BEC and Invoice Fraud: How Money Actually Walks Out
Your bookkeeper gets an email from your CEO asking for an urgent wire transfer. It is not your CEO.
Last updated: March 20, 2026
A Gulf Coast marine contractor was finalizing a $47,000 payment to an equipment supplier in February when their bookkeeper received a follow-up email: new banking details, new account, immediate payment needed to "keep the order on schedule." The email came from ceo@theircompany.com, replying inside their existing thread. It was their bookkeeper's own email—hijacked, searched for vendor payment threads, and used to reply from inside the conversation.
The payment went out. The real vendor called two weeks later asking where their check was.
This is how BEC works in practice. Not some hacker in a basement guessing passwords—someone living inside your email, reading your conversations, and waiting for the right moment to strike.
What this actually is
Business Email Compromise (BEC) and invoice fraud are two related attacks that exploit one thing: your trust in familiar email threads.
Invoice fraud happens when an attacker sends a fake invoice or changes payment details on a real one. They might register a domain one character off from your vendor's (acme-supply.com vs acmesupply.com), send a forged invoice, and wait for payment.
BEC is broader—attackers impersonate executives, lawyers, or vendors to trick employees into wiring money, revealing payroll data, or sending sensitive documents. The FBI's Internet Crime Complaint Center reported over $2.7 billion in BEC losses in 2023 alone, and that's just what got reported.
What can go wrong
The "urgent CEO" attack: Your employee gets an email supposedly from you asking them to buy gift cards or wire money to a new vendor immediately. The email looks legitimate. They're not going to call you to double-check when you said "urgent and confidential."
Vendor impersonation: Someone registers gulfcoast-supplies.com (note: not gulfcoastsupplies.com) and sends fake invoices to your AP department. If your staff isn't checking the exact domain, they might pay it.
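To show what "checking the exact domain" can look like in code, here is an added example (not from the article) that flags a sender domain as a lookalike of an approved vendor domain; the vendor list, homoglyph map and sample addresses are constructed for illustration.

```python
"""Flag sender domains that look like an approved vendor's domain.

Added example, not from the article. Vendor list and sample addresses are constructed.
"""
import re

# Characters attackers commonly swap for visually similar ones (constructed map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

def normalize(domain: str) -> str:
    """Lowercase, drop hyphens, and fold common look-alike characters."""
    d = domain.lower().strip().replace("-", "").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, known_vendors: list, max_distance: int = 2) -> dict:
    """Verdict for the sender's domain: known-vendor, lookalike, unknown or malformed."""
    m = re.search(r"<([^>]+)>", address)          # handle 'Name <user@host>' form
    bare = (m.group(1) if m else address).strip()
    if bare.count("@") != 1:
        return {"domain": None, "verdict": "malformed", "matches": None}
    domain = bare.rsplit("@", 1)[1].lower()
    vendors = [v.lower() for v in known_vendors]
    if domain in vendors:
        return {"domain": domain, "verdict": "known-vendor", "matches": domain}
    for vendor in vendors:
        # Compare normalized forms so a hyphen or a swapped digit does not hide the match.
        if levenshtein(normalize(domain), normalize(vendor)) <= max_distance:
            return {"domain": domain, "verdict": "lookalike", "matches": vendor}
    return {"domain": domain, "verdict": "unknown", "matches": None}

VENDORS = ["gulfcoastsupplies.com", "acmesupply.com"]  # constructed approved-vendor list

if __name__ == "__main__":
    for addr in ["ap@gulfcoast-supplies.com", "billing@acmesupp1y.com",
                 "AP@GulfCoastSupplies.com", "someone@example.org"]:
        print(addr, "->", classify_sender(addr, VENDORS))
```

Tune max_distance to your vendor list: very short vendor domains can collide with unrelated domains at distance 2, so a "lookalike" verdict should trigger the phone-call verification rather than an automatic block.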
Lawyer impersonation: Attackers research your business, find your outside counsel, and send emails "from" the attorney asking for urgent settlement payments. Restaurants and small businesses get hit with this one regularly.
Payroll diversion: Someone compromises an executive's email and sends HR a new direct deposit allocation. Payroll gets changed. The next payroll run goes to the attacker's account.
The account takeover twist: This is the marine contractor example above. The attacker doesn't need to spoof anything—they're in your actual email, replying to threads, and changing details mid-conversation.
What it costs
- Direct financial loss: $500 to $500,000+ depending on the payment. SMBs typically lose $25,000 to $75,000 per incident.
- Incident response: $5,000 to $50,000 to investigate the breach, secure email, and notify affected parties.
- Recovery attempts: Banks can sometimes freeze wire transfers, but only within a narrow window. Most recovery efforts fail.
- Legal costs: If vendor contracts or customer data were exposed, $2,000 to $10,000 in legal review.
- Business disruption: Staff time spent on remediation, victim notification, and re-establishing payment processes.
Vendor questions (copy/paste)
When evaluating email security or incident response services:
"Our bookkeeper almost paid a fake invoice from our vendor's 'new' banking account. What email protections catch this, and what slips through?"
"Can your solution detect when someone has taken over an email account and is replying to existing threads?"
"We handle wire transfers and invoice payments. What's your recommended verification process that doesn't grind our AP department to a halt?"
"Our employees work from personal phones and home computers. Does your solution work outside our office network?"
"Walk me through your incident response process. If we wire money to the wrong account today, what happens next?"
Minimum viable implementation
- Implement email authentication (SPF, DKIM, DMARC) on your domain. This won't stop account takeovers, but it prevents attackers from sending emails "from" your domain to others. Your IT person or email provider can set this up in an afternoon.
- Establish a verbal verification requirement for payment changes. Any request to change vendor banking details, new wire instructions, or urgent payments requires a phone call to a known number (not one in the email). This single control stops most BEC attacks.
- Disable email forwarding rules for shared inboxes and executive accounts. Attackers often set up auto-forwarding rules to steal your email after getting in.
- Use a password manager and MFA on all email accounts. Most account takeovers start with phishing or credential stuffing—strong, unique passwords and phishing-resistant MFA (like hardware keys or passkeys) prevent this.
- Limit who can send wire transfers and require dual approval for any payment over a threshold you set ($5,000, $10,000—pick what makes sense for your business).
- Educate your staff on the specific attack patterns above. Run a quick simulation or just talk through the scenarios. People catch on faster when they know what the actual attack looks like.
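Setting up SPF and DMARC is only half of the first step; the other half is checking that what got published actually rejects spoofed mail. Here is an added example (not code from the article or any vendor's tool) that audits SPF and DMARC record strings for weak settings; the records are constructed, and a real check would fetch them from DNS.

```python
"""Audit SPF and DMARC TXT records for settings that leave spoofing possible.
Added example, not from the article. Records are constructed; in practice fetch
them from DNS (the domain's TXT record and the _dmarc.<domain> TXT record)."""

def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' DMARC tags into a dict (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_spf(record: str) -> list:
    """Flag SPF records whose 'all' qualifier lets unlisted senders through."""
    if not record.startswith("v=spf1"):
        return ["SPF: record missing or malformed"]
    terms = record.split()
    if "+all" in terms or "?all" in terms:
        return ["SPF: +all/?all means any sender passes SPF for this domain"]
    if "~all" in terms:
        return ["SPF: softfail (~all); switch to -all once every legitimate sender is listed"]
    if "-all" not in terms:
        return ["SPF: no 'all' mechanism, so unlisted senders are not rejected"]
    return []

def check_dmarc(record: str) -> list:
    """Flag DMARC records that only monitor, apply partially, or send no reports."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports look clean")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100, policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

def audit(records: dict) -> list:
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])

# Constructed sample records: a weak configuration and a hardened one.
WEAK = {"spf": "v=spf1 include:_spf.mail.example.test ~all", "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:_spf.mail.example.test -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"}
```

An empty result from audit() means nothing weak was found in these two records; it does not confirm DKIM signing, which has to be checked separately on outbound mail.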
When to hire help
Call someone today if:
- You received a suspicious email and already clicked something or provided information
- An employee wired money and you're not sure if it was legitimate
- You can't log into your email account or noticed auto-forwarding rules you didn't create
- Your antivirus or computer has been acting strange after opening an attachment
Call someone this week if:
- You want someone to set up SPF/DKIM/DMARC properly and test it
- You need help implementing MFA across your email and accounting systems
- You want a policy written down for payment verification that your staff will actually follow
You can probably handle it yourself if:
- You have an IT person already, and you just need them to configure email authentication and review forwarding rules
- Your team is small enough that you can have direct conversations about payment verification
BEC doesn't require sophisticated hacking. It requires someone paying attention to your email and knowing when to strike. The controls that stop it are unglamorous—phone calls, MFA, and not trusting email alone for financial requests.