Business Email Compromise — CEO Fraud

How This Attack Works

Attackers spoof or compromise the email account of a company's CEO, CFO, or senior executive and send urgent wire transfer or gift card purchase requests to finance staff. The message bypasses normal approval workflows using executive authority and confidentiality demands. Victims wire funds or purchase gift cards before discovering the account was fake.

Red Flags to Watch For

• ✗
  Wire or gift card request arrives by email alone — no phone or in-person confirmation
• ✗
  Executive is described as unavailable or in a confidential meeting
• ✗
  Request emphasizes secrecy: "do not loop in anyone else on this"
• ✗
  Sender domain has a subtle variation — one extra letter, hyphen, or different TLD
• ✗
  Transfer destination is a new, previously unused bank account
• ✗
  High urgency: transaction must complete today before a deadline

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

• ceo-urgent-request.comMALICIOUS
• exec-wire-approval.netMALICIOUS
• company-cfo-request.comMALICIOUS
• finance-auth-portal.netMALICIOUS

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.