they're emailing instead of walking over.
Social media fills in the personal touches. The CEO's writing style, whether they sign off with "Best" or "Cheers" or just their initial. Whether they use formal language or casual. These details make the impersonation convincing.
Previous data breaches sometimes provide the jackpot: actual email threads from the company. If a senior executive's email was compromised in an earlier breach, the attacker has real examples of how they communicate, who they email, and what kinds of requests are normal.
The Anatomy of a CEO Fraud Attack
Here's how a typical attack unfolds:
Day 1 — Reconnaissance. The attacker identifies the target company, maps the finance team, and identifies the CEO or senior executive to impersonate.
Day 2-3 — Infrastructure. They register a lookalike domain (e.g., company-group.com instead of companygroup.com) or compromise the executive's actual email account. They set up the spoofed email address and test it.
Day 4 — The approach. The first email is often a test: "Are you at your desk?" or "Can you help me with something confidential?" It's short, casual, and designed to start a dialogue. If the target replies, the attacker knows they've engaged.
Day 4 — The request. Once engaged, the attacker escalates: "I need you to process an urgent wire transfer. Details attached. This is for the [acquisition/supplier payment/legal settlement] — please keep it confidential until the announcement."
Day 5 — The follow-up. If the target hesitates, the attacker applies pressure: "Has this been sent yet? The deadline is today." They might involve a fake "solicitor" or "lawyer" (another attacker-controlled email) who sends seemingly legitimate documentation.
The entire attack, from first email to money transfer, often happens within 24-48 hours. Speed is deliberate — it reduces the window for the target to verify through other channels.
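A mail-filter check for the indicators in the timeline above (lookalike sender domain, an executive's name on an outside address, pressure wording), added here as an example and not part of the original article. The executive name, the phrase list and the two-edit threshold are assumptions; companygroup.com is the article's own example domain, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "companygroup.com"   # legitimate domain from the article's example
EXECUTIVES = {"jane doe"}         # constructed executive display name (assumption)
# Phrases drawn from the approach, request and follow-up emails described above.
PRESSURE = re.compile(r"\b(urgent|confidential|wire transfer|deadline|at your desk)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, real=OUR_DOMAIN):
    """True for a domain that is not ours but differs only by separators or <= 2 edits."""
    if domain == real:
        return False
    strip = lambda d: re.sub(r"[-_.]", "", d)
    return strip(domain) == strip(real) or edit_distance(domain, real) <= 2

def bec_indicators(raw_message):
    """Return the list of CEO-fraud indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    found = []
    if is_lookalike(domain):
        found.append("lookalike-domain")
    if name.lower() in EXECUTIVES and domain != OUR_DOMAIN:
        found.append("executive-name-external-address")
    if PRESSURE.search(msg.get("Subject", "") + " " + body):
        found.append("pressure-language")
    return found

# Constructed sample messages (not real mail).
SAMPLE_SPOOF = ("From: Jane Doe <jane.doe@company-group.com>\nSubject: Quick favour\n\n"
                "Are you at your desk? I need an urgent wire transfer kept confidential.\n")
SAMPLE_REAL = ("From: Jane Doe <jane.doe@companygroup.com>\nSubject: Board pack\n\n"
               "Slides for Thursday are attached.\n")
```

A hit on any indicator is a reason to route the message for verification through a known phone number, not proof of fraud; a compromised genuine executive account would pass the domain checks.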
Why It Works: The Psychology
CEO fraud exploits three deeply wired human tendencies:
Authority bias. When your boss asks you to do something, your default is to comply. This is amplified exponentially when the request comes from the CEO. Most employees interact with the CEO rarely enough that they don't have a strong baseline for what a "normal" request looks like. And questioning the CEO feels risky — what if they get annoyed?
Urgency and scarcity. A tight deadline activates the brain's fight-or-flight response and suppresses analytical thinking. You shift from "let me think about this" to "how do I get this done fast." This is a well-documented cognitive bias, and attackers exploit it ruthlessly.
Confidentiality as a trap. "Please keep this between us for now" sounds like the CEO is trusting you with sensitive information. It feels like a compliment. In reality, it's a mechanism to prevent you from doing the one thing that would unravel the scam: talking to a colleague who might say "wait, that doesn't seem right."
The combination is lethal. Authority + urgency + secrecy creates a pressure cooker that makes intelligent, experienced professionals bypass every safety instinct they have.
Practical Defences for Small Businesses
Large enterprises can implement complex payment verification workflows, dual-authorisation banking, and AI-driven email analysis. Small businesses need defences that actually work without a security team:
1. Establish a verbal verification policy for all payment changes. Any request to send money, change payment details, or create a new payee requires a phone call to verify — using a phone number you already have on file, not one provided in the email. Write this down as a formal policy and make sure every employee who handles money knows it exists.
2. Create a code word. This sounds low-tech because it is. Agree on a code word or phrase with your finance team that must be used to authorise any unusual payment over a certain threshold. The attacker can't know it because it's never written in an email.
3. Remove the stigma of questioning authority. Explicitly tell your team: "If you ever get a payment request from me by email, and you call me to verify, I will thank you — even if it's real." The number one reason CEO fraud works is that employees don't feel comfortable pushing back. Make verification a praised behaviour, not a nuisance.
4. Implement dual authorisation for transfers over a threshold. No single person should be able to authorise a wire transfer above, say, £5,000. Two people checking means the attacker needs to fool two independent minds — which is dramatically harder.
5. Delay outbound wires by 24 hours. Many banks offer this option. A 24-hour hold on outbound transfers gives you a cooling-off period. Legitimate payments rarely have genuine same-day urgency. If one does, the verbal verification policy covers it.
6. Be cautious with out-of-office messages. Auto-replies that say "I'm away until March 3, contact Sarah for urgent matters" are an attacker's dream. They now know you're away, who your deputy is, and that urgent requests should go to Sarah. Keep out-of-office replies minimal and internal-only if possible.
What Happens After the Money Is Sent
Here's why speed matters if you suspect you've been hit:
Wire transfers are typically irreversible after 24-72 hours. The money moves through a chain of accounts — often starting in the UK or US, then bouncing through Hong Kong, then to mainland China, Eastern Europe, or West Africa, before being dispersed and converted to cryptocurrency or cash.
If you catch it within hours, your bank may be able to initiate a recall request through the SWIFT network. This isn't guaranteed, but it's your best chance. After 72 hours, the probability of recovery drops to nearly zero.
Call your bank immediately. Not tomorrow. Not after the meeting. Now.




