- CEO Fraud uses authority and time pressure to trick accounting employees into making unauthorized wire transfers. The emails are often deceptively authentic and contain internal details.
- Typical detection indicators include: unusual sender addresses, pressure for secrecy, deviation from normal approval processes, and unknown bank accounts.
- If the money has already been wired, every minute counts: contact the bank, request a recall, file a criminal complaint, and escalate internally.
- Prevention is built on three pillars: technical measures (email authentication, external mail banners), organizational controls (four-eyes principle, mandatory callback), and regular training.
- A functioning four-eyes principle with telephone callback confirmation for unusual transfers would have prevented the damage in nearly all documented CEO Fraud cases.
Tuesday, 9:14 AM: An Email That Changes Everything
Sandra Hoffmann has worked in accounting at Kruger Haustechnik GmbH for eight years. The company, a plumbing and heating installation business with 65 employees in Dortmund, is familiar territory: she knows the processes, knows the customers, knows her boss's habits. When managing director Michael Kruger wants an invoice paid, he usually writes a brief email with the subject line "Please transfer" and attaches the invoice.
On Tuesday morning at 9:14 AM, Sandra opens an email that, at first glance, looks exactly like that:
From: Michael Kruger <michael.krueger@krueger-haustechnik.de>
Subject: Urgent Transfer - Confidential
"Hi Sandra, I need your help with an urgent matter. We are about to close an acquisition, and I need a discreet transfer of EUR 47,500 to our advisor. You'll find the bank details below. Please process this today and don't discuss it with anyone for now, as the negotiations are confidential. I'm in meetings all day and hard to reach, but you can email me an update. Thanks for your reliability! Best regards, Michael"
Below is an IBAN at a Lithuanian bank and the reference "Advisory fee Q1/2026."
Sandra reads the email, and her first impulse is to prepare the transfer. The tone sounds like her boss, the sender address looks correct, and acquisition talks are indeed nothing unusual—Michael Kruger acquired a smaller competitor last year. The request for confidentiality fits his style during business transactions.
But something does not feel right.
How CEO Fraud Works: The Anatomy of an Attack
Before we continue, it is worth understanding the mechanism behind this attack. CEO Fraud, also known as Business Email Compromise (BEC), is not a technically sophisticated attack. It needs no malware and no software exploit; the entire attack relies on human psychology and careful research.
Phase 1: Reconnaissance
Weeks before the actual email, the attacker gathered information about Kruger Haustechnik GmbH. The sources are publicly accessible:
- Commercial register: Managing director Michael Kruger, share capital, business purpose
- LinkedIn: Michael Kruger's profile, his connections, his posts about last year's acquisition
- Company website: Team page with photos and names, Sandra Hoffmann listed as contact for invoices
- Legal notice: Email format (firstname.lastname@krueger-haustechnik.de)
- Xing and social media: Michael Kruger posted weekend photos from a trade fair—he is active and engaged professionally
The attacker now knows: who is the boss, who handles finances, what the email format looks like, and what business topics are current. This information is enough to construct a credible email.
Phase 2: Technical Preparation
The attacker registers a domain that is almost indistinguishable from the real one. In this case: krueger-haustechnik.de becomes krueger-haustechnjk.de (a lowercase "j" instead of "i") or krueger-haustechnik.com (different TLD). The email address michael.krueger@krueger-haustechnjk.de looks identical in an email client that does not prominently display the full address.
In more sophisticated cases, the attacker actually compromises the CEO's email account, via credential stuffing (reusing passwords leaked in other data breaches) or phishing. The email then genuinely comes from the real account and passes SPF, DKIM and DMARC, so none of the technical checks described later will catch it. Only the process controls remain: the callback and the four-eyes principle.
Phase 3: The Attack
The timing is deliberate. Tuesday morning, shortly after 9 AM, when the workday has just begun and attention is split between coffee and the first tasks. The email deploys the classic psychological levers:
- Authority: The email comes from the boss. Who contradicts the boss?
- Urgency: "Today" creates time pressure that suppresses critical thinking
- Confidentiality: "Don't discuss it with anyone" isolates the victim and prevents colleagues from questioning the matter
- Flattery: "Thanks for your reliability" activates the desire to live up to that trust
- Unavailability: "I'm in meetings all day" blocks the most obvious verification path: simply calling
Phase 4: Moving the Money
If the transfer goes through, the money is moved on within hours from the recipient account through further mule accounts and cryptocurrency exchanges. After 24 to 48 hours, a recall is virtually impossible.
Tuesday, 9:22 AM: The Moment of Decision
Back to Sandra. She has read the email, noted the IBAN, and opened the online banking portal. But the nagging feeling will not go away. Three things bother her:
First: Michael Kruger normally writes "Hi Sandra, please take care of..." and not "I need your help with an urgent matter." The tone is more polite than usual—almost a shade too formal.
Second: During the last acquisition, the payment ran through the tax advisor and the house bank, not through a direct transfer to an unknown account.
Third: Lithuania? Kruger Haustechnik has no business relationships in the Baltics.
Sandra decides to do what her last security awareness training taught her: she picks up the phone and calls Michael Kruger on his known mobile number. Not a number listed in the email (there is none), but the number she has saved in her contacts.
Michael picks up after the third ring. "Sandra? No, I didn't send you any email. What acquisition? We're not acquiring anything right now. Show me the email when I'm in the office later."
Sandra has just saved EUR 47,500.
What Would Have Happened If Sandra Had Transferred the Money?
Let us play through the alternative scenario, because this is exactly what happens in German companies many times every year. The BKA (Federal Criminal Police Office) puts the annual damage from CEO Fraud in Germany at a nine-figure sum, and the true figure is probably higher, because many cases go unreported out of embarrassment.
The First Minutes After the Transfer
Sandra would have executed the transfer at 9:30 AM. Kruger Haustechnik banks with a regional Volksbank; a standard SEPA transfer submitted in the morning is typically credited the same business day, and an instant transfer within seconds. By the afternoon at the latest, the money would be in the Lithuanian account.
At 2:00 PM, Michael Kruger arrives at the office. Sandra casually mentions the transfer. Michael goes pale.
Immediate Action 1: Contact the Bank (Minute 0 to 15)
Michael and Sandra immediately call the Volksbank: the business customer hotline, not the general number. They ask for the transfer to be recalled. For SEPA credit transfers there is a standardized recall procedure in which the sending bank asks the receiving bank to return the funds. It is a request, not an instruction: the receiving bank will normally return only what is still in the account, and in a fraud case it often cannot touch the funds without the account holder's consent or an order from the police or a court.
The chances vary:
- Within the first hour: Good chances, if the receiving bank cooperates and the money is still in the account
- Within 24 hours: Low chances, as professional fraudsters move the money immediately
- After 48 hours: Virtually hopeless
In this scenario, four and a half hours have passed since the transfer. The bank initiates the recall, but the probability of recovery is low.
Immediate Action 2: Criminal Complaint (Hours 1 to 2)
Michael files a criminal complaint with the police, ideally directly with the Cybercrime Unit of the competent public prosecutor's office. The complaint includes: the fraudulent email as evidence (the original message saved as a file, not a forwarded copy, because forwarding replaces the headers), the transfer details, the full email headers (which the IT department or the mail provider can extract), and any further communication with the attacker.
The criminal complaint serves two purposes: it enables criminal prosecution (even though the success rate for international fraud is low) and it is a prerequisite for the insurance claim.
Immediate Action 3: Internal Escalation (Parallel)
Michael informs the tax advisor and the corporate attorney. If Kruger Haustechnik has a cyber insurance policy or a fidelity insurance policy, the damage is reported there. Such policies frequently cover CEO Fraud losses, but only if the incident is reported promptly and the agreed security measures were followed. If the insurer determines that no four-eyes principle existed despite being contractually warranted, they may reduce or deny the claim.
The Uncomfortable Questions Afterward
In the days following the incident, management must face uncomfortable questions:
- Why could a single person execute a EUR 47,500 transfer without a countersignature?
- Why was there no process requiring additional verification for unfamiliar recipient accounts?
- Why did Sandra have no clear instructions for handling a suspicious payment request?
- Why does the email system not display a warning when an email comes from an external domain similar to the company's own?
Detection Indicators in Detail
Sandra recognized the fraud because she trusted her gut feeling. But relying on gut feeling is not a security strategy. The following indicators should trigger a review on every payment instruction:
Linguistic Red Flags
CEO Fraud emails are frequently written by non-native speakers or translated from English. Even with AI assistance, phrasing creeps in that deviates from the impersonated person's usual writing style; conversely, flawless grammar is no evidence of legitimacy. Anyone who regularly reads emails from their boss develops a feel for their phrasing, and a departure from it is a first warning sign.
Watch for: unusually polite or formal language, phrasing that sounds translated, and missing internal terminology, nicknames or abbreviations that the real sender normally uses.
Technical Indicators
The sender address is the most obvious check—and the most frequently overlooked, because many email clients display only the display name and hide the actual address. Train your employees to display and check the full sender address.
Further technical clues: the email comes from an external domain (even if it looks nearly identical), the Authentication-Results header shows no DKIM signature or a DMARC failure, the Reply-To header differs from the From address (common in spoofed emails, so that replies reach the attacker rather than the impersonated person), or the usual internal signature is missing or slightly altered. One caveat: a lookalike domain can pass SPF and DKIM for itself, so a passing result only proves that the message came from the domain it names, not that the domain is yours.
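The indicators in this section can be checked mechanically before a payment request ever reaches the approver. The script below is an added example, not code from the original article: it parses a raw email with Python's standard library, flags an external or lookalike sender domain (including the "j for i" trick from the scenario), a Reply-To that differs from From, a missing DMARC pass, urgency and secrecy cues in the text, and an IBAN in a country the company has no business with. The company domain, the Authentication-Results header stamped by the gateway, the Reply-To address, the IBANs and the list of "known" IBAN countries are assumptions made for the example; the two messages are constructed to mirror the story.

```python
"""Triage a payment-instruction email for the indicators listed above.
Added example, not code from the original article; Python standard library only.
Assumed, not taken from the article: the company's domain is krueger-haustechnik.de,
the inbound gateway stamps an Authentication-Results header, and known counterparties bank in DE.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "krueger-haustechnik.de"
# Character pairs that look alike in common fonts; folding both sides of a
# comparison through this table makes a lookalike collapse onto the original.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("j", "i"), ("1", "l"), ("0", "o"), ("5", "s")]
URGENCY = re.compile(r"\b(urgent|today|immediately|asap)\b", re.I)
SECRECY = re.compile(r"\b(confidential|discreet|don't (?:discuss|tell))\b", re.I)
UNAVAILABLE = re.compile(r"\b(in meetings|hard to reach|cannot take calls)\b", re.I)
IBAN = re.compile(r"\b([A-Z]{2})\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b")


def canonical(label: str) -> str:
    """Lower-case, decode punycode (xn--) labels, fold confusable characters."""
    try:
        label = label.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    label = label.lower()
    for lookalike, real in CONFUSABLE_PAIRS:
        label = label.replace(lookalike, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    """Different domain whose label imitates ours: confusables, a one-character typo, or another TLD."""
    if domain.lower() == org:
        return False
    mine, theirs = canonical(org.rsplit(".", 1)[0]), canonical(domain.rsplit(".", 1)[0])
    return mine == theirs or levenshtein(mine, theirs) <= 1


def triage(raw_message: str, known_iban_countries=("DE",)) -> list[str]:
    """Return the indicators that fired; an empty list means none did."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain != ORG_DOMAIN:
        findings.append(f"external sender {sender}")
        if is_lookalike(sender_domain):
            findings.append(f"lookalike domain {sender_domain} (resembles {ORG_DOMAIN})")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        findings.append(f"Reply-To {reply_to} differs from From")
    # A lookalike domain passes SPF/DKIM for itself; only dmarc=pass ties the message
    # to the From domain, and even that is no help when the real account is hijacked.
    if "dmarc=pass" not in msg.get("Authentication-Results", ""):
        findings.append("no DMARC pass in Authentication-Results")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    for label, pattern in (("urgency", URGENCY), ("secrecy", SECRECY), ("unavailability", UNAVAILABLE)):
        if hit := pattern.search(text):
            findings.append(f"{label} cue: {hit.group(0)!r}")
    for hit in IBAN.finditer(text):
        if hit.group(1) not in known_iban_countries:
            findings.append(f"IBAN in {hit.group(1)}: no known business relationship there")
    return findings


# Constructed sample mirroring the article's scenario; Reply-To address, IBAN and
# gateway header are invented for this example.
FRAUD = """\
From: Michael Kruger <michael.krueger@krueger-haustechnjk.de>
Reply-To: Michael Kruger <m.krueger.office@example.net>
Subject: Urgent Transfer - Confidential
Authentication-Results: mx.krueger-haustechnik.de; spf=pass smtp.mailfrom=krueger-haustechnjk.de; dkim=none; dmarc=none

Hi Sandra, I need your help with an urgent matter. I need a discreet transfer of
EUR 47,500 to our advisor. Please process this today and don't discuss it with
anyone for now. I'm in meetings all day and hard to reach.
IBAN: LT12 1000 0111 0100 1000
"""
# Constructed legitimate request in the boss's usual style, for contrast.
LEGIT = """\
From: Michael Kruger <michael.krueger@krueger-haustechnik.de>
Subject: Please transfer
Authentication-Results: mx.krueger-haustechnik.de; spf=pass; dkim=pass header.d=krueger-haustechnik.de; dmarc=pass header.from=krueger-haustechnik.de

Hi Sandra, please pay the attached supplier invoice to IBAN DE89 3704 0044 0532 0130 00.
"""

if __name__ == "__main__":
    for name, sample in (("fraud", FRAUD), ("legit", LEGIT)):
        print(name, triage(sample) or ["no indicators"])
```

Run as a script it prints eight findings for the constructed fraud message and "no indicators" for the legitimate one. Note what the SPF result in the fraud sample shows: the attacker's own domain passes SPF, which is exactly why a green "authenticated" marker in the mail client proves nothing about who the sender is. The script is a triage aid for the person who receives the request; it does not replace the callback.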
Process Anomalies
The strongest indicator is not the email itself but the deviation from normal business processes. If your boss normally approves invoices through the ERP workflow and suddenly requests a manual transfer via email, that is an anomaly that must be investigated. If the payment goes to an unknown recipient at a bank in a country with no business relationship, that is another warning sign. And if the instruction includes a request to bypass the normal approval process, it is almost always a fraud attempt.
The Confidentiality Trick
The demand for secrecy is the most insidious element of CEO Fraud. It exploits employees' natural loyalty and discretion while simultaneously preventing the most effective countermeasure: talking to someone about it. Make it clear to your employees that no legitimate business transaction requires them to keep it from their supervisors or the second authorized signatory. If someone makes secrecy a condition for a payment, it is virtually always a fraud attempt.
Prevention: The Three Pillars
CEO Fraud cannot be prevented with a single measure. You need a combination of technical, organizational, and human protection layers.
Pillar 1: Technical Measures
Email authentication (SPF, DKIM, DMARC): These three protocols let receiving mail servers verify that emails claiming to come from your domain actually originate from your authorized mail servers. SPF defines which servers may send emails on your behalf, DKIM cryptographically signs emails, and DMARC specifies what happens to emails that fail both checks and where reports should be sent. A correctly configured DMARC policy with p=reject causes receivers that enforce the policy to discard messages that forge your exact domain.
But: DMARC does not protect against lookalike domains (krueger-haustechnjk.de). For that, you need additional measures.
External mail banner: Configure your email system to display a clearly visible warning on every email originating from outside the organization. For example: "This email is from an external sender. Check the sender address carefully." This banner is simple but remarkably effective because it interrupts the automatic trust reflex.
Lookalike domain monitoring: Open-source tools such as dnstwist, or commercial brand-protection services, generate the plausible permutations of your domain (swapped characters, missing letters, other TLDs) and check which of them have been registered. This way you learn early when someone registers krueger-haustechnjk.de and can act preemptively, for example by blocking the domain at the mail gateway and warning the accounting team.
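The DNS records behind Pillar 1, as an added example rather than configuration from the article: the first block is what the action plan later in the text describes (SPF, DKIM, DMARC starting at quarantine and tightened to reject). The second block goes one step further than the article and assumes the company has registered the most obvious lookalike, krueger-haustechnik.com, itself; a domain that never sends mail should say so explicitly so that receivers reject any abuse of it. The TEST-NET address, the DKIM selector name, the public key placeholder and the report mailbox are assumptions.

```dns
; Added example, not the article's configuration. The TEST-NET address, the
; selector name and the report mailbox are placeholders; use your own.
krueger-haustechnik.de.                       IN TXT "v=spf1 mx ip4:203.0.113.25 -all"
selector1._domainkey.krueger-haustechnik.de.  IN TXT "v=DKIM1; k=rsa; p=<public key exported from the signing mail server>"
_dmarc.krueger-haustechnik.de.                IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@krueger-haustechnik.de"
; After the observation period described in the action plan, tighten to:
; _dmarc.krueger-haustechnik.de.              IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@krueger-haustechnik.de"

; Defensively registered lookalike (assumed step, not one the article lists).
; It never sends mail: null MX (RFC 7505), an SPF record that authorises no
; sender, an empty DKIM key for every selector, and reject-everything DMARC.
krueger-haustechnik.com.                      IN MX 0 .
krueger-haustechnik.com.                      IN TXT "v=spf1 -all"
*._domainkey.krueger-haustechnik.com.         IN TXT "v=DKIM1; p="
_dmarc.krueger-haustechnik.com.               IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@krueger-haustechnik.de"
; Reports for the .com go to a mailbox under the .de, so the .de must authorise
; that cross-domain report destination (RFC 7489, section 7.1):
krueger-haustechnik.com._report._dmarc.krueger-haustechnik.de. IN TXT "v=DMARC1"
```

Two practical notes. Start DMARC at p=none or p=quarantine only after checking the aggregate reports for a few weeks, otherwise a forgotten newsletter tool or the ERP system's invoice mailer will be the first thing that gets quarantined. And none of these records helps against a lookalike domain the attacker owns, such as krueger-haustechnjk.de: that domain publishes whatever records the attacker likes, which is why the external mail banner and the callback remain necessary.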
Pillar 2: Organizational Controls
Four-eyes principle for transfers: No transfer above a defined threshold (e.g., EUR 5,000) may be approved by a single person. Two independent approvals are always required, ideally from people who do not sit in the same office and are not reachable through the same communication channel.
Mandatory telephone callback: For every payment instruction received by email that deviates from normal processes, a telephone callback to the requester is mandatory. On a known, previously verified phone number—not on a number provided in the email.
Defined approval limits: Tier the approval authorities by amount. Up to EUR 2,000, one approval is sufficient; up to EUR 10,000, two approvals; above that, three approvals including management. Document these limits in writing and regularly verify compliance.
Securing new bank details: When an existing supplier suddenly communicates new bank details, these must be verified through a separate channel (phone, personal contact) before the first payment to the new account. This procedure also prevents the related scam known as "payment redirection fraud."
Pillar 3: Awareness and Training
Regular training: At least twice a year, all employees involved with payments should receive training on CEO Fraud. A systematic security awareness program anchors the knowledge sustainably. The training should show real-world examples, convey the detection indicators, and practice the correct behavior when suspicion arises.
Simulated attacks: Phishing simulations and CEO Fraud simulations are the most effective training format because they replicate real situations. If Sandra regularly receives test emails and learns to spot the indicators, she will also recognize the real attack.
Clear escalation paths: Every employee must know whom to contact when a payment instruction seems suspicious. And they must know they will not be punished for it—even if the suspicion turns out to be unfounded. A corporate culture where asking questions is interpreted as distrust of the boss is the best breeding ground for CEO Fraud.
The boss's announcement: Michael Kruger should state clearly in a team meeting: "If you receive an unusual payment instruction from me, call me. Always. Even if the email says I'm not available. I will never criticize you for being cautious—but I will ask why you transferred EUR 47,000 without checking." This statement from the boss personally is more effective than any training slide.
Variants of CEO Fraud
The classic variant with the forged boss email is just one form. Attackers constantly adapt their methods:
Supplier Variant
Instead of impersonating the boss, the attacker poses as an existing supplier and communicates "new bank details." The email seemingly comes from the supplier's contact person and references an actual open invoice (the information comes from a compromised email account of the supplier or from publicly available information).
Lawyer Variant
The attacker poses as a lawyer or notary who needs to arrange an urgent payment in connection with a corporate transaction (acquisition, property purchase, litigation). The authority of the lawyer role and the alleged confidentiality of the transaction increase the pressure.
IT Support Variant
A newer variant combines CEO Fraud with technical social engineering: a caller poses as IT support and convinces an employee to install remote access software. Through the remote access, the online banking is then manipulated or a transfer is executed directly.
Deepfake Variant
The most recent and most concerning development uses AI-generated voices or videos. A call that sounds like the boss, or a short video in a Teams message that looks like the boss. These cases are still rare, but the technology is becoming more accessible. This makes the telephone callback to the known number all the more important—because you are calling, not the attacker.
The Costs of a Successful CEO Fraud
The direct financial losses are only part of the damage. For Kruger Haustechnik, a successful attack would have had the following consequences:
Direct financial loss: EUR 47,500, which with high probability cannot be recovered.
Insurance costs: The fidelity insurance deductible is often 10 to 20 percent of the damage, plus rising premiums after a claim.
Legal costs: Attorney, criminal complaint, potentially civil litigation with the bank.
Internal costs: Staff time for post-incident work, new security measures, training.
Reputational damage: If the incident becomes public (e.g., through a data protection notification or press reports), trust from customers and partners suffers.
Psychological burden: Sandra would blame herself, even though she was the victim of a professional fraud. This personal toll is often underestimated.
The Action Plan After the Scenario
Michael Kruger uses the incident (even though Sandra caught the fraud in time) as the catalyst to overhaul security measures:
Implemented Immediately
- External mail banner activated for all incoming external emails
- Four-eyes principle introduced for all transfers over EUR 3,000
- Mandatory callback for unusual payment instructions documented as a binding work instruction
- New bank details must be verified by phone with the supplier
Within Four Weeks
- SPF, DKIM, and DMARC configured for the company domain (DMARC with policy "quarantine," switching to "reject" after three months)
- Security awareness training for the entire accounting department and all employees with signing authority
- Approval limits documented in writing and configured in the ERP system
Within Three Months
- Lookalike domain monitoring set up
- First CEO Fraud simulation conducted
- Regular training cadence established (semi-annually)
- Emergency procedure for completed fraudulent transfers documented (whom to call, in what order, what information to have ready)
What This Case Teaches
CEO Fraud is among the attacks that can be prevented with relatively simple measures. No expensive security tool, no complex infrastructure. The most effective countermeasures are organizational: a functioning four-eyes principle, a mandatory callback procedure, and a corporate culture in which asking questions is not seen as distrust but as diligence.
Sandra acted correctly because she had three things: a trained eye for anomalies, the courage to ask, and her boss's phone number in her head. That this is not a given is shown by the damage statistics.
And this case demonstrates something else: the best technical security solution is useless if the person at the end of the process makes a wrong decision under pressure. CEO Fraud is an attack on people, not on systems. Tools such as ISMS Lite can help document and track approval processes, training records and incident response procedures without per-seat licenses, but documentation alone does not stop social engineering. The defense must therefore also start with people: with knowledge, with clear processes, and with the explicit permission to be skeptical.
Further Reading
- Social Engineering in the Workplace: Methods, Examples, and Countermeasures
- Recognizing and Reporting Phishing: A Practical Guide for Employees and IT
- Detecting and Reporting Security Incidents: The Right Process
- Building a Security Awareness Program: From Compliance Exercise to Security Culture
- Email Security: Properly Configuring SPF, DKIM, and DMARC
