Q: What is CEO fraud and how does it differ from phishing?

Phishing is broad fraudulent email designed to steal credentials or install malware, usually at scale. CEO fraud (Business Email Compromise) is targeted impersonation of your CEO or senior executive to authorise fraudulent transfers or extract sensitive data. BEC attacks are researched, timed, and exploit trust in authority.

Q: Is CEO fraud training a legal requirement in the UK?

Not in those exact words, but effectively yes. UK GDPR Article 32 requires appropriate organisational measures, and the ICO expects induction and refresher training for all staff. If CEO fraud causes a breach and you cannot evidence training, you are exposed to ICO enforcement and fines up to £17.5 million or 4% of global turnover.

Q: How often should employees receive CEO fraud awareness training?

At minimum annually. New starters should train before accessing personal data. Refresh sooner after near-miss incidents, role changes, or significant threat changes. Automated renewal reminders help SMBs maintain evidence without manual chasing.

Q: What should an employee do if they receive a suspicious CEO email?

Stop. Do not reply or use phone numbers from the email. Call the supposed sender on a verified number, flag to your manager or IT contact, and report to reportfraud.police.uk. If money was transferred, contact your bank immediately.

Q: Can online training satisfy the Cyber Essentials staff awareness requirement?

Yes. Online LMS delivery with completion records and assessments is widely accepted. Documented, timestamped individual records are stronger evidence than policy PDFs or ad-hoc team briefings.

Q: How does an LMS help with CEO fraud training compliance?

An LMS automates assignment for new starters, tracks individual completions with timestamps, triggers renewal reminders, and exports audit-ready reports when regulators ask for evidence.

Daniel Hyatt

TrainMeUK Founder

TL;DR

CEO fraud is when attackers impersonate your CEO or a senior executive — by email, phone, or messaging — to trick employees into transferring money or handing over sensitive data.
It is the most financially damaging form of social engineering. The FBI reports global BEC losses have exceeded $55 billion over the past decade (FBI IC3).
UK GDPR Article 32 requires appropriate organisational measures — staff awareness training is one of them.
The ICO can fine up to £17.5 million or 4% of global annual turnover if inadequate training contributed to a breach.
Cyber Essentials and the NCSC 10 Steps both expect staff awareness training as part of a holistic security posture.
Most UK SMBs have no training records to show an ICO investigator — that is the compliance gap an LMS closes.

This guide fits into a broader programme: read our guide to social engineering training for employees to see the full picture.

What is CEO fraud? (And why it's not just a finance problem)

Most people assume CEO fraud only affects big corporates. It does not.

CEO fraud — also called Business Email Compromise (BEC), whaling, or executive impersonation fraud — is when a criminal impersonates your CEO or another senior executive to trick an employee into authorising a fraudulent bank transfer or handing over confidential data.

The attack surface is not your firewall. It is your people.

No amount of IT investment patches a member of staff who trusts a convincing email from "the boss." That is what makes this threat so effective — and so expensive.

Why UK SMBs are prime targets:

Smaller finance teams with less formal approval processes
Closer working relationships between staff and senior leadership — which attackers exploit
Fewer dedicated IT or security resources to catch anomalies
Less likely to have dual-authorisation controls on payments

The NCSC describes BEC as a form of phishing where criminals trick senior executives or budget holders into transferring funds or revealing sensitive information. Unlike mass phishing, these attacks are crafted for specific individuals — and are significantly harder to detect.

For a broader look at impersonation in the wider threat landscape, see our guide to social engineering training for employees.

The 4 CEO fraud scenarios your employees will face

These are not hypothetical. Each of these happens to UK businesses every week.

1. Fake wire transfer request

What it is: An urgent email, apparently from your CEO or CFO, asking a finance team member to transfer money to a new bank account — immediately, and confidentially.

Real-world example: A finance manager at a 40-person manufacturing firm receives an email from "the MD" at 4:45 pm on a Friday. The MD is travelling. The email requests a £22,000 transfer to a new supplier account "before the banks close." The domain is company-name.co instead of company-name.co.uk. The transfer goes through.

Red flags to train your team on:

Extreme urgency ("before end of day", "right now")
Request for secrecy ("don't mention this to anyone")
New or slightly different sender domain
Payment to an account your team has not used before

2. Supplier invoice fraud

What it is: The attacker poses as a known supplier and requests that payment be redirected to a new bank account — often with detailed knowledge of your existing supplier relationship.

Real-world example: A legitimate supplier's email account is compromised. The attacker monitors it for weeks, then sends a convincing email to your accounts team saying bank details have changed. The next invoice payment — £8,500 — goes to a criminal account.

Red flags:

Mid-relationship request to change bank details
Email from a slightly different address (one character off)
Pressure to update records quickly
No follow-up phone call to confirm

3. Payroll diversion

What it is: The attacker poses as an employee — or as HR — and requests that payroll bank details be updated before the next pay run.

