Imagine yourself as a financial executive at a multinational, Fortune 500 company. A new CEO started this month and has just sent you an email instructing you to transfer a payment to a new vendor in China.

Without close inspection, the request seems routine: the message appears to come from the CEO's company email address, the payment form is complete and satisfies internal protocol, and even the lingo reads familiar. It's the same task you've performed many times before.

Eager to please your new boss, you put the request at the top of your to-do list, check and then re-check the transfer protocol, and send the $3 million payment as instructed. But the receiving bank account belongs not to a new company vendor but to a scammer who duped you with a fake CEO email.

This hypothetical may read as a drastic example or an unlikely fluke, but these events did in fact transpire, on one very bad day for Mattel, Inc.

Fake CEO Emails Can Be Devastating

The damage from ordinary email impersonation scams is well known, but a successful attempt to imitate a C-level executive can be crushing to a business. (Phishing that targets the executives themselves is often called 'whaling'; impersonating an executive in order to instruct their staff is usually called CEO fraud or business email compromise.) While Mattel was able to recover its $3 million, the same scam has taken other companies for millions.

Two US tech companies, both well fortified with modern security defenses, lost a combined $100 million to a scammer in Lithuania. In another instance, the city of Ottawa, Ontario wired $100k to fraudsters, who then requested another $150k before the city treasurer wised up to the scam.

Even financial institutions aren't safe from fake CEO email attacks. One of the largest successful attacks of this kind hit an unsuspecting bank in Belgium, which was taken for $75 million.

Why Impersonate CEOs?

The logic behind impersonating the highest-level employees is simple: in theory, every step higher on the org chart multiplies the number of employees beneath that person. With a larger pool of potential victims, it's much easier for a patient scammer to find a 'mark', the recipient who will act on the fake CEO email.

Members of executive management are the most frequent targets of fake CEO emails, since their day-to-day correspondence draws less scrutiny, but employees at every level of a company are exploitable by the scam: all of them share the desire to be recognized by their superiors, to perform well, and to act promptly when given a direct task.

Once a target is chosen, the impersonator needs only to take the time to learn the company's more nuanced behaviors in order to craft a deceptively authentic-looking request, using details such as its internal terminology or the exact steps required for the task being asked of the victim.
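As an added example (not part of the original post, and not Cloudphish's own code), here is a small Python screen that applies the checks a finance team or mail gateway would want to run before acting on a message like the one in the opening scenario: the display name claims an executive but the address does not match the directory, the sender domain is a lookalike of the company's, Reply-To points somewhere else, DMARC fails for a message claiming the company's own domain, and the body pairs a payment request with urgency or secrecy. The company domain, executive directory and the three sample messages are constructed for the illustration.

```python
"""Screen an inbound message for the hallmarks of a fake CEO (BEC) email."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company data; substitute your own domain and directory.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

PAYMENT_TERMS = ("wire", "transfer", "payment", "vendor", "invoice", "bank")
URGENCY_TERMS = ("urgent", "today", "immediately", "confidential", "end of day")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings: list[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name claims a known executive, but the address is not theirs.
    name_key = re.sub(r"[^a-z ]", "", name.lower().split(",")[0]).strip()
    expected = EXECUTIVES.get(name_key)
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' belongs to {expected}, but sender is {addr}")

    # 2. Sender domain is a near-miss of the company domain (typosquat / lookalike).
    if from_dom != COMPANY_DOMAIN:
        dist = levenshtein(from_dom, COMPANY_DOMAIN)
        if 0 < dist <= 2:
            findings.append(f"lookalike sender domain {from_dom} (edit distance {dist} from {COMPANY_DOMAIN})")

    # 3. Replies are silently redirected to a different domain.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. A message claiming our own domain must pass DMARC. Note that a lookalike
    #    domain can pass SPF/DMARC for *itself*, so this check only applies to our domain.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        findings.append("message claims our own domain but did not pass DMARC")

    # 5. Payment request combined with pressure or secrecy (assumes a plain-text body).
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        findings.append("payment request combined with urgency/secrecy language")

    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail.example
To: finance@example-corp.com
Subject: Urgent vendor payment
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dmarc=pass header.from=examp1e-corp.com

Hi, I need you to wire $3,000,000 to our new vendor today. Keep this confidential.
"""

SPOOFED = """From: "Jane Doe" <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Quick favour
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dmarc=fail header.from=example-corp.com

Please process the attached invoice immediately.
"""

LEGIT = """From: "Jane Doe" <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Board deck
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dmarc=pass header.from=example-corp.com

Can you send me last quarter's numbers when you get a chance?
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

The first sample is the interesting one: every authentication header passes, because the attacker registered the lookalike domain and set up SPF and DMARC for it. Authentication tells you the message really came from examp1e-corp.com; it cannot tell you that examp1e-corp.com is not your CEO. That is why the directory match and the lookalike-distance check have to sit alongside DMARC rather than replace it, and why a second-channel confirmation (a phone call to a known number) belongs in the payment procedure regardless of what the headers say.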

Protect Your Company and Your Team

You can reduce your exposure to fake CEO emails and other phishing scams. Cloudphish is available now and helps stop your executives and employees from falling victim to harmful impersonation scams.

Schedule a free demo today.