CEO fraud and fake invoices: is your domain being imitated?

A fraudster impersonating you or a supplier can cost your business thousands of dollars. Here's how these scams work — and how to check whether your domain is already being imitated.

In short: CEO fraud and fake invoices often rely on a lookalike domain — an imitation of your domain name. Your email protections (DMARC) don't apply to that fake domain: it has to be detected separately.

What is CEO fraud (business email compromise)?

A fraudster impersonates the company's executive (or a known supplier) and writes to your accounting team demanding an urgent wire transfer or payment of a fake invoice. It's one of the costliest scams for small businesses, because it targets people, not machines.

The role of lookalike domains (typosquatting)

To look credible, the fraudster registers a domain that resembles yours: a changed letter, an added hyphen, a different extension (.co instead of .com). They then create an email address on that fake domain and write to your customers or staff. Our lookalike detector checks for free whether such imitations already exist for your domain.

Direct spoofing vs. lookalike domain: two different problems

How to protect yourself

  1. Enable DMARC at reject to block direct spoofing.
  2. Monitor lookalike domains to spot an imitation before your customers do.
  3. Set an internal rule: any change to a supplier's banking details is confirmed by phone, never by email alone.
  4. Run the free security check to see where you stand.

Check your setup for free

Enter your domain: we test your SPF, DKIM, DMARC and website, and give you the exact action plan.

Run the free check
See also: the SPF, DKIM, DMARC guide, Microsoft 365, Google Workspace, securing your website.