How do spoofed “CEO” ransom requests work?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: your finance manager gets an email from the CEO at 4:45 PM on a Friday. It says there's a confidential acquisition closing and they need a $47,000 wire transfer done before the end of the day. Don't loop in anyone else. It's sensitive. Move fast.

That's Business Email Compromise (BEC), and it works because it's built on psychology, not malware. No encryption. No ransom note. Just a spoofed email and a deadline.

How the spoofing actually works

Attackers have a few techniques, and each looks slightly different in the inbox.

Display name spoofing is the simplest. The attacker sets the display name to "Sarah Chen, CEO" but sends from a completely unrelated address like ceo.sarah99@gmail.com. Most email clients show the name, not the address, by default. Employees who don't click to expand the sender details never see the real address.

Domain spoofing is more convincing. If your domain isn't protected by a properly enforced DMARC policy, an attacker can forge the From header to show ceo@yourcompany.com even though it's sent from an unrelated server. The address looks completely legitimate.

Lookalike domains fill the gap when DMARC is in place. The attacker registers something like yourcompany-hq.com or yourcornpany.com (notice the typo) and sends from that. It passes authentication checks because it's a real domain, just not yours.

Why employees fall for it

These attacks are engineered around urgency, authority, and secrecy. The three together are potent. A message from someone senior that needs to happen NOW and can't be discussed creates exactly the kind of pressure that bypasses normal judgment. Attackers research their targets first, too. They'll know the CEO's name, the CFO's name, maybe a current project or recent news. The email feels credible because some of it is real.

Common request types beyond wire transfers include W-2 or payroll data (sent to HR, asking for employee tax records), gift card purchases (harder to trace), invoice fraud (targeting accounts payable with a "vendor bank account change"), and credential requests disguised as IT notices.

Red flags to teach your team

  • Urgency combined with secrecy. "Don't tell anyone" is a social engineering classic.
  • A request that skips normal process. "We need to move fast, don't wait for approval."
  • The sender's email address doesn't match what you'd normally see (check the full address, not just the name).
  • The email came from a personal address or a domain that's close but not quite right.
  • Any financial request that arrives outside normal channels, even if it looks like it came from someone you know.

How to reduce the risk

Technical controls matter a lot here. A DMARC policy at enforcement (p=reject or p=quarantine) stops domain spoofing cold. Without it, anyone can forge your CEO's exact address. You can check whether your domain has a valid policy set up with our free DMARC parser.

But DMARC doesn't stop display name spoofing or lookalike domains. That's where process matters. A simple rule like "any wire transfer request over $X requires a phone confirmation to a known number" catches most of these attacks before money moves. The phone call is the safeguard. Not a reply email, not a text. An actual call to a number you already have on file.

Employee training that includes real examples (not just policy slides) also makes a real difference. When people have seen what a spoofed CEO email looks like, they're much more likely to pause before acting on one.

If you're not sure whether your domain is protected against spoofing right now, our DMARC generator can help you build a record from scratch. Or if this feels like it needs a second set of eyes, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my BEC exposure

Based on my organization's email setup, help me assess our exposure to CEO fraud and Business Email Compromise (BEC). Please provide: 1) The technical gaps most likely to make us vulnerable (DMARC enforcement status, display name spoofing risk, lookalike domain risk), ranked by how commonly attackers exploit them. 2) The top 3 process controls that would reduce BEC risk without creating too much friction for normal operations. 3) Specific red flag phrases or patterns I can use in employee training, with realistic examples of how spoofed CEO emails are phrased.

Edit the yellow boxes, then send to the AI of your choice.