The CEO Scam: Are You Prepared or Vulnerable?

Email is currently one of the most popular channels attackers use to reach their victims, and almost every company relies on email for communication. Right now, one of the most common ways attackers manipulate your employees is the CEO Scam.

In recent years, the CEO Scam has become more and more prevalent, and the BBB warns that it will be one of the most popular scams of 2017. In the U.S. alone, attackers have tricked victims into giving up $960 million this way.

The repercussions are tremendous, so having a plan of action is critical to keeping your company safe. That’s why we are providing three tips to help you prepare your employees.

What is The CEO Scam?

A form of Business Email Compromise (BEC), the CEO Scam is a newer variation on the phishing email. The attacker emails employees while posing as the CEO or another high-ranking officer, either by sending from a look-alike domain (a fake email "extension") or simply by setting the display name to match the CEO's. Display names are trivially forged, and many mail clients show only the name, not the underlying address.

The attacker targets lower-level employees in departments such as HR or Finance, hoping they believe the CEO is really emailing them to ask for information.

The requests range from information, such as employee Social Security numbers, to wiring money for company expenditures. This form of social engineering relies on people not questioning such requests: it is perfectly plausible for someone in HR to send the CEO a document containing sensitive information. The scam succeeds because people do not double-check where the email actually came from.
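As an added illustration (not code from the original post), the following Python script shows how the header tricks described above can be spotted mechanically: a known executive's display name on an address that is not theirs, a sending domain that is a near miss of the corporate domain, and a Reply-To that diverts responses elsewhere. The executive list, the trusted domain example.com and the three sample messages are all constructed for this example.

```python
"""Flag CEO-scam signals in raw email headers (added example, constructed data)."""
import email
from email.utils import parseaddr

# Hypothetical corporate data assumed for this example.
TRUSTED_DOMAINS = {"example.com"}
# Display names of executives (lower-cased) mapped to their real addresses.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_dom = _domain(addr)
    findings = []

    # 1. Display name of a known executive, but the address is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        findings.append(f"display-name spoof: '{name}' <{addr}> is not {real}")

    # 2. Sending domain is a near miss (edit distance <= 2) of a trusted domain.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(from_dom, trusted) <= 2:
                findings.append(f"look-alike domain: {from_dom} resembles {trusted}")

    # 3. Reply-To sends the conversation to a different domain than From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"reply-to mismatch: replies go to {reply.lower()}")

    return findings


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Board deck\n\n"
    "Please send me the latest draft.\n"
)
WEBMAIL_SPOOF = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "Subject: Urgent - need employee SSNs today\n\n"
    "I am in a meeting, please send the HR export to this address.\n"
)
LOOKALIKE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: payments@fastwire-invoices.net\n"
    "Subject: Wire for vendor payment\n\n"
    "Process the attached wire before 5pm and confirm by reply.\n"
)

if __name__ == "__main__":
    samples = (("legit", LEGIT), ("webmail", WEBMAIL_SPOOF), ("lookalike", LOOKALIKE))
    for label, sample in samples:
        print(label, check_message(sample) or ["no findings"])
```

A real mail gateway would add SPF/DKIM/DMARC results and an external-sender banner, but these three header checks alone already separate the legitimate message from both impersonation styles the text describes.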

How Can You Protect Your Organization?

1. Train and Educate Your Employees

The best way to keep your organization safe is to make sure your employees can identify a potential attack. Teach employees to be skeptical of any email that appears to come from the CEO and asks for sensitive information. Basic cyber security training can prepare your employees for this situation.

For example, a well-trained employee will confirm the request with the CEO or their manager through a separate channel, not by replying to the email, before sending the requested information. On top of this, training makes the employee less susceptible to other social engineering attacks in the future.

It is also good practice to tell your employees that no one in the organization will ever ask for their username and password via email. Many companies, such as Activision-Blizzard and Google, state this explicitly because it also warns their customers about phishing emails posing as the company.

2. Have a Process for Transmitting Sensitive Information

A company policy that spells out how employees transmit sensitive information is an effective counter to the CEO Scam. For example, your policy might require manager approval for certain transfers of company funds. This lets the manager verify where the funds are going and puts a "second pair of eyes" on the email.

Additionally, for sensitive information, it may be best to hand the data over in person. Delivering a hard copy of confidential information helps ensure it doesn't fall into the wrong hands. However, some organizations are large enough that this isn't feasible. In that case, confirm the request over the phone, using a number from the company directory rather than one supplied in the email, or route it through the employee's manager. Having processes in place can drastically reduce the chance your organization falls victim to a CEO Scam.

3. Have Fail-Safes in Place

When all else fails, it is important to have fail-safes in place to ensure your data stays safe. A fail-safe is a control that still holds when something has already gone wrong. For instance, if an employee handed over their username and password because of a CEO Scam email, a fail-safe can ensure the attacker still cannot reach the data.

An easy-to-use and effective fail-safe is two-factor authentication (TFA). When someone attempts to log in to a service, TFA requires them to prove their identity with a second factor, for example a code generated on the employee's smartphone. This makes a username and password virtually useless on their own: if the credentials are compromised, the attacker is still locked out. Note that TFA protects accounts, not payments; if an employee is tricked into wiring money, no login control helps, which is why the process controls in tip 2 matter just as much.


The CEO Scam is a real threat to every business. But if you follow these tips, you can greatly reduce your organization's risk. As with other forms of social engineering, training is the best defense, and fail-safes limit the damage when an employee does fall for an attack.

If you have any additional tips for preventing the CEO scam, let us know in the comments below!