We had a client whose accounting manager almost wired $47,000 to the wrong account.
The email looked perfect. It came from an address that was one letter off from their regular vendor’s domain. The formatting matched. The invoice number was plausible. It referenced a project the company was actually working on. The only ask was a change to the bank account for the next payment. Please update your records.
She almost did it. She forwarded it to her boss first, something felt slightly off, and the boss called the vendor directly. The vendor had never sent it. The email was a fake.
This is called business email compromise, or BEC. It is the most financially damaging form of cybercrime targeting small businesses. The FBI’s 2023 Internet Crime Report put total BEC losses at over $2.9 billion in that year alone. The attacks do not require sophisticated technical skills. They require patience, research, and one person who does not pause before acting.
How the attack works
The attacker identifies a target company and conducts research on it. They look at LinkedIn to find who handles finances. They look at the website to learn about vendor relationships. They look at any public information to find project names, client names, or contract details. Then they craft an email using that context. The more specific the email, the more believable it is.
The most common versions: a vendor requesting a bank account change before payment is due; an executive asking an employee to buy gift cards urgently and keep it confidential; a client confirming a new payment address; a login alert asking you to verify your account before it is suspended.
What makes these hard to catch is the urgency and the authority they carry. The email from “the CEO” asking for something quickly creates pressure to act before thinking. The invoice from “a vendor” feels routine. Routine is dangerous.
Training is the best defense
Training is the most effective defense, and it does not require an annual all-day session. A 10-minute monthly reminder covering what current attacks look like, what red flags to watch for, and what to do when something feels off is more effective than one big annual training people forget by the following week. Keep it current. The tactics shift. A monthly touchpoint keeps your team calibrated.
The specific behaviors to train for:
- Never click a login link inside an email. Go to the site directly, type the address yourself, and log in from there. If there is a real alert, it will be visible when you log in.
- Verify any payment change by phone before processing it. Do not reply to the same email thread; that thread is controlled by the attacker. Call a number you already have on file, or look it up independently.
- When an email creates urgency (“do this before end of day,” “I need this now,” “please do not discuss this with anyone”), slow down. Urgency is a manipulation tactic. Real emergencies can survive a 10-minute verification call.
- Check sender addresses, not just names. An email that shows “Microsoft Support” in the display name can come from any address. Look at the actual sending address. If it does not exactly match the organization, it is suspicious.
- Report suspicious emails to your I.T. team or MSP, even if you did not click anything. Reporting helps your team identify patterns and block future attempts before someone else in the company sees the same email and acts on it.
At CIO Landing, we use tools like inky.com that add a warning banner to an email when it looks like impersonation or is the first message ever received from that sender. This will not prevent the issue on its own, but it is an additional layer of defense.
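As an added illustration of the sender checks described above (this is example code, not CIO Landing's or inky.com's), here is a small Python routine that produces the banner warnings for a From: header: a sending domain one edit away from a known vendor domain, a display name that invokes a trusted organization while the address lives elsewhere, and a first-time sender. The vendor domain list and sender history are constructed sample data.

```python
import re
from email.utils import parseaddr

# Constructed sample allow-lists; a real deployment would load these from
# the vendor master file and the mail gateway's sender history.
KNOWN_DOMAINS = {"acme-supply.com", "microsoft.com"}
SEEN_SENDERS = {"billing@acme-supply.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a result of 1 means a one-letter-off lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _squash(s: str) -> str:
    """Lower-case and drop punctuation/spaces so 'Acme Supply' matches 'acme-supply'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify_sender(from_header: str, known_domains=KNOWN_DOMAINS,
                    seen_senders=SEEN_SENDERS) -> list[str]:
    """Return the banner warnings a From: header should trigger ([] if clean)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    warnings = []
    if domain not in known_domains:
        for kd in sorted(known_domains):
            # The real sending domain is one edit away from a trusted one.
            if 0 < edit_distance(domain, kd) <= 1:
                warnings.append(f"lookalike of trusted domain {kd}")
            # The display name invokes a trusted org, but the address is elsewhere.
            if _squash(kd.rsplit(".", 1)[0]) in _squash(display):
                warnings.append(
                    f"display name claims {kd}, sent from {domain or 'no address'}")
    if addr not in seen_senders:
        warnings.append("first message from this sender")
    return warnings


if __name__ == "__main__":
    for hdr in ("Acme Supply Billing <billing@acme-suply.com>",
                "Microsoft Support <alerts@mail-secure-login.net>"):
        print(hdr, "->", classify_sender(hdr))
```

A gateway would render each returned string as a banner line; an empty list means no banner.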
The accounting manager who almost wired $47,000 did everything right when it counted. Something felt off, and she stopped. That instinct is trainable. The companies that get hit are the ones where nobody gave the team permission to slow down and question an email. Give your team that permission explicitly, and remind them of it regularly.