Week 4: "Urgent money transfer" – CEO fraud remains a persistent threat to SMEs

27.01.2026 - CEO fraud is one of the types of fraud most frequently reported to the NCSC. Last year, the number of reported cases rose to 971, up from 719 the previous year. Reports received last week show that scammers are continuously refining their methods. They no longer rely solely on fake emails, but increasingly use psychological manipulation and artificial intelligence. This week’s review looks at how to recognise these subtle warning signs in everyday business.

In the fast pace of daily business, emails from superiors often set priorities. When senior management issues an instruction, it is usually carried out quickly and without question. This reflex is deliberately exploited in CEO fraud. Attacks often occur in waves and target SMEs and associations of all sizes. Scammers primarily rely on information from public sources. This means that companies, associations and communes that publish details about their staff or teams on their websites or social media are particularly at risk.

It all starts with research

Unlike mass phishing emails, CEO fraud requires careful preparation. Scammers analyse social networks such as LinkedIn, company websites, and the commercial register to identify hierarchies, responsibilities, and absences. They know exactly who has access to accounts in the finance department and who is authorised to issue instructions at management level.

We repeatedly receive reports of the following scenario: an employee in the finance department receives an email that appears to be from the CEO. The sender name is correct, and at first glance, the email address also appears legitimate. Only on closer inspection do inconsistencies become apparent. Scammers often use typosquatting domains – web addresses that closely resemble a legitimate domain name but contain small spelling changes.

Authority paired with time pressure

The message is usually framed as an urgent request. Common pretexts include:

  • An urgent payment to a foreign supplier, often followed by a question about the current or available account balance;
  • The purchase of gift cards or vouchers for partners, said to be required immediately.

Scammers apply psychological pressure. They use phrases such as "I’m counting on you to be discreet", "I’d be extremely grateful" or "Please pay this immediately" to stop employees from following normal security procedures or asking follow-up questions.

New scams on WhatsApp and using AI

CEO fraud does not only occur via email. Fraud attempts are increasingly being made via WhatsApp or by phone. A particularly worrying development is the growing use of artificial intelligence (AI). Scammers use AI tools to mimic the writing style of real people, down to their typical greetings and turns of phrase. As revealed last week in a case in the canton of Schwyz – in which a company lost several million Swiss francs – scammers are now also using deepfake audio calls and voice messages. In these cases, the voice of a manager or business partner is convincingly imitated using AI.

Manipulated video conferences created using AI have also been observed, but they currently appear to be too complex for widespread use. They are probably still in the experimental stage. Attackers are focusing more on phone calls and voice cloning.

Examples of CEO fraud via WhatsApp, asking whether the recipient is available for a phone call.

Lawyers as intermediaries – a recurring theme

We also regularly receive reports in which initial contact is made through lawyers. The names of real law firms based in Switzerland are used to create trust. In these cases, the supposed superior asks whether a specific lawyer has already been in touch regarding a confidential matter or an urgent mandate. Mentioning a third party is intended to lend credibility and add legal pressure. Victims are generally familiar with the habits and communication style of their manager or colleagues, but have no comparable point of reference when it comes to a lawyer they know only superficially, if at all. Consequently, scammers do not need to impersonate the lawyer as convincingly. They then typically pose as the lawyer in question and, under the pretext of strict confidentiality, demand an urgent international transfer.

Example of CEO fraud via WhatsApp in which the contact details of an alleged lawyer are shared.

Recommendations

The NCSC recommends that organisations implement technical and organisational safeguards.

  • Two-person principle (dual control): For payments or changes to master data (e.g. a supplier's new IBAN number), always require joint authorisation or approval by a second person.
  • Verification via a second channel: If you receive an email requesting a payment – especially if it is labelled "urgent" or "confidential" – call the person who sent it. Do not use the phone number provided in the email; instead, use a number you already know.
  • No exceptions: Clearly establish that security processes must not be bypassed, even – and especially – for instructions from senior management. Healthy scepticism should be recognised as a strength in organisational culture, not as disobedience.
  • Mark external emails: Configure your mail server to clearly mark emails from external senders in the subject line or message body (e.g. "EXTERNAL"). This makes it immediately obvious when an email supposedly from the (internal) CEO is actually sent from an external address.
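
The external-sender marking recommended above, combined with a check for the typosquatting domains described earlier, as an added example that is not NCSC code. The domain example-sme.ch, the name Anna Muster, the function names and the sample messages are constructed assumptions, and the mail gateway is assumed to already reject unauthenticated mail that claims an internal domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example (constructed, not taken from the page).
INTERNAL_DOMAINS = {"example-sme.ch"}
EXECUTIVES = {"anna muster"}  # display names of people who may instruct payments


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains that differ by a few characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw: str) -> dict:
    """Mark external mail in the subject and list CEO-fraud warning signs."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    reasons = []
    if external:
        # Correct sender name, but the address is not one of ours.
        if " ".join(name.lower().split()) in EXECUTIVES:
            reasons.append("executive display name on external address")
        # Small spelling change relative to a legitimate internal domain.
        if any(0 < edit_distance(domain, d) <= 2 for d in INTERNAL_DOMAINS):
            reasons.append("lookalike of internal domain")
    subject = msg.get("Subject", "")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"external": external, "subject": subject, "reasons": reasons}


# Constructed sample messages: the first uses "examp1e" (digit 1) in the domain.
SPOOFED = ("From: Anna Muster <anna.muster@examp1e-sme.ch>\n"
           "Subject: Urgent payment\n\nPlease pay this immediately.\n")
GENUINE = ("From: Anna Muster <anna.muster@example-sme.ch>\n"
           "Subject: Budget\n\nSee attached.\n")
VENDOR = ("From: Billing <billing@vendor.example>\n"
          "Subject: Invoice\n\nInvoice attached.\n")
```

A message that raises either warning sign is a candidate for the second-channel verification described above before any payment is made.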

Last modification 27.01.2026


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_4.html