CEO and executive impersonation works because organizations are built on hierarchical trust. When a message appears to come from the top of the org chart, the recipient's natural skepticism is suppressed. Attackers have industrialized this psychological dynamic.
Executive impersonation is a category of BEC that specifically exploits the authority of the C-suite. The attack targets whoever is one level below: the CFO receives a request from the CEO, the finance director receives a request from the CFO, the legal assistant receives a request from the General Counsel.
The authority dynamic removes the normal friction of approval processes. Employees are conditioned to comply with executive requests quickly and without interrogation — a dynamic that is entirely reasonable in normal operations and entirely exploitable in a fraud context.
The FBI's Internet Crime Complaint Center (IC3) has tracked cumulative business email compromise losses, the category of which CEO fraud is the best-known variant, exceeding $50 billion globally between 2013 and 2022. The attack is not declining; it is growing in sophistication, with AI voice and video synthesis adding an attack surface that text-only impersonation never had.
Executive impersonation attacks are increasingly personalized. Attackers study executive communication styles from public interviews, earnings calls, and internal leaks. They time attacks to known travel schedules, board meeting windows, and acquisition announcements. The context is always specific enough to be credible and urgent enough to suppress deliberation.
Attack anatomy — step by step
1. Attacker profiles the target organization, identifying exec names, reporting relationships, and communication channels.
2. Attacker establishes communication from an impersonated executive channel: compromised email, lookalike domain, or AI-synthesized voice/video.
3. Attack is timed for maximum pressure: travel, board meetings, acquisition windows, or end-of-quarter periods.
4. Request is specific, urgent, and framed to bypass normal approval processes ('Don't loop in legal yet').
5. Target complies, driven by authority bias and artificial urgency.
6. Funds are transferred or credentials disclosed before the fraud is discovered.
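The channel part of step 2 leaves traces that a mail pipeline can check before the message ever reaches a human. As an added example (not code from the original page or from Real Authenticator), the Python below flags the three header-level indicators of executive impersonation: a lookalike of the corporate domain (the one-letter change used in the Corcoran case), an executive's display name on an external mailbox, and a Reply-To that diverts the conversation away from the sender's domain. The company domain, executive roster, homoglyph table and sample messages are constructed for the illustration.

```python
from email.utils import parseaddr

# Constructed data for the example: a fictitious company and its executives.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "CEO", "sam lee": "CFO"}

# Character swaps that make a registered lookalike read as the real domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def normalize(domain: str) -> str:
    """Fold homoglyphs so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a one-character typosquat is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is meant to be read as ours."""
    if domain == CORPORATE_DOMAIN:
        return False
    return normalize(domain) == CORPORATE_DOMAIN or levenshtein(domain, CORPORATE_DOMAIN) <= 1


def classify(msg: dict) -> list:
    """Return the impersonation indicators present in one inbound message."""
    name, addr = parseaddr(msg["from"])
    sender_domain = domain_of(addr)
    findings = []
    if is_lookalike(sender_domain):
        findings.append("lookalike-domain")
    if sender_domain != CORPORATE_DOMAIN and name.strip().lower() in EXECUTIVES:
        findings.append("exec-display-name-external")
    if "reply_to" in msg:
        reply_domain = domain_of(parseaddr(msg["reply_to"])[1])
        if reply_domain != sender_domain:
            findings.append("reply-to-mismatch")
        if is_lookalike(reply_domain):
            findings.append("reply-to-lookalike")
    return findings


# Constructed sample inbox for the example, not real traffic.
SAMPLE_MESSAGES = {
    "legit": {"from": "Jane Doe <jane.doe@example.com>"},
    "typosquat": {"from": "Jane Doe <jane.doe@examp1e.com>"},
    "webmail": {"from": "Jane Doe <janedoe.ceo@gmail.com>"},
    "replyto": {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "jane.doe@exarnple.com"},
    "vendor": {"from": "Vendor Billing <ap@vendor-corp.com>"},
}


def triage(messages: dict) -> dict:
    """Run classify over a batch; keys map to the list of indicators found."""
    return {key: classify(msg) for key, msg in messages.items()}


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_MESSAGES).items():
        print(f"{key:10} {hits or 'clean'}")
```

None of these checks require the message to fail SPF or DKIM; a lookalike domain is usually set up to pass both for its own name, which is why the check has to compare against the domain the reader will think they are seeing rather than the one the headers authenticate.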
Why your stack fails
Authority bias is a cognitive vulnerability that security training cannot fully neutralize. Training reduces susceptibility in generic scenarios; it does not reliably override the conditioned response to a request from a known superior, especially under artificial urgency. Email authentication controls (SPF, DKIM, DMARC) verify that a message came from the domain it claims to come from. They do nothing against a lookalike domain that passes its own checks, a genuinely compromised executive mailbox, or a phone call, and nothing at all about the psychological dynamics of organizational hierarchy.
How Real Authenticator stops it
A code request from a CFO to a CEO, or from a finance manager to an approving executive, takes five seconds and does not depend on resisting authority bias: the requester is not being asked to doubt the executive, only to follow a fixed step. The code proves possession of the executive's physical device, which an attacker holding a lookalike domain, a compromised mailbox or a synthesized voice does not have, regardless of how urgent or authoritative the request feels. Organizations that make code verification the routine step for any high-stakes request remove the attacker's ability to complete the transaction through the impersonated channel alone.
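To make concrete what "proves physical device possession" means, here is an added illustration of the general technique, not Real Authenticator's implementation: a secret is provisioned on the executive's device at enrollment, the approver's side issues a fresh challenge, and the device computes a short HMAC code over that challenge and the exact request being approved (truncated the way RFC 4226 truncates HOTP). The PaymentRequest fields, the Verifier class, the exec identifiers and the random secrets are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentRequest:
    """What the approver is about to act on (assumed fields for the example)."""
    beneficiary: str
    amount_cents: int
    currency: str


def challenge_bytes(nonce: str, req: PaymentRequest) -> bytes:
    # The code is bound to one nonce and one request, so a code talked out of the
    # executive for a different transfer, or an earlier one, is useless here.
    return f"{nonce}|{req.beneficiary}|{req.amount_cents}|{req.currency}".encode()


def device_code(device_secret: bytes, nonce: str, req: PaymentRequest, digits: int = 6) -> str:
    """Code computed on the enrolled device; only a holder of device_secret can produce it."""
    mac = hmac.new(device_secret, challenge_bytes(nonce, req), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation as in RFC 4226
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Approver-side service holding each executive's enrolled device secret."""

    def __init__(self) -> None:
        self.enrolled = {}
        self.used_nonces = set()

    def enroll(self, exec_id: str, device_secret: bytes) -> None:
        self.enrolled[exec_id] = device_secret

    def new_challenge(self) -> str:
        return secrets.token_hex(8)

    def verify(self, exec_id: str, nonce: str, req: PaymentRequest, code: str) -> bool:
        secret = self.enrolled.get(exec_id)
        if secret is None or nonce in self.used_nonces:
            return False
        ok = hmac.compare_digest(device_code(secret, nonce, req), code)
        if ok:
            self.used_nonces.add(nonce)              # one code, one approval
        return ok


def demo() -> dict:
    """A genuine approval followed by three ways an impersonator fails."""
    v = Verifier()
    ceo_device = secrets.token_bytes(32)             # provisioned at enrollment
    v.enroll("ceo", ceo_device)
    req = PaymentRequest("Acme Holdings Ltd", 38_800_000, "USD")

    nonce = v.new_challenge()
    spoken_code = device_code(ceo_device, nonce, req)   # read off the CEO's device
    results = {"genuine": v.verify("ceo", nonce, req, spoken_code)}
    results["replay"] = v.verify("ceo", nonce, req, spoken_code)   # same code again

    nonce2 = v.new_challenge()
    attacker_device = secrets.token_bytes(32)        # attacker holds no enrolled device
    results["attacker"] = v.verify("ceo", nonce2, req, device_code(attacker_device, nonce2, req))

    # A real code obtained for one request does not approve a request with a swapped beneficiary.
    altered = PaymentRequest("Mule Account LLC", 38_800_000, "USD")
    results["altered"] = v.verify("ceo", nonce2, altered, device_code(ceo_device, nonce2, req))
    return results


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome:9} accepted={accepted}")
```

The property that matters is in verify: the decision depends only on the secret the enrolled device holds and the request details, never on who appears to be asking or how urgently. Binding the code to the beneficiary and amount is the part most often skipped in practice; a bare one-time code proves the device is present but not that its owner is approving this particular transfer.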
Documented real-world cases
Shark Tank judge Barbara Corcoran — $388K
In 2020, Corcoran's bookkeeper wired $388,000 after receiving an email appearing to be from Corcoran's assistant approving a real estate investment. The email domain had one letter changed. The funds were recovered only because the bank was notified before the wire cleared.
Source: CNBC, February 2020
Levitas Capital — company collapse
Australian hedge fund Levitas Capital collapsed in 2020 after its co-founder clicked a fraudulent Zoom link that installed malware, eventually leading to $8.7 million in fraudulent invoices. The resulting reputational damage caused the fund's largest client to withdraw, forcing closure.
Source: Australian Financial Review, 2020
Frequently asked questions
Does security awareness training help?
Training helps with generic phishing recognition. It is significantly less effective against targeted executive impersonation, which is personalized to the recipient and designed to exploit organizational authority structures. The FBI has noted continued growth in CEO fraud despite widespread training adoption.
Statistics reflect data available at time of publication. Real Authenticator is not affiliated with cited organizations. Links to external sources are provided for reference only.