
Legal perspectives on cybercrime offences

Introduction

Cybercrime represents one of the most dynamic and complex forms of contemporary crime, emerging as a result of the accelerated digitalisation of all economic sectors and of society’s increasing dependence on technology. In academic doctrine [1], cybercrime is defined as an “umbrella concept” encompassing all offences committed through or against IT systems, in which perpetrators primarily utilise computer data and digital infrastructure.

Cybercrime manifests itself in a wide variety of forms and methods, reflecting both the complexity of the digital environment and the vulnerabilities of IT infrastructures. Specialist literature [2] identifies the main types of cybercrime as including unauthorised access to IT systems (hacking), the distribution of malicious software (malware, ransomware), IT fraud and digital identity theft, as well as social engineering techniques such as phishing, which aim to fraudulently obtain personal or financial data. Other forms include Denial-of-Service (DoS) attacks designed to disrupt networks or services, the compromise of critical infrastructure, software piracy and cyberstalking, all of which have significant legal and economic consequences [3].

This article aims to examine, from a legal perspective, fake CEO/President fraud (also known as a form of business email compromise – BEC), given the significant rise in this criminal phenomenon and, in some instances, the complexity and debate surrounding the legal classification of this type of fraud and its constitutive elements.

Before defining this concept and discussing in detail the criminal mechanisms specific to business email compromise, it is useful to outline the concept of phishing as a social engineering technique. Phishing generally constitutes the operational premise for the compromise of online communications, identity theft and, ultimately, the initiation of fraudulent payment instructions through which funds are transferred to accounts other than those originally intended.

According to legal doctrine [4], phishing can be defined as a form of IT fraud involving the communication of e-mails or other types of electronic communications that create the appearance of originating from legitimate entities (e.g. banking institutions) or from members of a company’s management. The aim of this illegal practice is to mislead the recipient in order to obtain personal data, induce them to access fake web pages or cause them to initiate payment transactions.

The fraud is carried out by replicating authentic visual elements (logos, graphic design, distinctive features within communications, etc.) or by falsifying the sender’s email address, a technique known as e-mail spoofing. This involves manipulating the metadata in the message header so that an e-mail appears to have been sent from a legitimate source [5].

In many cases, perpetrators modify only a single letter or digit in an otherwise legitimate e-mail address, making the discrepancy difficult to detect. As a result, recipients may unknowingly comply with fraudulent requests. Detecting such activity typically requires a review of the message metadata to verify its true origin (e.g. the sending server, the country of transmission, etc.).

Fake CEO/President fraud is a specific form of the phenomenon known as business email compromise [6]. This scheme relies on social engineering tactics to deceive targeted individuals within an organisation, typically finance staff or senior personnel (e.g., directors or managers) with authority to approve payments, into initiating bank transfers or other transactions that they would not ordinarily authorise.

Perpetrators typically impersonate senior individuals within the target company (e.g., the CEO, CFO/finance director or regional manager) and send urgent, seemingly legitimate electronic communications. This is achieved either by registering look-alike email addresses that closely mimic genuine accounts or by compromising authentic email accounts and sending messages from them. These methods are not exhaustive, as offenders tend to employ a range of additional techniques in practice to facilitate the commission of the offence.

Modus operandi and key characteristics of fake CEO/President fraud

Fake CEO fraud operates through a complex method based on social engineering [7], which exploits the relationship of authority and the urgency associated with completing work tasks or cooperating with business partners. Victims are induced to comply with exceptional and confidential requests that cause them to deviate from normal workflows and the company’s internal rules, such as the urgent authorisation of payments [8] or the transmission of confidential information relating to the company’s activities.

Technically, the typical method involves compromising a legitimate account or spoofing a domain so that it appears authentic, inserting the fraudulent message into pre-existing business conversations (thread hijacking), and omitting any obvious payload [9]. As a result, the focus shifts to analysing the content of the transmitted email, changes to the email’s metadata and correlation with the internal procedures of an entity targeted by such fraud [10].

From an operational perspective, in some cases, criminal activity is observed to be synchronised with a company’s invoicing cycles and the discreet alteration of the counterparty’s payment details (compromised vendor email [11]), accompanied by an explicit request to waive secondary-channel verification procedures [12]. Furthermore, in practice, there have been cases in which, immediately following the acquisition of a Romanian company by a group of foreign firms, criminals who had been monitoring and tracking communications relating to the transaction requested that the acquired company carry out bank transfers. The purported beneficiaries were presented as entities within the acquiring group, allowing perpetrators to obtain large sums of money unlawfully by claiming to be members of the management of the foreign group. In all cases, the bank accounts to which the funds were requested to be transferred belonged to the perpetrators.
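The two detection points described above, reviewing the message metadata and sender address for spoofing or a one-character look-alike domain, and screening the message for the urgency, secrecy, changed payment details and requests to skip secondary-channel verification that characterise this fraud, can be combined in a simple triage script. The following Python example is added here and is not part of the original article; the trusted domain example-corp.com, the sample message, the phrase lists and the function names are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: the receiving company's own domain
# Constructed sample (not a real message): look-alike sender domain, Reply-To and
# Return-Path on a third domain, executive title, and the markers described above.
SAMPLE = """\
From: "CEO Maria Ionescu" <m.ionescu@examp1e-corp.com>
Reply-To: ceo.office@mail-example.net
Return-Path: <bounce@mail-example.net>
Received: from mx.mail-example.net ([203.0.113.7]) by mail.example-corp.com
Subject: Urgent and confidential payment

Please wire EUR 48,000 today to our new partner account below.
This is confidential, do not call me to confirm, I am in meetings all day.
"""
# Phrase patterns are assumptions chosen to match the modus operandi described above.
CONTENT_FLAGS = {
    "urgency": r"\b(urgent|today|immediately|asap)\b",
    "secrecy": r"\bconfidential\b|\bdo not (tell|discuss|mention)\b",
    "bypass verification": r"\b(do not|don't|no need to) (call|verify|confirm)\b",
    "new payment details": r"\bnew (partner |bank )?account\b|\bupdated (bank )?details\b",
}

def edit_distance_le1(a, b):
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if len(a) == len(b):  # e.g. 'l' replaced by '1'
        return sum(x != y for x, y in zip(a, b)) <= 1
    if abs(len(a) - len(b)) != 1:
        return False
    long, short = (a, b) if len(a) > len(b) else (b, a)
    k = next((i for i in range(len(short)) if long[i] != short[i]), len(short))
    return long[:k] + long[k + 1:] == short  # one character inserted or dropped

def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def triage(raw, trusted=TRUSTED_DOMAINS):
    """Return {'sender': [...], 'content': [...]} listing the red flags found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom, sender = domain_of(addr), []
    if from_dom not in trusted:
        sender += [f"look-alike domain {from_dom} resembles {t}"
                   for t in trusted if edit_distance_le1(from_dom, t)]
        if re.search(r"\b(ceo|cfo|president|director)\b", name, re.I):
            sender.append("executive title in display name from untrusted domain")
    for hdr in ("Reply-To", "Return-Path"):  # replies or bounces diverted elsewhere
        d = domain_of(msg.get(hdr, ""))
        if d and d != from_dom:
            sender.append(f"{hdr} domain {d} differs from From domain {from_dom}")
    # Topmost Received header is the hop into our own server; its 'from' host is the real relay.
    m = re.match(r"from\s+(\S+)", (msg.get_all("Received") or [""])[0].strip())
    if m and not any(m.group(1) == t or m.group(1).endswith("." + t) for t in trusted):
        sender.append(f"delivered by external relay {m.group(1)}")
    parts = msg.walk() if msg.is_multipart() else [msg]  # scan subject plus text/plain parts
    text = msg.get("Subject", "") + "\n" + "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")
    content = [f for f, pat in CONTENT_FLAGS.items() if re.search(pat, text, re.I)]
    return {"sender": sender, "content": content}
```

Running `triage(SAMPLE)` on the constructed message reports five sender anomalies and all four content markers; any message that scores on "new payment details" or "bypass verification" is a candidate for the out-of-band callback the scheme tries to avoid.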

Once the funds have been obtained unlawfully, their rapid dispersal through cross-border mechanisms, including the use of intermediary accounts and the execution of international transfers, drastically reduces the likelihood of the victims recovering the transferred sums.

This feature amplifies the complexity of this criminal scheme and justifies prompt intervention to block financial flows. Such intervention may be carried out by banking institutions promptly notified by the victims or by law enforcement authorities, and must be coupled with effective international judicial cooperation [13] where funds are transferred abroad.

As noted above, fake President/CEO fraud, as a form of the BEC scheme, involves the use of various methods, techniques and tactics through which perpetrators deceive targeted individuals by using computer data and systems or other means of electronic communication.

Beyond the mere use of IT systems and data (primarily electronic correspondence), BEC is characterised by the fact that the perpetrator exploits the victims’ habitual use of electronic means of communication and manipulates their behaviour in order to induce them to disclose confidential data or information or, in particular, to make financial transfers resulting in significant losses to a company’s assets [14].

From the perspective of analysing the offences committed, such unlawful activities may fulfil the constituent elements of fraud (Art. 244 of the Criminal Code) or IT fraud (Art. 249 of the Criminal Code). In this context, the distinction drawn above between phishing and fake President/CEO fraud is essential, as it relates to the nature of the damage caused and the perpetrator’s intended purpose in carrying out the manipulation.

Considering the varied legal classifications adopted across different prosecution offices, it is useful to highlight certain key aspects relevant to the legal classification of the acts associated with fake President/CEO-type criminal activity.

We agree with the prevailing doctrinal view [15] that, in the absence of any resulting damage arising from phishing activities conducted through electronic means, the offences referred to in the preceding paragraph (fraud or IT fraud) cannot be established.

Consequently, although such methods are designed to mislead, the relevant conduct may instead be regarded as preparatory to the commission of other offences or as an instrumental modality for achieving a distinct criminal purpose, including IT forgery, as regulated by Art. 325 of the Criminal Code. The same approach should be adopted in relation to pharming and analogous techniques aimed solely at obtaining data or information, insofar as no damage has materialised, that is, where the conduct consists exclusively of the acquisition or collection of such data or information.

In the context of the fake President/CEO fraud, the distinction between IT fraud and deception is determined by reference to the subject (person) or object of the perpetrator’s conduct.

Where the offence of fraud is alleged, the perpetrator typically relies on deception as the primary means of carrying out the criminal conduct directed against the victim. The effectiveness of such conduct is enhanced in the absence of direct contact, where interactions take place via remote means of communication (email or equivalent electronic channels).

The success of the scheme depends on the credibility of the information conveyed, which usually consists of a calibrated combination of accurate (or easily verifiable) details and falsified, truncated or incomplete elements. This construction serves to lower the victim’s level of alertness, induce a sense of reassurance and ultimately generate trust in the perpetrator’s message.

The offender exploits an established relationship of trust and perpetuates the deception so as to induce the victim to engage in conduct capable of producing harm, including the execution of payment transactions, the disclosure of authentication information or the implementation of instructions that generate financial repercussions.

IT fraud consists of actions that affect the integrity, availability or reliability of the digital environment, namely through the creation, modification, deletion, suppression or concealment of computer data and/or through interference with the operation of an IT system, where the consequence is the production of patrimonial damage, including the loss of assets or money. The distinctive feature of this offence lies in the fact that it does not necessarily depend on the victim’s behaviour. In such circumstances, the victim plays no role either in the commission of the fraud or in the loss of property or money [16].

The correct distinction between the offence of deception and that of IT fraud remains a recurring issue, including in judicial practice, with some courts finding that the two offences are concurrent (see Bucharest Court of Appeal, Second Criminal Division, Decision No. 854/2016). Other courts, where fraud is committed by computerised means, apply either the offence provided for in Art. 244 of the Criminal Code (see Pitești Court of Appeal, Criminal Judgment No. 689/R/2008) or that provided for under Art. 249 of the Criminal Code (see Pitești Court of Appeal, Criminal Judgment No. 672/2013).

It can therefore be argued that there remains a need for a clear distinction. In this context, it should be noted that a ruling of the High Court of Cassation and Justice [17] concerning the ideal concurrence between the provisions of Art. 244 and Art. 249 of the Criminal Code, in relation to the same damage, requires the application of the special rule in order to avoid double punishment of the defendant. This ruling resolves, to some extent, the practical difficulties encountered.

On the other hand, the argument regarding the connection between the act provided for in Art. 249 of the Criminal Code – as a means offence – and that provided for in Art. 244 (2) of the Criminal Code cannot always be upheld, as the factual situation under analysis may qualify as the commission of the offence of fraud in an aggravated form.

Similarly, doctrinal analysis [18] indicates that, in most cases, the conduct does not involve the misleading of a person, but rather the manipulation of an IT system. Such conduct may fulfil the constituent elements of IT forgery, an offence provided for in Art. 325 of the Criminal Code, while the constituent elements of IT fraud are not applicable.

In the context of fake President/CEO fraud, the prevailing factual pattern involves the impersonation of a person in a position of authority and the transmission of messages to the victim which, in most cases, request or prompt the transfer of funds. As is apparent, this modality does not typically entail the manipulation of an IT system or interference with computer data of a nature that would satisfy the constituent elements of IT fraud. Rather, it primarily engages the constituent elements of fraud, since the deception induces the victim to dispose of assets to their detriment. In recent criminal cases involving fake President/CEO fraud, the prosecuting authorities have ordered the commencement of criminal proceedings on the basis of the offences of fraud and IT forgery.

Conclusions

In light of the above, it can be stated that the analysis of fake President/CEO (BEC) criminal activity is essential, given the high number of cases and the significant financial impact on victims in recent years.

Europol’s IOCTA 2024 identifies payment fraud and business email compromise among the most widespread threats, fuelled by phishing and the abuse of encrypted communication channels. The report notes the daily occurrence of victims, with a particular focus on SMEs, and highlights visible effects across a country’s entire economic chain.

At the same time, ENISA’s Threat Landscape 2025 indicates that phishing and the rapid exploitation of vulnerabilities remain dominant attack vectors, while social engineering, increasingly aided by artificial intelligence, is becoming the main driver of identity theft campaigns with cross-border effects.

As regards the correct legal classification of the facts, this requires a comprehensive assessment of all circumstances and the available evidence by the criminal investigation authorities or the court, as the conduct of all parties involved (offenders, victims, etc.) may influence the scope of the applicable criminal law provisions.

In such situations, legal doctrine [19] sets out key criteria for determining the appropriate classification (between Art. 244 and Art. 249 of the Criminal Code), including:

  1. the absence of culpable conduct on the part of the victim;
  2. the nature of the criminal conduct and the perpetrator’s relationship with the IT system;
  3. the existence or absence of a subjective link between the perpetrator and the targeted person or victim;
  4. the extent to which the victim’s involvement was relevant to the success of the criminal act; and
  5. the voluntary or involuntary nature of the transfer of assets and the existence of consent.

Notes

  [1] G. Zlati, ‘Cybercrime in Romania’ (Criminalitatea informatică în România), Cluj Bar Association Journal No. 1, 2021, p. 8.
  [2] T. J. Holt, A. M. Bossler, ‘Cybercrime’, Oxford Handbook Topics in Criminology and Criminal Justice, 2014, available at Oxford Academic.
  [3] X. Wang, ‘Global (Re-)framing of Cybercrime: An Emerging Common Interest in the Flux of Competing Normative Powers?’, Leiden Journal of International Law, 2025, available at Cambridge University Press.
  [4] M. Richardson, Cyber Crime: Law and Practice, Wildy, Simmonds & Hill Publishing, London, 2014, p. 37.
  [5] G. Zlati, ‘IT Fraud: Controversial Aspects’ (Frauda informatică. Aspecte controversate), Universul Juridic Premium No. 3/2020, available at www.sintact.ro.
  [6] M. Dobrinoiu, N. Gratii, ‘Business email compromise from the criminal law perspective’, CKS – Challenges of the Knowledge Society. Defined there as a sophisticated fraudulent scheme targeting companies of all sizes and individuals, through the compromise of an e-mail account or via spoofing methods, with the aim of inducing the victim to make financial transfers to fictitious bank accounts or recipients.
  [7] More on this concept in N. MacEwan, ‘A Tricky Situation: Deception in Cyberspace’, The Journal of Criminal Law, vol. 77, 2013, p. 418.
  [8] A. Almutairi, B. Kang, N. Alhashimy, ‘Business email compromise: A systematic review of understanding, detection, and challenges’, Computers & Security 158, 2025, available at www.sciencedirect.com/journal/computers-and-security.
  [9] In the absence of an attachment intended to compromise the availability, integrity or confidentiality of a computer system, to extract sensitive information or to facilitate unauthorised access to the operating system.
  [10] A. Vorobeva, ‘Detection of Business Email Compromise Attacks with Writing Style Analysis’, Springer (MobiSec 2021 / CCIS 1544), 2022.
  [11] Vendor Email Compromise (VEC) is a targeted cyberattack in which criminals hijack or impersonate trusted suppliers to trick customers into sending money or sensitive data, often by sending fake invoices or altering bank details, exploiting established business trust to obtain financial gain or steal data.
  [12] ‘Business Email Compromise – Techniques and Countermeasures’, 2021, available at IEEE Xplore.
  [13] G. Simpson, T. Moore, ‘Empirical Analysis of Losses from Business-Email Compromise’, APWG eCrime, 2020.
  [14] A. M. Hardy, ‘The high cost of business email compromise fraud’, available at www.sc.com.
  [15] G. Zlati, A Treatise on Cybercrime (Tratat de criminalitate informatică), vol. I, Solomon Publishing, Bucharest, 2020, pp. 358-361.
  [16] M. Dobrinoiu, N. Gratii, ‘Business email compromise from the criminal law perspective’, LESIJ – Lex ET Scientia International Journal, vol. 1/2021, No. XXVIII, p. 163.
  [17] High Court of Cassation and Justice, Criminal Division, Decision No. 2106/2013, available at www.sintact.ro.
  [18] G. Zlati, A Treatise on Cybercrime (Tratat de criminalitate informatică), vol. I, Solomon Publishing, Bucharest, 2020, p. 458.
  [19] Ibidem, pp. 458-460.
