CEO Fraud Email Scam UK: How to Spot and Stop Impersonation Attacks
CEO fraud emails are carefully crafted impersonation attacks designed to exploit trust and urgency—and they cost UK organisations millions every year.
What is this scam?
CEO fraud is a targeted email scam in which criminals impersonate a senior company executive—usually the CEO, finance director, or managing director—to trick employees into sending money or disclosing confidential information. The attacker researches the company and its staff, learns the names and structure of the organisation, and then sends an urgent, plausible email from what appears to be the executive's account. The email typically requests an immediate payment, fund transfer, or urgent access to employee or customer data. Unlike mass phishing attacks, CEO fraud is highly personalised and relies on exploiting the trust employees naturally place in management.
Scammers may use email addresses that look almost identical to the real executive's address, spoofed domain names, or genuine email accounts that have been hacked. The success of these attacks has made CEO fraud one of the costliest types of email scam affecting UK businesses, hitting companies of all sizes.
Warning signs to look for
- The email address looks almost right but has a subtle misspelling (for example, using 'rn' instead of 'm', or a slightly different domain name) or comes from an unfamiliar email address for that executive.
- The message creates artificial urgency and pressure, demanding immediate action or confidentiality, especially around sensitive payments or data requests.
- The request is unusual or deviates from normal procedures—for instance, the CEO asking to process a payment in an unconventional way or bypass standard authorisation steps.
- The tone is unusually terse or brief compared to how the executive normally communicates, or the language feels off or generic.
- The email is sent outside normal business hours, from an unusual location, or during a time when the executive is known to be out of the office or travelling.
- The sender claims confidentiality and asks you not to discuss the request with others or with the finance department, which is a major red flag.
- Links in the email look suspicious, are shortened, or direct to unfamiliar login pages; hover over links to check the true URL before clicking.
- The email lacks normal context or reference to previous conversations, and makes assumptions about your role or access that seem misplaced.
How this scam works step by step
The scam typically begins with reconnaissance. Criminals research the target company using LinkedIn, Companies House filings, press releases, and social media to identify key employees, understand the organisation's structure, and learn about recent deals, mergers, or financial activity. They then set up a spoofed or hacked email account that mimics the CEO or another senior executive, often with a domain name that is visually very similar to the real company domain. Next, they craft a highly personalised, urgent email to an employee with financial authority or access to sensitive data.
The email often references recent company news, uses the executive's known communication style, and requests an urgent, time-sensitive action—such as a wire transfer to a 'new supplier', a payment to 'acquire a business', or a fund transfer to an HR or payroll account. The message emphasises confidentiality and discretion, often claiming the request must not be discussed with colleagues or the finance team. If the employee complies, funds are transferred to an account controlled by the scammers, or sensitive data is disclosed.
By the time the fraud is discovered—sometimes days or weeks later—the money has been moved through multiple accounts or withdrawn, making recovery extremely difficult.
How to verify if it is genuine
If you receive an urgent email from a senior executive, do not act on it immediately, even if it seems time-critical. Step one: verify the sender's email address by hovering your mouse over their name (or long-pressing on mobile) to see the full email address, not just the display name. Check that it exactly matches the company email format you know to be legitimate. Step two: contact the executive directly using a phone number you know to be correct, either from your company directory, your mobile contacts, or the company website.
Do not use a phone number from the email, as scammers sometimes include false contact details. Call the executive on their known work or mobile number and ask about the request verbally. Step three: if the request involves payment or data transfer, follow your organisation's standard authorisation procedures. If your company has a financial approval workflow, do not bypass it, no matter how urgent the email claims to be. Step four: check with your finance, HR, or IT department directly (using known internal contact details) to confirm whether the request is legitimate.
Genuine executive requests will survive a quick verification call. See our guide to email spoofing and phishing to understand how attackers create convincing fake email addresses.
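The warning signs above (a display name that says "CEO" while the address is not the CEO's, and domains that use lookalike characters such as 'rn' for 'm' or are one character away from the real one) can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original article: a small Python checker that parses a From: header and returns the reasons a defender would flag it. The company domain, the executive's address and the From: headers are constructed sample values.

```python
from email.utils import parseaddr

# Constructed sample values: the organisation's real domain and a known executive.
COMPANY_DOMAIN = "example.co.uk"
KNOWN_EXECUTIVES = {"ceo@example.co.uk": "Jane Smith"}

# Visual lookalike substitutions commonly used to imitate a legitimate domain.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def normalise(domain: str) -> str:
    """Fold common lookalikes so 'exarnple.co.uk' reads as 'example.co.uk'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> list[str]:
    """Return the warning reasons for a From: header; an empty list means no flag."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1]
    reasons = []
    # Display name claims to be a known executive but the address is not theirs
    # (covers lookalike domains and a compromised colleague's internal account).
    for exec_addr, name in KNOWN_EXECUTIVES.items():
        if display and display.lower() == name.lower() and addr != exec_addr:
            reasons.append(f"display name '{display}' but address is not {exec_addr}")
    if domain != COMPANY_DOMAIN:
        if normalise(domain) == COMPANY_DOMAIN:
            reasons.append(f"domain '{domain}' uses lookalike characters for {COMPANY_DOMAIN}")
        elif edit_distance(domain, COMPANY_DOMAIN) <= 2:
            reasons.append(f"domain '{domain}' is within 2 edits of {COMPANY_DOMAIN}")
    return reasons
```

A non-empty result is a prompt for the verification call described above, not proof of fraud; legitimate external senders will occasionally land within two edits of your domain.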
What to do if you have already interacted
If you have already responded to a CEO fraud email or suspect you have been targeted, take action immediately. First, stop any transaction or data transfer that has not yet been completed. If money has been sent, contact your company's finance team and IT department right away and inform them of the exact time the transfer was made, the amount, and the destination account details. The sooner the fraud is reported, the better the chance of intercepting the funds, especially if the money has only just been transferred.
Second, secure your own email account by changing your password if you have clicked any links or downloaded attachments from the fraudulent email. Alert your IT department so they can check your account for compromise and reset security credentials if needed. Third, preserve all evidence: do not delete the email. Take a screenshot of the full email header (including the from address, timestamp, and subject line) and forward it to your IT and security teams.
Fourth, report the incident to Action Fraud on 0300 123 2040 or online at actionfraud.police.uk, and notify your organisation's senior management and insurance provider, as CEO fraud incidents often need to be reported to insurers and potentially to auditors or regulators depending on the amount involved.
Reporting this scam in the UK
Report CEO fraud to Action Fraud, the UK national fraud reporting service, by calling 0300 123 2040 or submitting a report online at actionfraud.police.uk. Provide as much detail as possible: the fraudulent email address, the exact subject line, the timestamp, the amount requested or transferred, and any account details the scammer provided. If the email appears to come from a spoofed or compromised email account, also report it to the NCSC (National Cyber Security Centre) Suspicious Email Reporting Service at report@phishing.gov.uk. Include the full email header when you report.
Your organisation should also report the incident to your company's cyber insurance provider (if you have one) and your bank, especially if funds have been transferred: your bank may be able to place holds or reversals on payments if they are still in transit. If the email originated from a compromised colleague's account, ensure that person is aware their email has been hacked so they can notify their contacts and secure their account. For general advice about protecting your business from email fraud, contact the Citizens Advice consumer helpline on 0808 223 1133.
Document all communications about the incident for your own records and for potential future legal or insurance claims.
Frequently asked questions
Is CEO fraud always a scam, or can these emails be legitimate?
These emails can be either legitimate urgent requests from your executive or sophisticated scams. The only safe approach is to never assume an email is genuine based on who it appears to come from. Always verify using a phone call to a known number, even if the email seems time-critical. Legitimate executives understand and respect proper verification procedures.
What should I do if I have already sent money to a CEO fraud email?
Contact your bank immediately and report the transfer as fraudulent. Banks can sometimes freeze or reverse payments if they are flagged quickly enough. At the same time, report the incident to Action Fraud (0300 123 2040) and your company's finance and IT teams. The sooner you act, the better the chance of recovery, although funds sent to scammer accounts are often moved quickly and may be unrecoverable.
What if the email came from what looked like my CEO's actual company email address, not a fake one?
This is a sign the executive's email account has been hacked or compromised. Contact the CEO directly by phone (using a known number) to warn them. Then alert your IT department immediately so they can secure the account, reset the password, and notify other staff. Notify Action Fraud that the source was a compromised internal email account, as this is treated as a data breach and security incident.
How do I report a CEO fraud email I received but did not act on?
Report it to the NCSC Suspicious Email Reporting Service at report@phishing.gov.uk and forward the full email. You can also report it to Action Fraud at actionfraud.police.uk if you wish to create an official record. Inform your company's IT and security teams, as they should be aware of targeted phishing activity against your organisation. Even if you did not click links or send money, reporting helps protect your colleagues.