Daniel Hyatt
TrainMeUK Founder
TL;DR
- CEO fraud is when attackers impersonate your CEO or a senior executive — by email, phone, or messaging — to trick employees into transferring money or handing over sensitive data.
- It is the most financially damaging form of social engineering. The FBI reports global BEC losses have exceeded $55 billion over the past decade (FBI IC3).
- UK GDPR Article 32 requires appropriate organisational measures — staff awareness training is one of them.
- The ICO can fine up to £17.5 million or 4% of global annual turnover if inadequate training contributed to a breach.
- Cyber Essentials and the NCSC 10 Steps both expect staff awareness training as part of a holistic security posture.
- Most UK SMBs have no training records to show an ICO investigator — that is the compliance gap an LMS closes.
This guide fits into a broader programme: read our guide to social engineering training for employees to see the full picture.
What is CEO fraud? (And why it's not just a finance problem)
Most people assume CEO fraud only affects big corporates. It does not.
CEO fraud — also called Business Email Compromise (BEC), whaling, or executive impersonation fraud — is when a criminal impersonates your CEO or another senior executive to trick an employee into authorising a fraudulent bank transfer or handing over confidential data.
The attack surface is not your firewall. It is your people.
No amount of IT investment patches a member of staff who trusts a convincing email from "the boss." That is what makes this threat so effective — and so expensive.
Why UK SMBs are prime targets:
- Smaller finance teams with less formal approval processes
- Closer working relationships between staff and senior leadership — which attackers exploit
- Fewer dedicated IT or security resources to catch anomalies
- Less likely to have dual-authorisation controls on payments
The NCSC describes BEC as a form of phishing where criminals trick senior executives or budget holders into transferring funds or revealing sensitive information. Unlike mass phishing, these attacks are crafted for specific individuals — and are significantly harder to detect.
For a broader look at impersonation in the wider threat landscape, see our guide to social engineering training for employees.
The 4 CEO fraud scenarios your employees will face
These are not hypothetical. Each of these happens to UK businesses every week.
1. Fake wire transfer request
What it is: An urgent email, apparently from your CEO or CFO, asking a finance team member to transfer money to a new bank account — immediately, and confidentially.
Real-world example: A finance manager at a 40-person manufacturing firm receives an email from "the MD" at 4:45 pm on a Friday. The MD is travelling. The email requests a £22,000 transfer to a new supplier account "before the banks close." The domain is company-name.co instead of company-name.co.uk. The transfer goes through.
Red flags to train your team on:
- Extreme urgency ("before end of day", "right now")
- Request for secrecy ("don't mention this to anyone")
- New or slightly different sender domain
- Payment to an account your team has not used before
2. Supplier invoice fraud
What it is: The attacker poses as a known supplier and requests that payment be redirected to a new bank account — often with detailed knowledge of your existing supplier relationship.
Real-world example: A legitimate supplier's email account is compromised. The attacker monitors it for weeks, then sends a convincing email to your accounts team saying bank details have changed. The next invoice payment — £8,500 — goes to a criminal account.
Red flags:
- Mid-relationship request to change bank details
- Email from a slightly different address (one character off)
- Pressure to update records quickly
- No follow-up phone call to confirm
3. Payroll diversion
What it is: The attacker poses as an employee — or as HR — and requests that payroll bank details be updated before the next pay run.
Real-world example: An "employee" emails HR asking to change their bank account ahead of month-end payroll. HR updates the record. The employee's salary goes to a criminal account. The real employee only discovers it when their salary does not arrive.
Red flags:
- Payroll change requests via email only (no verbal confirmation)
- Urgency tied to an upcoming pay date
- Request from a personal email address or slightly altered work address
4. Data harvesting
What it is: The attacker poses as the CEO requesting employee PII — payslips, National Insurance numbers, contracts, or HR records — then uses the data for identity fraud or further attacks.
Real-world example: An "executive" emails the HR manager requesting a spreadsheet of all employee salary and NI data for "an urgent board report." The HR manager sends it. The data is used to file fraudulent tax returns.
Red flags:
- Unusual request for bulk employee data
- No clear business reason given
- Request to send data externally or to a personal email
- Pressure to respond quickly without verification
Why CEO fraud is a UK compliance obligation — not just a cyber risk
This is where many UK SMBs get caught out. CEO fraud is not just a financial risk. It is a compliance risk — with specific regulatory obligations attached.
UK GDPR Article 32
Article 32 requires organisations to implement "appropriate technical and organisational measures" to protect personal data. Staff training is an organisational measure. If a CEO fraud attack leads to the disclosure of employee or customer data and you cannot evidence that staff were trained, you are exposed.
The ICO's audit framework confirms that failing to train staff may breach UK GDPR Articles 5(1)(f) and 32.
ICO Accountability Framework
The ICO expects data protection and information governance training for all staff — including induction training before staff access personal data, and refresher training at regular intervals. You must be able to demonstrate that staff understood the training. A policy document in a shared drive is not enough. You need dated, individual completion records.
Cyber Essentials
Cyber Essentials protects businesses against common cyber attacks. While its five technical controls focus on firewalls, secure configuration, access controls, malware protection, and patch management, the NCSC expects staff awareness training as part of a holistic security posture.
NCSC 10 Steps to Cyber Security
The NCSC's 10 Steps dedicate a full step to user education and awareness — with ongoing reminders and top-up training to maintain skills.
The ICO fine exposure
The ICO can fine up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches. If CEO fraud causes a data breach — and you cannot evidence training — you have no defence.
Our take — Daniel Hyatt, TrainMeUK Founder
Most UK SMBs treat CEO fraud training as an IT problem. It is not. It is an HR problem. The ICO does not ask your IT manager for evidence of training — they ask HR. If HR does not own the training programme, track completions, and trigger annual renewals, no one does. At TrainMeUK, we built the platform so HR can own this without needing IT involvement at all.
For more on the legal framework, see our guides on why GDPR training is legally required and our ISO 27001 & Cyber Essentials training guide.
Expert insights
Have you seen ICO investigations where CEO fraud triggered a breach notification?
Yes — and training records often determine whether enforcement treats the incident as negligent or as a controlled failure despite an attack. Organisations that can show dated, role-appropriate awareness training fare materially better than those with only a policy PDF and good intentions.
What does good evidence of CEO fraud training look like to a regulator?
Individual completion records with timestamps, the content covered (wire transfer verification, payroll change process, data requests), evidence of annual renewal, and proof that new starters were assigned before accessing sensitive systems. A team-wide email saying "we did training" is not evidence.
What should HR look for in an LMS for CEO fraud compliance?
Automatic assignment for joiners, renewal reminders without spreadsheet chasing, per-person audit exports, and role-based visibility for finance and HR teams. If you need IT to run reports before an investigation, you are already behind.
CEO fraud frequently triggers a reportable breach — payroll diversion, data harvesting, and wire fraud all involve personal data. When it happens, regulators ask what training staff had before and after the incident. See our guide to data breach training.
How to spot a CEO fraud attempt: a checklist for employees
Print this. Share it. Train your team on it.
Before acting on any unusual request, check for these warning signs:
- ☐ Unexpected urgency: "do this now", "before end of day", "I need this immediately"
- ☐ Request to bypass normal approval: "just this once", "skip the usual sign-off"
- ☐ Slightly wrong sender domain: one character swapped or added
- ☐ Request for secrecy: "don't tell anyone about this yet"
- ☐ Wire transfer to a new or overseas account you have not used before
- ☐ Request for employee PII or payroll data — NI numbers, salary data, bank details
- ☐ Pressure not to call back — "I'm in a meeting, just email me"
- ☐ Timed when the sender is away — Friday afternoons, holidays, known travel
The golden rule: if a request involves money or sensitive data and feels even slightly off — stop, call back on a known number, and verify verbally. Do not reply to the email. Do not use a phone number from the email.
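The checklist above, together with the red flags listed under the four scenarios earlier on the page, is in effect a scoring rule that a finance-team triage script or a mail gateway can apply before anyone acts. The Python below is an added example written for this page; it is not TrainMeUK code and not taken from any of the sources listed. It scores constructed messages against those red flags (including the company-name.co lookalike from scenario 1 and the Friday-afternoon timing) and returns the action the golden rule prescribes. The trusted domains, phrase lists, sample messages, and the "money or data request plus one more flag" threshold are all assumptions made for the example.

```python
"""Red-flag scorer for inbound requests involving money or personal data.

Added example for the CEO fraud checklist; all domains, phrases, thresholds
and sample messages below are constructed and are not TrainMeUK product code.
"""
from dataclasses import dataclass, field
from datetime import datetime
from email.utils import parseaddr

TRUSTED_DOMAINS = {"company-name.co.uk"}          # the organisation's real mail domains (assumed)
PERSONAL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Phrase lists mirror the checklist items; tune them to your own mail (assumed wording).
URGENCY = ["right now", "immediately", "before end of day", "before the banks close", "asap", "urgent"]
SECRECY = ["don't mention", "don't tell anyone", "keep this between us"]
BYPASS = ["just this once", "skip the usual", "no need for sign-off"]
NO_CALLBACK = ["in a meeting", "just email me", "can't take calls", "cannot take calls"]
MONEY = ["transfer", "wire", "new bank account", "bank details", "payment"]
PII = ["national insurance", "ni number", "payslip", "salary data", "p60", "hr records"]


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    received: datetime
    flags: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch sender domains that are one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """'MD <md@company-name.co>' -> 'company-name.co'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def lookalike_domain(domain: str, trusted: set) -> bool:
    """True when the domain resembles, but is not, one of the trusted domains."""
    if domain in trusted:
        return False
    for t in trusted:
        # Same registered name with a different suffix: company-name.co vs company-name.co.uk
        if domain.split(".")[0] == t.split(".")[0]:
            return True
        if levenshtein(domain, t) <= 2:        # one character swapped, added or dropped
            return True
    return False


def _hits(text: str, phrases: list) -> bool:
    return any(p in text for p in phrases)


def score(msg: Message, trusted: set = TRUSTED_DOMAINS) -> list:
    """Return the checklist items the message trips, in checklist order."""
    text = f"{msg.subject}\n{msg.body}".lower()
    dom = domain_of(msg.sender)
    checks = [
        ("lookalike-domain", lookalike_domain(dom, trusted)),
        ("personal-email", dom in PERSONAL_PROVIDERS),
        ("urgency", _hits(text, URGENCY)),
        ("secrecy", _hits(text, SECRECY)),
        ("bypass-approval", _hits(text, BYPASS)),
        ("discourages-callback", _hits(text, NO_CALLBACK)),
        ("money-request", _hits(text, MONEY)),
        ("pii-request", _hits(text, PII)),
        # Friday from 16:00, or the weekend: the "sender is away" timing from the checklist
        ("out-of-hours-timing",
         msg.received.weekday() > 4 or (msg.received.weekday() == 4 and msg.received.hour >= 16)),
    ]
    msg.flags = [name for name, hit in checks if hit]
    return msg.flags


def verdict(flags: list) -> str:
    """Policy: a money or data request plus any other red flag means verify out of band."""
    sensitive = {"money-request", "pii-request"} & set(flags)
    if sensitive and len(flags) > 1:
        return "STOP: call back on a known number and verify verbally before acting"
    if sensitive:
        return "CAUTION: follow the normal approval process"
    return "OK: no payment or data request detected"


# Constructed samples: scenario 1 from this page, and a routine internal request.
SUSPICIOUS = Message(
    sender="MD <md@company-name.co>",
    subject="Urgent supplier payment",
    body=("I'm travelling and can't take calls. Please transfer £22,000 to the new "
          "supplier account below before the banks close. Don't mention this to anyone."),
    received=datetime(2025, 6, 6, 16, 45),      # a Friday afternoon
)
BENIGN = Message(
    sender="MD <md@company-name.co.uk>",
    subject="Monday agenda",
    body="Could you circulate the agenda for Monday's management meeting?",
    received=datetime(2025, 6, 3, 10, 0),       # a Tuesday morning
)

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        print(m.subject, score(m), verdict(m.flags), sep=" | ")
```

The score is deliberately additive rather than a single rule: no one flag is proof, but a payment or data request that also carries urgency, secrecy or a lookalike domain is exactly the combination the four scenarios describe, and the verdict sends the reader to the same out-of-band phone check the golden rule requires. Substring matching on phrase lists is crude; in production you would feed the same flags into your gateway's existing scoring and tune the lists against your own mail.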
The compliance headache: tracking who's done CEO fraud training
No training records. No proof. No defence.
This is the reality for most UK SMBs. Even when training happens, the tracking does not.
The common failure points:
- HR has no visibility — no proof of who completed training, when, or what was covered
- Spreadsheets break — manual tracking fails at scale, especially across multi-site or remote teams
- Annual refreshers never happen — without automation, renewal reminders fall through the cracks
- ICO investigators ask for specifics — dated, individual completion records, not a calendar invite screenshot
The real cost of non-compliance goes beyond ICO fines — direct financial loss from a successful CEO fraud attack, reputational damage, and investigation cost add up fast.
See also our compliance audit preparation checklist for exactly what evidence to have ready.
How TrainMeUK removes the compliance headache — automatically
Most training platforms add admin work. TrainMeUK removes it. Here is how it works for a UK SMB with 20–250 employees:
1. Auto-assign training via Azure AD
Connect TrainMeUK to Azure AD. New starters get CEO fraud awareness training assigned automatically — see our Azure AD integration guide.
2. Completion tracked per employee, per course
Every completion is logged with a timestamp — individual records, per person, not "the team did training."
3. Automatic renewal reminders
Annual refresher training triggers automatically. No spreadsheet. No one falls through the cracks.
4. Real-time compliance dashboard
See compliance rate by department, course, or employee — know instantly who is overdue.
5. Audit-ready reports in one click
When the ICO asks for evidence, export a dated report. That is your defence.
Everything just runs. No chasing. No spreadsheets. No stress.
How CEO fraud training fits into your wider cyber cluster
CEO fraud is one vector in a broader social engineering landscape. Your training programme needs to cover all of it.
| Training area | What it covers | Guide |
|---|---|---|
| Phishing awareness | Recognising and reporting phishing emails, links, and attachments | Phishing awareness training for employees |
| Social engineering | Vishing, pretexting, baiting, tailgating, and impersonation tactics | Social engineering training for employees |
| CEO fraud / BEC | Executive impersonation, wire transfer fraud, payroll diversion, data harvesting | This guide |
Together, these three areas form a complete cyber awareness programme that satisfies UK GDPR Article 32, aligns with Cyber Essentials expectations, and gives you training records to evidence compliance.
For the full regulatory picture, see our cyber security training requirements guide for UK SMEs.
You can also enrol your team in our cyber security awareness course — which covers these areas in a single, trackable programme.
FAQ: CEO fraud training UK
Common questions about CEO fraud awareness training for UK employers.
What is CEO fraud and how does it differ from phishing?
Is CEO fraud training a legal requirement in the UK?
How often should employees receive CEO fraud awareness training?
What should an employee do if they receive a suspicious CEO email?
Can online training satisfy the Cyber Essentials staff awareness requirement?
How does an LMS help with CEO fraud training compliance?
Useful sources
- NCSC: Business Email Compromise — Defending Your Organisation
- NCSC: Business Payment Fraud guidance
- ICO: Training and Awareness (Accountability Framework)
- ICO: All-Staff Training Programme toolkit
- Gov.uk: Cyber Security Breaches Survey 2025
- Report Fraud: UK's fraud and cyber crime reporting service
- NCSC: Cyber Essentials scheme overview
- FBI IC3: Business Email Compromise — The $55 Billion Scam
- NCA: National Strategic Assessment 2025 — Fraud
Ready to automate CEO fraud training?
Book a live walkthrough and see how TrainMeUK assigns, tracks, and renews training automatically — or start a free trial and have your first course live today.