The Costly Lesson of CEO Fraud: Why Employee Cybersecurity Training is Crucial
January 16, 2016 – Ried im Innkreis, Austria. At the offices of FACC Operations GmbH (an Austrian manufacturer of aerospace components), an employee from the finance department received an urgent email that appeared to come directly from the company’s CEO.
The request was clear: a multi-million-euro transfer was needed to finalize a "strategic project".
Under pressure due to the "confidential" nature of the request and the authority of the sender, the employee proceeded with the transaction without verifying its legitimacy.
A few days later, FACC discovered it had been scammed. The email had not come from the real CEO but from cybercriminals who had impersonated him. By the time the fraud was detected, the company had lost approximately 42 million euros.
This case shows how a lack of cybersecurity awareness and training can lead to massive financial losses, not because of a technical failure or a software vulnerability, but because of the human factor.
Why Invest Resources in Employee Training?
- The Most Vulnerable Link
Even with state-of-the-art technical controls in place, staff who are not vigilant are the easiest entry point for an attacker.
- Social Engineering and Manipulation
Phishing and BEC attacks exploit trust and authority rather than technical vulnerabilities; a well-written message with no attachment and no link passes through mail filters and endpoint protection untouched.
- Economic and Reputational Consequences
A single fraudulent transaction can cause multi-million-euro losses and irreparable damage to a company's reputation.
- False Sense of Security
Thinking, "This won't happen to us", is a serious mistake. Cybercriminals continuously refine their methods, targeting organizations of all sizes.
How Can We Prevent These Situations?
- Continuous Training
Organize workshops, webinars, and phishing or BEC attack simulations. Teach employees to spot the tell-tale signs: a display name that matches an executive while the address does not, a sender domain that differs from the real one by a swapped letter or a different top-level domain, a Reply-To header pointing to another mailbox, and exaggerated urgency or confidentiality ("I am in a meeting, keep this between us").
- Internal Verification Policies
Establish protocols that require every high-value transfer to be confirmed through a second channel, such as a phone call to the requester on a number taken from the internal directory (never from the email itself) or an in-person check. Require dual approval or signatures from multiple executives for large financial transactions, and make it explicit that no single email, however senior its apparent sender, can override this procedure.
- Multi-Factor Authentication (MFA)
A username and password alone are not enough. Two-step or multi-step verification (one-time codes, authentication apps, physical tokens) makes unauthorized access more difficult when credentials are stolen through phishing. Note the limit of this control: MFA protects against the variant of BEC in which attackers take over a real executive's mailbox, but it does nothing against a spoofed or lookalike sender, so it complements the verification policy rather than replacing it.
- Culture of “Constructive Distrust”
Encourage employees to report or question the legitimacy of an email whenever in doubt, without fear of repercussions. Create clear channels of communication to quickly report anomalies.
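The sender and content checks described in the training and verification points above, as an added example that is not part of the original article: a small Python triage script that parses a message, compares the sender's display name against a directory of executives, detects lookalike domains by homoglyph normalisation and edit distance, checks Reply-To against From, and counts urgency and payment language. The domain example.com, the executive directory, and both sample messages are constructed for this illustration; the thresholds are starting points, not tuned values.

```python
"""Heuristic triage for CEO-fraud / BEC emails (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumed legitimate corporate domain (constructed)

# Executives whose names an attacker is likely to borrow, mapped to the only
# address they legitimately send from. Constructed for this example.
EXECUTIVES = {"walter example": "w.example@example.com"}

# Language that BEC lures lean on: urgency, secrecy and payment instructions.
PRESSURE_WORDS = re.compile(
    r"\b(urgent|immediately|asap|confidential|discreet|strictly between us|"
    r"cannot talk|in a meeting|wire|transfer)\b",
    re.IGNORECASE,
)

# Substitutions commonly used to build lookalike domains (rn -> m, 0 -> o, ...).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain):
    """Collapse common homoglyph tricks so examp1e.com reads as example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; a swapped or missing letter gives a small distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when the domain is not ours but is built to resemble it."""
    domain = domain.lower()
    if domain == OUR_DOMAIN:
        return False
    # The distance threshold should be tuned to the length of the real domain.
    return normalize_domain(domain) == OUR_DOMAIN or levenshtein(domain, OUR_DOMAIN) <= 2


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Display name of an executive on an address that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{display}' used with address {addr}")

    # 2. Lookalike sender domain.
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} resembles {OUR_DOMAIN}")

    # 3. Replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")

    # 4. Urgency, secrecy and payment language in subject and body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    hits = sorted({m.lower() for m in PRESSURE_WORDS.findall(text)})
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))

    return findings


# Constructed sample lure in the FACC pattern: a CEO's name on a lookalike domain.
SAMPLE_FRAUD = """\
From: Walter Example <walter.example@examp1e.com>
Reply-To: ceo.walter.example@webmail.invalid
To: finance@example.com
Subject: Urgent and confidential

I am in a meeting and cannot talk. Please wire EUR 1,200,000 today for the
strategic project. Keep this strictly between us.
"""

# Constructed sample of ordinary internal mail from the real executive address.
SAMPLE_LEGIT = """\
From: Walter Example <w.example@example.com>
To: finance@example.com
Subject: Q1 board deck

Attached is the draft deck for Thursday. No action needed yet.
"""

if __name__ == "__main__":
    for name, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample) or "no findings")
```

Run as a script, the fraud sample yields four findings (executive name on a foreign address, lookalike domain, redirected Reply-To, pressure language) and the legitimate sample yields none. A hit from any of the first three checks should route the message to the out-of-band verification step regardless of what the text says, since a convincing lure is exactly one that contains no obvious pressure words.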
Conclusions
The FACC case proves that a single human lapse can cause millions in losses and severe reputational damage. There was no malware, no network breach—just a well-crafted email that exploited human trust.
Cybersecurity is not just about firewalls and antivirus software—it’s about building a security-first culture through training, awareness, and strict protocols. When every employee understands the risks and knows how to respond, the human factor transforms from the weakest link into the first line of defence.
Regular phishing and BEC simulations keep that awareness current. Attackers continuously refine their lures, so periodic tests that train staff to recognize and report suspicious emails are the most direct way to reduce the human error behind Business Email Compromise and credential theft, and to lower the financial and reputational risk that follows.
Other Cases
Google and Facebook
Between 2013 and 2015, a Lithuanian scammer sent fraudulent invoices and emails posing as a Taiwanese hardware supplier that both companies used.
Google and Facebook together transferred more than $100 million before the scheme was uncovered.
Sources: BBC, CNBC
Toyota Boshoku
In 2019, Toyota Boshoku, a Toyota Group parts supplier, transferred approximately $37 million to cybercriminals after receiving genuine-looking fraudulent emails disguised as supplier communications.
Crelan Bank
In 2016, Belgium's Crelan Bank lost around €70 million in a Business Email Compromise (BEC) attack in which cybercriminals posed as high-ranking executives to request transfers.
Source: Help Net Security
Stay safe. Stay smart. Stay secure.