Combating 'CEO' Fraud Scams

28 October 2020

Business Email Compromise (BEC), Email Account Compromise (EAC) or Authorized Push Payment (APP) scams (sometimes also known as “CEO fraud”) are the scourge of boardrooms around the world. If there was ever a type of fraud to engender angst, this is it. While ransomware has had all the column inches in the press, BEC/EAC and APP scams have netted the most money for cyber criminals, and the figure is rising year on year. In the UK alone, the value of APP frauds has risen from £354m in 2018 (over 84,000 cases) to £413m (over 108,000 cases) for the rolling year ending June 2019 (figures from UK Finance).

In September 2019, the FBI, based upon victim notifications between June 2016 and July 2019, reported the value of domestic and international incidents as $26bn (over 166,000 cases). AIG released their own statistics in July 2019 showing that in 2018, BEC accounted for 23% of cyber insurance claims received from Europe, the Middle East and Asia. Ransomware stood at 18%.

In simple terms, a typical BEC is a spoofed email asking you to urgently pay money to a new bank account.

There are two main ways that the fraudsters get a foothold in your system: brute-force password attacks (often helped by credentials exposed in previous breaches, reported at https://) and phishing attacks that entice the user to disclose their username and password.

Schillings recommends the following to avoid falling victim to a BEC/EAC or APP scam:

  • Use two-factor or multi-level authentication for your main personal / critical business email accounts
  • Be suspicious of any emails requesting fast actions, especially if not following your normal procedures
  • Make a phone call to check changes of bank account
  • Monitor bank accounts on a regular basis for irregularities e.g. missing deposits
  • Verify the email address used to send emails, especially when using a mobile device, ensuring the sender's actual email address matches who the message claims to be from
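The last three recommendations can be partly automated on the receiving side. The following is an added example, not Schillings' code or part of the original article: it parses a raw email with Python's standard library and flags the header patterns that typically accompany a BEC attempt, namely a display name that shows one address while the real sender is another, a Reply-To pointing at a different domain from the From address, an urgent subject line, and a body that mentions a change of bank details (which the article says should be confirmed by phone). Both sample messages and the keyword lists are constructed for illustration; the domains are placeholders and the tool is a triage aid, not a verdict.

```python
"""Flag header and content patterns common in BEC-style emails.

Added example for illustration; not the article's or Schillings' code.
Uses only the Python standard library so it runs offline.
"""
import email
import re
from email.utils import parseaddr

# Looks for an email address embedded inside a display name, e.g.
#   From: "Jane Smith <jane.smith@example.com>" <attacker@other.example>
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Illustrative keyword lists (assumption: tune these to your own mail flow).
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")
BANK_PHRASES = ("new account", "bank details", "account number", "new bank")


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    findings = []

    # 1. Display name vs. real sender address (the "verify the sender" check).
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    embedded = EMAIL_RE.search(display_name)
    if embedded and embedded.group(0).lower() != from_addr:
        findings.append(("display-name-mismatch",
                         f"display name shows {embedded.group(0)} "
                         f"but the real sender is {from_addr}"))

    # 2. Reply-To that redirects answers to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(("reply-to-domain-mismatch",
                         f"replies go to {reply_to}, not to {from_addr}"))

    # 3. Pressure to act fast, outside normal procedure.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(("urgent-subject", subject))

    # 4. Any mention of changed bank details: confirm by phone before paying.
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace").lower()
    if any(phrase in text for phrase in BANK_PHRASES):
        findings.append(("bank-detail-change",
                         "body refers to a change of bank details; confirm by phone"))
    return findings


# Constructed sample: a message showing all four warning signs.
SUSPICIOUS_MESSAGE = b"""\
From: "Jane Smith (CEO) <jane.smith@example.com>" <urgent-payments@example-mail.net>
Reply-To: jane.smith@example-reply.net
To: finance@example.com
Subject: Urgent: update supplier bank details today

Please pay the attached invoice to the new account before 5pm.
I am in meetings all day, so email only.
"""

# Constructed sample: an ordinary internal message that should not be flagged.
CLEAN_MESSAGE = b"""\
From: "Jane Smith" <jane.smith@example.com>
To: finance@example.com
Subject: Minutes from Monday

Attached are the minutes from Monday's meeting.
"""


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(f"{label}:")
        for code, detail in check_message(raw) or [("ok", "no findings")]:
            print(f"  [{code}] {detail}")
```

Run on the suspicious sample it reports all four findings; on the clean sample it reports none. The display-name check is the one most worth keeping: mobile mail clients often show only the display name, which is exactly the gap the article's last recommendation warns about.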

This was first published on 26 October 2020 and you can download your copy here.


About the Author

Peter Yapp


Peter started his career in investigation and has been a leader in the field of computer forensics for nearly three decades.


© 2021 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.
