Spot the three dominant CEO fraud / whaling patterns in 2026 — urgent CEO wire-transfer emails, deepfake video instructions on Zoom / Teams, and fake supplier bank-account-change requests — with the procurement controls that defeat them.
Last reviewed: 13 May 2026 · ScamSupport research
CEO fraud (whaling) in 2026: the economic context
CEO fraud, also called whaling because it targets the “big fish”, is a Business Email Compromise (BEC) variant where criminals impersonate senior executives to authorise urgent payments outside the standard approval workflow. UK Finance’s 2025 Annual Fraud Report attributed over £110m in UK business losses to BEC variants, with whaling the largest sub-category by average loss-per-incident (typically £30,000-£180,000 per successful attack).
2024-2026 has seen the attack pattern evolve in two directions: (a) email-only attacks remain by far the largest volume, exploiting trust in displayed sender names and the absence of out-of-band verification, and (b) deepfake video and voice attacks have crossed the consumer-cost threshold — we now see UK SMEs targeted with brief deepfake CEO Zoom / Teams calls reinforcing an urgent email request. The defence is the same in both cases: out-of-band verification through a known-good channel before any payment exits.
Three CEO fraud / whaling variants currently in circulation
Variant 1 — Classic urgent-payment CEO email
From: Either a spoofed display name on a near-lookalike domain (j.smith@company-name.co instead of .co.uk), or a compromised real executive account.
Subject: “Urgent — please action before close of business” / “Confidential transfer required” / “Can you handle this quickly?”
Body: The “CEO” explains they’re in a meeting / on a flight / mid-acquisition negotiation and need an urgent transfer to a new supplier / legal escrow / acquisition target. The amount is typically £15k-£180k. The recipient (finance director, finance manager, accounts payable, sometimes the CEO’s PA) is asked to keep the matter confidential and not to call back.
Red flags:
The sender domain doesn’t exactly match your company’s. Examples of spoofed lookalikes: company-name.co instead of company-name.co.uk, company-name-uk.com instead of company-name.com, missing letters, transposed characters. Always check the full sender address (after “@”), not just the display name.
Urgency outside normal workflow. Real CEO payment authorisations follow established procurement / treasury workflows. “Outside normal channels” framing is itself the diagnostic feature.
“Don’t mention this to anyone” / “confidential between us”. Real corporate payments require multiple sign-offs, even at CEO level. Confidentiality framing suppresses verification.
Refusal of voice / video verification. “I’m in a meeting, can’t talk now”. A real executive making a non-routine payment request is happy to be called back — the verification call protects them too.
New supplier / new bank details. Verify against the standing supplier list. Real new supplier onboarding goes through procurement, not via direct CEO email instruction.
Payment to a UK-personal or overseas account. Most legitimate corporate payments go to corporate bank accounts at UK or established overseas banks. Personal accounts or unusual offshore destinations are diagnostic.
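The sender-address check described in the red flags above, written out as a small Python triage routine. This is an added example, not ScamSupport's own tooling: it parses the From header, accepts only an exact match against the company's own domains, flags lookalikes (same name on a different TLD, extra or missing labels, transposed or dropped letters), and flags any external address that carries a senior executive's display name. The company domains, executive names and sample headers are constructed for illustration.

```python
"""Sender-address triage for CEO-fraud red flags (added example, not ScamSupport code).

INTERNAL_DOMAINS, EXECUTIVES and SAMPLE_HEADERS are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: the organisation's own mail domains (list subdomains explicitly if used)
INTERNAL_DOMAINS = {"company-name.co.uk"}
# Constructed: display names of the senior leadership team, lower-cased
EXECUTIVES = {"jane smith", "john smith"}


def registrable_label(domain: str) -> str:
    """First label of a domain: 'company-name' for company-name.co.uk or company-name.co."""
    return domain.lower().split(".", 1)[0]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # transposition: 'compnay' vs 'company' costs 1, not 2
            if prev2 is not None and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Check the full address after '@', not the display name, and report lookalike flags."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if domain in INTERNAL_DOMAINS:
        verdict = "internal"
    else:
        verdict = "external"
        for internal in INTERNAL_DOMAINS:
            ours, theirs = registrable_label(internal), registrable_label(domain)
            if theirs == ours:
                # company-name.co instead of company-name.co.uk
                flags.append("lookalike: same name, different TLD")
            elif ours in theirs or edit_distance(ours, theirs) <= 2:
                # company-name-uk.com, missing letters, transposed characters
                flags.append("lookalike: near-match of internal domain")
        if display.strip().lower() in EXECUTIVES:
            flags.append("external sender using an executive's display name")
    return {"display": display, "address": addr, "domain": domain,
            "verdict": verdict, "flags": flags}


# Constructed sample From headers covering the patterns in the red-flag list
SAMPLE_HEADERS = [
    "Jane Smith <j.smith@company-name.co.uk>",      # genuine internal address
    "Jane Smith <j.smith@company-name.co>",         # wrong TLD
    "Jane Smith <jane.smith@company-name-uk.com>",  # extra label
    "Jane Smith <j.smith@compnay-name.co.uk>",      # transposed characters
    "Jane Smith <jane.smith@gmail.com>",            # webmail with executive's name
    "Acme Payroll <noreply@acme-payroll.example>",  # unrelated external sender
]


def triage(headers=SAMPLE_HEADERS) -> list:
    """Classify each header; anything with flags should go to out-of-band verification."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for result in triage():
        print(result["address"], result["verdict"], result["flags"])
```

The edit-distance threshold of 2 is deliberately loose: a false positive here costs a callback, a false negative costs a wire. Real mail-filtering rules (Microsoft 365, Google Workspace, Mimecast) do the equivalent at the gateway; this routine is useful for spot-checking a suspicious message after the fact.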
Variant 2 — Deepfake CEO video on Zoom / Teams (BEC + video)
How it presents: A finance / payroll / M&A staff member receives a brief calendar invitation for an urgent Zoom or Teams call with the “CEO”, “CFO”, or external counsel. On the call, the executive’s face and voice appear (deepfake video + voice clone). They verbally instruct the staff member to make a transfer to a new supplier / acquisition target / legal escrow account before close of business. Often paired with a follow-up email from a lookalike domain to add written authority.
Red flags:
The call is unusually short. Deepfakes degrade over time; scammers keep calls under 5 minutes. Real CEO instructions often warrant longer discussion.
The executive’s blink rate is off, lip-sync slightly lags, the face is preternaturally still. See our deepfake detection guide for the full visual signal list. Apply the side-profile or three-fingers challenge: ask the executive to turn fully sideways or hold three fingers up next to their face. Real executives do this without comment; deepfakes degrade or have a sudden “connection problem”.
Calendar invite from outside the company’s domain. Real internal meetings come from your company’s own scheduling. Externally-routed Zoom links should ring alarms.
The new transfer destination is unknown. Cross-check against the standing supplier file before any signature / approval. Real new-supplier onboarding has documented authorisation.
Verification by callback is always available. Tell the executive on the call you’ll call back via their saved internal number / Slack / Teams DM. Real executives welcome the verification. Deepfakes cannot survive a callback to a verified channel.
Variant 3 — Fake supplier bank-account-change request
From: An email apparently from a legitimate existing supplier (often the impersonated supplier’s real domain has been spoofed, or a compromised account at the supplier sends the message). Sometimes from a lookalike of the supplier’s domain.
Subject: “Updated bank details for [Supplier Name]” / “Account changes — please update before next invoice”
Body: The supplier “has changed banking provider” / “is moving to a new account for compliance”. They provide new sort code / account number and ask the recipient to update the supplier record. The next invoice (or an existing invoice in dispute) gets paid to the criminal’s account.
Red flags:
Bank-account-change requests via email alone. Real supplier changes follow a documented process: countersigned letter on supplier letterhead, often verified by phone, sometimes requiring a signed agreement. Email-only requests are the diagnostic feature.
The sender address is from a lookalike domain or, alarmingly, from a compromised real address at the supplier. Always verify the change via a known-good supplier contact (the supplier’s switchboard, not a number provided in the email).
The new account is a personal account, a fintech (Wise, Revolut), or an offshore bank. Legitimate corporate suppliers use corporate UK banking. Personal-account destinations for invoice payments are scam-shaped.
Timing aligns with an upcoming invoice. Criminals time bank-account-change requests to land just before a known upcoming payment, exploiting the timing pressure.
Standard procurement control: two-person verification of any supplier-bank change via phone call to the supplier’s switchboard. Standard practice in mature procurement; absence of this control is the organisational vulnerability the scam exploits.
The procurement controls that defeat CEO fraud / whaling
Out-of-band verification on all payments above a threshold. Standard control: any payment over £5,000 (or your organisation’s threshold) requires a callback to the requestor on their saved internal number, not the number in the email. This single control defeats nearly all CEO fraud variants.
Two-person verification on supplier-bank-account changes. A change request is logged, then a second staff member calls the supplier on the known switchboard number to confirm. No exceptions.
Sender-domain pinning for the senior leadership team. Email rules that flag external messages claiming to be from internal executives. Microsoft 365, Google Workspace and Mimecast all support this control.
Internal payment safe-word. A pre-arranged phrase that finance staff demand for any phone-initiated payment instruction. Real executives know it; deepfakes don’t. Set this up before you need it.
Sandbox new suppliers. New suppliers are paid via the normal procurement onboarding flow (Companies House check, VAT registration check, bank account verification via small test payment). Direct CEO-instructed payments to new suppliers bypass these checks.
Brief the finance team on whaling specifically. Staff who handle payments need to know the pattern. Anti-fraud awareness training that includes whaling-specific roleplay catches more than generic phishing training.
Confidentiality framing is a flag. “Don’t mention this” / “between us” / “confidential” in a payment request is, in itself, a verification trigger — not a reason to comply.
Cyber-insurance pre-loss steps. Most UK cyber-insurance policies cover BEC including whaling, but require documented controls. Confirm your policy covers it, that your controls match the policy’s requirements, and that the incident-reporting timelines are known to the finance team.
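The approval controls above, and the two-person supplier-bank-change check from the Variant 3 red flags, modelled as a hold/release decision in Python. This is an added example, not ScamSupport's own code or any vendor's product: each request is checked against the standing supplier file, the callback threshold (the page's £5,000 example), the confidentiality trigger, the safe-word rule for phone or video instructions, and the new-supplier onboarding rule. The supplier file, safe word and sample requests are constructed.

```python
"""Payment-request control checks (added example, not ScamSupport code).

Supplier file, safe word and the sample requests below are constructed for illustration.
"""
from dataclasses import dataclass, replace

CALLBACK_THRESHOLD_GBP = 5_000          # the page's example out-of-band threshold
CONFIDENTIALITY_PHRASES = ("don't mention", "do not mention", "between us", "confidential")
SAFE_WORD = "constructed-safe-word"     # constructed; a real safe word is never stored in code
# Constructed standing supplier file: payee -> (sort code, account) verified at onboarding
SUPPLIER_FILE = {"Acme Stationery Ltd": ("11-22-33", "12345678")}
CALLBACK = "callback to requester on their saved internal number"


@dataclass
class PaymentRequest:
    requester: str
    amount_gbp: float
    payee: str
    sort_code: str
    account: str
    channel: str                          # "email", "phone" or "video"
    message: str = ""
    callback_verified: bool = False       # requester reached on saved number, not the one in the email
    second_person_confirmed: bool = False # second staff member confirmed details with supplier switchboard
    safe_word_given: str = ""             # phrase quoted on a phone/video instruction
    onboarded_via_procurement: bool = True


def evaluate(req: PaymentRequest) -> dict:
    """Return raised flags and outstanding controls; release only when nothing is outstanding."""
    flags, required = [], []

    def need(control: str) -> None:
        if control not in required:
            required.append(control)

    on_file = SUPPLIER_FILE.get(req.payee)
    if on_file is None:
        flags.append("payee not on standing supplier file")
        if not req.onboarded_via_procurement:
            need("route new supplier through procurement onboarding before payment")
    elif on_file != (req.sort_code, req.account):
        flags.append("bank details differ from supplier file")
        if not req.second_person_confirmed:
            need("second person to confirm change on the supplier's known switchboard number")

    if any(p in req.message.lower() for p in CONFIDENTIALITY_PHRASES):
        flags.append("confidentiality framing in request")   # a trigger, not a reason to comply
        if not req.callback_verified:
            need(CALLBACK)

    if req.amount_gbp > CALLBACK_THRESHOLD_GBP and not req.callback_verified:
        need(CALLBACK)

    if req.channel in ("phone", "video") and req.safe_word_given != SAFE_WORD:
        flags.append("voice/video instruction without the payment safe-word")
        if not req.callback_verified:
            need(CALLBACK)

    return {"decision": "release" if not required else "hold",
            "flags": flags, "required": required}


# Constructed: the Variant 1 urgent CEO email
CEO_EMAIL = PaymentRequest(
    requester="Jane Smith (CEO)", amount_gbp=45_000, payee="Meridian Escrow Services",
    sort_code="40-00-00", account="87654321", channel="email",
    message="Confidential, please don't mention this to anyone. In a meeting, can't talk.",
    onboarded_via_procurement=False)
# Constructed: the Variant 3 supplier bank-change email, before and after the second-person call
BANK_CHANGE = PaymentRequest(
    requester="accounts@acme-stationery.example", amount_gbp=3_200, payee="Acme Stationery Ltd",
    sort_code="60-00-00", account="11112222", channel="email",
    message="Updated bank details for Acme Stationery Ltd, please update before next invoice.")
BANK_CHANGE_CONFIRMED = replace(BANK_CHANGE, second_person_confirmed=True)
# Constructed: routine invoice matching the supplier file, under threshold
ROUTINE = PaymentRequest(
    requester="Finance Manager", amount_gbp=1_800, payee="Acme Stationery Ltd",
    sort_code="11-22-33", account="12345678", channel="email")
# Constructed: the same instruction given on a video call, with and without the safe word
VIDEO_WITH_SAFE_WORD = replace(ROUTINE, channel="video", safe_word_given=SAFE_WORD)
VIDEO_WITHOUT_SAFE_WORD = replace(ROUTINE, channel="video")


if __name__ == "__main__":
    for name, req in [("ceo email", CEO_EMAIL), ("bank change", BANK_CHANGE),
                      ("bank change confirmed", BANK_CHANGE_CONFIRMED), ("routine", ROUTINE),
                      ("video + safe word", VIDEO_WITH_SAFE_WORD),
                      ("video, no safe word", VIDEO_WITHOUT_SAFE_WORD)]:
        print(name, evaluate(req))
```

The point of the structure is that every control is expressed as something a person has done (a callback, a second-person confirmation, a safe word quoted), never as something the request itself asserts. A deepfake call or a spoofed email can make the request look right; it cannot mark the callback as completed. In a real finance system the `callback_verified` and `second_person_confirmed` fields would be set by the staff member who performed the check, with their identity logged.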
If your business has been hit by CEO fraud
Call the recipient bank’s corporate fraud team immediately. Speed matters — transfers sometimes clear within hours but can be recalled if the bank acts before the funds move out. UK Faster Payments transfers are typically reversible only within 24-48 hours and only by mutual agreement of the originating and receiving banks.
Use the PSR Claim Wizard — PSR Mandatory Reimbursement covers up to £85,000 within 5 working days for APP fraud against businesses (some scope restrictions apply for larger businesses; consult your bank).
Notify your cyber-insurance provider within the policy reporting window (typically 24-72 hours from incident). Most policies have strict notice provisions; missing the window can void coverage.
Notify your bank’s relationship manager and freeze any pending transactions. Faster Payments above certain thresholds may have additional review windows.
Report to Report Fraud at 0300 123 2040 (UK national fraud reporting). Get the crime reference number for any subsequent recovery action or insurance claim.
For deepfake variants: preserve any meeting recordings if available (Zoom / Teams have automatic recording options that may have captured the deepfake). Useful for both investigation and as evidence in any subsequent disciplinary or criminal proceedings.
Notify the genuine executive who was impersonated. Real CEOs often want to issue a company-wide alert and review controls. This is also useful for any subsequent civil recovery action.
Engage an SRA-regulated solicitor for significant losses. Civil recovery against the receiving account holder, freezing orders, and Norwich Pharmacal Orders against the receiving bank may all be appropriate. Specialist commercial-fraud solicitors are listed at Fraud Lawyers Association.