CEO Fraud and Targeted Phishing: The Most Costly BEC Cases in France
From Pathé (EUR 19.2M) to Vallourec (EUR 22M), a look back at the most expensive CEO fraud cases in France. Techniques, case law, and how to protect your business from BEC.
On March 8, 2018, the managing director of Pathé Films in Amsterdam received an email from what he believed to be the group's Paris headquarters. Subject: a confidential acquisition in progress, requiring immediate fund transfers. Over four weeks, he authorized wire transfers totaling EUR 19.2 million to accounts in Dubai. By the time headquarters discovered the scheme, the money was gone.
The Pathé case was neither isolated nor an anomaly. It is how CEO fraud works - a scam that has cost French businesses hundreds of millions of euros since 2010, and that continues to strike in 2026 with increasingly sophisticated techniques.
What Americans call BEC (Business Email Compromise), the French call "fraude au président" or FOVI (Faux Ordres de Virement International - fraudulent international wire transfer orders). The mechanism is always the same: a scammer impersonates an executive and orders an urgent wire transfer from an employee who has access to the accounts. The scam relies on hierarchical trust, not on exploiting technical vulnerabilities.
This article reviews the most costly cases that have occurred in France, breaks down the techniques used by scammers, explains why France is a prime hunting ground, and details how to defend against it. With names, amounts, dates, and court rulings.
The Scale of the Problem: Staggering Numbers
Before diving into individual cases, let's establish the orders of magnitude.
The FBI IC3 (Internet Crime Complaint Center) classifies BEC as the most costly category of cybercrime in the world. In 2023, reported losses in the United States alone reached USD 2.9 billion - more than ransomware, investment fraud, and data theft combined (FBI, Internet Crime Report 2023). Between June 2016 and December 2023, cumulative reported FBI losses exceeded USD 55 billion.
In France, OCLTIC (Office central de lutte contre la criminalité liée aux technologies de l'information et de la communication - the central office for combating IT-related crime, part of the national police) estimated in 2017 that CEO fraud had cost French businesses over EUR 485 million since 2010. That figure only covers reported cases. DCPJ (Direction centrale de la Police judiciaire - France's central directorate of the criminal investigation service) has publicly acknowledged that the reporting rate for this type of fraud remains low: many companies prefer to absorb the loss rather than publicly expose a human failure.
Cybermalveillance.gouv.fr, the national platform for assisting victims of cybercrime, has ranked fraudulent wire transfers in its top 5 business threats since the program launched in 2020. In its 2024 activity report, the platform noted a resurgence of wire transfer scams targeting SMBs, often combined with email and phone phishing.
Why Official Numbers Understate Reality
Three factors explain the gap between official statistics and actual losses.
Failure to report. An SMB that loses EUR 80,000 to CEO fraud does not always file a complaint. The owner fears negative publicity, doubts that police will recover the money (and is usually right), and dreads that clients, bankers, and insurers will find out. According to DCPJ estimates, the effective reporting rate for fraudulent wire transfers hovers between 30% and 50% of actual cases.
Category confusion. CEO fraud cases are sometimes classified as "fraud" in criminal statistics, sometimes as "cybercrime," sometimes as "banking fraud." The Ministry of the Interior publishes aggregate statistics where fraudulent wire transfers get buried in broader categories.
No centralized registry. Unlike personal data breaches (reported to the CNIL - Commission nationale de l'informatique et des libertés, France's data protection authority) or incidents affecting critical infrastructure operators (reported to ANSSI - Agence nationale de la sécurité des systèmes d'information, France's national cybersecurity agency), there is no mandatory reporting requirement for wire transfer fraud. Each case stays in the files of the local police station or gendarmerie that took the complaint.
Pathé Netherlands (2018): EUR 19.2 Million Gone
The Pathé case is probably the most widely reported CEO fraud case in France and the Netherlands. It deserves a detailed examination because it illustrates, step by step, how the scam works against experienced professionals.
The Timeline
In March 2018, Dertje Meijer, managing director of Pathé Netherlands (the Dutch subsidiary of the French Pathé group), and Edwin Slutter, the CFO, received emails seemingly from the group's Paris headquarters. The messages referenced the confidential acquisition of a company in Dubai - an operation requiring cash advances.
The emails were written in professional English, signed with the name of the CEO of Pathé France, and insisted on absolute confidentiality. "Do not discuss this with anyone, not even other board members. Market regulators are watching."
Over a period of four weeks, Meijer and Slutter authorized five wire transfers totaling EUR 19.2 million to accounts in the United Arab Emirates. Each request was accompanied by forged documents - attorney letters, transfer slips, escrow account confirmations.
The fraud was discovered when the Paris headquarters asked the subsidiary about abnormal cash movements. Both executives were fired. The money was never recovered.
What This Case Reveals
The quality of preliminary research. The scammers knew Pathé's governance structure, the names of executives, the relationship between the subsidiary and headquarters, and the available cash balances. This level of preparation implies weeks - possibly months - of reconnaissance: consulting the commercial registry, annual reports, LinkedIn profiles, press releases.
Exploiting geographic distance. The Dutch subsidiary and the French headquarters did not share offices. Interactions happened via email. This distance made it impossible to verify the request with a quick visit to the CEO's office.
The power of secrecy. The confidentiality requirement prevented the victims from consulting anyone. This mechanism isolates the target and disables the primary safety net against fraud: third-party verification.
Escalating amounts. The first wire transfer was not for EUR 19 million. The scammers started with a more modest amount, then gradually increased. This "foot-in-the-door" pattern is a textbook social engineering technique documented in psychology since Freedman and Fraser (1966). For a full analysis of the cognitive biases exploited by these techniques: Phishing Psychology: Why Smart People Click.
Legal Aftermath
Pathé sued its former executives in the Netherlands for negligence. In 2022, the Amsterdam court ruled that Meijer and Slutter had been "grossly negligent" in failing to verify the authenticity of the requests, despite red flags (unusual amounts, unusual destination, unusual procedure). The two former executives were ordered to pay damages.
The case resulted in no criminal convictions of the scammers, who were never identified.
Vallourec (2013): EUR 22 Million - France's Record
The Vallourec case holds an unenviable record: at the time of the incident, it was the largest known CEO fraud in France.
The Facts
In 2013, Vallourec, a multinational specializing in seamless steel tubes (EUR 13 billion in revenue at the time, 20,000 employees), fell victim to CEO fraud that cost it EUR 22 million.
Details of the case received less media coverage than Pathé's - Vallourec worked to limit press attention. What is known: scammers impersonated group executives and convinced accounting staff to execute international wire transfers. As in the Pathé case, the confidentiality of the operation was hammered home in every exchange.
The amount - EUR 22 million - is staggering, but it needs to be put in proportion to Vallourec's revenue at the time. For the multinational, it was an absorbable loss. For a 50-employee SMB, a proportionally equivalent amount would represent its entire cash reserve. To understand what a cyber incident truly costs a small business: What a Cyberattack Really Costs a 50-Person SMB.
Why Large Corporations Are Targeted
You might assume that large companies - with their internal audit procedures, audit directors, and CISOs - are less vulnerable. The opposite is true.
Large corporations are prime targets for three reasons.
First, available funds are high. A EUR 5 million wire transfer does not necessarily trigger an alert in a company that moves hundreds of millions. The detection threshold is higher.
Second, organizational complexity creates blind spots. A group with subsidiaries in 30 countries, dozens of regional CFOs, and matrix reporting relationships offers multiple entry points. The scammer does not need to fool the group CEO: they just need to fool an accountant in a subsidiary by impersonating the regional CFO.
Third, information is public. Annual reports, press releases, organizational charts on the corporate website, LinkedIn profiles of senior executives - it is all accessible. A competent scammer can reconstruct a wire transfer's decision chain in a few hours of research.
Etna Industrie (2016): The SMB That Sued Its Bank - and Won
The Etna Industrie case has become a textbook example in French banking law, and it is directly relevant to every SMB.
The Facts
In 2014, Etna Industrie, an industrial SMB in the Paris region with roughly 50 employees, fell victim to CEO fraud. A scammer impersonated the company's owner and convinced the accountant to process international wire transfers. Total amount: EUR 542,000, spread across three transfers to accounts in China and Estonia.
The accountant, a long-tenured employee, described a textbook scenario after the fact: the caller used the informal "tu" form of address, knew the names of other employees, insisted on urgency and confidentiality, and claimed that a law firm would be in touch to finalize the operation.
The Legal Battle with the Bank
Where the Etna Industrie case stands apart is in its legal aftermath. The company did not stop at filing a complaint against the scammers (who were never found). It sued its bank, Banque CIC, before the commercial court and then the court of appeal, for breach of the duty of vigilance.
Etna Industrie's argument: the wire transfers were clearly abnormal. The company had never made transfers to China or Estonia. The amounts were disproportionate relative to the account's usual activity. The bank should have alerted the account holder before executing the orders.
The bank defended itself by invoking its obligation to execute the account holder's wire transfer orders, in accordance with the European Payment Services Directive.
The Cour de Cassation Ruling
In 2018, the Cour de cassation (France's supreme court for civil and criminal matters) ruled in favor of Etna Industrie (Cass. com., October 24, 2018, No. 17-21.112). The ruling established a principle that became precedent: the banker has a duty of vigilance when processing unusual transactions, even in the absence of an irregular power of attorney. The abnormal nature of the transfers (amounts, frequency, destinations) should have triggered verification with the actual company owner.
The bank was ordered to reimburse a portion of the misappropriated funds.
What This Ruling Means for SMBs
The Etna Industrie ruling had two effects.
First, it encouraged other victim companies to take legal action against their banks. Since 2018, French commercial courts have handled dozens of similar cases, with varying outcomes. Some banks were found liable; others prevailed by showing that the client had itself committed a fault (lack of internal procedures, for example).
Second, it pushed banks to strengthen their suspicious transaction detection systems. Several institutions implemented automatic alerts for wire transfers to new countries, unusual amounts, or multiple transfers in a short period. Paradoxically, this made businesses somewhat more cautious: when your bank calls to verify a transfer, you think twice.
Intermarché (2015): EUR 15 Million Attempt Partially Thwarted
In 2015, the Intermarché group (Les Mousquetaires) was targeted by a CEO fraud attempt for EUR 15.7 million. The scam was partially thwarted, but not entirely.
Scammers contacted a finance executive at the group, impersonating a member of senior management. The scenario was identical to other cases: confidential acquisition, need for discretion, urgent wire transfers abroad. Several transfers were executed before the alarm was raised.
This case is notable because it targeted a retail group - a sector less commonly associated with cybercrime than finance or manufacturing. In reality, retail groups handle massive cash flows (thin margins but enormous volumes), making them attractive to scammers.
The Intermarché case also illustrates a point well known to security professionals: the alert rarely comes from the detection system. In most CEO fraud cases, it is a human who eventually asks a question - "something feels off about this" - and picks up the phone to verify. The problem is that this question usually comes after the first transfer, not before.
Michelin: The Subsidiary Trapped by a Fake Executive
Michelin, the Clermont-Ferrand-based group, was also hit by CEO fraud targeting one of its subsidiaries. The precise details received less media coverage than other cases - Michelin did not publicly disclose the exact amount - but the incident was confirmed by multiple sources close to the case and referenced in OCLTIC presentations on financial cybercrime.
The pattern: a phone call allegedly from Clermont-Ferrand headquarters to a financial manager at a foreign subsidiary, followed by forged emails confirming the wire transfer operation. The scammer knew the internal procedures, the names of usual contacts, and the group's specific vocabulary.
Michelin is among the CAC 40 companies that, after the incident, completely overhauled their wire transfer approval procedures. The group implemented a mandatory dual-authorization system with a callback to a pre-registered number - a system that most major French corporations have since adopted.
The KPMG Cases: When the Auditors Get Audited
KPMG, one of the "Big Four" audit and consulting firms, has been cited in multiple CEO fraud cases, both in France and internationally. The irony is painful: a firm whose business is verifying companies' internal controls finds itself victimized by a lack of controls.
In several cases documented by the financial press, employees at KPMG offices executed fraudulent wire transfers after receiving emails supposedly from senior partners. The total losses were not made public, with KPMG citing confidentiality.
The takeaway: no organization is immunized by its expertise. Audit firms, banks, insurance companies, even law enforcement agencies themselves (DGSI - Direction générale de la Sécurité intérieure, France's domestic intelligence agency - has flagged attempts targeting government departments) - every organization that handles funds is a potential target. CEO fraud does not exploit a technical flaw. It exploits the human condition: deference to authority, fear of disappointing the boss, the desire to be the one handling a "confidential and strategic" operation.
SMBs in the Crosshairs: Thousands of Cases Kept Quiet
The Pathé, Vallourec, and Intermarché cases make headlines because the amounts are spectacular. But the everyday reality of CEO fraud in France involves the 20-to-200-employee SMB that loses between EUR 50,000 and EUR 500,000. Amounts that never make the news but that sometimes threaten the company's survival.
Cases from the Commercial Courts
The registries of French commercial courts hold dozens of rulings involving SMBs that fell victim to fraudulent wire transfers. Here are a few examples, drawn from legal databases, without naming the companies when the rulings are not public.
Construction company in Île-de-France (2019). CEO fraud via email and phone. The accountant executed two wire transfers of EUR 130,000 and EUR 85,000 to Poland. The owner was on vacation. The company sued its bank and obtained a partial reimbursement of EUR 85,000 (the first transfer was deemed "not abnormal" by the court, since the amount fell within the account's usual range).
Trading firm in southwestern France (2020). The scammer impersonated the CEO and convinced a sales assistant to change the bank details of a regular supplier. Three invoices were paid to the new account - EUR 210,000 in total - before the real supplier demanded payment. This variant, known as "bank detail fraud" or "supplier fraud," is growing rapidly and now accounts for nearly 40% of fraudulent wire transfer cases according to French criminal investigation data.
Medical practice in the Lyon area (2021). An employee received a call from the practice's "accountant" asking them to initiate a EUR 47,000 wire transfer for "urgent medical equipment." The employee complied. The practice lost the entire amount. No legal action was taken against the bank - the amount was too small to justify the legal fees.
Agri-food SMB in Brittany (2022). Combined email and voice deepfake attack. The scammer called the CFO, imitating the CEO's voice (likely using a voice synthesis tool). The call was followed by a "confirmation" email with bank details in Hungary. Loss: EUR 340,000. The company filed a complaint, but the investigation is still ongoing.
The Typical Victim SMB Profile
Consolidated data from GIP ACYMA (Groupement d'Intérêt Public Action contre la Cybermalveillance - the public interest group that operates Cybermalveillance.gouv.fr) and from law enforcement paint a consistent profile.
Size. 20 to 250 employees. Large enough to handle significant sums, too small to have a dedicated internal audit team.
Sector. No sector is spared, but companies that regularly make international wire transfers (trading, manufacturing, construction with overseas subcontractors) are overrepresented.
Accounting setup. Bookkeeping is often handled by one to three people. Segregation of duties (the person who initiates the transfer is not the person who approves it) is absent or easy to circumvent.
Lack of formal procedures. No wire transfer ceiling requiring dual authorization. No verification protocol for bank detail changes. No mandatory callback procedure.
Timing. Attacks occur preferentially during the owner's vacation, long weekends, or year-end closing periods - in short, when the person who could say "stop, let's verify" is not there.
How CEO Fraud Works Technically
To defend against it, you need to understand the mechanics. CEO fraud combines social engineering (human manipulation) and technical tools (email identity spoofing). Here is the breakdown.
Phase 1: Reconnaissance
The scammer starts by collecting as much information as possible about the target company. The sources are legal and accessible to anyone.
Commercial registry. Infogreffe and Societe.com (France's public company registries) provide the owner's name, registered address, revenue, and the names of corporate officers. Cost: a few euros for a full Kbis extract (the official company registration document).
LinkedIn. Employee profiles reveal the organizational chart, reporting lines, departments ("Accountant at X since 2019"), and sometimes professional email addresses. A scammer who knows that Marie Dupont is the accountant at Acme SAS and that her manager is Jean Martin already has half of what they need.
The company website. "Team" and "Contact" pages often list names and roles. Press releases announce acquisitions, appointments, and projects - all plausible pretexts for a wire transfer.
The owner's social media. An Instagram post from the Maldives = the owner is unreachable by phone. Time to strike.
Phase 2: Email Identity Spoofing
The scammer needs to send an email that appears to come from the executive. Three techniques exist, in increasing order of sophistication.
Lookalike domain. The scammer registers a domain name that closely resembles the company's: acme-group.com instead of acme.com, acmesas.com instead of acme-sas.com, arme.com instead of acme.com. Registration cost: EUR 10. Emails sent from this domain will pass SPF and DKIM checks (because the domain is legitimately configured). Only a sharp eye will spot the difference.
Address spoofing. The scammer forges the "From" field of the email to display the executive's real address. If the company's domain does not have a DMARC policy set to reject, any server can send an email displaying jean.martin@acme-sas.com in the sender field. This is where SPF, DKIM, and DMARC configuration matters. To check whether your domain is protected: SMB Email Security: Why Testing SPF, DKIM, and DMARC Is Urgent.
Compromised email account (Account Takeover). The most dangerous method. The scammer gains control of the executive's actual email account, typically by exploiting a weak password, a prior phishing attack, or the absence of MFA (multi-factor authentication). The email genuinely originates from the correct address, passes all technical checks, and lands in the victim's inbox like any legitimate message. Technical controls are powerless in this scenario: only a human procedure (callback) provides protection.
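As an added example (not code from the article), a defender-side screening routine in Python: it classifies a domain's DMARC record the way the text does (only p=reject applied to all mail stops a forged From: header) and labels inbound sender domains that match the lookalike patterns listed above. The domain names and DMARC records are constructed, and the record is passed in rather than fetched from DNS so the check runs offline.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed DMARC TXT records (assumed example domains, not real lookups) covering
# the postures discussed above: reject, monitor-only, and a partial rollout.
SAMPLE_RECORDS: Dict[str, str] = {
    "acme-sas.com": "v=DMARC1; p=reject; rua=mailto:dmarc@acme-sas.com",
    "weak-corp.fr": "v=DMARC1; p=none; rua=mailto:reports@weak-corp.fr",
    "partial.fr": "v=DMARC1; p=quarantine; pct=20",
}


@dataclass
class DmarcAssessment:
    policy: str          # "none", "quarantine", "reject" or "missing"
    pct: int             # share of failing mail the policy is applied to
    blocks_spoofing: bool
    note: str


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Classify a DMARC record. In production the record is the TXT value found at
    _dmarc.<domain>; here it is passed in so the check runs without DNS."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return DmarcAssessment("missing", 0, False,
                               "no DMARC record: any server may put this domain in From:")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "none")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "reject" and pct == 100:
        return DmarcAssessment(policy, pct, True, "forged From: headers are rejected")
    if policy == "reject":
        return DmarcAssessment(policy, pct, False, f"reject applies to only {pct}% of mail")
    if policy == "quarantine":
        return DmarcAssessment(policy, pct, False, "forged mail goes to spam but still reaches users")
    return DmarcAssessment("none", pct, False, "p=none only reports; forged From: is delivered")


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character swaps such as arme/acme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def _label(domain: str) -> str:
    """Registrable label without the TLD (simplified: 'acme-sas.com' -> 'acme-sas').
    Multi-part public suffixes such as .co.uk are not handled here."""
    return _normalize(domain).rsplit(".", 1)[0]


def classify_sender(sender_domain: str, org_domain: str) -> str:
    """Map a sender domain to one of the lookalike patterns named above, or to
    'legitimate' / 'unrelated'. Intended for inbound-mail screening rules."""
    if _normalize(sender_domain) == _normalize(org_domain):
        return "legitimate"
    sender, org = _label(sender_domain), _label(org_domain)
    if sender == org:
        return "tld-variant"           # acme.fr vs acme.com
    if sender.replace("-", "") == org.replace("-", ""):
        return "hyphen-variant"        # acmesas.com vs acme-sas.com
    if org in sender:
        return "contains-org-name"     # acme-group.com vs acme.com
    if _levenshtein(sender, org) <= 2:
        return "near-miss"             # arme.com vs acme.com
    return "unrelated"
```

Anything other than "legitimate" from classify_sender, or a DmarcAssessment with blocks_spoofing False for your own domain, is a reason to route a wire-transfer request to the callback procedure rather than trust the sender line.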
Phase 3: Pretext and Social Engineering
The email is sent. Now the target needs to be persuaded to act. Scammers deploy a cocktail of psychological biases documented in cognitive science research.
Authority. "I'm the CEO, and I'm personally asking you to handle this operation." Robert Cialdini, professor at Arizona State University, demonstrated in his work on influence (1984) that individuals spontaneously obey authority figures, even when the instruction is unusual. It is the Milgram experiment applied to wire transfers.
Urgency. "This transfer must go out today before 4 PM." Urgency prevents the victim from engaging System 2 (the analytical, deliberate mode) and keeps them in System 1 (the automatic, fast mode). It is the same mechanism exploited by standard phishing.
Confidentiality. "This operation is strictly confidential. Do not discuss it with anyone, including other members of the executive team." This mechanism is devastatingly effective: it isolates the victim from any possibility of verification and flatters their ego ("the CEO trusts me with this mission").
Flattery. "I chose you because you are the most reliable person on the team." The scammer turns the victim into a willing accomplice.
The fake trusted third party. "Maître Dupont from the law firm Dupont & Associates will call you to provide the bank details." An accomplice poses as a lawyer, notary, or auditor, adding a layer of credibility. The hesitant victim is reassured by a "professional."
Phase 4: The Transfer and Disappearance
Once the wire transfer is executed, the money moves quickly through multiple accounts across different countries (often China, Hong Kong, UAE, Eastern European countries, then West Africa). Each hop takes a few hours. Within 48 hours, the money is split, converted to cash or cryptocurrency, and becomes untraceable.
The FBI estimates that you must act within 24 to 48 hours of the transfer to have any chance of recovering funds through interbank recall procedures. After that window, the recovery rate drops below 10%.
Voice and Video Deepfakes: The Scammer's New Weapon
CEO fraud is entering a new era with the arrival of deepfakes. What was science fiction in 2018 has become an operational tool in 2024.
The Foundational Case: The British Subsidiary (2019)
In 2019, the Wall Street Journal reported the first documented case of CEO fraud using voice deepfake. The CEO of a British subsidiary of a German energy group received a call from his superior, the group CEO. He recognized his voice, his German accent, his intonation. The caller asked him to transfer EUR 220,000 to a supplier in Hungary. The subsidiary CEO complied.
The voice was AI-generated. The scammer had used publicly available recordings of the real CEO (interviews, conference talks) to train a voice cloning model.
Arup in Hong Kong (2024): USD 25.6 Million
The Arup case, reported by the Guardian in February 2024, marks a qualitative leap. An employee at the Hong Kong office of Arup, the British engineering giant, received a suspicious email from his CFO. He hesitated. Then he joined the video conference referenced in the message. On screen, he saw and heard his CFO, accompanied by several colleagues. All were real-time deepfake video.
Reassured by this "meeting," he approved 15 wire transfers totaling USD 25.6 million (roughly EUR 23.5 million at the time).
For a full overview of emerging threats including voice deepfake: Malicious QR Codes, Voice Deepfakes, Trap SMS: New Phishing Forms in 2026.
The Accessibility of Voice Cloning in 2026
Voice cloning is no longer the preserve of sophisticated criminal groups. According to McAfee (2025), just 3 seconds of audio is enough to reproduce a voice at a fidelity level sufficient to fool the person on the other end of a phone call. Fortune reported in December 2025 that human listeners can no longer reliably distinguish a cloned voice from a real one.
The tools are available online, often for free or for a few dozen euros per month. A scammer who has a sample of the executive's voice (a YouTube conference video, a voicemail greeting on the company line, a podcast interview) can generate a real-time call for less than EUR 50 of investment.
CESIN (Club des Experts de la Sécurité de l'Information et du Numérique - France's top association of information security professionals) warned its members in 2025 about the rise in fraudulent wire transfer attempts using voice deepfake. The CESIN 2026 barometer, published in January, notes that 14% of surveyed companies reported at least one fraud attempt using a synthetic voice in the past 12 months.
Possible Countermeasures
Against voice deepfakes, phone-based verification loses its value. If I call you and you recognize my voice, that no longer proves anything.
Several approaches are emerging:
Vocal passphrase. A code agreed upon in advance between the executive and the people authorized to process wire transfers. Simple, free, effective - as long as it stays secret. Some companies change this code every week.
Callback to a verified number. Not the number displayed on the incoming call (easily spoofed), but a number pre-registered in the internal directory. If the CEO calls to request a wire transfer, you hang up and call them back on their usual number.
Video call with verification. Asking the caller to perform a specific gesture (hold up an object, turn their head, write something) that current deepfake video systems still struggle to replicate - but this safeguard is temporary, as tools are improving fast.
Abandoning the voice channel as proof of identity. In the long run, voice and video will no longer serve as authentication factors. Only formal procedures (dual authorization, approval within a secure treasury management tool, MFA-backed approval workflows) will hold up.
Why France Is a Prime Hunting Ground
CEO fraud exists in every country. But France ranks among the most targeted nations in the world, disproportionately relative to the size of its economy. Several cultural and structural factors explain why.
Hierarchical Culture
Dutch sociologist Geert Hofstede developed a cultural dimensions model that ranks countries by their "power distance" (Power Distance Index). France scores 68 out of 100, compared with 40 for the United States, 35 for the United Kingdom, and 31 for Germany. This high score means that French employees more readily accept power imbalances and more spontaneously obey instructions from a hierarchical superior.
In the context of CEO fraud, this cultural dimension has a direct consequence: a French accountant asked by the "CEO" to make an urgent wire transfer is statistically less likely to question the instruction than a Dutch or German counterpart. This is not a matter of intelligence - it is a matter of internalized social norms.
Philippe Herlin, economist and researcher at CNAM (Conservatoire national des arts et métiers - a leading French public institution for higher education and research), wrote on this subject in 2017: "CEO fraud exploits the authority relationship, which is more pronounced in French companies than in Anglo-Saxon ones. Questioning a CEO's order is perceived as defiance, not prudence."
The SEPA Wire Transfer Habit
French businesses rely heavily on SEPA wire transfers for supplier payments. Unlike checks (which allow a clearing period and can be canceled) or card payments (which offer chargeback mechanisms), a wire transfer is executed within hours and, once confirmed, is virtually irreversible within normal timeframes.
SEPA transfers within the European Economic Area are treated as domestic transactions by banks: no additional verification, no extra delay. A wire transfer to an account in Poland, Hungary, or Estonia does not trigger the same alerts as one to China or Nigeria. Scammers are well aware of this and use transit accounts within the EU.
The SMB Fabric
France has approximately 4 million SMBs, representing 99.9% of businesses and employing 49% of private-sector workers (INSEE - Institut national de la statistique et des études économiques, France's national statistics agency - 2024). This SMB fabric is the natural target for CEO fraud: companies that handle significant sums but that often have no CISO, no formalized internal controls, and no fraud training.
The CESIN 2026 barometer covers large enterprises and mid-caps. For SMBs with fewer than 250 employees, data is fragmented. Cybermalveillance.gouv.fr is the main source, and the trends it observes confirm: SMBs are the majority target of fraudulent wire transfers.
Late DMARC Adoption
In 2024, according to an EasyDMARC study covering over 2 million European domains, only 34% of French business domains had a DMARC record. Among those, fewer than 15% were set to reject (the only mode that actually blocks spoofed emails). This means that for the vast majority of French businesses, anyone can send an email displaying their domain name.
For comparison, Nordic countries (Denmark, Sweden, Norway) show DMARC adoption rates above 60%, with over 30% in reject mode. The Netherlands, where the government mandated DMARC for government agencies in 2018, exceeds 50%.
This technical gap directly facilitates CEO fraud via address spoofing. If your domain does not have DMARC set to reject, a scammer can send an email from any server that will display ceo@yourcompany.fr as the sender. The email will land in the accountant's inbox with the right address, the right name, and nothing to flag it as fraudulent.
Check your protection now. The free email security test at nophi.sh analyzes your SPF, DKIM, and DMARC records in seconds and gives you a score out of 10 with recommendations.
French Case Law: When Victims Sue Their Banks
One of France's distinctive features in CEO fraud is the litigation between victim companies and their banks. This litigation has produced rich case law that every business owner should know.
The Legal Basis: The Banker's Duty of Vigilance
The Code monétaire et financier (French Monetary and Financial Code) imposes a duty of vigilance on credit institutions when processing suspicious transactions. This duty, originally designed for anti-money laundering purposes (article L.561-6 and following), has been extended by case law to cover fraudulent wire transfers.
The principle is as follows: a banker who executes a clearly abnormal wire transfer order without verifying with the account holder is liable. "Clearly abnormal" is assessed against the account's history: usual amounts, usual destinations, usual transfer frequency.
Key Rulings
Beyond the Etna Industrie ruling (2018) already analyzed, several other decisions deserve attention.
Cour d'appel de Paris (Paris Court of Appeal), 2020 - textile SMB. The victim company sought reimbursement of EUR 380,000 wired to China. The bank was ordered to reimburse 70% of the amount. The court held that the bank should have been alerted by an international transfer to a country with which the company had never done business.
Tribunal de commerce de Lyon (Lyon Commercial Court), 2021 - industrial mid-cap. Four wire transfers totaling EUR 1.2 million to accounts in Estonia and Latvia. The bank was partially found liable, but the indemnification was reduced because the company had not implemented the security procedures recommended by its own bank (dual authorization, transfer ceilings).
Cour d'appel de Versailles (Versailles Court of Appeal), 2023 - consulting firm. The company lost EUR 250,000. The bank was found not liable. Reason: the company regularly made international transfers of comparable amounts. The fraudulent transfers did not appear "clearly abnormal" relative to the account's history.
Lessons for Businesses
The case law reveals a shared liability framework. Courts consider both the bank's vigilance and the company's own conduct.
What works in the company's favor:
- No prior history of wire transfers to the destination country
- An amount disproportionate to usual activity
- Multiple transfers in a short period (unusual pattern)
- The company had internal procedures that the bank failed to follow (e.g., the bank was supposed to require dual authorization but did not)
What works against the company:
- Lack of formalized internal procedures
- The employee acted outside their authority (signing a transfer without authorization)
- The company regularly makes comparable transfers to comparable countries
- The company ignored bank alerts
The practical takeaway: implementing stronger internal procedures is not just a prevention measure - it is also a prerequisite for successful legal action against the bank in the event of fraud.
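To make the "clearly abnormal" test concrete, here is an added illustration (not code from the article, a bank, or any court document) of how the three criteria courts apply - usual amounts, usual destinations, usual frequency - can be expressed as a check a company can run on its own outgoing transfers. The transfer histories are constructed to mirror the three rulings summarized above, and the cut-offs (three times the median amount, a seven-day window, twice the baseline rate) are assumptions of this example.

```python
"""Assess a wire transfer against an account's history using the three
criteria the rulings above apply to the banker's duty of vigilance: usual
amounts, usual destinations, usual transfer frequency.  Added example with
constructed data; thresholds (3x median, 7-day window) are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil
from statistics import median


@dataclass(frozen=True)
class Transfer:
    when: date
    amount_eur: float
    country: str  # ISO 3166-1 alpha-2 code of the beneficiary bank's country


def abnormality_reasons(history, candidate, window_days=7, amount_factor=3.0):
    """Return the reasons why `candidate` is 'clearly abnormal' for this account.
    An empty list means the transfer fits the account's usual pattern."""
    if not history:
        return ["no transfer history to compare against"]
    reasons = []

    # 1. Usual destinations: a country this account has never paid before.
    if candidate.country not in {t.country for t in history}:
        reasons.append(f"first ever transfer to {candidate.country}")

    # 2. Usual amounts: larger than anything seen AND far above the median.
    amounts = [t.amount_eur for t in history]
    usual = median(amounts)
    if candidate.amount_eur > max(amounts) and candidate.amount_eur > amount_factor * usual:
        reasons.append(f"amount is {candidate.amount_eur / usual:.1f}x the usual median of {usual:,.0f} EUR")

    # 3. Usual frequency: a burst of transfers compared with the account's baseline rate.
    first, last = min(t.when for t in history), max(t.when for t in history)
    span_days = max((last - first).days, 1)
    baseline = max(1, ceil(len(history) * window_days / span_days))  # transfers per window
    window_start = candidate.when - timedelta(days=window_days)
    recent = sum(1 for t in history if window_start <= t.when <= candidate.when)
    if recent + 1 > 2 * baseline:
        reasons.append(f"{recent + 1} transfers in {window_days} days against a baseline of about {baseline}")
    return reasons


def monthly(start_year, months, amount_fn, country_fn):
    """Constructed helper: one transfer on the 1st of each month."""
    return [
        Transfer(date(start_year + i // 12, i % 12 + 1, 1), amount_fn(i), country_fn(i))
        for i in range(months)
    ]


# Constructed scenarios mirroring the three rulings summarized in the text.
def textile_smb_case():
    # Two years of domestic five-figure transfers, then EUR 380,000 to China.
    history = monthly(2022, 24, lambda i: 15_000 if i % 2 else 25_000, lambda i: "FR")
    return abnormality_reasons(history, Transfer(date(2024, 1, 15), 380_000, "CN"))


def consulting_firm_case():
    # Regular six-figure transfers to US/GB/DE, then EUR 250,000 to the US.
    history = monthly(2022, 24, lambda i: 200_000 + 5_000 * (i % 3), lambda i: ("US", "GB", "DE")[i % 3])
    return abnormality_reasons(history, Transfer(date(2024, 1, 20), 250_000, "US"))


def industrial_midcap_case():
    # Monthly transfers to Germany, then four transfers in four days to the Baltics.
    history = monthly(2023, 12, lambda i: 300_000, lambda i: "DE")
    history += [Transfer(date(2024, 1, d), 300_000, "EE") for d in (8, 9, 10)]
    return abnormality_reasons(history, Transfer(date(2024, 1, 11), 300_000, "LV"))


if __name__ == "__main__":
    for case in (textile_smb_case, consulting_firm_case, industrial_midcap_case):
        print(case.__name__, "->", case() or ["looks normal for this account"])
```

The textile and industrial scenarios each produce two reasons (new country plus amount, new country plus burst), while the consulting firm's transfer produces none, which is exactly the distinction the Versailles court drew. Running the same logic in-house, before the order reaches the bank, gives the accountant an objective trigger for the callback procedure rather than relying on the bank's vigilance after the fact.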
The Law Enforcement Response
The fight against CEO fraud in France involves multiple police and gendarmerie units. Here are the key players.
OCLCTIC
OCLCTIC (Office central de lutte contre la criminalité liée aux technologies de l'information et de la communication - the central office for combating IT-related crime), part of DCPJ (the central directorate of criminal investigation), is the lead agency for large-scale fraud. OCLCTIC coordinated investigations into the Vallourec, Pathé, and other major cases.
OCLCTIC has specialized expertise in financial flow tracing, international cooperation (via Interpol and Europol), and digital forensics. But its resources are limited relative to case volume: a few dozen investigators for thousands of cases per year.
BEFTI and Its Successors
BEFTI (Brigade d'enquêtes sur les fraudes aux technologies de l'information - the IT fraud investigation brigade), based in Paris, was one of France's first police units dedicated to cybercrime. It has been reorganized and integrated into the new Parisian criminal investigation structures, but its expertise remains engaged for CEO fraud cases.
ComCyberGend
ComCyberGend (Commandement de la Gendarmerie dans le cyberespace - the Gendarmerie's cyber command), created in 2021, consolidates the cyber capabilities of the Gendarmerie nationale (France's military police force, which handles law enforcement across rural and suburban areas). With over 7,000 trained cyber investigators across the country, the gendarmerie is often the first point of contact for SMB victims outside major cities.
ANSSI's Role
ANSSI (Agence nationale de la sécurité des systèmes d'information - France's national cybersecurity agency) does not directly intervene in criminal investigations related to CEO fraud, except when a critical infrastructure operator is affected. However, ANSSI publishes best-practice guides and alerts that include fraudulent wire transfers within their scope. The guide "Cybersecurity for VSBs/SMBs in 12 Questions" (ANSSI, 2023) devotes a chapter to wire transfer scams.
The International Cooperation Problem
The main challenge for French law enforcement is that scammers operate from abroad. The most high-profile cases have led investigators to Israel, China, the UAE, and several West African countries.
International judicial cooperation is slow, complex, and depends on the goodwill of the countries involved. International rogatory commissions (mutual legal assistance requests) take months, sometimes years. By then, funds have been scattered and the scammers have moved to another country.
The Gilbert Chikli case illustrates this difficulty. Widely considered the inventor of CEO fraud in France (he began his operations in the early 2000s), Chikli was sentenced in absentia in 2015 to 7 years in prison, then arrested in Ukraine in 2017 after years on the run between Israel and Africa. His 2020 trial resulted in an 11-year prison sentence and a EUR 1 million fine. But how many CEO fraud cases actually lead to an arrest? Fewer than 5%, according to police union estimates.
Protecting Yourself: Technical Measures
Protection against CEO fraud combines technical and organizational measures. Let's start with the technical side.
SPF, DKIM, and DMARC: Lock Down Your Domain
The first technical measure is to protect your own domain against spoofing. If a scammer cannot send an email displaying your address, they must fall back on a lookalike domain, which is easier to detect.
SPF (Sender Policy Framework) declares which servers are authorized to send emails for your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when an email fails SPF and DKIM checks.
The technical details of configuration are covered in our dedicated article: SMB Email Security: Why Testing SPF, DKIM, and DMARC Is Urgent.
The essentials in three points:
- Publish an SPF record ending in -all (hard fail), not ~all (soft fail)
- Enable DKIM with your email provider (Google Workspace, Microsoft 365, etc.)
- Deploy DMARC in reject mode - the only mode that actually blocks spoofed emails
Moving from p=none to p=reject takes 4 to 8 weeks of monitoring DMARC reports to ensure legitimate emails are not blocked. It is a minimal time investment for a major layer of protection.
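As an added example (my own code, not the article's and not the nophi.sh test), here is a small checker that scores the three essentials above from the raw TXT records. It parses record strings so it runs offline; on a real domain you would first fetch the TXT record at the domain itself (SPF), at _dmarc.<domain> (DMARC) and at <selector>._domainkey.<domain> (DKIM). The point weights, the sample records and the example.fr addresses are assumptions of this example.

```python
"""Score SPF, DKIM and DMARC settings against the three essentials above.
Added example, not the article's or nophi.sh's code: records are parsed
from strings here, so it runs offline; fetch the live ones with a TXT
lookup on <domain> and _dmarc.<domain> (and <selector>._domainkey.<domain>
for DKIM) before scoring your own domain.  The point weights are mine."""
import re


def parse_spf(txt):
    """Return (qualifier_of_all, other_mechanisms) or None if not SPF.
    qualifier is '-', '~', '?', '+' or None when the record has no 'all'."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    qualifier, mechanisms = None, []
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"
        else:
            mechanisms.append(term)
    return qualifier, mechanisms


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the string is not a DMARC record."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(spf_txt, dmarc_txt, dkim_published):
    """Return (score out of 10, list of findings) for a domain's mail authentication."""
    score, findings = 0, []

    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("no SPF record: any server can claim to send for this domain")
    elif spf[0] == "-":
        score += 3
    elif spf[0] == "~":
        score += 1
        findings.append("SPF ends in ~all (soft fail): spoofed mail is marked, not refused")
    else:
        findings.append("SPF does not end in -all: spoofed mail passes or is neutral")

    if dkim_published:
        score += 2
    else:
        findings.append("no DKIM selector published: outgoing mail carries no signature")

    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to apply on failure")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "reject" and pct == 100:
            score += 5
        elif policy == "reject":
            score += 4
            findings.append(f"DMARC p=reject is applied to only {pct}% of mail")
        elif policy == "quarantine":
            score += 3
            findings.append("DMARC p=quarantine: spoofed mail goes to spam instead of being refused")
        else:
            score += 1
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("no rua= tag: you receive no aggregate reports to monitor the rollout with")
    return score, findings


# Constructed records for a typical unprotected SMB and its hardened version.
WEAK = ("v=spf1 include:_spf.google.com ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.fr", True)
HARDENED = ("v=spf1 include:_spf.google.com -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.fr; adkim=s; aspf=s", True)

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        score, findings = assess_domain(*records)
        print(f"{label}: {score}/10", *findings, sep="\n  ")
```

The weak configuration (soft-fail SPF, DMARC in p=none) scores 4/10 even though all three records exist, which is the situation most of the 34% of French domains with a DMARC record are in; the hardened one scores 10/10. The rua= check matters during the 4-to-8-week monitoring period: without an aggregate report address you have no data to decide when p=reject is safe.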
Multi-Factor Authentication (MFA) on Email Accounts
If a scammer compromises the executive's email account, all SPF/DKIM/DMARC protections become useless: the fraudulent email genuinely comes from the legitimate address.
Enabling MFA on all business email accounts is the defense. With MFA, even if the scammer obtains the password (via phishing, credential stuffing, or dark web purchase), they cannot log in without the second factor.
According to Microsoft (Digital Defense Report 2024), MFA blocks 99.2% of account compromise attacks. It is the security measure with the best cost-to-effectiveness ratio available.
Lookalike Domain Monitoring
Domain monitoring tools detect the registration of domains similar to yours. If someone registers acme-group.com while your domain is acme.com, you are notified and can take action (report to the registrar, internal alert).
Several services offer this monitoring, at prices ranging from a few dozen to a few hundred euros per year. For an SMB, this is a modest investment.
Advanced Email Filtering
Modern email filtering solutions (Proofpoint, Mimecast, Microsoft Defender for Office 365, Barracuda) include BEC detection features: sender behavior analysis, lookalike domain detection, flagging emails with CEO fraud markers ("urgent transfer," "confidential," "do not discuss this with anyone").
These filters are not infallible - an email from a legitimately compromised account will pass most technical checks - but they add an extra layer of protection.
Protecting Yourself: Organizational Measures
Technical measures are necessary but not sufficient. CEO fraud is first and foremost an attack on human processes. Organizational measures are the real bulwark.
Dual Authorization for Wire Transfers
Every company, regardless of size, should have a simple and non-negotiable rule: no wire transfer above a certain threshold can be executed by a single person. The threshold depends on the business - EUR 5,000 for a services SMB, EUR 20,000 for an international trading company - but the principle is the same.
Dual authorization means two distinct people must approve the transfer. Ideally within a treasury management tool or online banking platform, each with their own credentials and their own MFA.
Mandatory Callback
For any unusual wire transfer (new beneficiary, large amount, unusual country, urgent request), a callback is required. Not to the number listed in the request email (it may be controlled by the scammer), but to the number recorded in the company's internal directory or professional phone contacts.
This callback must be culturally accepted within the company. An executive who gets called back by their accountant before a transfer should not be annoyed - they should commend the person for following procedure.
Bank Detail Change Procedure
The "bank detail fraud" variant is rapidly growing. The scammer poses as a supplier and notifies the company that their bank details have changed. Subsequent invoices are paid to the scammer's account.
The defense: any supplier bank detail change must be verified by calling the supplier on a known number (the one from the original contract or purchase order, not the one in the "change notification" email).
Some companies go further and require written confirmation on letterhead, sent by postal mail. It is slow, it is old-fashioned, but it works.
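The three organizational rules above (dual authorization above a threshold, callback to a directory number for anything unusual, verification of supplier bank detail changes on a known number) can be written down as a single release check. Here is an added example of such a check; it is my own illustration, not a treasury tool's or the article's code. The directory entries, phone numbers, IBAN placeholders and the two approvers are constructed; the EUR 5,000 threshold is the article's services-SMB figure, and the EUR 50,000 "large amount" and the usual-country list are assumptions.

```python
"""Wire-transfer release control: dual authorization above a threshold and a
mandatory callback to a directory number for anything unusual, including a
supplier's change of bank details.  Added example; the names, numbers and
thresholds are constructed (the EUR 5,000 threshold is the article's SMB
figure), and the flags on a request are set by whoever keys it in."""
from dataclasses import dataclass
from typing import Optional

# Constructed internal directory: the ONLY numbers a callback may be made to.
# Supplier entries hold the number from the original contract or purchase order.
DIRECTORY = {
    "marc.bontemps": "+33 4 72 00 00 01",
    "helene.duval": "+33 4 72 00 00 02",
    "supplier:acier-lyonnais": "+33 4 72 00 00 50",
}


@dataclass(frozen=True)
class TransferRequest:
    requested_by: str            # directory key of the person or supplier behind the request
    amount_eur: float
    beneficiary_iban: str
    country: str                 # beneficiary bank country, ISO 3166-1 alpha-2
    new_beneficiary: bool = False
    bank_details_changed: bool = False
    phone_in_request: Optional[str] = None   # number quoted in the email itself, never dialled


@dataclass(frozen=True)
class Approval:
    approver: str
    mfa_verified: bool


@dataclass(frozen=True)
class Callback:
    called: str        # directory key of who was called
    number: str        # number actually dialled
    confirmed: bool    # did they confirm the request?


@dataclass(frozen=True)
class Policy:
    dual_threshold_eur: float = 5_000
    large_amount_eur: float = 50_000
    usual_countries: frozenset = frozenset({"FR", "DE"})


def is_unusual(req, policy):
    return (req.new_beneficiary or req.bank_details_changed
            or req.country not in policy.usual_countries
            or req.amount_eur >= policy.large_amount_eur)


def authorize(req, approvals, callback, policy=Policy()):
    """Return (release_allowed, failed_controls). Release only when the list is empty."""
    failed = []

    # Control 1: above the threshold, two distinct MFA-verified people must approve.
    if req.amount_eur > policy.dual_threshold_eur:
        approvers = {a.approver for a in approvals if a.mfa_verified}
        if len(approvers) < 2:
            failed.append("dual authorization: fewer than two distinct MFA-verified approvers")

    # Control 2: anything unusual requires a callback on the directory number.
    if is_unusual(req, policy):
        expected = DIRECTORY.get(req.requested_by)
        if callback is None:
            failed.append("callback: unusual transfer released without calling the requester back")
        elif callback.called != req.requested_by or callback.number != expected:
            failed.append("callback: number is not the one in the internal directory for the requester")
        elif not callback.confirmed:
            failed.append("callback: requester did not confirm the request")
    return not failed, failed


# Constructed scenarios.
def bontemps_attack():
    """EUR 82,000 to a new Estonian account, no callback, a single approver."""
    req = TransferRequest("marc.bontemps", 82_000, "EE-PLACEHOLDER-IBAN", "EE", new_beneficiary=True)
    return authorize(req, [Approval("nathalie.perrin", True)], None)


def callback_to_number_in_email():
    """Two approvers, but the 'confirmation' call went to the number the email supplied."""
    req = TransferRequest("marc.bontemps", 82_000, "EE-PLACEHOLDER-IBAN", "EE",
                          new_beneficiary=True, phone_in_request="+33 6 00 00 00 99")
    approvals = [Approval("nathalie.perrin", True), Approval("helene.duval", True)]
    return authorize(req, approvals, Callback("marc.bontemps", "+33 6 00 00 00 99", True))


def verified_supplier_change():
    """Supplier announces a new IBAN; the accountant calls the contract number and it is confirmed."""
    req = TransferRequest("supplier:acier-lyonnais", 3_200, "FR-PLACEHOLDER-IBAN", "FR",
                          bank_details_changed=True)
    return authorize(req, [Approval("nathalie.perrin", True)],
                     Callback("supplier:acier-lyonnais", "+33 4 72 00 00 50", True))
```

The second scenario is the one that trips people up in practice: every formal box is ticked, two people approved, someone "called back", yet the number came from the request itself, so the check must fail. Encoding the directory as the only acceptable source of callback numbers, rather than leaving it to judgement under time pressure, is what makes the rule hold on a Friday afternoon.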
Awareness Training and Simulation
Procedures are useless if employees do not know about them, do not understand them, or do not follow them under pressure. That is where awareness training comes in.
Theoretical training ("phishing is dangerous") is not enough. Research from the SANS Institute (Security Awareness Report 2025) shows that only hands-on practice - simulated phishing and CEO fraud attacks - produces lasting behavioral change. Organizations that run regular simulations reduce their click rate by 75% within 12 months.
For an SMB, this means training teams with realistic CEO fraud scenarios: a fake email from the CEO requesting a wire transfer, a fake call from a "law firm," a fake supplier bank detail change. The goal is not to trick people but to build an automatic verification reflex. For a complete methodology: Phishing Simulation in Business: 2026 Practical Guide.
Train your teams to detect CEO fraud. The nophi.sh platform offers realistic simulations including BEC and CEO fraud scenarios, with per-employee results tracking.
The Legal and Regulatory Framework
Beyond criminal prosecution of scammers and litigation with banks, the French regulatory framework imposes obligations that directly affect CEO fraud prevention.
The 72-Hour Complaint Filing Requirement (LOPMI)
The LOPMI law (Loi d'Orientation et de Programmation du Ministère de l'Intérieur - France's Interior Ministry guidance and programming law, enacted in January 2023) imposes a condition on businesses seeking cyber insurance indemnification: a formal complaint must be filed within 72 hours of becoming aware of the incident. After this deadline, the insurer may refuse the claim.
For CEO fraud, this requirement has two implications. First, the fraud must be detected quickly - which requires employees trained to recognize warning signs and report any suspicion immediately. Second, a complaint must be filed promptly, which requires the business owner to default to reporting rather than silence. For everything related to cyber insurance and the training evidence required by insurers: Your Cyber Insurer Wants Proof of Employee Training?.
GDPR and CNIL Notification
If CEO fraud involves unauthorized access to personal data (for example, the scammer compromised the executive's email and gained access to customer or employee data), a notification to the CNIL (Commission nationale de l'informatique et des libertés - France's data protection authority) is mandatory within 72 hours (Article 33 of the GDPR). If the risk to affected individuals is high, individual notification is also required (Article 34).
In practice, many CEO fraud victims fail to make the connection with the GDPR. Yet if the reconnaissance phase involved access to the information system (email account hack, file server access), personal data is potentially compromised.
NIS 2
The European NIS 2 directive, transposed into French law in late 2024 (France having exceeded the original October 2024 deadline), expands cybersecurity obligations to a large number of companies, including mid-caps and SMBs in "important" sectors. Affected entities must implement risk management measures that explicitly include protection against social engineering.
For companies subject to NIS 2, employee awareness training on CEO fraud is no longer optional - it is a legal obligation, backed by penalties for non-compliance.
Anatomy of a Successful Attack: A Minute-by-Minute Reconstruction
To make the mechanics concrete, let's reconstruct a fictional but realistic attack based on patterns observed in court cases.
Day D-30: Reconnaissance
The scammer identifies the target: SAS Bontemps, a 45-employee SMB specializing in metal parts manufacturing, based in Villeurbanne, near Lyon. Revenue: EUR 8 million. Owner: Marc Bontemps. On LinkedIn, the scammer finds that the CFO is Hélène Duval (in the role since 2017) and the accountant is Nathalie Perrin.
On Infogreffe (France's commercial court registry service), they find the company's incorporation date, corporate officers, and filed financial statements. On the company website, they note the contact details and names of suppliers mentioned in the client references section.
On Marc Bontemps's Instagram account, they see that he is heading on a ski vacation the third week of February. The timing is set.
Day D-7: Technical Preparation
The scammer registers the domain bontemps-sas.com (the real domain is bontemps.fr). Cost: EUR 8. They configure a mail server on this domain with valid SPF and DKIM - ironically, they protect their fraudulent domain better than many SMBs protect their legitimate one.
They prepare the emails: header "Marc Bontemps (marc.bontemps at bontemps-sas.com)," signature identical to Marc's (copied from an email visible in a chamber of commerce discussion thread).
Day D (Monday, 10:15 AM): First Contact
Marc is on the ski slopes at La Plagne. Nathalie Perrin receives an email.
From: Marc Bontemps (marc.bontemps@bontemps-sas.com)
Subject: Urgent - confidential

Nathalie, I need your help on a confidential matter. It involves an acquisition we've been preparing for weeks. I can't involve Hélène for now due to a potential conflict of interest. You're the only person I trust to handle this discreetly.
A law firm will contact you within the hour with the escrow account details. The amount is EUR 82,000. It's urgent - the signing is scheduled for Wednesday.
I'm unreachable by phone (traveling abroad). Reply to me by email only.
Day D (11:00 AM): The Fake Lawyer
Nathalie's phone rings. A man introduces himself as "Maître Laurent Mercier, Mercier & Associates, Paris." He confirms the operation, provides a reference number, and dictates the bank details for an account in Estonia. "It's an escrow account at a European bank - standard procedure for this type of acquisition."
Day D (2:30 PM): The Wire Transfer
Nathalie, after hesitating, executes the EUR 82,000 transfer. She replies to "Marc's" email to confirm. The scammer responds: "Great, thank you, Nathalie. There will be a second transfer of EUR 65,000 on Friday. I'll keep you posted."
Day D+2 (Wednesday): Suspicion
Hélène Duval, the CFO, notices an unusual movement on the bank statement. She asks Nathalie, who hesitates and then reveals the "confidential" operation. Hélène calls Marc on his mobile. Marc, on the slopes, has no idea what she is talking about - he never sent that email.
The alarm is raised. The bank attempts a transfer recall. It is too late: the Estonia account was emptied 6 hours after receiving the funds.
Outcome
SAS Bontemps loses EUR 82,000. A complaint is filed. The investigation will show that bontemps-sas.com was registered with forged identity documents. "Mercier & Associates" does not exist. The Estonia account was opened using a front and closed within the week.
The company checks its email configuration: no DMARC on bontemps.fr. Anyone could have spoofed a @bontemps.fr address without triggering an alert.
If DMARC set to reject had been configured on the real domain, it would not have prevented this particular attack (the scammer used a lookalike domain). But if Nathalie had been trained through CEO fraud simulations, would she have reacted differently? The data says yes: employees who have been through at least three BEC simulations detect 80% of real attempts, compared with 30% for untrained employees (KnowBe4, Phishing Industry Benchmarking Report 2025).
Warning Signs: How to Spot an Attempt
Here is a summary of indicators that should trigger an immediate verification reflex.
Email-related indicators:
- The reply-to address differs from the apparent sender address
- The domain name is slightly different from the usual one (an extra hyphen, a missing letter, .com instead of .fr)
- The email was sent at an unusual time (early morning, late evening, weekend)
- The writing style subtly differs from the usual sender's (formal where they are usually informal, or vice versa)
- The email does not contain the usual signature, or contains a slightly modified one
Request-related indicators:
- Urgency hammered home ("today before 4 PM," "before close of business")
- Confidentiality demanded ("do not discuss this with anyone")
- New beneficiary or new destination country
- Unusual amount for this type of operation
- Request to bypass normal procedures ("no need to get Hélène's sign-off this time")
- Inability to reach the requester by phone ("I'm in a meeting / abroad / traveling")
Context-related indicators:
- The executive is on vacation, traveling, or on sick leave
- It is a Friday afternoon, a public holiday, or a school vacation period
- The company is in a year-end closing period or in a known merger/acquisition
- An unknown "lawyer" or "auditor" enters the conversation
The reflex to adopt: When in doubt, hang up and call the requester on their known business number. If it is an email, do not reply to the received message - create a new one to the executive's known address. It is a 30-second action that can save hundreds of thousands of euros.
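The email- and request-related indicators above, together with the lookalike domain check from the domain monitoring section, lend themselves to an automated first pass that an email gateway or a mailbox rule can apply before the accountant even opens the message. Here is an added example of such a scorer (my own code, not the article's and not any of the filtering products named earlier). The first sample message is the email from the Bontemps reconstruction rendered as a raw RFC 5322 message with a constructed date; the second is a constructed benign request. The keyword lists, the business-hours window and the 0.8 similarity cut-off are assumptions.

```python
"""Score an incoming payment request against the warning signs listed above,
and flag lookalike sender domains as the domain-monitoring section describes.
Added example; the two messages are constructed (the first is the email from
the reconstruction), the keyword lists and the 0.8 similarity cut-off are mine."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime


def is_lookalike(domain, legit):
    """True when `domain` imitates `legit`: other TLD, brand with extra tokens, or a near-typo."""
    domain, legit = domain.lower(), legit.lower()
    if domain == legit:
        return False
    d_name, _, d_tld = domain.rpartition(".")
    l_name, _, l_tld = legit.rpartition(".")
    if d_name == l_name and d_tld != l_tld:          # bontemps.com vs bontemps.fr
        return True
    if l_name in re.sub(r"[-_.]", "", d_name):      # bontemps-sas.com, acme-group.com
        return True
    return SequenceMatcher(None, d_name, l_name).ratio() >= 0.8   # bontmps.fr


# Phrases that map to the request-related indicators above (lower-case matching).
INDICATORS = {
    "urgency": ("urgent", "today", "before close", "within the hour", "immediately", "asap"),
    "confidentiality": ("confidential", "do not discuss", "don't discuss", "discreet", "only person i trust"),
    "bypass of procedure": ("can't involve", "cannot involve", "no need to get", "sign-off"),
    "requester unreachable": ("unreachable", "in a meeting", "abroad", "traveling", "by email only"),
}


def _body_text(msg):
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_email(raw, legit_domain, business_hours=(8, 19)):
    """Return the list of warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", sender))
    sender_domain = sender.rpartition("@")[2].lower()

    if reply_to and reply_to.lower() != sender.lower():
        hits.append(f"reply-to {reply_to} differs from sender {sender}")
    if sender_domain != legit_domain.lower():
        kind = "lookalike of" if is_lookalike(sender_domain, legit_domain) else "not"
        hits.append(f"sender domain {sender_domain} is {kind} {legit_domain}")
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() >= 5 or not business_hours[0] <= sent.hour < business_hours[1]:
            hits.append(f"sent at an unusual time: {sent:%a %H:%M}")
    except (TypeError, ValueError):
        hits.append("missing or unparsable Date header")

    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}".lower()
    for label, phrases in INDICATORS.items():
        found = [p for p in phrases if p in text]
        if found:
            hits.append(f"{label}: {', '.join(found)}")
    return hits


# Constructed sample: the message from the reconstruction, as a raw RFC 5322 message.
SAMPLE = """\
From: Marc Bontemps <marc.bontemps@bontemps-sas.com>
To: nathalie.perrin@bontemps.fr
Date: Mon, 19 Feb 2024 10:15:00 +0100
Subject: Urgent - confidential

Nathalie, I need your help on a confidential matter. It involves an acquisition
we've been preparing for weeks. I can't involve Hélène for now due to a potential
conflict of interest. You're the only person I trust to handle this discreetly.

A law firm will contact you within the hour with the escrow account details.
The amount is EUR 82,000. It's urgent - the signing is scheduled for Wednesday.

I'm unreachable by phone (traveling abroad). Reply to me by email only.
"""

# Constructed benign request from the real domain, during office hours.
BENIGN = """\
From: Marc Bontemps <marc.bontemps@bontemps.fr>
To: nathalie.perrin@bontemps.fr
Date: Tue, 20 Feb 2024 14:02:00 +0100
Subject: Q1 supplier statements

Nathalie, could you send me the Q1 supplier statements when you have a moment?
Thanks, Marc
"""

if __name__ == "__main__":
    for label, raw in (("reconstruction", SAMPLE), ("benign", BENIGN)):
        print(label, "->", score_email(raw, "bontemps.fr") or ["no warning signs"])
```

The reconstruction email lights up five of the indicator groups (lookalike domain, urgency, confidentiality, bypass of Hélène, requester unreachable) while the benign message scores zero. A scorer like this is a prompt for the verification reflex, not a verdict: a message from a genuinely compromised @bontemps.fr account would pass the domain test and can still be caught only by the callback.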
What Insurers Expect from You
Cyber insurers are increasingly incorporating CEO fraud into their coverage terms. Here is what they check before paying out.
Contractual Prerequisites
Most cyber insurance policies contain prerequisite clauses. If the company does not meet these prerequisites, the insurer may reduce or deny the claim. The most common prerequisites related to wire transfer fraud are as follows.
Dual authorization procedure. The insurer checks that the company had a dual-signature process in place for wire transfers above a certain threshold. The absence of this procedure may be cited as a failure to meet the prevention obligation.
Employee training. Insurers increasingly require proof of awareness training. A phishing simulation report showing that employees were trained to detect CEO fraud is a valuable document in the event of a claim.
MFA enabled. Multi-factor authentication on email accounts and online banking access has become a near-universal prerequisite among cyber insurers in 2025-2026.
DMARC. Some insurers have begun checking the company's DMARC configuration. A domain without DMARC set to reject may be treated as a known and unaddressed vulnerability, which affects indemnification.
Coverage Amounts
"Fraud and embezzlement" coverage in cyber insurance policies ranges from EUR 50,000 to EUR 500,000 for SMBs, with deductibles of EUR 5,000 to EUR 25,000. For large enterprises, coverage can reach several million.
Note: CEO fraud is sometimes covered by the "fraud" guarantee (included in the cyber policy), sometimes by a separate "wire transfer fraud" or "fund misappropriation" guarantee. Check your policy with your broker.
What to Do If You Are a Victim: The First 24 Hours
If you suspect or discover CEO fraud, every minute counts. Here is the sequence of actions to follow.
Hour H: Alert the bank. Call the fraud department immediately (not your account manager, not the main line: the fraud department or the back-office wire transfer team). Request a transfer recall. The faster you act, the higher the recovery chances. For SEPA transfers, a recall is possible as long as the transfer has not been credited to the destination account.
Hour H+1: File a complaint. Head to the police station or gendarmerie. Or file online via the THESEE platform (Traitement harmonisé des enquêtes et signalements pour les e-escroqueries - the Ministry of the Interior's harmonized platform for online fraud investigations and reports). Reminder: the LOPMI law requires a complaint to be filed within 72 hours to maintain your insurance indemnification rights.
Hour H+2: Secure the evidence. Do not delete any emails, messages, or call logs. Export the full headers of the fraudulent emails. Take screenshots of the wire transfers. These items will be needed for the investigation and your insurance claim.
Hour H+3: Alert your insurer. Declare the incident to your cyber insurer (if you have one). Attach the proof of the filed complaint.
Hour H+4: Check for compromise. If the attack involved an email sent from your own domain, immediately check whether an email account has been compromised. Reset passwords, enable MFA, review recent logins in your email administration console (Google Workspace Admin Console, Microsoft 365 Admin Center).
Day D+1: Internal communication. Inform the teams about what happened, without naming the person who executed the transfer (they are a victim, not a culprit). Use the incident as an opportunity to reiterate procedures and offer an awareness session. A real incident is the most powerful training tool.
Conclusion: CEO Fraud Is Not Going Away
CEO fraud has existed since the early 2000s and costs billions worldwide every year. It will not disappear for a simple reason: it exploits human nature, not technology. As long as employees receive orders from their boss and carry them out, scammers will find a way to impersonate the boss.
Voice and video deepfakes add a new dimension. Your CEO's voice on the phone no longer proves anything. Their face on a video call no longer proves anything. The only defense that holds is procedure: dual authorization, callback to a verified number, formal approval workflows.
Technical protection (DMARC, MFA, filtering) reduces the attack surface but does not eliminate it. Theoretical training raises awareness but does not change behavior. Only the combination of all three - technical controls, procedures, simulation - provides a credible defense.
For French SMBs, the numbers are clear. DMARC adoption is too low. Dual authorization procedures are rarely formalized. CEO fraud awareness training is often absent or reduced to an annual email. That is precisely what scammers are counting on.
The Pathé, Vallourec, Etna Industrie cases, and the thousands of unreported ones all share something in common: they could have been prevented. Not with magic technology. With simple procedures and trained employees.
Thomas Ferreira is a cybersecurity consultant and founder of nophi.sh. He helps French SMBs implement phishing and CEO fraud awareness programs.
Additional resources:
- Free Email Security Test (SPF/DKIM/DMARC) - check whether your domain is protected against spoofing
- Phishing Psychology: Why Smart People Click - the cognitive biases exploited by scammers
- SMB Email Security: Testing SPF, DKIM, and DMARC - the technical guide to protecting your domain
- Phishing Simulation in Business: 2026 Guide - how to train your teams
- New Phishing Forms: Quishing, Vishing, Smishing - voice deepfakes and emerging threats
- Your Cyber Insurer Wants Proof of Employee Training? - what insurers check
- Cybermalveillance.gouv.fr - France's national platform for cybercrime victim assistance
- ANSSI - Cybersecurity Guide for VSBs/SMBs - best practices recommended by the French government