[This article was co-written with Daniel Shkedi, a product marketing manager at BioCatch.]

A CFO at a cybersecurity startup receives an urgent email from his CEO, who happens to be on a business trip at the time. “David, we need to transfer $40,000 to X this morning to lock in a discount price from this supplier. The bank details are below. I will be in a meeting, so please confirm with me by email that it was done. Thank you.” The CEO returns to the office later that day and the CFO proudly tells him that the transaction has been completed. “What are you talking about?” says the CEO. “I never asked you to transfer any funds!”

This is Fraud Stories, a monthly blog focused on digital identity and online fraud, one of the most defining issues of our day.

CEO fraud losses exceed $3 billion per year

Business email compromise, also known as CEO fraud, is a scam in which fraudsters spoof the company email accounts of senior executives or the CEO, impersonate them, and send emails to finance departments in an attempt to deceive them into executing payments.

Business email compromise is sophisticated and hard to spot because it tends to target businesses that work with foreign suppliers and/or businesses that regularly make wire transfer payments. The scam is carried out by fraudsters who compromise the email accounts of the victim's known contacts, and it is a two-part attack: it usually begins with social engineering or computer intrusion techniques to gain access to the CEO’s email account in the first place, and the fraudster then uses that access to send the victim a message requesting the money transfer. According to the Federal Bureau of Investigation, from January 2015 to June 2016 fraudsters stole approximately $3.1 billion from more than 22,000 victims through this type of fraud, marking a 1,300% rise in losses.
In a recently released video, Citibank calls business email compromise the most dangerous online scam: about one in four victims in the United States respond and transfer money to the fraudsters.

Types of CEO fraud emails

“I’m unavailable” emails: Just as in our fictional anecdote above, the fraudster impersonating the CEO supposedly needs an urgent transaction done and mentions that he will not be available to discuss it.

Direct billing emails: The “CEO” supplies the full details for a money transfer, including amount, bank account number, SWIFT code and routing number, and requests that the payment be processed immediately. The payment will typically be to a new account.

CEO emails with malware: The “CEO” sends an email with a supposed invoice attached. Once opened, the attachment runs malicious code that creates a “backdoor,” which can enable further attacks on the organization’s internal network and post-login account takeovers of corporate online banking accounts.

Malicious persuasion under the guise of authority

The use of the CEO’s name and email address has a powerful psychological effect on employees: it creates a sense of authority and legitimacy. A typical employee who wants to excel in the workplace will, in most cases, take such an email very seriously and comply. Psychologists call this phenomenon the “authority bias,” the attribution of greater importance to the opinions or requests of authority figures regardless of their content. This effect makes this type of fraud especially cunning and much more dangerous than other email scams, because of its disarming effect on individual judgment and critical thinking.

Organizational practices and safeguards

Preventing business email compromise requires a series of practices that strengthen your organization’s security posture.
Here are three basic steps to take:

1. Create training programs for employees that educate them about the risk of CEO fraud, how to recognize phishing emails, and what practicing “good cyber hygiene” means.

2. Develop rigid payment authorization processes with financial personnel, using multiple confirmation methods (e.g., large payments require written or verbal confirmation through a separate channel).

3. Incorporate dynamic authentication protocols that go beyond traditional verification to control access to email accounts.
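The three email patterns above and the payment-authorization step can be turned into a simple screening rule for a finance mailbox. The following Python is an added example written for this post, not code from BioCatch or from the original article: it scores an inbound payment request on the signals the patterns describe (an executive's name on an address that is not the executive's, a reply-to that differs from the sender, urgency wording, a claim to be unreachable, a beneficiary account never paid before, an "invoice" lure with an executable or macro attachment) and then applies an out-of-band confirmation policy for large amounts. The executive directory, the known-beneficiary list, the signal words, the amount threshold and all sample messages are constructed assumptions; a real deployment would take them from the organization's own directory and payment history.

```python
"""Screening of inbound payment-request e-mails for the CEO-fraud patterns
described in the post. Directory, beneficiary list, wording lists, threshold
and all sample messages are constructed for the example."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed directory of genuine executive mailboxes and the display names they use.
EXECUTIVES = {"ceo@example-corp.com": "Jane Doe"}
# Assumed set of beneficiary accounts that finance has paid before.
KNOWN_BENEFICIARIES = {"GB29NWBK60161331926819"}
# Assumed policy: payments at or above this amount need a phone or in-person confirmation.
OUT_OF_BAND_THRESHOLD = 10_000.0

URGENCY = re.compile(r"\b(urgent|immediately|this morning|asap|right away)\b", re.I)
UNAVAILABLE = re.compile(r"\b(in a meeting|unavailable|can.t talk|do not call|on a flight)\b", re.I)
TRANSFER = re.compile(r"\b(wire|transfer|payment|pay)\b", re.I)
AMOUNT = re.compile(r"\$\s?([\d,]+(?:\.\d{2})?)")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
RISKY_ATTACHMENT = (".zip", ".exe", ".js", ".docm", ".xlsm")


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str
    attachments: tuple = ()


@dataclass
class Assessment:
    signals: List[str] = field(default_factory=list)
    amount: Optional[float] = None
    beneficiary: Optional[str] = None

    @property
    def score(self) -> int:
        return len(self.signals)


def assess(mail: Email) -> Assessment:
    """Collect the CEO-fraud signals present in one message."""
    a = Assessment()
    exec_name = next((n for n in EXECUTIVES.values()
                      if n.lower() in mail.display_name.lower()), None)
    if exec_name and mail.from_addr.lower() not in EXECUTIVES:
        a.signals.append("executive name on a non-executive address")
    if mail.reply_to and mail.reply_to.lower() != mail.from_addr.lower():
        a.signals.append("reply-to differs from sender")
    if URGENCY.search(mail.body):
        a.signals.append("urgency")
    if UNAVAILABLE.search(mail.body):
        a.signals.append("sender claims to be unreachable")
    if TRANSFER.search(mail.body):
        m = AMOUNT.search(mail.body)
        if m:
            a.amount = float(m.group(1).replace(",", ""))
        ib = IBAN.search(mail.body)
        if ib:
            a.beneficiary = ib.group(0)
            if a.beneficiary not in KNOWN_BENEFICIARIES:
                a.signals.append("payment to a beneficiary never paid before")
    lure = re.search(r"invoice", mail.subject + " " + mail.body, re.I)
    if lure and any(att.lower().endswith(RISKY_ATTACHMENT) for att in mail.attachments):
        a.signals.append("invoice lure with executable/macro attachment")
    return a


def payment_decision(a: Assessment, confirmed_out_of_band: bool = False) -> str:
    """Apply the authorization policy: escalate suspicious mail, and require a
    separate-channel confirmation for large payments even when nothing looks wrong."""
    if a.score >= 2:
        return "hold: escalate to security"
    if a.amount is not None and a.amount >= OUT_OF_BAND_THRESHOLD and not confirmed_out_of_band:
        return "hold: out-of-band confirmation required"
    return "process"


# Constructed samples mirroring the three patterns in the post (lookalike domain is invented).
BEC_UNAVAILABLE = Email("Jane Doe", "jane.doe@example-corp-mail.com", "", "Supplier payment",
                        "David, we need to transfer $40,000 to the supplier this morning to lock in "
                        "a discount. IBAN DE89370400440532013000. I will be in a meeting so please "
                        "confirm by email once it is done.")
BEC_MALWARE = Email("Jane Doe", "jane.doe@example-corp-mail.com", "", "Invoice 2291",
                    "Please see the attached invoice and process it today.", ("Invoice_2291.zip",))
LEGIT_ROUTINE = Email("Jane Doe", "ceo@example-corp.com", "", "Monthly payment",
                      "Hi David, please process the regular monthly payment of $8,500 to "
                      "GB29NWBK60161331926819. Thanks.")

if __name__ == "__main__":
    for mail in (BEC_UNAVAILABLE, BEC_MALWARE, LEGIT_ROUTINE):
        a = assess(mail)
        print(mail.subject, "->", payment_decision(a), a.signals)
```

The score threshold and the signal words are deliberately coarse; the point of the example is that the decision for a large payment is "hold" until someone confirms it through a channel the email cannot control, which is exactly the gap the anecdote's CFO fell into.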