A CFO lost $43K to this email

A real story of how a seasoned CFO wired $43,000 to a scammer in under two minutes. Learn the Double Verification Rule to protect your organization from Business Email Compromise attacks.

Tags: business email compromise, BEC scams, email security, financial fraud prevention, cybersecurity awareness

Introduction

Last month, a CFO I know wired $43,000 to a scammer.

He wasn't careless. He wasn't new. He wasn't distracted.

Someone deceived him.

The email looked like a routine vendor update. New banking details. Same tone. Same formatting. Same signature.

He approved it in under two minutes.

By the time his team spotted the real invoice that afternoon, the money had already moved through three international accounts.

Gone.

And here's the part no one wants to admit:

This can happen to anyone who moves fast, signs off on invoices, and operates under pressure.


Why Business Email Compromise is so dangerous

The FBI's 2024 PSA on Business Email Compromise (BEC) names it the costliest cybercrime in America for a reason.

It preys on authority. Executives have signing power and approval authority.

It preys on workflow. Routine requests get routine approvals.

It preys on trust. Vendor relationships are built on predictable communication patterns.

BEC attacks don't need malware or technical exploits. They need one thing: a convincing email that fits seamlessly into your daily workflow.


How the attack worked

Here's what made this scam so effective:

  • The attacker studied the vendor's communication style
  • The email matched previous invoices in tone, formatting, and signature
  • The "update" seemed routine, just new banking details
  • There was no sense of urgency that might trigger suspicion
  • The request arrived during a busy period when approvals happen quickly

The sophistication wasn't technical; it was psychological. The attacker understood how busy executives process information and exploited that pattern.


The double verification rule

Here's the framework I give to every exec:

Before approving any financial change request:

Step 1: Verify the email

  • Check the domain character by character (attackers use lookalike domains)
  • Inspect the headers for routing anomalies
  • Examine the Reply-To address to ensure it matches the sender

Step 2: Verify the request

  • Call the vendor or internal team on a known number
  • Never use contact information from the email itself
  • Confirm the request through a separate communication channel

If either check fails, you stop. No exceptions.

One quick call would have saved him $43K and a week of crisis management.
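The Step 1 email checks can be run automatically as a first filter before anyone picks up the phone for Step 2. The block below is an added example, not code from the original post: the vendor domain, the known-vendor list and the sample message are constructed, and the two-character edit-distance threshold for "lookalike" is an assumption.

```python
"""Added example, not code from the original post: an automated version of the
Step 1 "verify the email" checks, run over a constructed vendor-update message."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The From domain swaps the "l" in "supplies" for a capital
# "I", and the Reply-To points at an unrelated domain; the real vendor is trusted.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}
SAMPLE_EMAIL = """\
Return-Path: <billing@acme-suppIies.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass header.d=acme-suppiies.com; dmarc=none
From: "Acme Supplies Billing" <billing@acme-suppIies.com>
Reply-To: billing.acme@mail-relay-example.net
Subject: Updated banking details for invoice 4471

Please use the new account details below for all future payments.
"""

def domain_of(header_value):
    """Lower-cased, Unicode-normalised domain part of an address header."""
    _, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2]
    return unicodedata.normalize("NFKC", domain).lower().rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance; enough to spot one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw, known_domains):
    """Return a list of (flag, detail) findings; an empty list means Step 1 passed."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg["From"])
    if sender not in known_domains:
        near = [d for d in known_domains if edit_distance(sender, d) <= 2]  # assumed threshold
        findings.append(("lookalike_domain" if near else "unknown_domain", sender))
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != sender:
            findings.append((f"{header.lower()}_mismatch", other))
    # spf/dkim "pass" only proves the mail came from the domain it names; for a
    # lookalike domain the attacker registered, that is no reassurance at all.
    auth = msg.get("Authentication-Results", "")
    dmarc = re.search(r"dmarc=(\w+)", auth)
    if not dmarc or dmarc.group(1) != "pass":
        findings.append(("dmarc_not_pass", dmarc.group(1) if dmarc else "absent"))
    return findings

if __name__ == "__main__":
    for flag, detail in check_message(SAMPLE_EMAIL, KNOWN_VENDOR_DOMAINS):
        print(f"STOP: {flag} -> {detail}")
```

Any finding means the request goes to Step 2 before anyone touches payment details; a clean result still does not replace the verification call.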


Red flags that signal BEC attacks

Watch for these warning signs in financial requests:

  • Banking detail changes from established vendors
  • Requests to change payment methods or destinations
  • Slight variations in email domains or display names
  • Unusual timing or context for the request
  • Pressure to complete the transaction quickly
  • Requests to bypass normal approval processes

Remember: Attackers often target requests that seem "routine." The absence of urgency can itself be a tactic.


Building organizational defenses

Protect your organization with these systematic safeguards:

Financial Controls

  • Dual approval requirements for all payment changes
  • Mandatory verification calls for banking detail updates
  • Waiting periods before processing new payment instructions
  • Segregation of duties between request and approval

Communication protocols

  • Establish verification channels separate from email
  • Create code words for confirming sensitive requests
  • Document vendor contacts in a secure, centralized system
  • Train staff to expect verification calls as standard practice

Technology support

  • Email authentication (DKIM, SPF, DMARC) to detect spoofing
  • Phishing detection tools that flag suspicious sender patterns
  • Domain monitoring to catch lookalike registrations
  • Link scanning to identify malicious URLs before clicks

What to do if you've been compromised

If you suspect a BEC attack has succeeded:

  • Contact your bank immediately to attempt a wire recall
  • Report to the FBI's IC3 (Internet Crime Complaint Center)
  • Preserve all evidence including emails, headers, and transaction records
  • Notify affected vendors about the compromise
  • Conduct an internal review to identify how the attack succeeded
  • Update procedures to prevent similar incidents

Speed matters. The faster you act, the higher the chance of recovering funds.


Your takeaway today

Attackers often target requests that seem "routine." Slow down. Verify out of band. Protect your organization's money like your own.

The double verification rule takes less than five minutes. Recovering from BEC fraud takes weeks if recovery is even possible.

If you want the full breakdown and checklist, tell me, and I will send it.


Frequently Asked Questions

Q: Why didn't the CFO's email security catch this attack?
A: Many BEC attacks use legitimate email accounts (either compromised vendor accounts or carefully spoofed domains) that pass standard security filters. The attack's effectiveness comes from social engineering, not technical exploits.

Q: How do attackers know about vendor relationships and payment patterns?
A: Attackers often compromise email accounts first and spend weeks or months monitoring communication patterns. They learn invoice timing, amounts, tone, and formatting before launching their attack.

Q: Should I verify every single financial email?
A: Focus verification on any request involving payment changes, new banking details, or unusual amounts. Routine payments to established accounts with no changes require less scrutiny, but any modification should trigger the double verification rule.

Q: What if verifying slows down our payment processes?
A: A brief verification call adds minutes to a process. Recovering from wire fraud takes weeks and may never succeed. Build verification into your standard workflow so it becomes automatic, not an exception.

Q: Can wire transfers be reversed once sent?
A: Sometimes, but success depends on speed. Contact your bank within 24-48 hours for the best chance of recall. Once funds move through multiple international accounts, recovery becomes extremely difficult.

Q: How do I train my team to spot these attacks?
A: Regular training sessions with real BEC examples, simulated phishing tests, and clear verification procedures help. Normalize the expectation that verification calls are standard practice, not a sign of distrust.

Q: Are small businesses targeted by BEC attacks?
A: Yes, increasingly so. Small businesses often have fewer security controls and verification procedures, making them attractive targets. The double verification rule works regardless of organization size.

Q: What's the difference between BEC and regular phishing?
A: Regular phishing typically casts a wide net trying to steal credentials or install malware. BEC attacks are highly targeted, researched, and focused on manipulating specific individuals into authorizing fraudulent transactions.