CEO fraud, payment diversion, fake buyer fraud: how social engineering targets human decisions

By Allianz Trade editorial team - Published on 29 April 2026

Want to know how CEO fraud, payment diversion and fake buyer fraud could impact your business? At the core of these modern fraud schemes lies social engineering - a tactic that exploits the human factor within organizations.
This article outlines what social engineering is, shows how it is used in common fraud scenarios, and highlights patterns to watch for. Understanding these tactics is the first step toward protecting your business from these sophisticated threats.

Summary

  • Modern fraudsters increasingly target people rather than systems, using social engineering to turn trusted employees into entry points for CEO fraud, payment diversion and fake buyer fraud.
  • Even with strong IT security and controls, a single unverified decision (e.g. changing bank details, approving an urgent payment, releasing goods on credit) can trigger significant, often unrecoverable financial losses.
  • The most robust defence combines clear approval processes, focused training and supportive technology with Business Fraud Insurance as a financial safety net, since the fraud risk cannot be completely erased.


Learn more and contact us for personalized advice and a price estimate for your company!

Modern fraudsters rarely start with code; they start with people. Instead of trying to break your systems, they try to bend your decisions.

60% of breaches involve a human element¹. CEO fraud, payment diversion, and fake buyer fraud all have one thing in common: they use social engineering to manipulate trusted employees into approving payments, changing bank details, or releasing goods. Even when your IT security is robust, a single human decision can bypass multiple layers of technical control and internal policy.

In the following sections, you’ll see why they’re so successful at exploiting the human element, what you can do to reduce the risk and why many companies choose Business Fraud Insurance as an essential financial safety net when fraud does occur.

Social engineering is the practice of manipulating people into taking actions they would normally avoid. In a business context, the goal is often to:

  • Convince someone to approve a payment,
  • Change bank account details,
  • Release goods on credit,
  • Share confidential information or credentials.

Fraudsters carefully study your organization, your hierarchy, and your communication style. They then craft messages and scenarios that sound, look and feel familiar and legitimate.

They exploit four main levers of human behavior:

  • Authority - “This is the CEO / CFO / Director asking.”
  • Urgency - “We must act now or lose the deal.”
  • Trust - “This is your regular supplier / customer / colleague.”
  • Fear of blocking the business - “If you delay, you’ll be responsible for a missed opportunity.”

There are many types of social engineering attacks – such as baiting (offering something attractive to trick users), whaling (targeting top executives via professional and personal communication channels), phishing (mass fraudulent emails), spear phishing (highly targeted, personalized emails), and smishing (phishing via SMS) – but the underlying principle is always the same: using psychology to make people override their usual caution.

Most social engineering attacks follow a simple lifecycle:

  1. Investigation - gathering information about your company, people, and processes.
  2. Entrapment - building contact and trust, often via email, phone, or messaging.
  3. Attack - triggering the key action: a payment, a bank detail change, or the release of goods or data.
  4. Exit - covering tracks, withdrawing funds, disappearing, and preparing the next attack elsewhere.

Once a trusted person approves a transaction, your systems usually do exactly what they are supposed to do, even if that means executing a fraudulent payment or shipping goods to a fraudster.

To make these mechanisms more tangible, let’s look at some concrete, common cases where social engineering is used against companies.

CEO fraud (also called “fake president fraud”) is a targeted scam in which criminals impersonate a senior executive or decision‑maker to trick employees into making urgent, unauthorized payments.

The typical goal is to convince someone in finance, treasury, or accounting to transfer funds to a fraudulent account.

How this scheme typically unfolds:

  • An email, message or call appears to come from the CEO’s address, or a very similar one.
  • The request is labelled as confidential, time sensitive, or linked to a strategic deal.
  • The employee is asked to bypass normal procedures: “Don’t involve anyone else”, “Handle this personally”, “We will regularize later.”

The communication often appears to come directly from the CEO, CFO, or another high-ranking manager, and plays on hierarchy, urgency, and confidentiality. If the employee complies, funds are transferred to the fraudster’s account, with minimal chances of recovering the money.

Why CEO fraud works

  • Employees are conditioned to respect hierarchy and respond quickly to senior leaders.
  • Urgency and confidentiality make it socially hard to push back or ask questions.
  • The message often arrives at busy times (end of day, month‑end, holidays).
  • Attackers may have gathered details from social media, company news, or previous emails to make the story credible.

Payment diversion (also called “invoice fraud” or “mandate fraud”) aims to divert genuine payments to a fraudulent account by manipulating your trust in suppliers or customers.

The typical goal is to convince someone in accounts payable or finance to:

  • Update bank details for a supplier or creditor.
  • Pay a real invoice to a new, fraudulent account.
  • Accept a “one‑off” bank change for a specific high‑value payment.

How this scheme typically unfolds:

  • A fraudster either compromises a genuine supplier email account or uses a very convincing lookalike email address to request a bank detail change. Some may also use other channels such as phone, letter or even messaging apps to pass on the new, fraudulent bank details.
  • Your accounts team receives a message that appears to come from the supplier’s finance department, announcing new bank details.
  • The request looks professional and familiar, often including the correct supplier name, reference numbers, logos, and signatures copied from real documents, along with plausible reasons like a "bank merger" or "internal reorganization."
  • The email asks that all future invoices or a specific urgent invoice be paid to the new account.

If the change is accepted without independent verification, your next legitimate payment is sent straight to the fraudster’s account.

Why payment diversion works

  • Bank detail changes are often treated as administrative updates, not high‑risk events.
  • Staff may trust email as a primary channel and skip additional verification.
  • The request is embedded in an otherwise normal process (paying a routine invoice).
  • The fraud may only be detected weeks later, when the real supplier chases unpaid invoices.

Fake buyer fraud targets your sales and delivery processes. Criminals pose as genuine customers - either by imitating an existing client or by presenting themselves as a well-known company - to obtain goods on credit and disappear without paying.

The typical goal is to convince your sales and credit teams to:

  • Accept a large order on open terms or extended credit.
  • Deliver goods to a location controlled by the fraudster.
  • Trust a buyer identity based on brand recognition and convincing details.

How this scheme typically unfolds:

  • Fraudsters impersonate regular customers or reputable companies, often registering domain names that closely resemble the real customer’s (e.g., changing one letter or adding a hyphen).
  • They contact your sales team using a real buyer’s name or a plausible contact with a similar email address and place large orders.
  • Delivery addresses appear legitimate, and references or PO numbers look authentic, leading your credit team to approve the order under normal terms.
  • The goods are delivered to the specified location, controlled by the fraudsters, who then vanish with the goods without making any payment.

Everything appears routine. Only when the invoice remains unpaid and your receivables team contacts the real customer does the fraud become clear: they never placed the order, and the email address is not theirs.
Note that Trade Credit Insurance does not cover payment defaults resulting from buyer fraud, since the loss stems from a fraudulent action and not from a valid business debt.

Why fake buyer fraud works

  • It closely mimics normal, profitable business with a reputable name.
  • It leverages your trust in established customers and recognized brands.
  • It uses real‑world details (names, past orders, addresses) to overcome suspicion.
  • The loss is often discovered late, when recovery of goods is no longer possible.

Business Email Compromise (BEC) is a broader category that underpins many of the attacks described above. In BEC, criminals gain control over, or convincingly impersonate, a legitimate business email account to influence payments and approvals.

Typical goal:

  • Insert themselves into real email conversations,
  • Misuse trust in known names, brands or roles (e.g. “CEO”, “key account”),
  • Manipulate payment details or instructions,
  • Steer money or information to accounts they control.

Typical pattern:

  • An employee, supplier, or customer falls for a phishing email and enters their credentials on a fake login page, or clicks a malicious link.
  • The attacker logs into the genuine mailbox and silently monitors email traffic over days or weeks.
  • They learn how your teams communicate, which invoices are due, how orders are placed, who approves payments, and which relationships are critical.
  • At the right moment, such as before a large invoice is paid or a big order is approved, the attacker intervenes within an existing email thread, using the real account or a convincing spoofed address to provide fraudulent payment details, request urgent transfers, amend orders, or send altered invoices.

Because the message is part of a real, ongoing conversation, it appears trustworthy. If your team implements the change without independent verification, the payment or the goods will be diverted to the fraudster. According to the FBI, $2.7 billion² in losses were caused by BEC worldwide in 2024.
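As an added example (not code from this article or from Allianz Trade), a small Python screen for inbound messages that turns the patterns above into checks: it compares the sender domain against a constructed list of known counterparty domains to catch the one-letter and hyphen variants described under fake buyer fraud, flags a Reply-To that points to a different domain than the visible sender (the spoofed-address case in BEC), and flags wording that announces new bank details as in payment diversion. The known-domain list and the sample messages are constructed for illustration; any hit should send the message to out-of-band verification rather than straight into the payment or order process.

```python
import re
from typing import Optional

# Constructed sample: domains of counterparties already in the vendor/customer master
KNOWN_DOMAINS = {"acme-steel.com", "northwind.co.uk"}
# Character substitutions that make a fake domain read like the real one
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Lower-case, fold look-alike characters and drop hyphens and dots."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d.replace("-", "").replace(".", "")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, known=KNOWN_DOMAINS) -> Optional[str]:
    """Return the known domain this sender domain imitates, or None."""
    if domain.lower() in known:
        return None  # exact match with a registered counterparty
    nd = normalize(domain)
    for k in known:
        if edit_distance(nd, normalize(k)) <= 1:  # one letter off, or hyphen/dot games
            return k
    return None

# Wording that announces a bank-detail change, within a short window of text
BANK_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|iban|account)\b", re.I | re.S)

def screen_message(from_addr: str, reply_to: Optional[str], body: str) -> list:
    """Return the reasons a message should be held for out-of-band verification."""
    flags = []
    sender = from_addr.rsplit("@", 1)[-1]
    target = lookalike_of(sender)
    if target:
        flags.append(f"sender domain {sender} imitates known domain {target}")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender.lower():
        flags.append("reply-to domain differs from sender domain")
    if BANK_CHANGE.search(body):
        flags.append("bank-detail change requested by email")
    return flags
```

An empty list means nothing was flagged; a non-empty list is a reason to confirm the request by a phone call to a number already on file, never one taken from the message itself.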

Social engineering attacks - such as CEO fraud, payment diversion, fake buyer fraud, and Business Email Compromise (BEC) - all exploit the same vulnerabilities: people, trust, and routine processes. Understanding how these schemes operate and identifying their patterns is a critical first step toward developing effective protection strategies.



Allianz Trade is the global leader in trade credit insurance and credit management, offering tailored solutions to mitigate the risks associated with bad debt, thereby ensuring the financial stability of businesses. Our products and services help companies with risk management, cash flow management, accounts receivables protection, surety bonds, business fraud insurance, debt collection processes and e-commerce credit insurance, ensuring the financial resilience of our clients’ businesses. Our expertise in risk mitigation and finance positions us as trusted advisors, enabling businesses aspiring for global success to expand into international markets with confidence.

Our business is built on supporting relationships between people and organizations, relationships that extend across frontiers of all kinds - geographical, financial, industrial, and more. We are constantly aware that our work has an impact on the communities we serve and that we have a duty to help and support others. At Allianz Trade, we are strongly committed to fairness for all without discrimination, among our own people and in our many relationships with those outside our business.