Back to Blog

Business Email Compromise: How Invoice and Wire Fraud Actually Lands

BomberJacket Networks
7 min read
Business Email Compromise: How Invoice and Wire Fraud Actually Lands

Business Email Compromise: How Invoice and Wire Fraud Actually Lands

Business email compromise is not a technical problem that stays in the IT department. It is a payment problem. The attacker wants one thing: to make a real person send real money to the wrong account.

For small and mid-sized businesses, the most common version is vendor-invoice-swap fraud. A criminal gets into an email account, spoofs a vendor, or watches a conversation long enough to know who approves payments. Then they send a believable request at the exact moment it looks normal.

How does BEC invoice fraud usually start?

It usually starts with email access or impersonation.

An attacker may compromise a vendor mailbox through a stolen Microsoft 365 password. They may compromise one of your employee mailboxes after a phishing email. They may register a lookalike domain, changing one letter in a vendor name. Or they may simply spoof the display name so the message looks like it came from a familiar contact.

The first email is rarely loud. It does not look like malware. It looks like normal business:

  • "Please use our updated ACH instructions for this invoice."
  • "Our bank changed. Can you update the payment details?"
  • "Can you get this wire out today? The project is waiting on it."
  • "Looping in accounting so we can close this before end of day."

That is why this fraud works. It rides on top of existing trust.

Why do invoice and wire scams get past good employees?

Most businesses train people to spot bad grammar, strange attachments, and obvious phishing links. BEC often has none of those.

The email may come from a real mailbox. The invoice may match an open project. The amount may be close to what accounting expects. The sender may know the vendor contact, payment timing, and internal approval chain.

We have seen attacks where the criminal waited inside a mailbox until the right invoice thread appeared. Then they replied in the same thread with new bank details. From the employee's point of view, nothing looked out of place.

That is the lesson: you cannot rely on employee suspicion alone. You need controls that assume a believable email will eventually reach the person who can approve payment.

What are the warning signs of vendor-invoice-swap fraud?

The red flags are usually procedural, not technical.

Watch closely for:

  • A request to change ACH, wire, or bank routing details
  • Pressure to pay before a deadline
  • A sender who avoids phone confirmation
  • A new contact joining an existing invoice thread
  • Slight changes in domain spelling or email signature
  • Payment instructions sent as a PDF or forwarded attachment
  • A vendor asking to bypass the normal portal or payment process

None of these proves fraud by itself. But any one of them should trigger a verification step before money moves.

Control 1: Verify payment changes out of band

Out-of-band verification means confirming the request through a channel the attacker does not control.

If a vendor emails new ACH or wire instructions, do not reply to the email. Do not call the phone number in the email signature. Do not use the phone number printed on the new invoice.

Use a known-good number from your vendor master record, contract, or previous onboarding file. Call the vendor and confirm the change with an established contact. If your process uses a vendor portal, require the change to be confirmed there.

This control sounds simple because it is. It is also one of the strongest defenses against invoice fraud. The key is making it mandatory, not optional.

A good policy is clear:

  • Any new bank account requires out-of-band verification
  • Any changed routing or ACH detail requires out-of-band verification
  • Any urgent wire request requires out-of-band verification
  • Verification must be documented before payment release

If the money is gone, recovery is uncertain. A five-minute phone call is cheap compared to a six-figure wire loss.

Control 2: Require dual approval for wire and ACH changes

One person should not be able to change vendor banking details and release payment without a second review.

Dual approval gives the business a second chance to catch a bad request. It also removes pressure from one employee who may be dealing with a convincing vendor email, an impatient executive, or an end-of-day deadline.

For SMBs, this does not need to be complicated. Start with the highest-risk actions:

Payment actionRecommended control
New vendor bank accountTwo-person approval before activation
Change to ACH or wire instructionsOut-of-band verification plus second approver
First payment after banking changeSecond review before release
Wire above a set dollar amountExecutive or finance lead approval
Urgent payment requestMandatory call-back to known-good contact

The policy should apply even when the request appears to come from the owner, CFO, or a long-time vendor. Especially then.

