Recently, our company has experienced a wave of CEO fraud emails. None of our team members were caught by them, but the experience was still a sharp reminder of how persistent and convincing these scams have become.
It also reinforced something important. CEO fraud is often treated as a phishing problem or a cybersecurity issue. That is true, but it is only part of the picture.
In reality, CEO fraud is also a financial crime risk. Its purpose is not simply to deceive someone by email. Its purpose is to get money moving, to alter beneficiary details, to bypass internal controls, or to push someone outside normal process. That is exactly why it should matter to fraud, compliance, and anti-money laundering teams.
What is CEO fraud?
CEO fraud is a form of business email compromise in which criminals impersonate a senior executive, founder, director, finance lead, or another trusted authority figure. The goal is usually to pressure an employee, supplier, or service provider into taking urgent action.
That action may involve making a payment, changing banking details, sharing confidential information, or handling a matter outside the usual approval process.
The tactic itself is not new, but it remains effective because it relies on something simple: trust. When a message appears to come from senior leadership and creates urgency, people can be pushed to act before they verify.
Why this matters in South Africa
This is not an abstract or distant risk. South African organisations have already had to warn the public about executive impersonation scams. City Power recently alerted businesses and service providers to a fraud scheme involving scammers impersonating its CEO in connection with a fake tender approach.
That example matters not because it is unique, but because it shows that this kind of fraud is not limited to small firms or isolated incidents. Larger institutions are being impersonated too. Criminals are willing to use the names of real executives and known organisations in order to create legitimacy and urgency.
In the South African context, that is especially relevant. Executive impersonation can overlap with supplier onboarding, procurement activity, tenders, invoice payments, and urgent operational requests. That makes the risk practical, local, and highly relevant to businesses across sectors.
Why CEO fraud is also an AML issue
This is where the discussion often needs to go further.
Many organisations still respond to CEO fraud as though it belongs only to the IT team or awareness training. But if the scam succeeds, the real damage happens after the email.
Once a fraudulent payment is made, or once funds are redirected into an illegitimate account, the issue moves beyond impersonation. It becomes a matter of suspicious financial activity. Funds may be transferred into mule accounts, moved rapidly through intermediary accounts, split across transactions, or withdrawn before recovery is possible.
That is where the connection to AML becomes clear.
A successful CEO fraud event can generate suspicious transactions, unusual beneficiary activity, and the movement of possible proceeds of crime through the financial system. In other words, the email is only the entry point. The real objective is the movement of money.
For businesses operating in the AML space, that distinction matters. CEO fraud is not only a people problem. It is also a control problem and a financial crime problem.
The real weakness is often control design
One of the most useful lessons from experiencing a wave of CEO fraud emails is that these attacks are not only testing whether employees can spot a suspicious message.
They are also testing whether a business can be pushed outside its normal controls.
If one message can trigger an exception to a payment process, a last-minute banking detail change, or an urgent transfer without proper verification, then the weakness is not just awareness. It is the design of the process itself.
That is why CEO fraud should not be viewed only as a training issue. It should also prompt questions such as:
- How easily can payment controls be bypassed?
- How are beneficiary changes verified?
- Are fraud and AML teams alerted when impersonation attempts occur?
- Would suspicious payment activity be escalated quickly enough if a scam succeeded?
These are control questions as much as they are awareness questions.
Common CEO fraud red flags
Although these scams can take different forms, there are recurring warning signs that businesses should take seriously:
- urgent payment requests that bypass standard approval channels
- requests to change supplier banking details without proper verification
- instructions that rely on secrecy or unusual urgency
- emails sent from lookalike domains or unfamiliar addresses
- procurement or tender-related communications outside official processes
- pressure to use private cellphone numbers or personal email addresses
- messages that do not match the executive’s usual tone, authority, or process
These red flags are relevant whether the target is a private business, a supplier, or a public sector organisation.
Why AML professionals should pay attention
For AML professionals, CEO fraud should be seen as part of a broader financial crime typology. It sits at the intersection of social engineering, fraud, suspicious fund movement, and possible money laundering activity.
That makes it relevant to several core control areas, including:
- payment verification
- beneficiary and counterparty monitoring
- fraud escalation
- suspicious transaction detection
- money mule risk awareness
- internal financial crime training
It is easy to be reassured when staff do not fall for a scam. That is certainly a positive outcome. But unsuccessful fraud attempts still contain useful information. They reveal where criminals believe an organisation may be vulnerable and which control points they are trying to exploit.
That makes these emails more than a nuisance. They are signals.
What businesses should do
A stronger response to CEO fraud requires more than awareness messaging alone.
Strengthen verification controls
No urgent executive request, supplier banking change, or unusual payment instruction should be actioned without independent verification through a trusted and pre-existing channel.
Tighten beneficiary change processes
Changes to supplier or customer banking details should be subject to clear verification procedures and dual controls.
Connect fraud, finance, and AML functions
If a suspicious impersonation attempt is identified, it should not stop at the inbox. Relevant teams should assess whether related payment attempts, beneficiary changes, or unusual transaction patterns need closer monitoring.
Train staff using real operational scenarios
Training should go beyond generic phishing warnings. It should reflect the way these scams actually appear in procurement, vendor payments, finance approvals, and executive communications.
Treat attempted scams as useful intelligence
Even when no loss occurs, attempted CEO fraud can reveal control weaknesses, approval gaps, or areas where escalation needs to improve.
Conclusion
CEO fraud in South Africa should not be treated as only a cyber issue. It is also a fraud risk and an AML risk.
The message may begin in an inbox, but the real objective is to move money, bypass controls, and create suspicious financial activity that can quickly become much harder to unwind.
Our recent experience with a wave of CEO fraud emails was a reminder of exactly that. Fortunately, no one in our business was caught by the scam. But the bigger lesson was not just about vigilance. It was about recognising that executive impersonation is testing far more than awareness. It is testing the strength of an organisation’s controls.
For businesses in the AML space, that means the response should go beyond awareness campaigns. It should include stronger verification processes, tighter payment controls, closer coordination between fraud and AML teams, and a clearer understanding of how CEO fraud fits into the wider financial crime landscape.
If your business is seeing signs of executive impersonation, payment fraud, or other suspicious financial activity, now is the time to strengthen your controls. Speak to us about improving your fraud detection, AML monitoring, and financial crime response framework.