Why Your Vendor's Email Got Your Company Robbed

Business Email Compromise (BEC) makes the attack look like your CFO

A routine wire transfer, an email from a familiar address, or a request with the right tone, context, and urgency allowed a payment to go through.

It wasn't until days later — when the actual vendor followed up on an unpaid invoice — that anyone realized the original email hadn't come from the vendor at all.

This is Business Email Compromise. And it doesn't need to break into your systems, guess your passwords, or deploy malware. It needs one thing: for someone on your team to believe a familiar email is real.

Social engineering is becoming a business operation and a security problem.

The attack doesn't look like an attack

Most people imagine cybercrime as something technical: a hacker in a dark room running software against your firewall. Business Email Compromise works differently. The sophistication is social.

Attackers study your business before they contact you. They review your LinkedIn, your website, your public filings, and your press releases. They learn who your vendors are, who handles payments, what your communication style sounds like, and when invoices are typically due. By the time they send the email, they already know enough to be convincing.

The message arrives as a vendor updating their banking details. Or a CFO requesting an urgent transfer before a deal closes. Or an IT contact asking for login credentials ahead of a system migration. The email address is close, familiar, sometimes just one character off, sometimes a spoofed domain that looks identical on a mobile screen. The language matches. The timing makes sense.

There is no malicious link to click and no suspicious attachment to avoid. Just a request that fits neatly into the normal rhythm of your business day.

For growing companies in Florida and California, where real estate transactions, legal services, and tech procurement involve frequent wire transfers, this pattern is particularly common. High-value payments, fast-moving deals, and distributed teams create exactly the conditions BEC exploits.

What generic security advice misses

Security awareness training usually focuses on spotting phishing: look for misspellings, check the sender's email address, and hover over links before clicking. That advice has its place. But BEC attacks are built to pass those checks.

A well-crafted BEC email has no misspellings. The domain may be registered specifically for the attack. The link, if there is one, may lead to a legitimate-looking page.

Similarly, password policies and multi-factor authentication (the standard recommendations) protect account access. They do not stop an attacker who never needs access to your systems. BEC succeeds before any login ever happens.

The gap between standard security practice and actual BEC exposure is not a technology problem. It is a process problem. Most businesses have no formal verification step for payment changes, no out-of-band confirmation protocol, and no documented rule about what requires a second approval. Those gaps exist not because leadership doesn't care, but because no one has mapped the specific points in the business where BEC finds its entry.

The process layer that most businesses skip

Stopping BEC is not primarily about technology. It is about designing a workflow where a convincing email alone is never sufficient authorization for a financial action. That means a few specific things in practice.

• Any request to change payment or banking information requires verification through a channel that is completely separate from email. The verification is not optional, and it is not triggered by whether the email looks suspicious. It is triggered by the nature of the request.

• Payment approvals above a defined threshold require a second person to confirm, not by forwarding the email, but by reviewing the underlying request and the verification step independently.

• Teams handling vendor communications or financial operations need a shared understanding of what this process looks like and why it exists. Not a one-time training session, but a clear, documented procedure that becomes part of how the work gets done.

None of this requires new software. It requires intention and someone to map where the vulnerabilities actually are in your specific operation, rather than applying a standard checklist that wasn't written for your business.

What this looks like in practice for mid-sized businesses

A 40-person professional services firm in Miami received an email from what appeared to be their property management company. It referenced an upcoming lease renewal, included accurate details about their current contract, and asked for a payment to a new account ahead of the deadline. The email passed every surface-level check. The payment was made. The property manager had never sent it.

A distribution company in San Diego received a message from their largest supplier. The email mentioned an audit requiring temporary changes to their billing process and provided new ACH information. Three payments totaling over $180,000 left before the real supplier called to ask why the account was behind.

In both cases, the organizations had antivirus software, spam filters, and employee security training. In both cases, none of those protections were relevant to how the attack worked. The common thread is not a missing tool but a missing process.

That is the kind of exposure that a checklist cannot find. It requires understanding how your business actually operates: who approves what, who communicates with which vendors, where financial decisions are made, and where verification currently depends entirely on trust.

Where orientation comes before tools

In our IT Compass Map, we describe a region called Phishfall Lake: a place where security threats rely not on force, but on familiarity. The water is calm, requests seem reasonable, and senders are recognizable. The depth is only visible once you're already in.

What makes Phishfall Lake dangerous isn't the sophistication of the attack but the ordinariness of it. BEC exploits the pace of normal business, the trust placed in familiar names, and the absence of a process that would slow things down just enough to catch it.

Getting out of that lake doesn't require a security overhaul. It requires knowing you're in it, and then building the specific controls that match how your business operates, not how a generic security framework says you should operate.

That is the difference between a best practice and a strategy. Best practices are written for everyone. A strategy is built for your business, your team, your vendors, and the specific places where a convincing email can still become a costly mistake.

-

If your organization handles wire transfers, manages vendor payments, or operates with distributed teams across locations, BEC is an active risk.

The IT Compass Scan is a structured conversation designed to identify where your operation is exposed, not based on a generic framework, but based on how your business actually works.

Book a FREE IT Compass Scan Today!