Email Security Blog

The Ins and Outs of CEO Impersonation

The boss needs your help and it’s urgent!

It’s fair to say that when the boss – or even the boss’s boss – says ‘jump’, you do. It’s what keeps us employed, and maybe even favored. Don’t ask questions, just get the job done.

Well, that’s exactly what an unnamed finance executive working for the toymaker Mattel did. Had it not been for the FBI stepping in and a little luck with a bank holiday, the company would have lost more than $3 million to cybercrime.1 And that adds up to a whole lot of Barbie dolls.

As the story goes, Mattel had just hired a new CEO, by the name of Christopher Sinclair. Hackers devised a very savvy phishing email scheme, centred around CEO impersonation. They did their homework ahead of time and understood the Mattel payment processes as well as executive clearance levels. Once they were ready, they went after one of the executives in the finance department who had the authority to approve large transfers of cash. The phishing email appeared to come from Christopher Sinclair and asked for a new vendor in China to be paid. The company was preparing to expand their operations in China so nothing seemed out of line. Mattel’s protocol required two executives to approve payment of this size – she was one and the CEO was the other. The money was sent to the Bank of Wenzhou, China.

When the finance executive mentioned the transaction to Sinclair shortly thereafter, they quickly discovered they were victims of an elaborate CEO impersonation phishing scam. They contacted the proper authorities and, in the end, they got lucky. The next day was a bank holiday in China and the FBI had time to work with local officials in Wenzhou to recover the funds.

CEO impersonation goes by various names, including Business Email Compromise, or BEC for short, and email account compromise. Regardless of what you call it, it’s costly. In 2020, the FBI’s Internet Crime Complaint Center (IC3) recorded 19,369 complaints about BEC, which resulted in more than $1.8 billion in losses.2 Costs per incident also accelerated, going from $74,723 in 2019 to $96,373 in 2020. That’s an increase of more than $21,600 each.2,3 Sadly, these expensive price tags could pale in comparison to the 2021 figures. With so many companies now working remotely, there are fewer opportunities for employees to have a face-to-face chat with their boss over email requests that are actually phishing scams.

So, what is a company to do? First, educate yourself and your employees. Simply knowing what CEO impersonation and business email compromise are helps in the fight against cybercrime. Secondly, understand that battles of this magnitude cannot be fought alone. These cybercriminals are using LinkedIn and social media to understand their targets beforehand. You need to have mechanisms in place to alert staff members to all types of potential cybercrime – and there are many other forms outside of CEO impersonation.

That’s where INKY comes in. As the nation’s leading anti-phishing software, INKY sees things we can’t and detects forgery on many levels using computer vision, artificial intelligence, and machine learning. Then, the INKY banner system alerts employees to potential fraud and phishing scams on all suspicious emails. As a result, your company quickly goes from “at-risk” to protected.

If you would like to learn more about CEO impersonation, see some actual examples, and learn why INKY is so good at stopping these phishing attacks, take a few moments to read our guide, Understanding Phishing – CEO Impersonation. Then, call us for a free demonstration to see just how well we can protect your company.

----------------------

INKY™ is the most effective hero in the war against phishing. An award-winning cloud-based email security solution, INKY™ prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY™ is the smartest investment you can make in the security of your organization. INKY™ is a proud winner of the SINET 16 Innovation Award and was a finalist in the RSAC Innovation Sandbox Competition. Learn more about INKY™ or request an online demonstration today.

1Source: https://www.cbsnews.com/news/mattel-vs-chinese-cyberthieves-its-no-game/

2Source: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

3Source: https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120