Real-world example: An "employee" emails HR asking to change their bank account ahead of month-end payroll. HR updates the record. The employee's salary goes to a criminal account. The real employee only discovers it when their salary does not arrive.

Red flags:

Payroll change requests via email only (no verbal confirmation)
Urgency tied to an upcoming pay date
Request from a personal email address or slightly altered work address

4. Data harvesting

What it is: The attacker poses as the CEO requesting employee PII — payslips, National Insurance numbers, contracts, or HR records — then uses the data for identity fraud or further attacks.

Real-world example: An "executive" emails the HR manager requesting a spreadsheet of all employee salary and NI data for "an urgent board report." The HR manager sends it. The data is used to file fraudulent tax returns.

Red flags:

Unusual request for bulk employee data
No clear business reason given
Request to send data externally or to a personal email
Pressure to respond quickly without verification

Why CEO fraud is a UK compliance obligation — not just a cyber risk

This is where many UK SMBs get caught out. CEO fraud is not just a financial risk. It is a compliance risk — with specific regulatory obligations attached.

UK GDPR Article 32

Article 32 requires organisations to implement "appropriate technical and organisational measures" to protect personal data. Staff training is an organisational measure. If a CEO fraud attack leads to the disclosure of employee or customer data and you cannot evidence that staff were trained, you are exposed.

The ICO's audit framework confirms that failing to train staff may breach UK GDPR Articles 5(1)(f) and 32.

ICO Accountability Framework

The ICO expects data protection and information governance training for all staff — including induction training before staff access personal data, and refresher training at regular intervals. You must be able to demonstrate that staff understood the training. A policy document in a shared drive is not enough. You need dated, individual completion records.

Cyber Essentials

Cyber Essentials protects businesses against common cyber attacks. While its five technical controls focus on firewalls, secure configuration, access controls, malware protection, and patch management, the NCSC expects staff awareness training as part of a holistic security posture.

NCSC 10 Steps to Cyber Security

The NCSC's 10 Steps dedicate a full step to user education and awareness — with ongoing reminders and top-up training to maintain skills.

The ICO fine exposure

The ICO can fine up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches. If CEO fraud causes a data breach — and you cannot evidence training — you have no defence.

Our take — Daniel Hyatt, TrainMeUK Founder

Most UK SMBs treat CEO fraud training as an IT problem. It is not. It is an HR problem. The ICO does not ask your IT manager for evidence of training — they ask HR. If HR does not own the training programme, track completions, and trigger annual renewals, no one does. At TrainMeUK, we built the platform so HR can own this without needing IT involvement at all.

For more on the legal framework, see our guides on why GDPR training is legally required and our ISO 27001 & Cyber Essentials training guide.

Expert insights

Have you seen ICO investigations where CEO fraud triggered a breach notification?

Yes — and training records often determine whether enforcement treats the incident as negligent or as a controlled failure despite an attack. Organisations that can show dated, role-appropriate awareness training fare materially better than those with only a policy PDF and good intentions.

What does good evidence of CEO fraud training look like to a regulator?

Individual completion records with timestamps, the content covered (wire transfer verification, payroll change process, data requests), evidence of annual renewal, and proof that new starters were assigned before accessing sensitive systems. A team-wide email saying "we did training" is not evidence.

What should HR look for in an LMS for CEO fraud compliance?

Automatic assignment for joiners, renewal reminders without spreadsheet chasing, per-person audit exports, and role-based visibility for finance and HR teams. If you need IT to run reports before an investigation, you are already behind.

CEO fraud frequently triggers a reportable breach — payroll diversion, data harvesting, and wire fraud all involve personal data. When it happens, regulators ask what training staff had before and after the incident. See our guide to data breach training.

How to spot a CEO fraud attempt: a checklist for employees

Print this. Share it. Train your team on it.

Before acting on any unusual request, check for these warning signs:

☐ Unexpected urgency: "do this now", "before end of day", "I need this immediately"
☐ Request to bypass normal approval: "just this once", "skip the usual sign-off"
☐ Slightly wrong sender domain: one character swapped or added
☐ Request for secrecy: "don't tell anyone about this yet"
☐ Wire transfer to a new or overseas account you have not used before
☐ Request for employee PII or payroll data — NI numbers, salary data, bank details
☐ Pressure not to call back — "I'm in a meeting, just email me"
☐ Timed when the sender is away — Friday afternoons, holidays, known travel

The golden rule: if a request involves money or sensitive data and feels even slightly off — stop, call back on a known number, and verify verbally. Do not reply to the email. Do not use a phone number from the email.

The compliance headache: tracking who's done CEO fraud training

No training records. No proof. No defence.

