Earlier this year, a professional services firm came within one click of wiring a six-figure sum of client money straight into a criminal’s bank account.
No funds were lost. Not because of a firewall, not because of antivirus, and not because of anything I did. The save came from one employee who picked up the phone.
I spent the following weeks doing the forensic cleanup on that incident, and I’m sharing the story — with the firm’s details blurred to protect them — because the attack that almost worked on them is being run against small businesses every single day. In 2024 alone, this exact type of scam cost U.S. victims about $2.77 billion in reported losses, according to the FBI’s Internet Crime Complaint Center. And the defense that beats it costs nothing.
How the attack worked
This was a Business Email Compromise, or BEC. Despite the technical-sounding name, BEC is less “hacking” and more “professional impersonation.” Here’s the playbook the attackers ran:

Step 1: Get into one mailbox. An employee received a convincing phishing email and entered their password on a fake login page. The attackers logged into that mailbox from across the country.
Step 2: Sit quietly and read. The attackers didn’t deploy ransomware or send spam. They created a hidden inbox rule — a mail filter — that automatically forwarded any email containing words like “wire,” “payment,” or “transfer” to their own address. Then they waited. Think of it as a wiretap on the company’s money conversations.
Step 3: Strike at the right moment. When a real transaction with a large wire was in motion, the attackers stepped in. Posing as one of the parties to the deal, they sent revised wire instructions. The email looked right. The account number was formatted the way the real party formatted it. The timing matched the deal. Only the destination account was different — theirs.
This is the part people miss about BEC: by the time the fake wire instructions arrive, the attacker has been reading the real correspondence for weeks. They know the deal, the names, the amounts, and the deadlines. The fraud email isn’t a shot in the dark. It’s a forgery built from the originals.
The save
A staff member noticed something small: the email signature looked slightly off from earlier messages in the same thread. Not wrong — off. A formatting detail most people would scroll right past.
Instead of replying to the email, they called the other party using a phone number the firm already had on file — not the number in the suspicious email. The conversation took about five minutes:
“Did you send us new wire instructions?”
“No. We didn’t.”
Wire held. Funds safe. A six-figure theft stopped by a phone call.
Why “just call them” is the whole defense
Every technical control in that attack chain had already been defeated. The phishing email got through. The password worked. The forwarding rule ran silently. The fraud email was nearly perfect.
The one thing the attackers could not fake was a phone call to a number they didn’t control. That’s why the single most effective anti-wire-fraud rule in existence is also the simplest:
Before sending any wire — or acting on any change to payment instructions — verbally confirm with the recipient using a phone number you obtained independently. Never use a number provided in the request itself.
Calling the number in the email is like asking the burglar to vouch for himself. Of course he says he’s the homeowner.
What your business should do this week
- Adopt a written wire verification rule. Every wire and every banking-detail change gets a verbal confirmation on a known-good number. No exceptions for urgency — real business partners can wait five minutes for a phone call. Criminals can’t.
- Check your inbox rules. In Outlook or Gmail, open your mail rules and filters. If you find a rule you didn’t create — especially one forwarding mail to an outside address or quietly shoving messages into an archive folder — you may already have a visitor.
- Confirm your MFA is actually enforced. Many businesses have multi-factor authentication “set up” but not actually required at sign-in. Those are very different things, and that gap is exactly what let this attacker in. (That’s a future post of its own.)
- Treat urgency and secrecy as red flags. “The deal closes today,” “keep this between us,” “I’m in a meeting, just send it” — pressure and secrecy are the attacker’s tools, not your client’s.
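
The inbox-rule check above can be scripted once the rules are exported from the mailbox. This is an added example, not code from the incident or from any vendor. It assumes each rule is a dictionary whose keys are named after the properties Exchange Online's Get-InboxRule returns; the domain, keyword list, folder list and sample rules are constructed for illustration.

```python
import re

# Assumption: each rule is a dict whose keys mirror the properties Exchange
# Online's Get-InboxRule returns. Domains, names and addresses are constructed.
INTERNAL_DOMAINS = {"examplefirm.test"}
MONEY_WORDS = {"wire", "payment", "transfer", "invoice"}
HIDING_FOLDERS = ("archive", "rss feeds", "conversation history", "deleted items")
ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def external_targets(rule):
    """Addresses the rule forwards or redirects to outside our own domains."""
    found = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(key) or []:
            found += [m.group(0).lower() for m in ADDR.finditer(entry)
                      if m.group(1).lower() not in INTERNAL_DOMAINS]
    return found

def audit_rule(rule):
    """Return the reasons this rule needs a human look (empty list = none)."""
    reasons = []
    targets = external_targets(rule)
    if targets:
        reasons.append("forwards externally: " + ", ".join(targets))
    words = {w.lower()
             for key in ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords")
             for w in rule.get(key) or []}
    hits = sorted(words & MONEY_WORDS)
    if hits:
        reasons.append("matches payment keywords: " + ", ".join(hits))
    folder = (rule.get("MoveToFolder") or "").lower()
    if rule.get("DeleteMessage") or any(f in folder for f in HIDING_FOLDERS):
        reasons.append("hides matching mail from the inbox")
    return reasons

def audit(rules):
    """Map rule name -> reasons, for flagged rules only (disabled ones included)."""
    return {r["Name"]: why for r in rules if (why := audit_rule(r))}

SAMPLE_RULES = [  # constructed export, not taken from the incident
    {"Name": "sync", "SubjectOrBodyContainsWords": ["wire", "payment", "transfer"],
     "ForwardTo": ["x [SMTP:collector@mail-relay.example]"], "MarkAsRead": True},
    {"Name": "Newsletters", "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
    {"Name": "To assistant", "ForwardTo": ["Pat [SMTP:pat@examplefirm.test]"]},
    {"Name": "cleanup", "BodyContainsWords": ["Wire"], "MoveToFolder": "Archive"},
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES).items():
        print(f"REVIEW {name!r}: " + "; ".join(why))
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise; record the rule as found before changing it.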

If you think it already happened
Speed is everything. Money sent by wire can sometimes be clawed back, but the window is measured in hours, not days. If you suspect a fraudulent wire has gone out:
- Call your bank’s fraud department immediately and ask them to initiate a recall or hold. The sooner the bank acts, the better the odds the funds are still sitting in the receiving account.
- File a report with the FBI at ic3.gov. The IC3’s Recovery Asset Team can work with banks to freeze fraudulent transfers, and a report is often required for any cyber-insurance claim.
- Preserve everything and call your IT person before deleting suspicious emails or “fixing” the mailbox. Those messages and the hidden rules in the mailbox are the evidence trail.
The bottom line
The firm in this story had email security products in place and still nearly lost a six-figure wire. What saved them was a human habit, not a piece of software. Technology should absolutely be hardened — that’s a big part of what I do — but the last line of defense for your money is a process: slow down, pick up the phone, and verify.
A delayed legitimate wire is recoverable. A wired theft usually is not.
I am Geek helps small businesses and high-end residential clients across Middle Tennessee secure their networks, email, and devices. If you’d like a review of your email security — or help putting a wire verification policy in place for your business — reach out at iamgeek.com.
Source: FBI 2024 IC3 Annual Report.