Email Security Blog

The Ins and Outs of CEO Impersonation

The boss needs your help and it’s urgent!

It’s fair to say that when the boss – or even the boss’s boss – says ‘jump’, you do.  It’s what keeps us employed, and maybe even favored.  Don’t ask questions, just get the job done. 

Well, that’s exactly what an unnamed finance executive working for toymaker Mattel did. Had it not been for the FBI stepping in and a little luck with a bank holiday, the company would have lost more than $3 million to cybercrime.¹ And that adds up to a whole lot of Barbie dolls.

As the story goes, Mattel had just hired a new CEO, by the name of Christopher Sinclair.  Hackers devised a very savvy phishing email scheme, centered around CEO impersonation. They did their homework ahead of time and understood the Mattel payment processes as well as executive clearance levels.  Once they were ready, they went after one of the executives in the finance department who had the authority to approve large transfers of cash.  The phishing email appeared to come from Christopher Sinclair and asked for a new vendor in China to be paid.  The company was preparing to expand their operations in China so nothing seemed out of line. Mattel’s protocol required two executives to approve a payment of this size – she was one and the CEO was the other.  The money was sent to the Bank of Wenzhou, China.

When the finance executive mentioned the transaction to Sinclair shortly thereafter, they quickly discovered they were victims of an elaborate CEO impersonation phishing scam. They contacted the proper authorities and, in the end, they got lucky. The next day was a bank holiday in China and the FBI had time to work with local officials in Wenzhou to recover the funds.

CEO impersonation goes by various names, including Business Email Compromise, or BEC for short, and email account compromise. Regardless of what you call it, it’s costly. In 2019, the FBI’s Internet Crime Complaint Center (IC3) recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses.² Sadly, this billion-dollar price tag will likely pale in comparison to the 2020 figure. With so many remote workers due to COVID-19, there are fewer opportunities for employees to have a face-to-face chat with their boss over email requests that are actually phishing scams.

So, what is a company to do?  First, educate yourself and your employees.  Simply knowing what CEO impersonation and business email compromise are helps in the fight against cybercrime.  Secondly, understand that battles of this magnitude cannot be fought alone.  These cybercriminals are using LinkedIn and social media to understand their targets beforehand. You need to have mechanisms in place to alert staff members of all types of potential cybercrime – and there are many other forms outside of CEO impersonation.

That’s where INKY comes in.   As the nation’s leading anti-phishing software, INKY sees things we can’t and detects forgery on many levels using computer vision, artificial intelligence, and machine learning.  Then, the INKY banner system alerts employees of potential fraud and phishing scams on all suspicious emails.  As a result, your company quickly goes from “at risk” to protected.

If you would like to learn more about CEO impersonation, see some actual examples, and learn why INKY is so good at stopping these phishing attacks, take a few moments to read our guide, Understanding Phishing – CEO Impersonation.  Then, call us for a free demonstration to see just how well we can protect your company.

This blog was updated on December 9th, 2021.


¹ Source: https://www.cbsnews.com/news/mattel-vs-chinese-cyberthieves-its-no-game/

² Source: https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120