The CEO Email Scam at a Small Marketing Agency
An accounts assistant at a 12-person agency transferred £18,000 after receiving what looked like a genuine email from her director.
Attack Chain
1. Director's travel researched via LinkedIn/Instagram
2. Spoofed email sent impersonating director
3. Urgency used to prevent verification
4. Payment processed to criminal account
Background
A small marketing agency in Bristol had 12 staff. The finance assistant was trusted to handle routine supplier payments. The company director was travelling, which criminals had worked out from his public LinkedIn profile and a recent Instagram post showing an airport.
The Attack
An email arrived from what appeared to be the director's address, asking the assistant to process an urgent supplier payment of £18,000 before end of day. The email looked genuine: it carried his name, job title, and even his usual sign-off phrase. The assistant did not recognise the supplier but assumed it related to a new client the director had signed while travelling. She processed the payment without checking with anyone.
Response
The director discovered the fraud that evening when the real supplier chased payment. The agency immediately contacted their bank but the receiving account had already been emptied. Police were informed, an Action Fraud report was filed, and the agency's cyber insurance was contacted.
Outcome
The agency recovered £4,200 through their bank's fraud team but lost £13,800. The finance assistant was devastated. The business implemented a call-back verification policy for any payment over £500.
Key Takeaways
- Always verify any payment request over a certain amount by calling the person who sent it — use a known phone number, not one in the email
- Criminals research targets on social media to time their attacks when key staff are away
- Check the actual email address carefully — scammers use addresses like director@company-invoice.com to look legitimate
- Set a policy that no payment above a threshold can be made without verbal confirmation from a second person
- Email alone should never be sufficient authorisation for a financial transfer
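The "check the actual email address" takeaway above can be turned into an automated screen that runs before a human ever reads the message. The script below is an added example written for this page, not something the agency or any product used. It assumes a fictional agency domain (`bristolagency.example`), a fictional director (`Alex Director`), and two constructed sample messages; the checks it makes are the ones the case study points at: a lookalike sender domain, the director's display name on a foreign address, a Reply-To that diverts the thread, failed SPF/DKIM/DMARC results stamped by the receiving server, and urgency combined with payment language in the body.

```python
import re
import email
from email.utils import parseaddr

# Assumed, fictional details for the agency in the case study. A real deployment
# would load these from the company's mail configuration and staff records.
TRUSTED_DOMAINS = {"bristolagency.example"}
# Staff who may authorise payments, keyed by display name, with their real address.
AUTHORISERS = {"alex director": "alex@bristolagency.example"}

URGENCY = re.compile(r"\b(urgent(ly)?|before end of day|by close of business|today|asap)\b", re.I)
MONEY = re.compile(r"\b(payment|transfer|invoice|bank details|account)\b", re.I)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str, trusted: set) -> bool:
    """True when a domain reuses a trusted domain's name but is not that domain,
    e.g. company-invoice.com or company.co standing in for company.com."""
    for t in trusted:
        label = t.split(".")[0]          # 'bristolagency' from 'bristolagency.example'
        if domain != t and label in domain:
            return True
    return False


def body_text(msg) -> str:
    """Concatenate the text/plain parts (covers single-part and multipart mail)."""
    return "\n".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"
    )


def triage(raw_message: str) -> dict:
    """Check one raw message for CEO-fraud indicators; any hit means phone verification."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # 1. Sender domain: really ours, or a lookalike such as company-invoice.com?
    if from_dom not in TRUSTED_DOMAINS:
        findings.append("external-sender")
        if is_lookalike(from_dom, TRUSTED_DOMAINS):
            findings.append("lookalike-domain")

    # 2. Display-name spoofing: the director's name on somebody else's address.
    real = AUTHORISERS.get(from_name.strip().lower())
    if real and real != from_addr.lower():
        findings.append("display-name-mismatch")

    # 3. A Reply-To outside the From domain quietly redirects the conversation.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 4. SPF/DKIM/DMARC verdicts stamped by the receiving mail server, if present.
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)", auth, re.I):
        findings.append("auth-fail")

    # 5. The pressure tactic itself: urgency and money in the same message.
    text = body_text(msg)
    if URGENCY.search(text) and MONEY.search(text):
        findings.append("urgent-payment-language")

    action = "verify by phone before paying" if findings else "no indicators"
    return {"from": from_addr, "findings": findings, "action": action}


# Constructed sample messages for this example (not the real email from the case).
SPOOFED_EMAIL = """From: Alex Director <alex@bristolagency-invoice.example>
Reply-To: Alex Director <alex.director@webmail-relay.example>
To: finance@bristolagency.example
Subject: Urgent supplier payment
Authentication-Results: mx.bristolagency.example; spf=fail smtp.mailfrom=bristolagency-invoice.example; dmarc=none

Hi,
Please process an urgent supplier payment of £18,000 before end of day, details attached.
I am between flights so email is best.
Cheers for now,
Alex
"""

LEGIT_EMAIL = """From: Alex Director <alex@bristolagency.example>
To: finance@bristolagency.example
Subject: Weekly numbers
Authentication-Results: mx.bristolagency.example; spf=pass; dkim=pass; dmarc=pass

Can you send me the weekly numbers when you get a chance?
Alex
"""

if __name__ == "__main__":
    for sample in (SPOOFED_EMAIL, LEGIT_EMAIL):
        print(triage(sample))
```

Run on the constructed spoofed message this flags all five indicators; the genuine internal message produces none. The screen is a complement to the call-back rule, not a replacement: a compromised real mailbox passes every one of these checks, which is exactly why the phone verification policy in the next section still applies.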
How to Prevent This
Review your social media privacy settings
Information that is publicly visible on your social media profiles is information that criminals can use against you: to impersonate you, to tailor a scam, or to answer your security questions. Full name, birthday, phone number, home town, workplace, and family members' names are all useful to a scammer. The business email compromise at the Bristol agency succeeded partly because the director's travel plans were visible on his public LinkedIn and Instagram.

Review your settings on each platform:

- Facebook: Settings → Privacy → Check your privacy settings, and review what your public profile shows to people who are not friends
- Instagram: Settings → Privacy → set the account to Private if you are an individual (not a business)
- LinkedIn: Settings → Visibility → review what your public profile shows to people outside your network (the "Profile viewing options" setting only controls how you appear when you look at other people's profiles, not what they can see of yours)
- TikTok: Settings → Privacy → set the account to Private

For business accounts where visibility matters, consider what information is genuinely necessary to display publicly. Your business phone number and location are useful. Your director's personal travel diary is not.

This takes about 15 minutes and should be repeated annually, because platforms change their defaults.
Set a rule: always verify payment requests by phone
Business Email Compromise, where criminals impersonate a director, supplier, or client to redirect payments, is one of the most costly frauds affecting small businesses. The defence is simple: a phone verification rule.

Implement a policy that any payment request above a set amount (start with £500, or whatever fits your business) must be verbally confirmed before processing. The key is to call using a phone number you independently know, not the one in the suspicious email. Use the number from the contact's business card, your own records, or their official website. Do not reply to the same email chain, and do not use a "call me on this number" supplied in the request itself, since the criminal will happily answer it.

This rule should apply to:

- Unexpected payment requests from management or directors
- Any supplier asking you to update their bank account details
- Solicitors or estate agents sharing bank details for large transfers
- Any email claiming urgency around financial matters

The fraud at the Bristol marketing agency was only possible because the assistant processed the payment without picking up the phone. A 30-second call to the director's known number would have stopped the £18,000 transfer, of which £13,800 was never recovered.