An envelope pierced by a fishing hook, illustrating business email compromise

The $48,000 Email: How Wire Fraud Actually Happens

The email looked exactly right. Same signature, same tone, same slightly impatient way the CEO always asked for things. It told the controller to wire $48,000 to a new vendor account by end of day, and to keep it quiet because it was tied to an acquisition. She wired it. The CEO had never sent the email. The money was gone by the time anyone noticed, and most of it never came back.

This is business email compromise, and it is the most expensive kind of attack I see at small and mid-sized companies. There is no dramatic malware, no encrypted hard drive, no ransom note. There is just a convincing email and a normal employee doing what they were told. The FBI consistently ranks it among the costliest cybercrimes by dollars lost, far ahead of the ransomware that gets all the headlines.

Why it works on good people

BEC does not attack your firewall. It attacks your org chart. The attacker studies who pays the bills and who can tell them to, then impersonates authority and adds urgency and secrecy. “Do this now, and do not loop anyone in.” Those two ingredients, pressure and isolation, are designed to switch off the part of a careful person’s brain that would otherwise pause and check.

And it is getting easier for them. Attackers no longer need to guess your CEO’s writing style. They can read months of real emails from a mailbox they quietly broke into, or generate a perfect impersonation from a few public posts. The polish that used to signal “this is real” no longer means anything.

The fix is a process, not a product

You cannot buy a box that stops your controller from trusting your CEO. What stops BEC is a small set of boring rules that everyone follows even when the request feels legitimate:

  • Verify any payment change out of band. A new bank account, a changed wire, an urgent transfer: confirm it by calling a known number, not by replying to the email. The phone call takes two minutes and breaks the whole attack.
  • Require dual approval above a threshold. Two people on any wire over a set amount. One impersonated email cannot move money by itself.
  • Make “I checked, and it was fake” a win, not an annoyance. If your finance person feels safe slowing down to verify, they will. If they fear looking paranoid, they will pay.

Lock the inbox while you are at it

The other half is keeping attackers out of the mailbox in the first place, because the most dangerous version of BEC comes from a real account that has been quietly taken over. Multi-factor authentication on email is the single highest-value control here. So is watching for the quiet signs of a takeover: mail rules that auto-forward or auto-delete messages, sign-ins from places your people have never been. And make sure your own domain is hard to spoof, so an outsider cannot send mail that appears to come from you.
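As an added illustration of the two takeover signs just described (not code from the original post), the sketch below checks a set of mailbox rules for external auto-forwarding or auto-deletion and lists successful sign-ins from countries a user has never signed in from. The rule and sign-in records, the company domain `example-co.com`, and the baseline of known countries are all constructed placeholders; a real deployment would feed it exports from your mail platform's rule and sign-in logs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_DOMAINS = {"example-co.com"}  # assumption: the company's own mail domains

@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: Optional[str]  # address mail is auto-forwarded to, if any
    delete: bool               # rule deletes matching messages
    enabled: bool

@dataclass
class SignIn:
    user: str
    country: str
    success: bool

def suspicious_rules(rules: List[InboxRule]) -> List[Tuple[str, str, str]]:
    """Flag enabled rules that forward mail outside the company or silently
    delete it: the quiet takeover signs described above."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        if r.forward_to and r.forward_to.split("@")[-1].lower() not in INTERNAL_DOMAINS:
            findings.append((r.mailbox, r.name, f"forwards to external address {r.forward_to}"))
        if r.delete:
            findings.append((r.mailbox, r.name, "auto-deletes messages"))
    return findings

def novel_signins(events: List[SignIn], baseline: dict) -> List[Tuple[str, str]]:
    """Successful sign-ins from a country the user has never signed in from;
    baseline maps user -> set of countries seen before (constructed here)."""
    return [(e.user, e.country) for e in events
            if e.success and e.country not in baseline.get(e.user, set())]

# Constructed sample records; addresses and country codes are placeholders.
SAMPLE_RULES = [
    InboxRule("controller@example-co.com", "Archive newsletters", None, False, True),
    InboxRule("controller@example-co.com", "Forward all", "relay@mail.example", False, True),
    InboxRule("cfo@example-co.com", "Clean up", None, True, True),
    InboxRule("cfo@example-co.com", "Old rule", "outside@mail.example", False, False),
]
SAMPLE_SIGNINS = [SignIn("controller@example-co.com", "US", True),
                  SignIn("controller@example-co.com", "ZZ", True),
                  SignIn("cfo@example-co.com", "FR", False)]
BASELINE = {"controller@example-co.com": {"US"}, "cfo@example-co.com": {"US"}}
```

Running `suspicious_rules(SAMPLE_RULES)` flags the external forward and the auto-delete rule but not the disabled one, and `novel_signins(SAMPLE_SIGNINS, BASELINE)` returns only the controller's successful sign-in from the unseen country.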

The two-minute habit

If you do one thing after reading this, make it this sentence, said out loud in your next team meeting: “If anyone ever asks you to move money or change payment details by email, you call to confirm first, every time, no exceptions, and you will never be in trouble for it.” That single permission, granted in advance, has saved more of my clients than any piece of software on the market.

The $48,000 wire was a real morning for a real company. The fix that would have stopped it cost nothing but a phone call nobody felt allowed to make.


Further reading