Defending Against Business Email Compromise and Wire Fraud
Why BEC quietly outranks ransomware in dollars lost
Business email compromise (BEC) rarely makes headlines the way ransomware does, yet it moves far more money out of organizations. The FBI's Internet Crime Complaint Center (IC3) has for years ranked BEC among the most damaging categories of cybercrime it tracks, with reported losses running into the billions of dollars annually and cumulative exposure well past fifty billion dollars worldwide. The reason it hurts so much is structural: a successful BEC does not encrypt a server or trip an endpoint alarm. It convinces a real person with real authority to send a real payment to the wrong bank account.
There is usually no malware to detect. The attacker either compromises a mailbox with stolen credentials or simply spoofs and look-alike-domains their way into a finance conversation, then patiently waits for a legitimate invoice or payroll cycle to hijack. By the time anyone notices, the funds have left the building and entered a money-laundering chain that empties within hours. This is why BEC is a payment-process problem as much as a technical one, and why the organizations that beat it treat both halves as a single cyber security discipline.
The four plays that account for most losses
Attackers reuse a small number of scripts because they work. Recognizing the pattern is half the defense.
- Vendor invoice fraud (also called supplier swap). The attacker monitors a compromised inbox, learns the billing relationship, and sends an email that looks like the vendor updating their remittance details. The next legitimate invoice gets paid to the attacker's account. This is the single most expensive variant because the amounts match real, expected payments.
- CEO fraud (executive impersonation). A message that appears to come from a senior leader instructs finance to make an urgent, confidential wire, often framed as an acquisition or a time-sensitive deal. Authority plus urgency plus secrecy is the tell.
- Payroll diversion. An employee appears to email HR or payroll asking to change their direct-deposit account. The next pay run routes their salary to the attacker. Amounts are smaller but the attack scales across many employees and is easy to miss.
- Attorney or closing impersonation. Timed around a real estate closing, legal settlement, or M&A event, the attacker inserts fraudulent wire instructions into a high-value, high-pressure transaction where a large one-time transfer is already expected.
Figure: the goal is not to catch every fraudulent email, but to route every payment-detail change down a verification path an attacker cannot follow.
Technical controls that shrink the attack surface
No single control stops BEC, but each one removes attacker options and buys your people time and signal.
- Phishing-resistant MFA everywhere it matters. Credential theft is the usual entry point, so multifactor authentication on email and finance systems is non-negotiable. Prefer FIDO2 security keys or passkeys over SMS or push, because attackers routinely defeat push fatigue and one-time codes. Consistent identity and access management closes the gaps where legacy protocols still allow single-factor logins.
- Email authentication at enforcement. SPF, DKIM, and an enforced DMARC policy of quarantine or reject stop exact-domain spoofing of your own domain. Pair it with look-alike-domain monitoring, because DMARC cannot touch a cousin domain the attacker registered.
- Mailbox rule monitoring. Once inside, attackers create hidden inbox rules that auto-delete or forward messages containing words like invoice, payment, or wire, so the real employee never sees the fraud in progress. Alert on the creation of forwarding and delete rules, and on new mail-forwarding to external addresses.
- Anomaly and impossible-travel detection. Logins from new geographies, atypical hours, anonymizing infrastructure, or two locations too far apart to be one person should raise a signal. A monitored detection capability such as managed detection and response turns those signals into investigated events rather than log entries nobody reads.
The common thread: assume a mailbox will eventually be compromised, and instrument so you can see the attacker's post-access behavior quickly.
Process controls: where BEC is actually beaten
Technology narrows the odds, but BEC is won or lost in the payment workflow. The following controls are cheap, unglamorous, and more effective than any tool.
- Out-of-band verification for every payment-detail change. Any request to change bank details, remittance information, or a wire destination must be confirmed by calling the requester back on a known, previously verified phone number, never a number or link supplied in the email itself. This one habit defeats vendor invoice fraud and payroll diversion outright.
- Dual approval for wires above a threshold. Require two authorized people to approve transfers over a defined dollar amount. An attacker has to compromise the process, not just one inbox.
- A written vendor bank-change policy. Vendors should know in advance that you will always call to verify changes, so a legitimate change is never delayed and a fraudulent one is always caught.
- Slow down urgency. Train staff that urgency plus secrecy plus a payment change is the fraud signature, not a reason to skip steps. Regular security awareness training that includes finance-specific simulations measurably lowers click and payment rates.
Verification only works if it is mandatory and frictionless enough to survive a busy Friday afternoon. Make it policy, put it in the payment system, and remove the discretion that lets a well-meaning employee skip it under pressure.
If the wire already left: the first hours decide recovery
Speed is everything. Funds are often recoverable in the first 24 to 72 hours and rarely afterward, because the money is quickly moved through mule accounts.
- Call your bank immediately and ask them to initiate a recall or SWIFT indemnity and to freeze the transfer. Do this before anything else.
- Report to the FBI IC3 at ic3.gov and request the Financial Fraud Kill Chain, the mechanism the FBI uses to work with receiving banks to freeze domestic and some international transfers. Time is the deciding factor.
- Preserve evidence. Do not delete the fraudulent emails or headers. Capture inbox rules, sign-in logs, and the full message source for investigators.
- Contain the account. Reset credentials, revoke active sessions, remove malicious inbox rules, and re-enroll MFA in case the attacker still has access.
- Notify and review. Alert affected vendors or employees, notify your cyber insurer, and review whether other transactions were touched.
Rehearse this sequence before you need it. A tested incident response plan that names who calls the bank, who files with IC3, and who contains the mailbox turns a chaotic scramble into a recovery with a real chance of clawing funds back.
Make the payment process the last line that never bends
BEC succeeds because it attacks trust and process, not just technology. The durable defense layers phishing-resistant MFA, enforced email authentication, and mailbox and anomaly monitoring underneath a payment workflow where every bank-detail change is verified out of band and every large wire needs two approvals. None of it is exotic, and all of it is far cheaper than a single diverted invoice.
If you want an assessment of where your organization is exposed to wire fraud, from email authentication posture to finance-team verification habits, talk to intSignal's security team about a BEC readiness review and a tested response plan.