The Little Black Book of Scams: Your CEO is asking for money urgently; make sure the email is legitimate, because business email compromise scams are a growing threat

This is the fifth chapter in the Little Black Book of Scams.


Your CEO is asking for money urgently; make sure the email is legitimate.

Do you work in accounting or finance? Do you have the authority to move money at work? Do you report to a chief executive officer (CEO)?

If yes, be on the lookout; this scam specifically targets you.

In a typical “CEO scam,” fraudsters will impersonate a senior company executive, either by gaining access to their email address or by imitating one.

They will send realistic-looking emails that try to trick you into sending money to a third party.

The emails will make the request sound urgent and confidential. For example, they may say the money is needed to secure an important contract, complete a confidential transaction, or update a supplier’s payment information.

Fraudsters are usually strategic about the timing of these emails. They send them when executives are away or hard to reach.

This lucrative scam can cost businesses tens of thousands to millions of dollars.

Business email compromise (BEC) scams, of which the CEO scam is one form, are a growing global threat that targets small local businesses and large corporations alike.

Tips to protect yourself

✔ Keep your computer systems secure with up-to-date, reputable antivirus software and strong passwords, and turn on multi-factor authentication for email accounts: a compromised executive mailbox is one of the two ways this scam starts.

✔ Validate every transfer request, and every request to change a supplier's bank details, by phone or in person, using a number you already have on file. Never use the contact details given in the email itself.

✔ Check the sender's actual email address, not just the display name. Scammers often register addresses that differ from the real one by only one or two letters, or that use a look-alike domain.

✔ Encourage your company to create a standard process for money transfers that requires multiple levels of approval, so that no single email can trigger a payment.

✔ Limit the details you share publicly. Fraudsters use information that’s available online and on social media to find potential victims and to time their fraud.

Always report all scams.


*The full booklet is here. This chapter is re-posted with permission. You can also watch a video interview with the Commission for Financial Capability's fraud education manager Bronwyn Groot here.


2 Comments

Watch out for an email, purporting to come from a supplier, asking for its bank account details to be changed. The email looks totally genuine. In the case I know of, the email was sent just before the (genuine) monthly invoice was received. Many thousands of dollars vanished and the scam was only noticed when the real supplier queried the non-payment of the invoice. Phone your supplier using the phone number known to you.

If you're unsure of a link in an email, right-click and copy the URL. Trusting the hover-over is no longer ideal, because JavaScript can be used to obfuscate the real URL.

Paste it into plain old Notepad (and not a rich text editor like Word), then check that the pasted URL reconciles with what you expect.

I.e., if it purports to be from Kiwibank the pasted URL should be the official domain name, similar to https://kiwibank.co.nz/ and not some other URL.

Here's a benign test case to try the technique with. Which one is real, and which is fake?
https://kiwibank.co.nz
https://kiwibank.co.nz
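Added example, written for this repost and not part of the booklet or of the commenter's post: the two manual checks above, comparing the sender's address letter by letter against the real one, and pasting a link's hostname into a plain editor, done mechanically for a batch of addresses and URLs. It assumes a small allow-list of domains the finance team actually pays or logs in to (acme-corp.example is invented; kiwibank.co.nz is the genuine domain the comment names), and it folds punycode (xn--) labels and a hand-picked handful of look-alike characters before comparing, so the substitutions that defeat the eye come back as a "lookalike" verdict that should trigger a phone call to a known number. All sample addresses and URLs are constructed.

```python
"""Flag look-alike sender domains and link hostnames against an allow-list.

Added example, not code from the booklet or any vendor.  Every address and
URL in SAMPLES is constructed; acme-corp.example is invented.
"""
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: finance keeps a short list of domains it really pays or logs in to.
TRUSTED_DOMAINS = ["acme-corp.example", "kiwibank.co.nz"]

# Characters that render like a Latin letter.  Hand-picked subset for the
# demo; a production check would use the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic/Ukrainian i
    "\u0131": "i",  # dotless i
    "0": "o",
    "1": "l",
}


def skeleton(host: str) -> str:
    """What a hostname *looks* like: punycode decoded, confusables folded."""
    try:
        host = host.encode("ascii").decode("idna")  # xn--... labels -> Unicode
    except UnicodeError:
        pass                                        # already Unicode, or not valid IDNA
    host = unicodedata.normalize("NFKC", host).lower()
    host = host.replace("rn", "m")                  # 'rn' reads as 'm' in many fonts
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the classic look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(value: str) -> str:
    """Domain of a mailbox ('Name <user@domain>') or hostname of a URL."""
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    _, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower()


def classify(value: str):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means stop and phone the number you already have;
    'unknown' only means the domain is not on the list.
    """
    host = hostname_of(value)
    if not host:
        return "unknown", "no domain found"
    for good in TRUSTED_DOMAINS:
        if host == good or host.endswith("." + good):
            return "trusted", f"exact match or subdomain of {good}"
    sk = skeleton(host)
    for good in TRUSTED_DOMAINS:
        good_sk = skeleton(good)
        if sk == good_sk:
            return "lookalike", f"renders like {good} (confusable characters or punycode)"
        if edit_distance(sk, good_sk) <= 2:
            return "lookalike", f"within two edits of {good}"
        brand = good.split(".")[0]
        if brand in sk:
            return "lookalike", f"contains the name {brand!r} but is not {good}"
    return "unknown", "not on the trusted list"


def triage(values):
    """Classify a batch; returns [(value, verdict, reason), ...]."""
    return [(v, *classify(v)) for v in values]


# Constructed sample inputs (not real messages).  The Cyrillic 'а' in the bank
# URLs is the kind of substitution the comment's paste test is meant to expose.
SAMPLES = [
    "Jane Smith <jane.smith@acme-corp.example>",
    "Jane Smith <jane.smith@acme-c0rp.example>",   # digit zero for 'o'
    "CEO <ceo@acrne-corp.example>",                 # 'rn' for 'm'
    "Accounts <ap@acme-corps.example>",             # one extra letter
    "https://kiwibank.co.nz/",
    "https://kiwib\u0430nk.co.nz/login",            # Cyrillic a, shown raw
    "https://" + "kiwib\u0430nk.co.nz".encode("idna").decode("ascii") + "/login",
    "https://kiwibank.co.nz.secure-login.example/",  # real name as a prefix
    "Supplier <ap@supplier.test>",
]

if __name__ == "__main__":
    for value, verdict, reason in triage(SAMPLES):
        print(f"{verdict:9} {reason:60} {value}")
```

Run it as a script to see a verdict and reason for each constructed sample. The confusables table is deliberately tiny and the allow-list is a stand-in for the organisation's own supplier list; a "lookalike" result is a reason to phone, not proof of fraud, and a "trusted" result still says nothing about whether the mailbox itself has been taken over.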