Attackers count on authority and urgency. Dual approval slows the process just enough to keep a bad payment from leaving.

Control 3: Use DMARC and impersonation defenses

Process controls stop payment fraud at the business layer. Email controls reduce how often fraudulent messages reach accounting in the first place.

At minimum, your domain should have SPF, DKIM, and DMARC configured correctly:

  • SPF identifies which mail systems are allowed to send for your domain
  • DKIM signs outbound mail so receiving systems can validate it
  • DMARC tells receiving systems what to do when SPF or DKIM fails

DMARC also gives your business visibility into who is sending mail as your domain. That matters because attackers often impersonate owners, finance staff, vendors, and project managers.

For Microsoft 365 and Google Workspace environments, also review impersonation protection, display-name spoofing controls, external sender tagging, mailbox forwarding rules, and suspicious inbox rules. A compromised mailbox with hidden forwarding can quietly feed an attacker the timing and details needed for a convincing invoice swap.

Do not treat DMARC as a one-time DNS task. Start with monitoring, fix legitimate senders, then move toward enforcement. The goal is to make it harder for criminals to send mail that looks like it came from your business.

What should an SMB do this week?

You do not need a year-long project to reduce BEC risk. Start with the controls that stop money movement.

This week:

  1. Write a one-page rule for bank-detail changes and urgent wires
  2. Require out-of-band verification using known-good contact information
  3. Require two-person approval for ACH and wire changes
  4. Review Microsoft 365 or Google Workspace for forwarding rules and risky inbox rules
  5. Confirm SPF, DKIM, and DMARC are present and properly aligned
  6. Train accounting and office managers on the exact phrases attackers use

The important part is consistency. If the policy can be bypassed when someone is busy, the policy will fail when it matters.

BEC is preventable when payment controls and email security work together

Business email compromise succeeds because it blends into normal operations. It does not need ransomware, malware, or a dramatic system outage. It needs a trusted-looking message and a payment process with one weak step.

BomberJacket Networks has worked with SMBs, professional firms, manufacturers, and defense contractors for more than 25 years. We have seen the same pattern many times: the technical email controls matter, but the payment workflow matters just as much.

If your business approves invoices, wires, or ACH changes by email, now is the time to tighten the process. Verify out of band. Require dual approval. Fix the email authentication gaps that let impersonation through.

Need a practical review of your Microsoft 365 security, vendor-payment process, and DMARC posture? Contact BomberJacket Networks and we will help you find the gaps before an attacker does.

Related Resources

Free Ebooks & Guides

View All
Ransomware Survival Guide

Ransomware Survival Guide

Essential strategies and best practices to protect your business from ransomware attacks and recover quickly if compromised.

Download Free
All Businesses Should Adopt MFA. Now

All Businesses Should Adopt MFA. Now

Learn why multi-factor authentication is essential for business security and how to implement it across your organization to prevent account takeovers.

Download Free
Inside Threat

Inside Threat

Understand and mitigate insider threats with strategies to protect your business from malicious employees, contractors, and accidental data breaches.

Download Free

Visual Guides & Infographics

View All
Cybersecurity Checklist for Data Security and Privacy

Cybersecurity Checklist for Data Security and Privacy

A comprehensive checklist to help protect your organization's sensitive data and maintain robust privacy practices.

Download Free
Beware of Business Email Compromise

Beware of Business Email Compromise

Learn how to identify and prevent business email compromise attacks that target your organization's financial transactions and sensitive communications.

Download Free
Encryption: Facts & Figures

Encryption: Facts & Figures

Essential facts and statistics about encryption technology and its critical role in protecting your organization's sensitive data.

Download Free

Need Help with Cybersecurity?

BomberJacket Networks is a Minnesota MSP with 25 years of expertise. Protect your business with 24/7 threat monitoring, managed detection and response, and comprehensive security services.

Continue Reading