Why do people fall for fake invoices or CEO requests?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You're processing 40 emails before lunch. An invoice arrives from a vendor you half-recognize. The amount looks about right. Your CEO's name is in the thread. You're already late for a call.
That's exactly the moment attackers design for. These scams work not because people are careless, but because they're built to look completely normal inside a busy workday.
Why fake invoices slip through
Businesses receive invoices constantly. One more doesn't trigger alarm bells on its own. Attackers research your company beforehand (often using LinkedIn or your own website) so they can reference real vendor names, real project names, and real payment amounts. The email fits the pattern your brain expects, so your brain approves it.
Why CEO requests work
This is authority bias in action. Questioning your CEO feels insubordinate. Delaying a request feels like you're causing a problem. And admitting you don't recognize a vendor feels embarrassing. So you don't push back. You process it.
Attackers add urgency on top of that. "Wire today or we miss the deadline" is a phrase engineered to shut down your critical thinking. The faster you feel you need to move, the less you verify. That's not a character flaw. That's just how human brains work under pressure.
It's also worth knowing that these attacks often bypass technical defenses entirely. SPF, DKIM, and DMARC protect against spoofed domains, but a scammer who registers ceo-company.com (one letter off from your real domain) can send a perfectly authenticated email. Authentication tools don't catch look-alike domains.
The minimum verification checklist
Now you don't need to interrogate every email. You just need a short habit for anything involving money or access.
- Any payment request over your normal threshold: call the requester directly on a number you already have, not one in the email.
- A "CEO" asking you to skip normal process: that's the red flag, not the request itself. Real executives rarely need you to bypass your own controls.
- A vendor you don't recognize: cross-check the email domain against previous invoices or your accounts system before touching the payment.
- Urgency language: "wire today", "don't tell anyone", "handle this personally" are phrases that should slow you down, not speed you up.
- A reply-to that doesn't match the from address: check both. Scammers often use a legitimate-looking from but route replies to a different inbox they control.
And the goal isn't to become paranoid. It's to build a 60-second habit that kicks in for anything unusual. One confirmation call has stopped more fraud than almost any technical filter. (Of course, that only works if you actually make the call before hitting approve.)
Want to understand the broader pattern these attacks follow? Read about common psychological tricks in phishing or how urgency bias gets used against you. If you're dealing with a live situation, our SOS hotline is free and we actually pick up.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.