
Business Email Compromise Training: Preventing Million-Dollar Wire Fraud


$50 billion. That’s what business email compromise (BEC) attacks have stolen since the FBI started tracking them. The average hit is $125,000, though some organizations lose millions in a single attack.

Here’s what makes BEC particularly frustrating to defend against: there’s no malware to scan, no suspicious attachment to sandbox, no sketchy link for your email gateway to flag. These attacks work by impersonating someone the target trusts, asking for something that sounds reasonable, and relying on normal business processes to deliver the money.

Your technical controls won’t catch them. Your employees have to.

BEC attackers study organizations before striking. They learn:

  • Who authorizes payments
  • Who processes wire transfers
  • Vendor relationships and payment patterns
  • Executive communication styles
  • Organizational hierarchies

Armed with this intelligence, they craft emails that appear completely legitimate.

1. CEO Fraud

Attacker impersonates the CEO or another executive to request urgent wire transfers.

“Hi Sarah, I’m closing a confidential acquisition and need you to wire $47,000 to this account today. Time-sensitive, so don’t mention this to anyone until the deal is announced.”

The request comes from what appears to be the CEO’s email (either spoofed or from a compromised account). It creates urgency, invokes authority, and discourages verification through the confidentiality request.

2. Invoice Manipulation

Attacker compromises or impersonates a vendor to change payment details.

“Please update our banking information for future invoices. Our previous account is being migrated.”

The email arrives when a legitimate payment is expected. Everything looks correct except the routing numbers.

3. Account Compromise

Attacker compromises an employee’s email account and uses it to request payments from contacts.

Because emails come from the actual compromised account with full conversation history, recipients have no reason to suspect fraud.

4. Attorney Impersonation

Attacker poses as legal counsel during sensitive transactions: M&A deals, litigation settlements, real estate closings.

The legal context creates urgency and confidentiality that discourage normal verification.

5. Data Theft

Attacker requests W-2s, employee records, or other sensitive data rather than direct payment.

“HR, I need all employee W-2s for a tax compliance audit. Please send by end of day.”

This variant enables identity theft and tax fraud against employees.

BEC attacks are engineered to bypass security tools:

| Why It Evades Detection      | Explanation                                   |
|------------------------------|-----------------------------------------------|
| No malicious links           | Nothing for URL scanners to catch             |
| No attachments               | Nothing for sandboxes to analyze              |
| Legitimate sender reputation | Uses real or lookalike domains                |
| Normal email content         | Text matches typical business communication   |
| Often from real accounts     | Compromised legitimate email accounts         |

Email security catches obvious fraud. BEC attacks aren’t obvious. They’re crafted to appear completely normal.

Employees can’t stop what they don’t recognize. Training must cover:

Request characteristics:

  • Unusual urgency (“must be done today”)
  • Confidentiality demands (“keep this between us”)
  • Authority pressure (“the CEO needs this”)
  • Process bypass requests (“skip normal approval this once”)
  • Changed payment details (“use this new account”)

Context indicators:

  • First-time requests from executives
  • Requests outside normal business hours
  • Unusual vendors or payment amounts
  • Timing aligned with executive travel or unavailability
  • Email threads that don’t match previous conversation history
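The request characteristics and context indicators above can be turned into a first-pass triage rule that routes a message to the out-of-band verification procedure before anyone acts on it. The following is an added example written for this article, not the article's own tooling: the phrase patterns, the business-hours window and the "two or more independent indicators" threshold are constructed assumptions to be tuned to an organization's own wording and policy, and the two sample messages are constructed (the first reuses the CEO-fraud wording quoted earlier).

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed phrase patterns, one group per red flag in the training list.
# Illustrative heuristics only; tune them to the wording your organization uses.
PATTERNS = {
    "urgency": [r"\btoday\b", r"\burgent(ly)?\b", r"\bend of (the )?day\b",
                r"\bEOD\b", r"\btime[- ]sensitive\b", r"\bright away\b"],
    "confidentiality": [r"\bconfidential\b", r"\bdon['\u2019]?t (mention|tell)\b",
                        r"\bbetween us\b", r"\bdiscreet(ly)?\b"],
    "authority": [r"\b(ceo|cfo|president|chairman)\b", r"\bneed you to\b",
                  r"\bon my behalf\b"],
    "process_bypass": [r"\bskip\b", r"\bthis once\b", r"\bbypass\b",
                       r"\bno need (to|for)\b",
                       r"\bwithout (the )?(usual |normal )?approval\b"],
    "payment_change": [r"\b(this|new|updated) (bank )?account\b",
                       r"\bupdate (our|the|your) bank", r"\brouting number",
                       r"\bbanking (information|details)\b"],
}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    sent_at: datetime
    # Payment-related requests this sender has made before, taken from the
    # organization's own history; 0 means a first-time request.
    prior_payment_requests: int = 0


def within_business_hours(ts: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """Monday to Friday, local working hours (constructed policy values)."""
    return ts.weekday() < 5 and start_hour <= ts.hour < end_hour


def score_request(msg: Message) -> dict:
    """Return matched red-flag categories, context indicators and the handling
    decision for one message."""
    text = f"{msg.subject}\n{msg.body}"
    hits = {}
    for category, patterns in PATTERNS.items():
        matched = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if matched:
            hits[category] = matched
    context = []
    if not within_business_hours(msg.sent_at):
        context.append("outside_business_hours")
    if msg.prior_payment_requests == 0 and hits:
        context.append("first_time_request_from_sender")
    score = len(hits) + len(context)
    # Two or more independent indicators: route to out-of-band verification
    # before anyone acts on the request.
    action = "verify_out_of_band" if score >= 2 else "normal_handling"
    return {"hits": hits, "context": context, "score": score, "action": action}


# Constructed samples: the CEO-fraud wording from the article, and a routine
# purchase-order message for comparison.
CEO_FRAUD = Message(
    sender="ceo@company-corp.com",
    subject="Quick favor",
    body=("Hi Sarah, I'm closing a confidential acquisition and need you to wire "
          "$47,000 to this account today. Time-sensitive, so don't mention this "
          "to anyone until the deal is announced."),
    sent_at=datetime(2024, 3, 14, 21, 40),   # Thursday evening
    prior_payment_requests=0,
)
ROUTINE = Message(
    sender="buyer@companycorp.com",
    subject="Signed PO for Q3 office supplies",
    body=("Attached is the signed PO for the Q3 office supplies order, as discussed. "
          "Invoice will follow next week."),
    sent_at=datetime(2024, 3, 12, 10, 15),   # Tuesday morning
    prior_payment_requests=12,
)

if __name__ == "__main__":
    for m in (CEO_FRAUD, ROUTINE):
        r = score_request(m)
        print(f"{m.sender}: score={r['score']} action={r['action']} flags={sorted(r['hits'])}")
```

The point of the score is not to block mail; it is to decide which requests must go through the verification procedure regardless of how plausible they read. A single indicator (an executive writing after hours) is normal; several at once is the shape of the attack.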

Training must include clear verification requirements:

For wire transfers:

  • Verbal confirmation through known phone numbers (not numbers in the email)
  • Dual authorization for transfers above threshold
  • Cooling-off period for unexpected requests
  • Standard process that cannot be bypassed by claimed urgency

For payment detail changes:

  • Independent verification with vendor through established contacts
  • Comparison against historical payment records
  • Review of any recent correspondence for signs of compromise

For sensitive data requests:

  • Verification of requestor identity through separate channel
  • Manager approval regardless of apparent sender
  • Confirmation that request matches legitimate business need

BEC training requires simulation exercises that test whether procedures are actually followed.

Effective simulations:

  • Mimic real attack patterns employees might face
  • Create time pressure without being unfair
  • Test whether employees verify before acting
  • Provide immediate education when procedures aren’t followed

What to measure:

  • Percentage who attempt verification before acting
  • Time between request and verification attempt
  • Proper use of established verification procedures
  • Willingness to question requests from apparent authority

Highest-risk group for direct financial loss.

Training focus:

  • Wire transfer verification procedures (no exceptions)
  • Vendor payment change protocols
  • Recognition of urgency manipulation
  • Authority to delay suspicious requests

Often targeted as gatekeepers with broad access and trust.

Training focus:

  • Verifying executive identity on unusual requests
  • Recognizing when executive accounts may be compromised
  • Procedures when executives are traveling or unavailable
  • Protection of executive schedules and travel information

Targets for W-2 fraud and payroll diversion.

Training focus:

  • Verification requirements for bulk data requests
  • Recognition of tax-season attack patterns
  • Direct deposit change verification
  • Sensitivity to “urgent compliance” pretexts

High-value transaction targets.

Training focus:

  • Wire instruction verification for closings
  • Recognition of last-minute change requests
  • Independent confirmation of attorney identity
  • Awareness of public transaction information attackers exploit

Training works best alongside process controls that create natural verification checkpoints.

Require two people to approve significant transactions. This creates a natural verification step. The second approver has no reason to feel urgency pressure from the original request.

Before processing wire transfers or payment changes, require phone verification using independently obtained contact information. Never use numbers provided in the request.

Establish minimum processing times for large or unusual transactions. A 24-hour hold on unexpected wire requests gives time for verification and reduces attacker leverage from manufactured urgency.

Any change to vendor payment information triggers independent verification through established contacts, not contacts provided in the change request.
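The four process controls just described (dual authorization, callback on an independently obtained number, a cooling-off hold, and verification of payment-detail changes against the vendor master) are easiest to make "no exceptions" when the payment system refuses to release a wire until every one of them is satisfied. The following is an added example, not the article's or any payment system's code: the vendor record, the policy thresholds and the three sample requests are all constructed, and the second request reproduces the invoice-manipulation pattern (expected payment, new account, "confirmation" number taken from the email itself).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class VendorRecord:
    """Vendor master data, maintained by finance independently of any email."""
    name: str
    callback_phone: str            # number obtained at onboarding, never from a request
    bank_account: str              # account currently on file
    payment_history: List[float]   # previous amounts paid to this vendor


@dataclass
class WireRequest:
    vendor: str
    amount: float
    bank_account: str              # account the request asks us to pay
    received_at: datetime
    expected: bool                 # already on the payment forecast/calendar?
    callback_phone_used: Optional[str] = None
    callback_confirmed: bool = False
    approvers: Set[str] = field(default_factory=set)


# Constructed policy values; set them to your own thresholds.
POLICY = {
    "dual_auth_threshold": 10_000.0,  # two approvers at or above this amount
    "hold_hours": 24,                 # cooling-off period for unexpected requests
    "history_multiplier": 2.0,        # flag amounts this far above the largest prior payment
}


def release_blockers(req: WireRequest, vendors: Dict[str, VendorRecord], now: datetime) -> List[str]:
    """Every control the request still fails; an empty list means it may be released."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["vendor not in master data"]
    blockers = []
    if req.bank_account != vendor.bank_account:
        blockers.append("bank details differ from vendor master; verify change through established contact")
    if not req.callback_confirmed or req.callback_phone_used != vendor.callback_phone:
        blockers.append("callback not confirmed on the number on file")
    if req.amount >= POLICY["dual_auth_threshold"] and len(req.approvers) < 2:
        blockers.append("dual authorization required")
    if not req.expected and now - req.received_at < timedelta(hours=POLICY["hold_hours"]):
        blockers.append("cooling-off hold for unexpected request has not elapsed")
    if vendor.payment_history and req.amount > max(vendor.payment_history) * POLICY["history_multiplier"]:
        blockers.append("amount far outside this vendor's payment history")
    return blockers


def release_allowed(req: WireRequest, vendors: Dict[str, VendorRecord], now: datetime) -> bool:
    return not release_blockers(req, vendors, now)


# Constructed vendor master and sample requests.
VENDORS = {
    "Acme Machining": VendorRecord("Acme Machining", "+1-555-0100", "ACME-ACCT-001",
                                   [12_000, 15_000, 11_000]),
}
NOW = datetime(2024, 3, 15, 9, 0)
LATER = NOW + timedelta(hours=23)

# Invoice manipulation: expected payment, new account, callback made to a number
# that came from the email rather than the vendor master, one approver.
MANIPULATED = WireRequest(
    vendor="Acme Machining", amount=14_000, bank_account="NEW-ACCT-999",
    received_at=datetime(2024, 3, 14, 16, 30), expected=True,
    callback_phone_used="+1-555-0199", callback_confirmed=True, approvers={"alice"},
)
# The same payment, verified on the number on file and approved by two people.
VERIFIED = WireRequest(
    vendor="Acme Machining", amount=14_000, bank_account="ACME-ACCT-001",
    received_at=datetime(2024, 3, 14, 16, 30), expected=True,
    callback_phone_used="+1-555-0100", callback_confirmed=True, approvers={"alice", "bob"},
)
# An unexpected request that is otherwise in order but arrived two hours ago.
UNEXPECTED = WireRequest(
    vendor="Acme Machining", amount=8_000, bank_account="ACME-ACCT-001",
    received_at=NOW - timedelta(hours=2), expected=False,
    callback_phone_used="+1-555-0100", callback_confirmed=True, approvers={"alice"},
)
UNKNOWN_VENDOR = WireRequest(vendor="Nobody Ltd", amount=1_000, bank_account="X",
                             received_at=NOW, expected=True)

if __name__ == "__main__":
    for name, req in (("manipulated", MANIPULATED), ("verified", VERIFIED), ("unexpected", UNEXPECTED)):
        print(name, release_blockers(req, VENDORS, NOW) or "release allowed")
```

Note that the callback check compares the number actually dialled against the vendor master, so a "confirmation" made to a number supplied in the request does not count, and that a changed account is a blocker even when everything else is in order: the change itself is what triggers independent verification.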

| Metric                                  | Target       |
|-----------------------------------------|--------------|
| Verification rate on BEC simulations    | >90%         |
| Average time to verify                  | <30 minutes  |
| Compliance with verification procedures | >95%         |
  • Reduction in successful social engineering attempts
  • Increase in suspicious request reports
  • Decrease in process bypass attempts
  • Employee confidence in verification procedures

Run quarterly BEC simulations targeting different attack scenarios:

  • CEO fraud wire requests
  • Vendor payment change requests
  • Sensitive data requests
  • Last-minute transaction modifications

Track whether employees follow verification procedures, not just whether they “pass” or “fail.”

When BEC attacks occur, rapid response can sometimes recover funds.

  1. Contact bank immediately - Request wire recall or hold
  2. Preserve evidence - Don’t delete emails or modify anything
  3. Identify scope - Determine what else may be compromised
  4. Report to FBI IC3 - File complaint for law enforcement coordination
  • Analyze attack vector (spoofed domain, compromised account, etc.)
  • Review what information attackers had access to
  • Identify other potential targets in the organization
  • Assess whether accounts may still be compromised
  • Implement additional controls to prevent similar attacks
  • Update training based on lessons learned
  • Communicate (sanitized) incident to organization for awareness
  • Review and strengthen verification procedures

Case Study: Near-Miss at Manufacturing Firm


A CFO received an urgent email from what appeared to be the CEO during an overseas business trip:

“Need you to process a $180,000 wire transfer for equipment purchase. Confidential until we announce the expansion. Account details attached.”

The CFO prepared the transfer but called the CEO to confirm before submitting, using the CEO’s personal cell number, not a number from the email. The CEO knew nothing about it.

Investigation revealed:

  • Attackers had compromised a vendor’s email account
  • They had access to information about the CEO’s travel
  • The email came from a lookalike domain (ceo@company-corp.com instead of ceo@companycorp.com)
  • Request amount was deliberately below the CFO’s authorization threshold

What worked: Established callback verification procedure saved $180,000.

What needed improvement: Domain monitoring could have detected the lookalike registration. Travel information access needed review.
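The domain monitoring the case study calls for starts with a way to decide whether a sender's domain is a lookalike of the organization's own. The following is an added example, not the article's own code: it classifies sender addresses as internal, lookalike or external by folding hyphens and commonly confused characters, measuring a one-edit distance (including adjacent swaps) against the organization's domain label, and catching the organization's name embedded in an unrelated domain. The organization domain, confusable table, sample addresses and the assumption of a one-label public suffix (".com") are all constructed; production code should use the public suffix list.

```python
ORG_DOMAIN = "companycorp.com"   # constructed, from the case study above

# Characters and digraphs commonly swapped for their look-alikes in lookalike
# registrations (constructed, non-exhaustive table).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize_label(label: str) -> str:
    """Lowercase, drop hyphens and fold confusables so that 'company-corp'
    and 'c0mpanyc0rp' both become 'companycorp'."""
    label = label.lower().replace("-", "")
    for lookalike, canonical in CONFUSABLES.items():
        label = label.replace(lookalike, canonical)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution or
    transposition of adjacent characters, each costing 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def registrable_label(domain: str) -> str:
    """Second-level label of the domain. Assumes a one-label public suffix
    such as .com; use the public suffix list for ccTLDs like .co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(sender: str, org_domain: str = ORG_DOMAIN) -> str:
    """'internal', 'lookalike' or 'external' for one sender address."""
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    org_label = org_domain.split(".")[0]
    if domain == org_domain or domain.endswith("." + org_domain):
        return "internal"
    label = registrable_label(domain)
    if normalize_label(label) == normalize_label(org_label):
        return "lookalike"   # hyphen, confusable-character or TLD variant
    if osa_distance(normalize_label(label), normalize_label(org_label)) <= 1:
        return "lookalike"   # one character added, dropped, changed or swapped
    if org_label in domain.replace("-", ""):
        return "lookalike"   # organization name embedded in an unrelated domain
    return "external"


def triage(senders, org_domain: str = ORG_DOMAIN) -> dict:
    return {s: classify_sender(s, org_domain) for s in senders}


# Constructed sample senders, including the case-study lookalike.
SAMPLE_SENDERS = [
    "ceo@companycorp.com",
    "ceo@finance.companycorp.com",
    "ceo@company-corp.com",
    "ceo@c0mpanycorp.com",
    "ceo@compnaycorp.com",
    "ceo@companycorp.co",
    "ceo@companycorp.com.mail-relay.net",
    "ap@acme-machining.com",
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:9s} {sender}")
```

The one-edit threshold is appropriate for a label as long as "companycorp"; for very short organization names it will flag unrelated domains, so the threshold should scale with label length. The same comparison can be run against newly observed sender domains in mail logs and against new domain registrations, which is how the lookalike in the case study could have been caught before the email arrived.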

I’ve talked to dozens of CFOs and finance managers who stopped BEC attacks. Every single one of them describes the same thing: they almost didn’t make the verification call. The email looked right. The amount was reasonable. They were busy. Making a phone call to confirm felt like overkill.

They made the call anyway.

That’s what separates organizations that lose $125,000 from organizations that don’t. Not better email filters. Not smarter employees. Just a simple habit: when something involves money changing hands, you verify through a separate channel. Every time. No exceptions.

The attackers know you’re busy. They know that calling feels awkward. They’re counting on it.


Build verification reflexes that stop BEC attacks. Try our free security awareness exercises featuring realistic business email compromise scenarios.