Phishing-CEO-Fraud

The Scams That Trick Even the Smartest Employees

“Hi, I need you to process an urgent payment. I’m in a meeting so can’t call, but please action this immediately and confirm when done.”

If you received this email from your managing director, would you question it? What if it came from their actual email address—or one that looked almost identical?

This is the reality of modern email fraud. Gone are the days of obvious scams from foreign princes. Today’s attacks are sophisticated, targeted, and designed to exploit the trust and urgency that keeps businesses running smoothly.

The Scale of the Problem

Email-based attacks remain the number one method criminals use to target UK businesses. According to government statistics, over 80% of cyber attacks begin with a phishing email. For small and medium-sized businesses, the consequences can be devastating—not just financially, but in terms of reputation, client relationships, and business continuity.

We see attempted attacks on our clients regularly. The good news is that with the right awareness and systems in place, the vast majority can be stopped before any damage is done.

Understanding the Different Types of Attack

Not all email attacks are created equal. Understanding the different approaches helps you recognise them.

Standard Phishing: Casting a Wide Net

Traditional phishing emails are sent to thousands of recipients hoping a small percentage will fall for them. They typically impersonate well-known brands—banks, delivery companies, Microsoft, HMRC—and try to create urgency that bypasses your critical thinking.

Common examples include:

  • “Your Microsoft 365 password expires in 24 hours – click here to renew”
  • “Your DHL parcel could not be delivered – confirm your address”
  • “HMRC: You are eligible for a tax refund of £847.50”
  • “Unusual sign-in activity detected on your account”

The goal is usually to steal login credentials or install malware. These attacks rely on volume—send enough emails, and someone will click.

Spear Phishing: Targeted and Personal

Spear phishing takes things further by targeting specific individuals with personalised content. The attacker researches your company—often using LinkedIn, your website, Companies House, and social media—to craft a believable message.

These emails might reference real projects you’re working on, name colleagues correctly, or mention recent company news. They feel legitimate because they contain accurate details about your business.

CEO Fraud / Business Email Compromise

This is the attack we see causing the most damage to SMEs. Also known as Business Email Compromise (BEC), it involves criminals impersonating senior figures in your organisation—typically the managing director, CEO, or financial director.

The attacker might use a spoofed email address that looks nearly identical to the real thing (john.smith@yourcompany.co.uk vs john.smith@yourcompany.uk), or in more sophisticated attacks, they may have actually compromised the real email account.

Typical CEO fraud scenarios:

  • Requesting an urgent bank transfer to pay a “supplier” or complete a “confidential acquisition”
  • Asking for employee payroll details, P45s, or personal information
  • Requesting gift cards be purchased for “client gifts” or “staff rewards”
  • Changing supplier bank details just before a large payment is due

Supplier Invoice Fraud

A variation of BEC targets your relationships with suppliers. Criminals intercept email chains—sometimes by compromising your systems, sometimes the supplier’s—and send fraudulent bank detail change requests. When you pay the next invoice, the money goes to the criminal’s account instead.

These attacks are particularly effective because they slot into existing, legitimate business processes. You’re expecting an invoice, you receive one, and you pay it.

What These Attacks Actually Look Like

Let’s look at some realistic examples based on attacks we’ve seen targeting UK businesses.

Example 1: The Urgent Payment Request

From: David Mitchell <david.mitchelI@smithandco.co.uk>

To: Sarah (Accounts)

Subject: Urgent – Payment needed today

Hi Sarah, I’m finalising a confidential supplier agreement and need to make a payment of £12,400 today. Can you process this as priority? I’m in meetings all day so please don’t call – just email me the confirmation once done. Bank details attached. Thanks, David

The red flags: Look carefully at the sender’s email—the ‘l’ in Mitchell is actually a capital ‘I’. The request is urgent, confidential, and specifically asks not to call. Classic CEO fraud.

Example 2: The Supplier Bank Change

From: accounts@acme-suppIies.com

Subject: Updated bank details – Action required

Dear Valued Customer, Please note our banking details have changed with immediate effect due to a recent bank migration. Please update your records before processing any payments. Our new account details are below. Regards, ACME Supplies Ltd

The red flags: Again, look at the domain—‘suppIies’ uses a capital I instead of an ‘l’. The request is generic and doesn’t reference specific invoices. Legitimate bank changes would typically involve phone confirmation.

Example 3: The Microsoft Warning

From: Microsoft 365 Team <no-reply@microsoft-365-security.com>

Subject: [URGENT] Your password expires in 2 hours

Your Microsoft 365 password will expire today. To avoid losing access to your email and files, please verify your credentials immediately by clicking the secure link below. Failure to act will result in account suspension.

The red flags: Microsoft doesn’t send emails from “microsoft-365-security.com”—their emails come from microsoft.com domains. The artificial urgency and threat of suspension are classic pressure tactics.
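All three examples share the same tell: a sender address one confusable character away from a trusted one, or an unfamiliar domain carrying a trusted brand name. The following Python is an added example (not from the original article) of how a mail gateway or helpdesk script could flag them automatically; the contact list, brand list and pressure-phrase list are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-lists for this example; a real deployment would load these
# from the address book and supplier master data.
KNOWN_CONTACTS = {"david.mitchell@smithandco.co.uk", "accounts@acme-supplies.com"}
PROTECTED_BRANDS = {"microsoft": "microsoft.com"}  # brand keyword -> genuine domain

# Characters that are easy to confuse on screen. Both the suspect address and the
# trusted one are folded with the same table, so look-alikes collide with the
# genuine spelling. (Cyrillic/Greek homoglyphs are not covered by this table.)
CONFUSABLES = str.maketrans({"I": "l", "i": "l", "1": "l", "|": "l", "0": "o"})

def skeleton(s: str) -> str:
    """Fold an address or domain so visually similar strings compare equal."""
    folded = unicodedata.normalize("NFKC", s).translate(CONFUSABLES).lower()
    return folded.replace("rn", "m").replace("vv", "w")

def classify_sender(header_from: str) -> str:
    """Classify a From: header value against the allow-lists above."""
    _, addr = parseaddr(header_from)
    addr = addr.strip()
    if addr.lower() in KNOWN_CONTACTS:
        return "known"
    sk = skeleton(addr)
    for contact in KNOWN_CONTACTS:
        if skeleton(contact) == sk:  # same skeleton, different spelling
            return f"lookalike of {contact}"
    domain = addr.lower().rsplit("@", 1)[-1]
    for brand, real in PROTECTED_BRANDS.items():
        if domain == real or domain.endswith("." + real):
            return f"genuine {real} domain"
        if skeleton(brand) in skeleton(domain):  # brand name inside an unrelated domain
            return f"brand impersonation of {real}"
    return "unknown"

# Pressure tactics the article describes: urgency, secrecy and "don't call".
PRESSURE_PHRASES = ("urgent", "immediately", "today", "confidential",
                    "don't call", "end of day", "suspension")

def pressure_flags(text: str) -> list:
    """Return the pressure phrases present in a subject or body."""
    t = text.lower().replace("\u2019", "'")  # normalise curly apostrophes
    return [p for p in PRESSURE_PHRASES if p in t]

if __name__ == "__main__":
    for hdr in ("David Mitchell <david.mitchelI@smithandco.co.uk>",
                "accounts@acme-suppIies.com",
                "Microsoft 365 Team <no-reply@microsoft-365-security.com>"):
        print(f"{hdr!r}: {classify_sender(hdr)}")
```

A sender classed as a lookalike or brand impersonation, combined with two or more pressure phrases, is a strong candidate for an external banner and a hold for phone verification.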

Why These Scams Work

Intelligent, careful people fall for these attacks every day. Understanding why helps us defend against them.

They exploit trust and authority

When your managing director asks you to do something, your instinct is to help, not to question their identity. Criminals exploit this workplace dynamic.

They create urgency

Urgency bypasses critical thinking. When something needs doing “immediately” or “before end of day”, we act quickly rather than carefully.

They discourage verification

“I’m in meetings so don’t call” or “this is confidential” are designed to prevent you from picking up the phone to verify.

They fit existing workflows

The best attacks slot into normal business processes. Processing a payment or updating supplier details are routine activities—exactly what makes them effective targets.

They target busy people

The person who processes 50 emails before 10am is less likely to scrutinise each one carefully than someone with a quiet inbox.

How to Protect Your Business

Train Your People

Your staff are both your biggest vulnerability and your best defence. Regular security awareness training helps everyone recognise the warning signs. This doesn’t need to be heavy-handed—short, regular refreshers with real examples are more effective than annual lectures.

Crucially, create a culture where people feel comfortable questioning unusual requests. The employee who phones the MD to verify a payment request isn’t being awkward—they’re being sensible.

Establish Clear Processes

Simple procedural controls can stop most CEO fraud dead:

  • Require phone verification for any bank detail changes—using a known number, not one from the email
  • Implement dual authorisation for payments above a certain threshold
  • Create a policy that urgent payment requests must be verified in person or by phone
  • Establish a clear process for handling unusual requests, regardless of who they appear to come from

Use Technology Wisely

Technical controls add important layers of protection:

  • Advanced email filtering that goes beyond basic spam detection
  • Multi-factor authentication on all email accounts (essential for preventing account takeover)
  • External email banners that clearly mark messages from outside your organisation
  • SPF, DKIM, and DMARC records to prevent email spoofing of your domain
  • Regular security assessments and simulated phishing tests
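To make the SPF and DMARC bullet concrete, the following Python is an added example (not from the original article) that checks whether a domain's published records actually stop spoofing. The TXT records for yourcompany.co.uk are constructed inline, one weak set beside one hardened set, and no DNS query is made.

```python
# Constructed TXT records for the yourcompany.co.uk domain used in the article:
# a weak setup beside the hardened one. No DNS lookup is performed.
WEAK_RECORDS = {
    "yourcompany.co.uk": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.yourcompany.co.uk": ["v=DMARC1; p=none"],
}
STRONG_RECORDS = {
    "yourcompany.co.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.yourcompany.co.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.co.uk"],
}

def parse_dmarc(txt: str) -> dict:
    """Split 'k=v; k=v' DMARC tags into a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spoofing_posture(domain: str, records: dict) -> list:
    """Return weaknesses in the SPF/DMARC records that let others spoof the domain.
    DKIM is not assessed: its key sits under a selector name a bare lookup cannot see."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any server can claim to send as this domain")
    elif len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    else:
        mech = spf[0].split()[-1].lower()
        if not mech.endswith("all") and not mech.startswith("redirect="):
            findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        elif mech in ("all", "+all", "?all"):
            findings.append(f"SPF ends in '{mech}': every sender is authorised")
        elif mech == "~all":
            findings.append("SPF ends in '~all': soft fail only, many receivers still deliver")
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM results are not enforced against From:")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail goes to junk instead of being rejected")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports are received")
    return findings
```

Run against the weak set the checker reports three gaps (soft-fail SPF, monitor-only DMARC, no reporting address); the hardened set reports none.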

What To Do If You Suspect An Attack

If you receive a suspicious email or suspect you may have fallen victim to an attack:

  1. Don’t panic—but do act quickly
  2. Don’t reply to the suspicious email or click any links
  3. Verify directly—contact the apparent sender through a known, trusted channel
  4. Report it to your IT provider or internal IT team immediately
  5. If money has been transferred, contact your bank immediately—speed is critical for recovery
  6. Report to Action Fraud (0300 123 2040) for official recording and potential investigation

Stay Vigilant, Stay Safe

Email fraud isn’t going away—if anything, it’s becoming more sophisticated as criminals leverage AI tools to craft more convincing messages. But with the right combination of awareness, processes, and technology, your business can stay protected.

The key message for everyone in your organisation: if something feels unusual, check. A 30-second phone call to verify a payment request is far better than explaining to clients why their data was compromised or trying to recover £50,000 from a fraudster’s account.

Concerned about email security?

Get in touch for a security review of your email systems and staff training options.

Give our friendly experts a call on 020 3327 0310.