Close panel

Close panel

Close panel

Close panel

Cybersecurity 21 Jun 2019

CEO fraud: the email scam targeting companies

Any company can fall victim to this kind of crime in which criminals trick an employee authorized to give bank payment orders into performing a transaction for them. Financial institutions like BBVA never request sensitive information, such as passwords or personal data, by email or outside of the secure environment on Net Cash and For organizations, the key to preventing this kind of fraud is to reinforce control systems and  exercise great caution.


CEO fraud generally takes place over email through one of the following ways:

  • Impersonating a regular supplier: For example, the email asks the employee to change the account number for a payment.
  • Impersonating a senior manager or partner of the company: The victim is asked to perform a confidential or urgent corporate transaction, such as the acquisition of a company abroad or real estate.

The fake operations are masked as exceptional payment orders due to their urgency or confidentiality, but maintain the same appearance as company operations. This is how the criminals manage to trick the victim. The transfers are usually sent to Africa or Asia. Therefore, once the fraud has been detected, the time differences or language barriers make efforts to recover the money more difficult.

How to prevent CEO fraud in companies

  • Educate and raise awareness among employees so that they are able to detect attempted fraud. To do so they must carefully review emails by: checking the sender’s domain and server address, paying attention to the wording and looking for spelling mistakes, expressions or words that are not common in the company; being wary of uncommon activity, urgent requests and transactions to new account numbers, being cautious when clicking on links included in emails and when downloading questionable files.
  • Keep in mind that financial institutions will never request passwords, pins or sensitive information by email or over the phone. In order to operate securely, BBVA’s corporate clients can use Net Cash and This will ensure that their data is protected and prevent leaks of compromising information for the company.
  • Be especially cautious when using mobile devices. It is much easier to detect phishing on a desktop computer than on a smartphone. If employees open fraudulent emails on a mobile device, it is much more difficult to check the sender’s identity, and if they are influenced by the urgency of the message, they are likely to do the transaction requested by the criminal or reveal sensitive company information.
  • Review company protocols. For example, establish a double verification system to authorize sensitive transactions, such as having a third party approve orders, and using robust passwords that regularly change and are protected from leaks.
  • Protect corporate information. Do not publish company information on social networks, websites, etc. to prevent attackers from using them to impersonate people and make credible requests (information about meetings, schedules, trips, operations, internal structures, regular communications in the company, common payment systems. internal processes, etc.).

Knowledge and awareness of how these kinds of scams work is very important to prevent companies from falling victim to them. Remember, you are the best defense.