This is the reality for most UK SMBs. Even when training happens, the tracking does not.

The common failure points:

HR has no visibility — no proof of who completed training, when, or what was covered
Spreadsheets break — manual tracking fails at scale, especially across multi-site or remote teams
Annual refreshers never happen — without automation, renewal reminders fall through the cracks
ICO investigators ask for specifics — dated, individual completion records, not a calendar invite screenshot

TrainMeUK completion tracking dashboard by department and course — Per-employee completion tracking — timestamps and compliance rates by department.

The real cost of non-compliance goes beyond ICO fines — direct financial loss from a successful CEO fraud attack, reputational damage, and investigation cost add up fast.

See also our compliance audit preparation checklist for exactly what evidence to have ready.

How TrainMeUK removes the compliance headache — automatically

Most training platforms add admin work. TrainMeUK removes it. Here is how it works for a UK SMB with 20–250 employees:

1. Auto-assign training via Azure AD

Connect TrainMeUK to Azure AD. New starters get CEO fraud awareness training assigned automatically — see our Azure AD integration guide.

2. Completion tracked per employee, per course

Every completion is logged with a timestamp — individual records, per person, not "the team did training."

3. Automatic renewal reminders

Annual refresher training triggers automatically. No spreadsheet. No one falls through the cracks.

4. Real-time compliance dashboard

See compliance rate by department, course, or employee — know instantly who is overdue.

5. Audit-ready reports in one click

When the ICO asks for evidence, export a dated report. That is your defence.

Everything just runs. No chasing. No spreadsheets. No stress.

How CEO fraud training fits into your wider cyber cluster

CEO fraud is one vector in a broader social engineering landscape. Your training programme needs to cover all of it.

Training area	What it covers	Guide
Phishing awareness	Recognising and reporting phishing emails, links, and attachments	Phishing awareness training for employees
Social engineering	Vishing, pretexting, baiting, tailgating, and impersonation tactics	Social engineering training for employees
CEO fraud / BEC	Executive impersonation, wire transfer fraud, payroll diversion, data harvesting	This guide

Together, these three areas form a complete cyber awareness programme that satisfies UK GDPR Article 32, aligns with Cyber Essentials expectations, and gives you training records to evidence compliance.

For the full regulatory picture, see our cyber security training requirements guide for UK SMEs.

You can also enrol your team in our cyber security awareness course — which covers these areas in a single, trackable programme.

FAQ: CEO fraud training UK

Common questions about CEO fraud awareness training for UK employers.

What is CEO fraud and how does it differ from phishing? +

Phishing is a broad term for fraudulent emails designed to steal credentials or install malware — usually sent to large numbers of people. CEO fraud (Business Email Compromise) is a targeted subset where the attacker impersonates your CEO or a senior executive. The goal is usually to authorise a fraudulent bank transfer or extract sensitive data. CEO fraud attacks are far more personalised and harder to detect than standard phishing.

Is CEO fraud training a legal requirement in the UK? +

Not in those exact words — but effectively, yes. UK GDPR Article 32 requires appropriate organisational measures to protect personal data, and the ICO's Accountability Framework expects induction and refresher training for all staff. If CEO fraud causes a data breach and you cannot evidence training, you are exposed to ICO enforcement and fines of up to £17.5 million or 4% of global annual turnover.

How often should employees receive CEO fraud awareness training? +

At minimum, annually — but refresh sooner after near-miss incidents, role changes, or significant threat changes. New starters should receive training before they access personal data. For most UK SMBs, annual renewal with automated reminders is the practical baseline.

What should an employee do if they receive a suspicious CEO email? +

Stop. Do not reply to the email or use any phone number provided in it. Call the supposed sender on a known, verified number to confirm the request; flag it to your line manager or IT contact; and report it to the UK's fraud reporting service at reportfraud.police.uk. If money has already been transferred, contact your bank immediately — time is critical for fund recovery.

Can online training satisfy the Cyber Essentials staff awareness requirement? +

Yes. Cyber Essentials does not mandate a specific training format. Online training via an LMS — with completion records and assessments — is widely accepted. A completion certificate with a timestamp is far stronger evidence than a team meeting or a PDF policy document.

How does an LMS help with CEO fraud training compliance? +

An LMS like TrainMeUK automates assignment for every employee including new starters, tracks individual completions with timestamps, triggers annual renewal reminders, and exports audit-ready reports in one click when the ICO asks for evidence.

Useful sources

Ready to automate CEO fraud training?

Book a live walkthrough and see how TrainMeUK assigns, tracks, and renews training automatically — or start a free trial and have your first course live today.

Book a Free Demo Start Free Trial

CEO Fraud Training for UK SMBs: The Complete Compliance Guide (2026)

Want audit-ready reporting without spreadsheets?