CEO fraud in Portugal: how to react fast, recover funds and strengthen payment security

4 June 2026

  • Portugal
  • Litigation

Imagine you are the CFO of a multinational group. You receive an urgent WhatsApp message from your CEO:

“We’re closing an acquisition in Portugal. I need you to transfer 850,000 EUR to this account immediately. It’s confidential and urgent.”

The pressure feels real. The profile picture matches. The context sounds plausible.

Or imagine a long‑standing foreign supplier suddenly “updates” the IBAN for the payment of a recent order. The email arrives inside an existing email thread about that very supply. Same document style, same signatures, same tone. Everything looks normal.

The next day, you discover the CEO never sent that message – and the supplier never changed bank details. Your company’s funds have been transferred to a Portuguese bank account controlled by fraudsters.

These scenarios are not hypothetical. In recent years, Portuguese authorities have dismantled networks that diverted millions of euros through these methods, often using Portugal as a transit jurisdiction to receive and rapidly dissipate fraudulent proceeds.

What is CEO Fraud (BEC) and how does “money muling” work?

CEO Fraud is part of a broader family of schemes commonly referred to as Business Email Compromise (BEC), invoice fraud, or CEO impersonation. The objective is simple: induce a company to make a payment to an account controlled by criminals by exploiting trust, urgency, confidentiality, and internal processes.

The tactics have evolved well beyond crude spoofed emails. Today, fraudsters frequently use:

  • Messaging apps (WhatsApp, Telegram, Signal) to impersonate senior executives;
  • Compromised email accounts (real inbox access) to insert themselves into legitimate conversations;
  • Typosquatting (look‑alike domains), e.g. companybeta.com vs companybetas.com;
  • Payment diversion at the last minute (“new bank account details”, “audit reason”, “confidential deal”, etc.).

Once funds are transferred, they are typically routed through money mules (or “money muling” schemes): individuals (often young or in financial distress) who allow their bank accounts to be used to receive and quickly forward funds. The most common method is to run the scheme through newly incorporated companies whose accounts are used as temporary “pass‑through” vehicles.

In many cases, the money mule is the only identifiable link when the fraud is detected, while the organisers remain behind layers of transfers and cross‑border complexity.

Why immediate action matters: the first 48–72 hours

Speed is a decisive factor in the recovery of assets. The first 48 to 72 hours are often critical to prevent funds from being fragmented across multiple accounts, moved abroad, or converted into cryptoassets.

Even if that immediate reaction does not occur, companies should act as quickly as possible. A coordinated response is typically required across multiple jurisdictions (e.g., where the company is based, where the recipient account is located, and where subsequent transfers may have gone). This coordination helps ensure urgent engagement with the banks involved (payer bank and recipient bank), payment service providers, and the relevant judicial authorities.

The goal is to preserve evidence, obtain timely information, and pursue measures that may prevent dissipation of funds.

Criminal investigation in Portugal: effective tools, practical limitations

CEO Fraud schemes typically involve conduct that may qualify (depending on the factual pattern) as offences such as computer fraud, money laundering and criminal association.

Portuguese criminal procedure provides mechanisms that can be effective in these cases, including measures that may lead to freezing the movement of funds and seizing amounts held in bank accounts.

In practice, however, the pace of criminal investigations does not always match the operational speed of fraud networks. These cases are usually handled under judicial secrecy, follow their own procedural rhythm, and may require international cooperation to track transfers and identify the individuals behind the scheme.

For victim companies, this can mean long periods without meaningful updates – a reality that often generates understandable frustration and prompts consideration of alternative or parallel strategies.

Civil alternatives: information gathering and precautionary freezing measures

A route that is often overlooked in the initial crisis — but can be valuable — is the civil strategy.

Depending on the circumstances, civil proceedings (including precautionary measures) may help a victim company:

  • obtain relevant information regarding the recipient account(s) and transaction flows (subject to judicial assessment and proportionality), and/or
  • seek preventive freezing of available balances.

This approach is case‑specific and must be assessed urgently. When viable, it can play an important role in bridging information gaps and acting before funds are dissipated.

Can the recipient bank be liable? Traditional stance and a changing landscape

When fraudulent funds are received into Portuguese bank accounts — especially accounts opened by newly created companies, followed by rapid high‑value outgoing transfers — questions often arise about the role of the recipient bank.

Historically, Portuguese courts have tended to take a restrictive approach to the civil liability of recipient banks, particularly where the payer provided the correct IBAN (even if under deception). In addition, breaches of anti‑money laundering (AML) obligations have often been treated primarily as matters of regulatory, administrative or criminal enforcement, rather than as a straightforward basis for civil liability towards third parties.

That said, each case should be assessed on its own facts, including what was knowable and observable by the recipient bank, the transaction pattern, the customer profile, the timing, and the specific compliance obligations at play.

For additional perspectives within the Legalmondo network, see the Spanish analysis on Man‑in‑the‑Middle fraud and bank liability and the Italian perspective on CEO fraud in international groups.

Verification of Payee (VoP): a major compliance and fraud‑prevention shift in Europe

Against this background, the regulatory environment is evolving.

Regulation (EU) 2024/886 (the “Instant Payments Regulation”) strengthens the framework for euro credit transfers and introduces, among other measures, the obligation for payment service providers to offer a Verification of Payee (VoP) service. In short, before a transfer is authorised, the payer should be informed whether the beneficiary name matches the IBAN (or whether there is a close match/no match), helping reduce misdirected payments and social‑engineering fraud.

In Portugal, the Central Bank (Banco de Portugal) has indicated that its VoP service is available from 5 October 2025, and EU‑level implementation deadlines for banks in the euro area are tied to October 2025 obligations under the Regulation.

For corporate finance teams, VoP will not eliminate CEO Fraud (criminals adapt quickly) but it adds a meaningful friction point that can prevent (or at least flag) certain payment diversions.
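A simplified model of the name-against-IBAN check described above, as an added example that is not part of the original article and not the matching rules any bank actually applies. The account-holder table, the 0.85 similarity threshold and the "not checked" outcome are assumptions; the IBANs are published documentation examples.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for the payee bank's records (IBAN -> account holder).
# The two IBANs are the widely published documentation examples.
ACCOUNT_HOLDERS = {
    "DE89370400440532013000": "Supplier Example GmbH",
    "PT50000201231234567890154": "Quick Transit Unipessoal Lda",
}

def compact(iban: str) -> str:
    """Remove whitespace and upper-case an IBAN as typed on an invoice."""
    return re.sub(r"\s+", "", iban).upper()

def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: catches typos, says nothing about ownership."""
    iban = compact(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def normalise(name: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", name.casefold()).split())

def verify_payee(name: str, iban: str, close: float = 0.85) -> str:
    """Answer the payer before authorisation; `close` is an assumed threshold."""
    iban = compact(iban)
    if not iban_valid(iban):
        return "invalid iban"
    holder = ACCOUNT_HOLDERS.get(iban)
    if holder is None:
        return "not checked"  # hypothetical outcome: no record to compare
    claimed, actual = normalise(name), normalise(holder)
    if claimed == actual:
        return "match"
    ratio = SequenceMatcher(None, claimed, actual).ratio()
    return "close match" if ratio >= close else "no match"

if __name__ == "__main__":
    # The diverted-invoice case: the supplier's name paired with a new IBAN.
    for name, iban in [
        ("Supplier Example GmbH", "DE89 3704 0044 0532 0130 00"),
        ("Suplier Example GmbH", "DE89 3704 0044 0532 0130 00"),
        ("Supplier Example GmbH", "PT50 0002 0123 1234 5678 9015 4"),
    ]:
        print(f"{name!r:26} {iban:34} -> {verify_payee(name, iban)}")
```

The third case is the payment diversion from the opening scenario: the IBAN passes its checksum, yet the name the payer believes they are paying does not belong to the account.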

Practical checklist: what companies should do immediately after discovering CEO Fraud

  • Stop and document: Preserve emails (including headers), chat logs, attachments, invoices, and internal approvals.
  • Notify banks urgently: Contact both the payer bank and the recipient bank; request immediate action to trace/freeze funds where possible.
  • Escalate internally: Finance, legal, IT/security, and management should coordinate a single incident response.
  • Engage counsel across jurisdictions: Parallel steps may be needed in the jurisdictions involved.
  • Consider criminal and civil paths: Criminal complaint and cooperation with authorities; assess civil/precautionary measures for speed and information.
  • Contain the breach: If email compromise is suspected, secure accounts, reset credentials, review forwarding rules, and harden multi-factor authentication (MFA).

Conclusion

CEO Fraud (BEC) is a fast‑moving threat that exploits corporate trust and payment workflows. When Portugal is part of the payment chain (whether as recipient jurisdiction or as a transit route) a successful response depends on speed, cross‑border coordination, and a clear strategy combining criminal and, where appropriate, civil measures.

At the same time, regulatory developments such as Verification of Payee under Regulation (EU) 2024/886 signal a new European focus on preventing misdirected payments — an important step, particularly for corporates exposed to high‑value cross‑border transfers.

Carolina Gama
