← All articles

CEO fraud: the $123,000 email

An email from the president, an urgent wire transfer, a request for discretion. No virus, no attachment — and $3 billion in yearly losses. Here's how CEO fraud works in the deepfake era, and the single habit that stops it.

CEO fraud: the $123,000 email

The finance assistant receives an email from the president, who's travelling abroad: a confidential acquisition closes today, a wire transfer must go out before 3 p.m., "I'm counting on your discretion." Elsewhere, a long-time supplier writes in: new banking details, please use this account for the next invoice. And in Hong Kong, an employee of the engineering firm Arup joins a video call with his CFO and several colleagues, then executes wire transfers totalling US$25 million. Nobody on that call was real: every participant was a deepfake.

The first two scenes, we see versions of every month. The third one actually happened, in 2024.

The most profitable crime you won't see coming

CEO fraud — business email compromise, or BEC — looks nothing like what we imagine a cyberattack to be. No virus, no malicious link, no suspicious attachment. Just a clean, well-written email pulling three psychological levers: authority, urgency and confidentiality. That's precisely why technical filters don't stop it: there's nothing to detect. The vulnerability being exploited isn't in your systems — it's in your processes.

Three billion a year — and AI just joined the game

The FBI's 2025 Internet Crime Complaint Center (IC3) report puts numbers on the damage: US$3.05 billion in reported losses in a single year, the second-costliest category of cybercrime. Spread across 24,768 complaints, that works out to roughly $123,000 per incident. And 86% of those funds leave by wire transfer — which means, in most cases, unrecoverable within hours.

For the first time in 25 years, that same report dedicates an entire section to artificial intelligence: $893 million in losses tied to AI-assisted fraud, including more than $30 million in CEO fraud with a confirmed AI component. Concretely: text generators that imitate the CEO's writing style to perfection, and cloned voices that "confirm" the request over the phone. The spelling mistakes and awkward phrasing that used to give fraudsters away? Ancient history. AI in the workplace now has two faces: the one your teams adopt — sometimes without oversight — and the one fraudsters point at you.

The four scenarios to know

The first is the executive's urgent wire: the classic described above, which prefers to strike on Friday afternoons and during vacation periods , when approval workflows are running on fumes.

The second is sneakier: the supplier who changes accounts. Here, the email often comes from the real supplier, whose mailbox has been compromised — often through a reused password, a problem with a known fix . The invoice is authentic, the amount is correct, the conversation history is genuine — only the banking details have changed.

The third targets HR: payroll diversion. A direct deposit change request arrives "on behalf of" an employee, and their next paycheque flies off to a fraudster's account.

The fourth plays the prestige card: the fake lawyer or notary calling about a confidential transaction, insisting on absolute secrecy — which conveniently isolates the victim from anyone who might make them doubt.

The defence comes down to one habit

No technology replaces this: every unusual wire request or banking detail change gets verified with a phone callback to a number you already know — never the one provided in the email or by the caller. That's it. That single habit, applied without exception, would have blocked most of the three billion dollars lost last year.

Around that habit, four reinforcements: mandatory dual approval for any wire above a defined threshold; DMARC, SPF and DKIM properly configured, so no fraudster can send email impersonating your own domain; regular phishing simulations to train the reflex rather than the theory; and above all, a culture where verifying isn't offending. The employee who calls the president back to confirm a wire transfer should be publicly congratulated — it's the best security investment you'll make this year.

If the wire has already gone out

Every minute counts. Call your bank immediately to request a funds recall, then report the incident to the Canadian Anti-Fraud Centre and your local police. The window is short but real: in the US, the FBI's Recovery Asset Team froze $679 million in 2025, with a 58% success rate — almost exclusively in cases reported within the first few hours.

The bottom line

The question isn't whether your business will receive one of these emails — it probably already does. The question is whether the person opening it will have the reflex to pick up the phone before sending the wire.

At MMO Techno, we attack the problem from both ends: the technical — advanced email protection, DMARC at enforcement, impersonation detection — and the human, with training and simulations that build the verification reflex into your team.

If your finance assistant received that email tomorrow morning, could you say, without hesitating, what she would do?

An IT project or a question?

Talk to an MMO Techno expert. We'll give you a clear, fast answer.

Contact us