The fake CEO scam – how one email almost killed a logistics empire

Years ago, I sat across from a jittery CEO of a large logistics company in Zambia. His eyes told the story before his lips did. “We almost lost $1.5 million last month,” he confessed. How? One fake email. One “urgent” request. One careless click. And therein lies today’s lesson.

Old wisdom says, “The hyena does not need a big hole; it only looks for one loose plank in the kraal.” That is precisely how the fake CEO scam works.

How the scam unfolds

It starts simple. Cybercriminals spend weeks quietly studying your company. They learn your reporting structure, who approves payments, and even how the CEO writes emails. Then, boom, they strike. A finance officer receives an email seemingly from the CEO or MD, urgently requesting a wire transfer to a new supplier. The email domain is almost identical, maybe one letter off, but who is checking under pressure?

The finance team, trained to obey hierarchy, processes the payment. Hours later, the money is gone, sitting comfortably in a shell account overseas.

During a board risk review at a client in the hospitality sector, I saw the same trick used. Attackers spoofed the GM’s email, approving a $250,000 invoice to a “vendor” who did not exist. Nobody questioned it because the chain of command was clear: you obey.

It works because of leadership weakness.

Do you think your cyber threat is purely technical? Think again. This scam thrives not because your firewall failed, but because of weak governance and zero verification culture.

The logistics company I advised had one glaring issue: no dual control on large payments. Finance trusted emails at face value, assuming no one could impersonate their CEO. They lacked an “always verify, never assume” protocol.

This is the classic case of ‘trust over verify’. Cultural complacency, mixed with poor controls, is a disaster cocktail.

In the Zambia case, they were lucky. The transaction was flagged late, but before completion, thanks to a sharp-eyed junior accountant who noticed the slight domain mismatch.

In another manufacturing firm in Kenya, they weren’t so fortunate. $800,000 wired. No recovery.

The key lesson here: kill the blind obedience.

What can you, as a leader, do today?

a) Enforce dual authorization policies. No large payment gets processed on email instruction alone, regardless of the sender’s title.

b) Implement mandatory voice verification. Always call back to confirm high-risk requests, using known numbers, not ones provided in emails.

c) Train staff to question. Yes, even when the email says ‘from the CEO’. Remove fear culture. Encourage them to double-check.

d) Audit email domain controls. Your IT should monitor look-alike domain registrations and flag them.

This week, gather your finance, IT, and operations heads. Ask them a simple question: “If someone impersonated me right now and ordered a payment, what checks exist to stop it?”

If they hesitate, your system is broken.

The leadership tool we recommend at IFIS is the zero-trust wire transfer protocol

Draft a one-page policy today. No payment above a set threshold is actioned without:

  1. Dual sign-off (preferably across departments),
  2. Voice verification with at least one signatory,
  3. Domain and sender authenticity check by IT before approval.
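Item d) above and step 3 of the protocol both ask IT to check sender-domain authenticity before a payment is approved. The following is an added example of what such a check can look like in code; it is not IFIS’s tooling or policy text. It assumes a constructed placeholder company domain, `acme-logistics.example`, and the sender addresses in the sample are likewise constructed. It flags three kinds of look-alike: homoglyph swaps (`0` for `o`, `rn` for `m`), domains that embed the real label (`acme-logistics.example.com`), and domains within a couple of typing edits of the real one.

```python
import unicodedata

# Constructed placeholder for the company's real mail domain (assumption, not from the article).
LEGITIMATE_DOMAINS = {"acme-logistics.example"}

# Character substitutions commonly used to build domains that read like the real one.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

MAX_EDITS = 2  # edit distance at or below which a domain counts as a look-alike


def normalize(domain: str) -> str:
    """Lower-case, fold Unicode compatibility forms and undo common homoglyph swaps."""
    d = unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the domain of an email address."""
    if "@" not in address:
        return "lookalike"  # malformed From: header; treat as suspicious rather than ignore
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if domain in LEGITIMATE_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for legit in LEGITIMATE_DOMAINS:
        legit_norm = normalize(legit)
        legit_label = legit_norm.split(".")[0]
        if norm == legit_norm:
            return "lookalike"  # differs from the real domain only by homoglyphs
        if legit_label in norm:
            return "lookalike"  # real name embedded in a different registrable domain
        if edit_distance(norm, legit_norm) <= MAX_EDITS:
            return "lookalike"  # one or two characters off, the classic trick
    return "external"


def flag_payment_requests(messages):
    """Given (sender, subject) pairs, return those whose sender is not a trusted domain.

    Anything returned here should be held for the voice-verification step, not paid.
    """
    flagged = []
    for sender, subject in messages:
        verdict = classify_sender(sender)
        if verdict != "trusted":
            flagged.append((sender, subject, verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample inbox of a finance officer; none of these are real addresses.
    inbox = [
        ("ceo@acme-logistics.example", "Q3 budget"),
        ("ceo@acme-logistlcs.example", "URGENT: wire to new supplier today"),
        ("ceo@acme-l0gistics.example", "Confidential payment, do not discuss"),
        ("ceo@acme-logistics.example.com", "Approve invoice 4471"),
        ("sales@supplier.example", "Updated price list"),
    ]
    for sender, subject, verdict in flag_payment_requests(inbox):
        print(f"{verdict:9s} {sender:40s} {subject}")
```

Run it as a script to see the held messages; in practice this logic would sit in the mail gateway or in a finance-team add-in, and a `lookalike` verdict is the trigger for the call-back on a known number that item b) describes. Note that the homoglyph table is deliberately short: the aim is to catch the cheap tricks, while the edit-distance check covers the single-letter swaps the article mentions.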

Print it. Circulate it. Enforce it.

In my village, the cattle owner who sleeps without locking the kraal cries first in the morning. Don’t be that leader. Tighten the kraal.

Institute of Forensics & ICT Security is a training institute of Summit Consulting Ltd.
