CEO Fraud Exposed: How One Email Nearly Cost Thousands
- janna7555
- 4 days ago
- 4 min read
Email scams are becoming so convincing that even switched-on businesses can get caught. Criminals now specialise in impersonating CEOs or finance directors to trick staff or suppliers into sending money.
This blog shares a real-world-style case where a company had good email protection in place, but a supplier without the same safeguards was nearly duped. The lesson is simple: protecting only your own business isn’t enough — you need to think about your supply chain too.
First, What Are These Email Protections?
Before diving into the story, let’s explain three common (but confusing) terms in simple business language:
· SPF (Sender Policy Framework) → Think of this like a “guest list” for your company email. It tells other mail systems which servers are allowed to send emails on your behalf. If a sender isn’t on the list, their email should be treated with suspicion.
· DKIM (DomainKeys Identified Mail) → Imagine putting a digital wax seal on your email. It proves the message hasn’t been tampered with on its way and that it really came from your company.
· DMARC (Domain-based Message Authentication, Reporting and Conformance) → This is the rulebook that sits on top of SPF and DKIM. It tells receiving mail systems what to do if an email fails those checks (for example: reject it, quarantine it, or allow it). It also gives you reports so you can see who is sending emails using your domain.
Together, these three protections stop criminals from pretending to send emails from your real company domain, a common tactic in fraud.
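To show how the three records fit together on the receiving side, here is a simplified SPF check and DMARC evaluation written in Python. It is an added example, not code from the original post or from any mail product: the DNS records are constructed for the post's fictional Acme domain (a real receiver fetches them over DNS), the DKIM public key is a placeholder, 203.0.113.0/24 and 198.51.100.7 are documentation addresses standing in for real servers, the organisational-domain rule is a shortcut for the Public Suffix List, and the DKIM signature result is passed in as if a library such as dkimpy had already verified it.

```python
"""Simplified SPF check and DMARC evaluation on the receiving side.

Added example, not the post's code. DNS records are constructed for the
fictional Acme domain; the DKIM key is a placeholder; DKIM signature
verification is assumed done elsewhere, so its result is an input here.
"""
import ipaddress

# Constructed TXT records: the SPF "guest list", the DKIM "wax seal" key and
# the DMARC "rulebook". 203.0.113.0/24 stands in for Acme's real mail servers.
DNS_TXT = {
    "acmeconsultingpartnersltd.co.uk":
        "v=spf1 ip4:203.0.113.0/24 -all",
    "mail._domainkey.acmeconsultingpartnersltd.co.uk":
        "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.acmeconsultingpartnersltd.co.uk":
        "v=DMARC1; p=reject; adkim=r; aspf=r; "
        "rua=mailto:dmarc-reports@acmeconsultingpartnersltd.co.uk",
}

# Simplified organisational-domain rule; real receivers use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

def org_domain(domain):
    """'mail.acme.co.uk' -> 'acme.co.uk'; 'mail.example.com' -> 'example.com'."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_tags(record):
    """Parse a 'k=v; k=v' record (DKIM/DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_check(mail_from_domain, client_ip, dns=DNS_TXT):
    """Evaluate 'ip4:' mechanisms and 'all'; other mechanisms (include, a, mx)
    are treated as non-matching to keep the example short."""
    record = dns.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for mech in record.split()[1:]:
        qualifier = "+"
        if mech[0] in verdict:
            qualifier, mech = mech[0], mech[1:]
        if mech == "all" or (mech.startswith("ip4:")
                             and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return verdict[qualifier]
    return "neutral"

def dmarc_policy(from_domain, dns=DNS_TXT):
    """Look up _dmarc.<From domain>, then _dmarc.<organisational domain>."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        record = dns.get("_dmarc." + candidate, "")
        if record.startswith("v=DMARC1"):
            return parse_tags(record)
    return None

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, client_ip, mail_from_domain,
                   dkim_result, dkim_domain, dns=DNS_TXT):
    """Return (dmarc_result, action): DMARC passes if SPF or DKIM passed AND
    that identifier aligns with the From: domain; otherwise apply the policy."""
    policy = dmarc_policy(from_domain, dns)
    if policy is None:
        return "none", "deliver"          # no rulebook published: nothing to enforce
    spf_ok = (spf_check(mail_from_domain, client_ip, dns) == "pass"
              and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass"
               and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    actions = {"reject": "reject", "quarantine": "quarantine", "none": "deliver"}
    return "fail", actions.get(policy.get("p", "none"), "deliver")

if __name__ == "__main__":
    acme = "acmeconsultingpartnersltd.co.uk"
    lookalike = "acmeconsultingpartnerltd.co.uk"   # the post's missing-"s" domain
    print(evaluate_dmarc(acme, "203.0.113.10", acme, "pass", acme))       # genuine
    print(evaluate_dmarc(acme, "198.51.100.7", acme, "none", None))       # forged
    print(evaluate_dmarc(lookalike, "198.51.100.7", lookalike, "none", None))
```

The three calls at the bottom mirror the story: genuine Acme mail passes, a forgery of Acme's real domain from an unlisted server is rejected because Acme published p=reject, and mail from the lookalike domain gets no policy at all because nobody published one for it. That last result is the point of the post: the checks only protect a domain whose owner set them up, and only at receivers that run them.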
The Setup: Everything Looked Legit… Until It Wasn’t
ACME Consulting Partners Ltd, a UK SME, had set up SPF, DKIM, and DMARC. That meant no one could send fake emails pretending to be from @acmeconsultingpartnersltd.co.uk.
Inside their own business, things were locked down. If someone tried to send an email using Acme’s domain without permission, it would be blocked. But the criminals found another way.
The Attack: A Lookalike Domain Targets the Supply Chain
A trusted supplier, a printing company, received an email from finance@acmeconsultingpartnerltd.co.uk.
Notice the difference? The “s” was missing from “Partners.” Easy to overlook at a glance.
The email looked authentic: correct CEO name, familiar tone, company logo. It asked for brochures to be delivered to a new address and included instructions to send the invoice to a new “finance contact.”
Because the supplier’s email system didn’t check SPF, DKIM, or DMARC, it couldn’t tell the difference between the real company and the fake. The supplier nearly processed the request, until a phone call with the real CEO uncovered the scam.
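SPF, DKIM and DMARC answer the question "did this message really come from the domain it claims?"; whether that domain is the partner you expect is a separate question. The check below, an added example and not code from the original post, is the kind of rule a supplier's mail filter or a finance team's inbox tooling can run: it compares the sender's domain with a list of known partner domains and flags near-misses such as the missing "s" in the story, confusable letter pairs like "rn" for "m", and look-alike Unicode characters. The partner list, the sample addresses and the two-edit threshold are all constructed for the example.

```python
"""Lookalike-domain check for inbound mail against known partner domains.

Added example, not the post's code. The partner list and sample From:
headers are constructed; the two-edit threshold is a starting point to tune.
"""
from email.utils import parseaddr

# Constructed list of domains this (fictional) supplier expects mail from.
TRUSTED_PARTNER_DOMAINS = [
    "acmeconsultingpartnersltd.co.uk",
    "northern-inks.co.uk",               # constructed second partner
]

# Character sequences that look alike at a glance, mapped to one "skeleton".
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l"}
LOOKALIKE_MAX_EDITS = 2

def sender_domain(from_header):
    """Extract and normalise the domain from a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    try:  # compare Unicode domains in their punycode (xn--) form, as DNS does
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain

def skeleton(domain):
    """Collapse confusable sequences so 'acrne' and 'acme' compare equal."""
    for seq, replacement in CONFUSABLES.items():
        domain = domain.replace(seq, replacement)
    return domain

def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(from_header, partners=TRUSTED_PARTNER_DOMAINS):
    """Classify the sender as 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return {"domain": "", "verdict": "unknown", "closest": None, "distance": None}
    try:  # what a person sees on screen; identical to `domain` for plain ASCII
        shown = domain.encode("ascii").decode("idna")
    except UnicodeError:
        shown = domain
    def distance(partner):
        return min(edit_distance(domain, partner), edit_distance(shown, partner))
    closest = min(partners, key=distance)
    result = {"domain": domain, "verdict": "unknown",
              "closest": closest, "distance": distance(closest)}
    if domain == closest or domain.endswith("." + closest):
        result["verdict"] = "trusted"      # the partner's domain or one of its subdomains
    elif (result["distance"] <= LOOKALIKE_MAX_EDITS
          or skeleton(shown) == skeleton(closest)
          or any(p.split(".")[0] in domain for p in partners)):
        result["verdict"] = "lookalike"    # near-miss, confusable or embedded partner name
    return result

if __name__ == "__main__":
    for header in ("ACME CEO <finance@acmeconsultingpartnersltd.co.uk>",
                   "ACME CEO <finance@acmeconsultingpartnerltd.co.uk>",   # missing "s"
                   "finance@acrneconsultingpartnersltd.co.uk",            # "rn" for "m"
                   "orders@bigprintsupplies.example"):
        print(assess_sender(header))
```

A "lookalike" verdict is a reason to hold the message for a human check, not proof of fraud on its own; the distance and the closest partner in the result give the person reviewing it the exact difference to look at, which is what the supplier in the story only found out by phoning the real CEO.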
What Went Wrong?
· Acme’s defences worked — their true domain was protected against impersonation.
· The criminals sidestepped that protection by registering a lookalike domain (a fake domain name that looks almost identical to the real one).
· The supplier’s email system wasn’t set up to check for authentication — so it let the fake message straight in.
This is a textbook case of CEO fraud (also called Business Email Compromise) — and it’s one of the fastest-growing cyber crimes affecting SMEs today.
How DMARC Helps Protect Against CEO Fraud
Because Acme had DMARC, nobody could send emails pretending to be from their real domain. Those would be rejected automatically.
The issue came from the fake domain, something DMARC can’t stop criminals from registering. But if the supplier had also been using SPF, DKIM, and DMARC checks, the suspicious email would have been flagged or blocked before it reached their inbox.
In short:
· Acme’s own emails were safe.
· The supplier’s lack of checks made them the weak link.
Key Takeaways
1. Your business is part of a chain. If your partners aren’t secure, you’re still at risk.
2. Lookalike domains are dangerous. Criminals rely on tiny differences people don’t spot.
3. Every business should have email authentication. SPF, DKIM, and DMARC are essential.
4. Staff training saves money. A quick verification call prevented a major loss here.
What You Can Do Next
· Test your own domain: Use a free online tool to Check Your Email Security and see if you have SPF, DKIM, and DMARC in place.
· Encourage your suppliers: Share this blog and explain why these protections matter for them too. Use this Email security and anti-spoofing guidance.
· Enforce your policy: Once your email setup is correct, move DMARC to “reject” to stop fakes.
· Keep awareness high: Remind staff never to act on unexpected payment or invoice changes without checking first.
CEO fraud works because it preys on trust. Criminals don’t just target your inbox, they exploit suppliers, vendors, and partners to sneak around your defences.
Setting up SPF, DKIM, and DMARC is one of the simplest and most effective steps you can take to protect your business identity in email. But the bigger win comes when everyone you work with uses them too.
Together with staff training and simple verification processes, these protections can stop fraud before it costs your business thousands.
Need help setting up or reviewing your DMARC policy?
Get in touch with the South East Cyber Resilience Centre: we help businesses secure their domains and keep impostors out of their inboxes.
Joining is free, quick, and easy at www.secrc.police.uk/join