CEO fraud: How to avoid falling for it? Your essential prevention checklist | Florbs
Sep 2, 2025
Tycho Klessens
Last week, we found out that someone was pretending to be me. Someone was sending out emails asking our team for wire transfers and WhatsApp numbers. And the emails looked real. They knew about our business. They created urgency. They asked for contact details, requesting immediate WhatsApp information for a "brief task."
Our system called it out immediately. That early warning gave us control. Without that extra shield, the request might have gone through. It made me think about what would have happened if we didn’t. Because the risk is not hypothetical. In reality, the question isn’t if this will happen again. It’s when. It’s how prepared you are for it. And readiness is what counts.
For Google Workspace teams, this is CEO fraud in real life. It starts in mail, pivots to a second channel, and aims for a transfer. And it’s happening to businesses everywhere.
Let’s take a deeper look at what it is, how it actually works, and how to prevent it.
What is CEO Fraud?
CEO fraud is a social engineering attack that impersonates a senior leader or a trusted vendor. The goal is simple: move money or sensitive data before anyone verifies the request. Attackers study your website, LinkedIn pages, and public records to gather names, roles, suppliers, and approval processes. They register domains that look almost right. They may even use a compromised mailbox to reply within an existing conversation.
That’s why the emails look so real. For Google Workspace teams, the entry point is Gmail.
The pattern starts there, with copied email threads and writing styles, and then it often shifts to a second channel: WhatsApp, SMS, or a phone call keeps the pressure high and reduces the chance of internal checks. The message requests a wire transfer, a change of bank details, or personal contact numbers for quick coordination. Everything is framed as urgent, important, and confidential.
From there, the blast radius grows through Drive and Calendar. None of this requires malware; it relies on trust and speed. Shared comments keep the thread alive, and each touch point increases the chance that someone acts on it:
A calendar block that adds time pressure.
A fake invoice that appears in a thread yet looks familiar.
A Drive link that gives false credibility.
Why do these attacks work so well?
Simple: they exploit trust and time pressure, which is exactly how teams want to work: fast, helpful, trusting.
When your finance team receives an email from the CEO requesting an urgent transfer, they want to help. They don’t want to question their boss or slow down important business.
Criminals know this psychology. They use authority and urgency to bypass your team’s natural caution. The FBI refers to this as “Business Email Compromise” (BEC), and now AI is making it even more dangerous.
The FBI specifically warns that criminals use AI to increase the credibility of their fraud attempts. By using AI tools, they can scale these attacks and make them incredibly believable. Voice cloning for phone calls. Perfect grammar in emails. Even fake video calls are becoming possible. And this evolution is showing in the numbers.
Real-world impact: In 2024, these attacks made up 73% of all cyber incidents, a massive jump as AI tools became widely available. And the financial impact has grown too: businesses are losing €6.2 billion globally each year, with an average loss per company of €126,000.
These aren’t small hits that companies can absorb. They’re business-changing losses.
So, what makes the difference? The companies that avoid these losses have one thing in common: they don’t rely on trust alone. They make verification automatic, not optional. When a transfer request comes in, verification happens every time, no matter who’s asking.
The companies getting hit, meanwhile, are the ones that think their team’s security training is enough, or that a quick phone call confirms everything. But with AI-generated voices and sophisticated social engineering, those old defenses aren’t holding up anymore.
The good news? You can make it difficult for cyberattackers when you know what you’re dealing with.

What should your team watch out for?
You’ve probably done security training. Your staff knows about phishing. They’re alert and careful. But here’s the problem: these attacks are getting so good that even trained people fall for them.
The emails targeting our team looked completely legitimate. They used real names, knew our business relationships, and created believable scenarios. Even knowing what to look for, they were convincing at first glance. We have made a checklist of what modern attacks look like:
Lookalike sender domains with one letter off
Compromised accounts and hijacked email threads
Vendor email compromise that swaps bank details on a real invoice
Request to pivot to phone, SMS, or WhatsApp to rush the decision
Video calls that mimic an executive using deepfakes (face and voice)
Red flags to train for
Urgent payment requests outside regular hours
Requests for secrecy that exclude named colleagues
New payment details for a known supplier
A change in tone from a familiar sender
A push to move to WhatsApp or a personal number
An email address that is close to yours but not an exact match
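Several of the red flags above can be checked mechanically on inbound mail before a person ever reads it. The following script is an added example, not Florbs code: it scores one constructed message (the trusted domain acmecorp.example and the phrase lists are assumptions) for a lookalike sender domain, a mismatched Reply-To, a push to another channel, urgency, secrecy, and payment language.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (not a real message): a lookalike sender domain, a Reply-To
# pointing elsewhere, secrecy, urgency, a wire transfer and a push to WhatsApp.
SAMPLE_EMAIL = """\
From: "Tycho (CEO)" <ceo@acme-corp.example>
Reply-To: ceo.office@webmail.example
Subject: Urgent and confidential

I am in a meeting all day. Keep this between us and do not loop in accounting.
Send me your WhatsApp number so I can brief you on a wire transfer that has
to go out today.
"""

TRUSTED_DOMAINS = {"acmecorp.example"}  # assumption: the organisation's own domain(s)
# Phrases for the red flags above; each hit adds a flag for a human to review.
PATTERNS = {
    "channel_pivot": r"\b(whatsapp|sms|text me|personal (number|phone))\b",
    "urgency": r"\b(urgent|today|immediately|asap|right away)\b",
    "secrecy": r"\b(confidential|between us|do not (loop in|tell|involve))\b",
    "payment": r"\b(wire transfer|bank details|new account|iban)\b",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches domains that are 'one letter off'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def red_flags(raw_email: str) -> set[str]:
    """Return the set of red flags found in one inbound message."""
    msg = message_from_string(raw_email)
    sender, reply_to = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = set()
    if sender not in TRUSTED_DOMAINS and any(edit_distance(sender, d) <= 2 for d in TRUSTED_DOMAINS):
        flags.add("lookalike_domain")  # near miss of a trusted domain
    if reply_to and reply_to != sender:
        flags.add("reply_to_mismatch")  # replies would go somewhere else
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    flags.update(name for name, pat in PATTERNS.items() if re.search(pat, text))
    return flags
```

A single flag is a reason to look, not a verdict; the combination of a lookalike domain, a channel pivot and a payment request is what should route the message to security and finance.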
Incident playbook you can copy
Do NOT reply to the email or message.
Verify the request on a known phone number from your directory.
Do NOT respond to the number in the email.
Flag the message to security AND finance.
Keep headers, logs, and screenshots.
If money was sent, call your bank’s fraud line immediately. Ask for a recall.
Where Google Workspace fits
Most CEO fraud starts with mail and ends with payments. Your Google Workspace setup can reduce the blast radius, but only if it is configured that way.
Practical steps you can take manually:
Enforce two-factor authentication for all users and all admins
Turn on alerts for new OAuth apps with high-risk scopes
Review third-party access and revoke what you do not need
Lock external Drive sharing to allowed domains where possible
Monitor for mass sharing, role changes, and odd login locations
These controls make social engineering less effective because access is limited and unusual moves trigger checks.
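The last step in the list, monitoring for mass sharing, role changes and odd login locations, is the one that needs logic rather than a setting. The script below is an added example, not Florbs code: it runs three such checks over constructed audit records (the field layout and the per-user country baseline are assumptions; the event names login_success, ASSIGN_ROLE and change_user_access are the ones Workspace audit logs use).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (not real log data) in a simplified shape: Workspace audit
# logs carry a timestamp, the actor, the application, the event name and the source.
EVENTS = [
    {"time": "2025-09-01T08:58:00Z", "actor": "cfo@acme.example", "app": "login", "event": "login_success", "country": "NL"},
    {"time": "2025-09-01T09:10:00Z", "actor": "cfo@acme.example", "app": "login", "event": "login_success", "country": "NG"},
    {"time": "2025-09-01T09:12:00Z", "actor": "cfo@acme.example", "app": "admin", "event": "ASSIGN_ROLE", "country": "NG"},
] + [  # 25 Drive sharing changes one minute apart: a burst of external sharing
    {"time": f"2025-09-01T09:{15 + i:02d}:00Z", "actor": "cfo@acme.example", "app": "drive", "event": "change_user_access", "country": "NG"}
    for i in range(25)
]

KNOWN_COUNTRIES = {"cfo@acme.example": {"NL", "DE"}}  # assumption: per-user login baseline
SHARE_THRESHOLD, SHARE_WINDOW = 20, timedelta(minutes=30)

def ts(event) -> datetime:
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))

def detect(events) -> list:
    """Return (actor, reason) alerts for unusual logins, role changes and mass sharing."""
    alerts = []
    shares = defaultdict(list)  # actor -> timestamps of sharing changes still in the window
    for e in sorted(events, key=ts):
        if e["app"] == "login" and e["country"] not in KNOWN_COUNTRIES.get(e["actor"], set()):
            alerts.append((e["actor"], "login from unusual country " + e["country"]))
        if e["app"] == "admin" and e["event"] in {"ASSIGN_ROLE", "UNASSIGN_ROLE"}:
            alerts.append((e["actor"], "admin role change: " + e["event"]))
        if e["app"] == "drive" and e["event"].startswith("change_"):
            window = shares[e["actor"]]
            window.append(ts(e))
            while ts(e) - window[0] > SHARE_WINDOW:  # drop events older than the window
                window.pop(0)
            if len(window) == SHARE_THRESHOLD:  # fire once, when the threshold is first crossed
                alerts.append((e["actor"], f"mass sharing: {SHARE_THRESHOLD} ACL changes in one window"))
    return alerts
```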
Bottom line
CEO fraud is personal and fast. It is also preventable.
But, here’s the hard truth: if you’re relying solely on Google’s built-in security and employee training, you could be vulnerable to the sophisticated attacks that are happening right now.
Take our 1-minute assessment to see how your Google Workspace security scores. We will highlight the gaps that matter most to your team today.
Because in Google Workspace security, what you don’t see definitely CAN hurt you.
→ Get Your Free Security Assessment
How Florbs helps
The fake emails targeting our team? They were flagged immediately because we use Florbs in-house. But imagine if we didn’t have it as a shield. And, what about other companies? How many businesses receive similar emails every day without knowing?
At Florbs, we help companies shield their Google Workspace from CEO fraud and other threats such as spear phishing, long before employees even see them. You can rest assured that when criminals target your Google Workspace, our intuitive platform will automatically detect suspicious emails, block fraudulent requests, and alert your security team in real time.

Florbs - The Security Shield for Your Google Workspace
While Google provides some built-in security features, the sophisticated attacks we’ve outlined often slip through the cracks because they abuse legitimate Google services.
That’s where Florbs comes in. We help you protect data at scale without slowing down collaboration. Through our intuitive platform, we give you complete control over your Google Workspace security from day one.
Automated Control. Complete oversight. Florbs gives you full visibility into your Workspace, letting you put critical security workflows on autopilot. Manage on/offboarding and policy enforcement across every team and user without the manual chase.
Always-on protection. Zero surprises. Florbs runs 24/7, spotting risky activity and locking it down before it impacts your business and reputation. We neutralize targeted attacks and insider threats before they become incidents.
Enterprise-level security. Without the Enterprise costs. Get enterprise-grade protection without the enterprise price tag. Florbs delivers advanced, expert-level security that works from day one. No specialized staff or costly consultants required.