CEO fraud rarely begins in the inbox. By the time a payment-change email arrives, the attacker has usually already mapped the executives, the finance staff, the vendor relationships, the travel patterns, the reporting lines, and the way people in the organisation talk to each other. The email is the last step, not the first.
This matters because most defences sit at that last step. A secure email gateway inspects the message. Finance training prepares the person reading it. Multi-factor authentication protects the account it appears to come from. All three are useful, and all three engage the problem after the attacker has already done the work that makes the message convincing.
Business email compromise remains one of the most costly categories of cybercrime. The FBI's Internet Crime Complaint Center recorded $2.77 billion in reported BEC losses across 21,442 complaints in 2024, roughly 17% of all reported cybercrime losses that year. The Verizon 2025 Data Breach Investigations Report identifies pretexting as one of the leading actions in social-engineering breaches; pretexting is the tactic that underpins most BEC, because the fraud depends on a believable story. These are patient, well-researched attacks, not opportunistic spam.
The useful way to think about BEC defence is as a chain. An attacker moves through a sequence of steps, and a defender can interrupt any one of them. Breaking the chain early, before the pretext is even built, is cheaper and more reliable than catching the final email.
The usual mistake: treating BEC as an email problem
Treating BEC as an email problem is understandable, because the fraud is delivered by email. But the email is where the attack surfaces, not where it starts.
A secure email gateway inspects the message, but it engages late. Many BEC emails carry no malware, no attachment, and no obvious spoofing. They are plain text asking a real person to do a routine thing slightly differently, and a clean message from a lookalike domain that says "we've changed banks, please update the details" is exactly what a gateway struggles with.
Finance training prepares the person reading the email. It also puts the decision on one person's judgement under pressure, often when the message is timed to land during a genuine payment cycle or while the named executive is known to be travelling.
Multi-factor authentication protects the account. BEC frequently works without any account takeover at all: the attacker does not need to log in as the CFO if a well-researched impersonation from a similar address achieves the same result.
None of this argues against those controls. It argues for adding controls earlier in the chain, where the attacker is still assembling the information that makes the final email work.
The attack chain behind CEO fraud
BEC follows a recognisable sequence. The specifics vary, but the shape is consistent:
- Target selection. The attacker identifies an organisation and a payment relationship worth impersonating.
- Reconnaissance. They gather names, roles, email formats, and personal details from public sources, breach data, and people-search platforms.
- Relationship mapping. They work out who reports to whom, who can authorise a payment, and who would plausibly ask.
- Timing selection. They wait for a moment that makes the request natural: a real invoice cycle, a known acquisition, an executive out of contact.
- Pretext construction. They build the story, matching tone, signature style, and the details that make it feel routine.
- Delivery. They send the message, often from a lookalike domain or, in account-takeover cases, from a genuine mailbox.
- Payment or credential action. The target changes bank details, releases a wire, or hands over a credential.
- Follow-up. The funds are moved through mule accounts, and in some cases the attacker keeps access for a second attempt.
Every one of these steps is an opportunity to interrupt. The organisations that lose money are usually the ones defending only at step six, delivery, where the gateway and the reader meet a message that has already been made convincing.
The inverse kill chain: where defenders break it
The idea of a kill chain is borrowed from military and intrusion analysis: an attack is a sequence, and disrupting any link stops the outcome. The inverse view asks a simpler question for each attacker step. What would make this step harder, slower, or less reliable?
Mapped against the eight steps above, the defensive interruptions group into five phases.
| Attacker step | What it gives the attacker | Where the defence breaks it |
|---|---|---|
| Target selection & reconnaissance | Names, roles, email formats, personal data | Phase 1 — reduce broker and breach exposure |
| Relationship mapping | Who authorises a payment, who can ask | Phase 2 — limit public finance-team structure |
| Timing selection | The moment a request looks routine | Phase 3 — protect timing signals |
| Pretext construction & delivery | A believable, well-timed message | Phase 4 — payment-change verification |
| Payment or credential action | The transfer, or the credential | Phase 4 — out-of-band approval, vendor callback |
| Follow-up & laundering | Moved funds, retained access | Phase 5 — monitor the indicators |
The first three phases reduce what an attacker can learn and infer. The fourth removes the payoff even when the earlier phases fail. The fifth watches for the signals that an attempt is being prepared. The order matters: a control at phase four protects you even if reconnaissance succeeds, but phases one to three lower the probability that a convincing pretext can be built at all, and they reduce the exposure that feeds every other targeted attack, not only BEC.
Phase 1 — Reduce what attackers can learn
Reconnaissance is the foundation of a convincing pretext. Home addresses, personal email addresses, phone numbers, family details, and past breach records give an attacker both the raw material for impersonation and the specifics that make a message feel authentic.
Much of this sits on data-broker and people-search platforms, and in old breach corpora that are traded and re-traded. Removing executive and finance-staff personal data from those sources, and understanding what past breaches have already exposed, shrinks the attacker's starting position. We covered the mechanism of this in detail in why CEO fraud starts with data brokers, and the way breach data without passwords still fuels executive targeting in why breaches without passwords still put you at risk.
This phase does not require perfection. It requires denying the attacker the easy, high-confidence details that separate a generic scam from a targeted one.
Phase 2 — Make relationship mapping harder
The second thing an attacker needs is the org chart: who authorises payments, who they report to, and who would plausibly instruct them.
Some of this is unavoidable. Public companies disclose leadership; sales teams need to be reachable. But a great deal of finance-team structure leaks unnecessarily through detailed LinkedIn titles, published direct email addresses, conference bios, and staff listings. Each precise data point makes the impersonation more accurate and the pretext more specific.
The goal is friction, not concealment. Reducing the volume of unnecessary internal-structure detail forces the attacker to guess, and guesses are what verification controls catch.
Phase 3 — Protect timing signals
BEC is timed. A payment-change request lands with far more force when it coincides with a real invoice cycle, an announced acquisition, a fundraising round, or a period when the impersonated executive is known to be unreachable.
Those signals are often public: board cycles, press releases, event appearances, travel visible through social posts, and leaked calendar detail. The exposure that tells an attacker when to strike is largely self-published, and it is one of the least examined parts of an organisation's footprint. We looked at how a digital footprint reveals the optimal moment to attack in the optimal moment.
Protecting timing signals means treating executive movement, financial calendars, and major-event announcements as information an adversary reads, and deciding deliberately what needs to be public and what does not.
Phase 4 — Break the pretext
This is the phase that protects you even when the first three fail, and it is the one most organisations underinvest in. Reconnaissance may be perfect and the email may be flawless, but a payment cannot be redirected if the process does not allow a payment to be redirected on the strength of a message alone.
Four process controls carry most of the weight. They are owned by finance and operations, not by security software, and they are the controls the FBI's own BEC guidance emphasises:
- Payment-change verification. Any change to bank details, for a vendor or an internal account, is verified out of band before it takes effect, using a contact detail held on file, not one supplied in the request.
- Out-of-band approval. High-value or unusual transfers require confirmation through a second, independent channel: a call to a known number, an in-person or internal-system sign-off, never a reply to the originating email.
- Vendor callback controls. When a supplier notifies a change, the organisation calls the supplier back on a previously established number and confirms with a known contact, rather than trusting the number or address in the notification.
- A named owner and a documented step. Verification only works if someone owns it and the step is written down. An informal "we usually check" collapses under a well-timed, authoritative-sounding request.
These controls are simple and highly effective. They convert a convincing story into a routine confirmation call, and they remove the single point of failure of one person deciding under pressure. PI does not run these finance controls; they belong to finance and operations. What the exposure audit adds is knowing where they are most likely to be tested: which executives, finance staff, vendors, timing signals, and payment relationships are visible enough to support a convincing pretext.
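The gate those four controls describe, written out as an added example rather than code from the page or from PI: a vendor bank-detail change is evaluated against the vendor master record, and the only things that can approve it are a named owner, a channel independent of the request, a callback to the number held on file, and a confirmation from the known contact. The request model carries a field for a phone number supplied inside the request precisely so the gate can be seen never reading it. Vendor, people, numbers and account identifiers are constructed.

```python
"""Payment-change verification gate.
Added example, not the page's or PI's code: a vendor bank-detail change is applied
only after an out-of-band callback, by a named owner, to the contact held on file.
Vendors, people, numbers and account identifiers are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    name: str
    on_file_phone: str    # established at onboarding; never updated from an inbound request
    on_file_contact: str  # the person entitled to confirm changes
    account: str


@dataclass(frozen=True)
class BankChangeRequest:
    vendor: str
    new_account: str
    channel: str                            # how the request arrived, e.g. "email"
    phone_in_request: Optional[str] = None  # attacker-controlled if the request is fraudulent


@dataclass(frozen=True)
class Verification:
    owner: str          # named person who performed the check
    channel: str        # "phone", "in_person", "internal_system", or "email_reply"
    number_called: str
    spoke_with: str
    confirmed: bool


@dataclass
class Decision:
    approved: bool
    reasons: list


def _digits(number: str) -> str:
    """Compare phone numbers on digits only, so formatting differences do not matter."""
    return "".join(ch for ch in number if ch.isdigit())


class PaymentChangeGate:
    # Channels independent of the inbound request. Replying to the originating
    # email is deliberately absent: a reply goes back to whoever sent the request.
    INDEPENDENT_CHANNELS = {"phone", "in_person", "internal_system"}

    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.audit_log = []

    def evaluate(self, req: BankChangeRequest, verification: Optional[Verification]) -> Decision:
        """Collect every reason for refusal so the owner sees the full picture.
        req.phone_in_request is never consulted: the number on file is the only one that counts."""
        vendor = self.vendors.get(req.vendor)
        reasons = []
        if vendor is None:
            reasons.append(f"unknown vendor {req.vendor!r}")
        elif verification is None:
            reasons.append("no out-of-band verification recorded")
        else:
            if not verification.owner.strip():
                reasons.append("verification has no named owner")
            if verification.channel not in self.INDEPENDENT_CHANNELS:
                reasons.append(f"channel {verification.channel!r} is not independent of the request")
            if _digits(verification.number_called) != _digits(vendor.on_file_phone):
                reasons.append("callback did not use the number held on file")
            if verification.spoke_with != vendor.on_file_contact:
                reasons.append("confirmation not given by the known contact")
            if not verification.confirmed:
                reasons.append("known contact did not confirm the change")
        return Decision(approved=not reasons, reasons=reasons)

    def apply_change(self, req, verification) -> Decision:
        decision = self.evaluate(req, verification)
        self.audit_log.append((req.vendor, req.new_account, decision.approved, tuple(decision.reasons)))
        if decision.approved:
            old = self.vendors[req.vendor]
            # Only the account changes; the contact details used to verify stay as they were.
            self.vendors[req.vendor] = VendorRecord(old.name, old.on_file_phone, old.on_file_contact, req.new_account)
        return decision


# Constructed vendor master record. The 020 7946 0xxx range is reserved for fiction.
VENDORS = [VendorRecord("Northwind Traders", "+44 20 7946 0000", "Priya Shah", "ACCT-000111")]


def demo():
    """Walk one suspicious request through the gate four ways; returns the gate and the decisions."""
    gate = PaymentChangeGate(VENDORS)
    req = BankChangeRequest("Northwind Traders", "ACCT-999888", "email",
                            phone_in_request="+44 20 7946 0999")  # number supplied by the requester
    results = {
        "called_number_from_request": gate.apply_change(
            req, Verification("A. Clerk", "phone", "+44 20 7946 0999", "Priya Shah", True)),
        "replied_to_email": gate.apply_change(
            req, Verification("A. Clerk", "email_reply", "+44 20 7946 0000", "Priya Shah", True)),
        "no_verification": gate.apply_change(req, None),
        "callback_to_number_on_file": gate.apply_change(
            req, Verification("A. Clerk", "phone", "+44 20 7946 0000", "Priya Shah", True)),
    }
    return gate, results


if __name__ == "__main__":
    gate, results = demo()
    for name, decision in results.items():
        print(f"{name}: {'APPROVED' if decision.approved else 'REFUSED'} {decision.reasons}")
```

The first three attempts in `demo()` are the ways a well-timed request usually gets through: the clerk calls the number the attacker helpfully included, confirms by replying to the email, or skips the step because the request looked authoritative. Only the fourth, a call to the number captured at onboarding answered by the known contact, changes the record. A change to the on-file contact details themselves should go through the same gate, which is why `VendorRecord` is frozen and `apply_change` rewrites only the account.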
Phase 5 — Monitor the indicators
The final phase watches for the signs that an attempt is being prepared or is underway.
Several indicators are observable in advance. Credential leaks and stealer-log appearances signal that a mailbox or identity may already be compromised; a valid credential is what turns lookalike-domain BEC into the more dangerous account-takeover variety, where the fraud arrives from a genuine mailbox and passes every sender check. We examined that failure mode in how account takeover happens. Newly registered lookalike domains that resemble the organisation or its key vendors are a common precursor. So is the resurfacing of executive personal data on broker sites after a prior cleanup, and new public mentions of finance staff.
Monitoring turns these from things noticed after the loss into things noticed before it. It also matters because BEC increasingly arrives with a synthetic voice or video component, as in the widely reported Arup case dissected in the six phases of a social engineering attack. Pairing exposure monitoring with deepfake and voice-verification awareness closes the loop between exposure and response.
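One piece of that monitoring in code, added here as an example and not part of the page or of PI's tooling: a sender-domain check that folds common confusables, then compares the sender's registrable label against the organisation's own domain and its key vendors for homoglyphs, TLD swaps, embedded brand names and single-character edits. The protected domains and sample From: headers are constructed; the split into label and TLD assumes a single-label public suffix, and internationalised (punycode) domains are out of scope.

```python
"""Sender-domain lookalike check for BEC triage.
Added example, not the page's or PI's code. Domains and headers are constructed."""
from email.utils import parseaddr

# Confusable sequences folded to a canonical letter. Multi-character entries come
# first so "rn" becomes "m" before the single-character digit rules run.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]

# Constructed: the organisation's own domain and one key vendor's domain.
PROTECTED_DOMAINS = ["acme-industries.com", "northwind-traders.com"]

# Constructed From: headers, one per lookalike technique plus a clean and an unrelated one.
SAMPLE_HEADERS = [
    '"Accounts Payable" <ap@acme-industries.com>',
    '"Accounts Payable" <ap@acrne-industries.com>',        # rn -> m homoglyph
    '"Jane Doe, CFO" <jane@n0rthwind-traders.com>',        # digit for letter
    '"Accounts Payable" <ap@acme-industries.co>',          # TLD swap
    '"Accounts Payable" <ap@acme-industies.com>',          # dropped character
    '"Billing" <billing@acme-industries-payments.com>',    # brand embedded in a new label
    '"Newsletter" <news@example.org>',                     # unrelated
]


def fold_confusables(label: str) -> str:
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def split_domain(domain: str):
    """Return (registrable label, tld). Assumes a single-label public suffix;
    a production check would consult the Public Suffix List for .co.uk and similar."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(sender_domain: str, protected_domains=PROTECTED_DOMAINS):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    s_label, s_tld = split_domain(sender_domain)
    s_fold = fold_confusables(s_label)
    for protected in protected_domains:
        p_label, p_tld = split_domain(protected)
        p_fold = fold_confusables(p_label)
        if (s_label, s_tld) == (p_label, p_tld):
            return "trusted", f"exact match for {protected}"
        if s_fold == p_fold:
            if s_label != p_label:
                return "lookalike", f"homoglyph of {protected}"
            return "lookalike", f"tld swap of {protected}"
        # Very short brand labels would match too loosely; require a few characters.
        if len(p_label) >= 5 and p_label in s_fold:
            return "lookalike", f"embeds brand {p_label}"
        if len(p_label) >= 5 and levenshtein(s_fold, p_fold) <= 1:
            return "lookalike", f"within one edit of {protected}"
    return "unrelated", "no protected domain resembles this sender"


def check_sender(from_header: str, protected_domains=PROTECTED_DOMAINS):
    """Parse an RFC 5322 From: header and classify the address domain."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed", "no address domain in From header"
    return classify_domain(addr.rsplit("@", 1)[1], protected_domains)


def run_samples():
    return [(h,) + check_sender(h) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, verdict, reason in run_samples():
        print(f"{verdict:9} {reason:45} {header}")
```

Run as triage on inbound payment-related mail, a "lookalike" verdict is the cue to route the message into the callback procedure rather than to block it outright, since a supplier's genuine secondary domain can trip the same rules. The same comparison, run the other way round over newly registered domains from a zone-file or certificate-transparency feed, gives the lookalike-domain watch the paragraph above describes.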
What PI does, and does not do
PI does not replace email security, finance controls, or fraud-response procedures. Those controls belong to the client's security, finance, and operations teams. PI maps the exposure that makes the fraud believable: the personal data, relationships, vendor signals, timing clues, credential indicators, and public documents an attacker can use before the email is sent.
What a corporate exposure audit covers
Pulling the phases together, an exposure-led view of BEC risk examines what an attacker can actually find and use:
- Executive exposure — personal data, timing signals, and impersonation surface for the people most likely to be impersonated.
- Finance-team exposure — the roles, contact details, and structure that make relationship mapping possible.
- Vendor exposure — the supplier relationships and naming patterns an attacker can exploit for callback fraud.
- Credential exposure — breach and stealer-log indicators that a relevant mailbox is already compromised.
- Public-document exposure — bios, PDFs, and event pages that leak names, roles, and pretext material.
- Social-graph exposure — the visible relationships that let an attacker choose a plausible sender and recipient.
PI performs this mapping. It covers the external, discoverable surface and produces a ranked, actionable picture for the people who own the controls, sitting alongside the process work in phase four rather than replacing it.
The email is the last step
CEO fraud is not only an inbox problem. It is an exposure problem that becomes an inbox problem at the final stage. The email that asks for the payment is the visible end of a long, quiet process of reconnaissance, mapping, and timing. Every part of that process is a place a defender can intervene.
The organisations that lose money defend the last step. The ones that do not lose money defend the whole chain: they reduce what can be learned, make mapping harder, protect their timing, verify every payment change out of band, and watch the indicators that an attempt is being built.