The Setup
This is a composite case drawn from multiple BEC investigations we have handled. Names and dollar amounts are adjusted but the sequence of events and forensic findings are real. Every step described here happened in investigations we worked between 2023 and 2026.
The target was a mid-size manufacturing company with roughly 200 employees and annual revenue around $80 million. They had a small IT department: two people covered everything from helpdesk tickets to firewall management. Email ran on Microsoft 365 with default settings. No conditional access policies. No multi-factor authentication on executive accounts. DMARC was published but set to p=none, which meant the company collected failure reports while asking receiving mail servers to block nothing.
The CFO handled wire transfers personally. She had a direct relationship with three major vendors and routinely approved payments between $500,000 and $3 million. The attacker did not pick this company at random. They picked it because the CFO's email address appeared on a public SEC filing and because the company's DMARC record, readable by anyone with a DNS client, advertised a p=none policy: a sign that nobody was enforcing email authentication and that mail spoofing the company's exact domain would be reported rather than rejected.
Day 1-3: The Initial Compromise
The phishing email arrived on a Tuesday morning at 7:14 AM Pacific. It landed in the CFO's inbox disguised as a Microsoft 365 password expiration notice. The email came from a domain registered 48 hours earlier. The domain name was one character off from the company's actual domain. A classic typosquat.
The landing page was a near-perfect replica of the Microsoft login portal. It even included the company logo pulled from their public website. The CFO entered her credentials at 7:22 AM. Eight minutes from delivery to compromise.
Within 90 minutes the attacker logged into her Microsoft 365 account from an IP address geolocated to Lagos, Nigeria. They did not change the password. They did not send any emails. They did not do anything that would trigger an alert. What they did was methodical and deliberate.
First they created an inbox rule. The rule intercepted any email containing the words "wire" or "payment" or "bank details" and moved it to a folder called RSS Feeds. That folder exists by default in Outlook but almost nobody looks at it. Any replies the CFO might receive about altered payment instructions would vanish before she saw them.
Second they enabled email forwarding to an external Gmail address. Every inbound message to the CFO was now copied to the attacker in real time. This forwarding rule was buried under the display name "Compliance Archive" to look routine if anyone checked.
Third they accessed the CFO's sent items and read through six months of email history. They downloaded every attachment related to vendor payments. They now had invoice templates, banking details, payment schedules and the informal language the CFO used with each vendor.
Day 4-14: Silent Surveillance
For eleven days the attacker did nothing visible. They read every email in real time through the forwarding rule. They built a detailed profile of how the company handled payments.
They learned that the CFO approved wires verbally with the controller. They learned that the controller processed payments through the bank's online portal every Thursday. They learned that a $2.1 million payment to a key vendor was scheduled for the end of the month. They learned the vendor's account manager by name and knew his email signature format down to the font.
The attacker also registered another domain during this period. This one mimicked the vendor's domain. If the vendor was acmeparts.com the attacker registered acme-parts.com. They configured this domain with SPF and DKIM records so emails from it would pass basic authentication checks. They set up a mailbox matching the vendor account manager's name.
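Monitoring for this kind of registration is mechanical once you enumerate the neighbours of the domains you care about. The following Python is an added example, not code from the original case study or from any named monitoring service: it generates the hyphenation, omission, transposition, repetition, homoglyph and alternate-TLD variants of a domain and matches them against a constructed feed of newly registered names. acmeparts.com is the article's placeholder vendor domain; example.com stands in for the company, and the feed contents are invented.

```python
"""Enumerate the lookalike domains a monitoring service would watch for.
Added example, not code from the original case study. acmeparts.com is the
article's own placeholder; the 'newly registered' feed below is constructed."""

# Single-character confusables commonly seen in typosquats.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
}
ALT_TLDS = ("com", "net", "co", "org", "biz")


def lookalike_variants(domain: str) -> set[str]:
    """Return the typosquat neighbours of `domain` (the domain itself excluded)."""
    name, _, tld = domain.lower().rpartition(".")
    variants: set[str] = set()
    # Hyphen insertion:        acmeparts -> acme-parts
    for i in range(1, len(name)):
        variants.add(f"{name[:i]}-{name[i:]}.{tld}")
    # Character omission:      acmeparts -> acmparts
    for i in range(len(name)):
        variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # Adjacent transposition:  acmeparts -> acemparts
    for i in range(len(name) - 1):
        variants.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    # Character repetition:    acmeparts -> acmeeparts
    for i in range(len(name)):
        variants.add(f"{name[:i]}{name[i]}{name[i:]}.{tld}")
    # Homoglyph substitution:  acmeparts -> acrneparts, acmepart5
    for src, repls in HOMOGLYPHS.items():
        start = 0
        while (idx := name.find(src, start)) != -1:
            for r in repls:
                variants.add(f"{name[:idx]}{r}{name[idx + len(src):]}.{tld}")
            start = idx + 1
    # Same name under a different TLD: acmeparts.com -> acmeparts.net
    for alt in ALT_TLDS:
        if alt != tld:
            variants.add(f"{name}.{alt}")
    variants.discard(domain.lower())
    return variants


def match_new_registrations(protected: list[str], newly_registered: list[str]) -> dict[str, str]:
    """Map each new registration that imitates a protected domain to the
    domain it imitates. Feed this from a daily newly-registered-domain list."""
    watchlist: dict[str, str] = {}
    for d in protected:
        for v in lookalike_variants(d):
            watchlist.setdefault(v, d)
    return {nd.lower(): watchlist[nd.lower()] for nd in newly_registered if nd.lower() in watchlist}


if __name__ == "__main__":
    # Constructed feed: one hit for the vendor, one for the company, one unrelated.
    feed = ["acme-parts.com", "examp1e.com", "totally-unrelated.org"]
    for hit, target in match_new_registrations(["acmeparts.com", "example.com"], feed).items():
        print(f"{hit} imitates {target}")
```

The watchlist is deliberately broad; in practice you run the new-domain feed through it daily and hand the hits to a human, because a single match (acme-parts.com) is exactly the kind of registration that precedes the Day 15 email.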
This is the part that separates BEC from ordinary phishing. Ordinary phishing is a volume game. BEC is surveillance. The attacker spent nearly two weeks doing nothing but reading and learning. By the time they acted they knew more about this company's payment processes than most of the company's own employees did.
Day 15: The Wire
On a Wednesday afternoon at 3:47 PM the spoofed email arrived. It appeared to come from the vendor's account manager. The display name was correct. The email signature was an exact copy. The language matched previous correspondence. The email referenced the specific invoice number for the upcoming payment. It stated that due to a change in banking relationships the vendor had updated their wire instructions and attached a new W-9 form along with the revised banking details.
The CFO read the email. It looked normal. She forwarded it to the controller with a note: "Updated wire info for the Thursday run." The controller updated the banking details in the payment system. On Thursday morning at 9:15 AM the wire for $2,037,500 went out to an account at a domestic bank. Within four hours the funds were moved to a second domestic account. By end of day they had been wired to an account in Hong Kong. By Friday morning the Hong Kong account had been emptied.
Total elapsed time from the spoofed email to funds gone: 42 hours.
Day 16: Discovery
The company's bank flagged the transaction as part of their routine review on Friday afternoon. The receiving account had been opened only two weeks prior and had no prior transaction history. The bank called the controller to verify the payment. The controller called the vendor. The vendor said they had not changed their banking details.
The company's CEO called their cyber insurance carrier. The carrier called us.
By the time we received the call it was Friday at 5:30 PM Pacific. The funds had been offshore for over 24 hours. The realistic chance of recovery was near zero. We advised immediate contact with the FBI's IC3 and the receiving bank's fraud department. We also told them to expect the recovery process to take months with no guarantee of getting anything back. They ultimately recovered $140,000 of the $2,037,500. About seven cents on the dollar.
The Forensic Investigation
We began evidence collection Saturday morning. Here is what we found.
Mail Rules
The hidden inbox rule targeting "wire" and "payment" keywords was still active. It had processed 23 emails during the 14-day surveillance period. Three of those were internal messages about the upcoming vendor payment that the CFO never saw. The forwarding rule to the external Gmail address had copied over 1,400 emails.
Authentication Logs
Microsoft 365 sign-in logs showed 47 successful authentications from three IP addresses in Nigeria between Day 1 and Day 16. Every login used the CFO's legitimate credentials. No MFA challenge was triggered because MFA was not enabled on her account. The logins occurred primarily between 2:00 AM and 5:00 AM Pacific which corresponded to business hours in West Africa. Nobody noticed because nobody was looking at sign-in logs.
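Here is what a minimal review of those logs would have looked like, as an added example written for this article rather than code from the investigation. The records are constructed to mirror a Microsoft Graph signIns export (the field names createdDateTime, userPrincipalName, ipAddress, location.countryOrRegion, authenticationRequirement and status.errorCode are the real ones; the users, IPs and times are invented), and the script flags successful sign-ins from countries outside an allowlist, without MFA, or outside local business hours.

```python
"""Flag the sign-in pattern from this case in Entra ID sign-in logs.
Added example, not from the original investigation. The records are
constructed to mirror a Microsoft Graph signIns export: the field names
are real, the values are not. The sample dates fall in Pacific standard
time, so a fixed UTC-8 offset is used; production code should use
zoneinfo so DST is handled."""

from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-8), "PST")
ALLOWED_COUNTRIES = {"US"}          # where the company actually does business
BUSINESS_HOURS = range(6, 21)       # 06:00-20:59 local; anything else is worth a look

SAMPLE_SIGNINS = [  # constructed; loosely mirrors the article's timeline
    {"createdDateTime": "2024-03-05T15:22:10Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "US"},
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-05T16:51:44Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NG"},
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-06T10:03:09Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NG"},
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-06T11:40:00Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "203.0.113.91", "location": {"countryOrRegion": "NG"},
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-03-06T17:15:30Z", "userPrincipalName": "controller@example.com",
     "ipAddress": "198.51.100.40", "location": {"countryOrRegion": "US"},
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
]


def local_time(iso_utc: str) -> datetime:
    """Graph timestamps are UTC with a trailing Z; convert to the company's local zone."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00")).astimezone(LOCAL_TZ)


def analyse_signins(records: list[dict], allowed: set[str] = ALLOWED_COUNTRIES) -> list[dict]:
    """Return one finding per successful sign-in that breaks a baseline rule."""
    findings = []
    for r in records:
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are a separate hunt; only successes read the mailbox
        when = local_time(r["createdDateTime"])
        country = r.get("location", {}).get("countryOrRegion", "unknown")
        reasons = []
        if country not in allowed:
            reasons.append(f"login from {country}")
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.append("no MFA satisfied")
        if when.hour not in BUSINESS_HOURS:
            reasons.append(f"outside business hours ({when:%H:%M} local)")
        if reasons:
            findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                             "local_time": when.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_signins(SAMPLE_SIGNINS):
        print(f["local_time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Three of the four successful sign-ins in the sample trip at least one rule, and the very first one (the CFO's own legitimate login) is flagged too, because single-factor authentication on a finance account is itself a finding. A conditional access policy encodes the same three conditions, but enforces them before the session exists instead of after.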
Email Headers
The spoofed vendor email on Day 15 told the entire story in the headers. The Return-Path pointed to the attacker's lookalike domain, not the real vendor domain. The Received: chain showed the message originated from a mail server associated with the lookalike domain. SPF passed because the attacker had configured SPF on their own domain. DKIM passed for the same reason. DMARC is evaluated against the domain in the From: header, which was the attacker's, so the vendor's DMARC policy never came into play. The attack did not require spoofing the vendor's actual domain. It only required a domain that looked similar enough, and a pass from SPF and DKIM only confirms that the mail really came from the domain it named, not that the domain belongs to the vendor.
DMARC Configuration
The company's own DMARC record was set to p=none. This meant that if someone had spoofed their exact domain, receiving mail servers honoring the policy would have delivered the message anyway. The DMARC aggregate reports had been going to a mailbox nobody monitored. Six months of data showing authentication failures sat unread.
The Attachment
The W-9 form attached to the spoofed email was a modified version of the vendor's real W-9 that the attacker had pulled from the CFO's sent items during the surveillance phase. The only changes were the bank name, routing number and account number. The rest of the document including the vendor's EIN and address was authentic. This made the document convincing enough that neither the CFO nor the controller questioned it.
What They Missed at Each Stage
Every BEC investigation ends with a list of moments where the attack could have been stopped. This case had at least six.
| Stage | What Happened | What Would Have Stopped It |
|---|---|---|
| Day 1 - Phishing email | Typosquat domain passed spam filters | Advanced email filtering with new domain detection; security awareness training focused on URL inspection |
| Day 1 - Credential harvest | CFO entered real credentials on fake page | Hardware security keys or phishing-resistant MFA (FIDO2) |
| Day 1 - Account login from Nigeria | Foreign login succeeded without challenge | Conditional access policies blocking logins from high-risk geolocations; MFA on all accounts |
| Day 1-3 - Mail rules created | Attacker created hidden forwarding and filtering rules | Alerting on new inbox rules and external forwarding; blocking automatic external forwarding at the tenant level; periodic audit of inbox rules and mailbox forwarding settings |
| Day 15 - Spoofed vendor email | Lookalike domain was not flagged | External email banner warnings; lookalike domain monitoring service |
| Day 15-16 - Wire transfer | Banking details changed without verification | Mandatory phone call to vendor using a known number before changing any wire details; dual authorization for transfers over $50,000 |
The frustrating reality is that none of these controls are exotic. Every one of them was available and affordable for a company of this size. The problem was not technology. The problem was that nobody had mapped out the specific scenario of "what happens if an executive email account is compromised" and put controls in place for each link in the chain.
Prevention: What Actually Works
After twenty years of investigating these cases I can tell you that BEC prevention is not about buying a product. It is about layered controls that assume each individual layer will fail. Here is what works.
Email Authentication: DMARC with Enforcement
Publish DMARC at p=reject for your domain. Not p=none. Not p=quarantine. Reject. This will not stop lookalike domain attacks, but it will stop anyone from spoofing your exact domain, whether they are targeting your vendors, your partners or your own employees. Make sure SPF and DKIM are properly aligned first; p=none and p=quarantine are staging steps on the way to reject, not places to stop. Monitor the aggregate reports. CISA's BOD 18-01, issued in October 2017, gave federal agencies one year to reach p=reject. Your company should have done it years ago.
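Two checks worth automating, as an added example rather than anything from the original article: parsing the _dmarc TXT record to see whether it actually enforces, and applying RFC 7489 identifier alignment, which is why the lookalike mail in this case passed while a spoof of the vendor's exact domain from the same infrastructure would not have. The two records and the domains are constructed; acmeparts.com and acme-parts.com are the article's placeholders.

```python
"""Parse a DMARC TXT record and say whether it actually enforces, then show
RFC 7489 identifier alignment. Added example, not part of the original
article. The records and domains are constructed; acmeparts.com and
acme-parts.com are the article's placeholders."""

# Published as a TXT record at _dmarc.<domain>.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com")


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; reject anything that is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def evaluate(txt: str) -> list[str]:
    """Return the reasons a record fails to enforce; empty means p=reject with reporting."""
    tags = parse_dmarc(txt)
    problems = []
    p = tags.get("p", "none")
    if p != "reject":
        verb = "quarantined" if p == "quarantine" else "delivered"
        problems.append(f"policy is p={p}; mail that fails DMARC is {verb}")
    if "sp" in tags and tags["sp"] != "reject":   # sp defaults to p when absent
        problems.append(f"subdomains are only sp={tags['sp']}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        problems.append(f"only pct={pct} of failing mail gets the policy")
    if "rua" not in tags:
        problems.append("no rua= address, so aggregate reports are going nowhere")
    return problems


def org_domain(domain: str) -> str:
    # Toy organizational-domain rule (last two labels); real code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_passes(from_domain, spf_domain, spf_result, dkim_domain, dkim_result, tags=None) -> bool:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with the From: domain."""
    tags = tags or {}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return spf_ok or dkim_ok


if __name__ == "__main__":
    print("weak:  ", evaluate(WEAK_RECORD) or "enforcing")
    print("strong:", evaluate(STRONG_RECORD) or "enforcing")
    # The Day 15 message: From acme-parts.com, SPF and DKIM for acme-parts.com -> passes.
    print(dmarc_passes("acme-parts.com", "acme-parts.com", "pass", "acme-parts.com", "pass"))
    # A spoof of the real vendor domain from the same server -> fails alignment.
    print(dmarc_passes("acmeparts.com", "acme-parts.com", "pass", "acme-parts.com", "pass"))
```

The second scenario is the one a p=reject record on the vendor's side would have blocked; the first is the one no DMARC policy can, which is why the wire-verification control later in this list is the one that actually matters.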
Multi-Factor Authentication
MFA on every account. No exceptions for executives. Prefer hardware security keys or FIDO2 passkeys over SMS codes, which are exposed to SIM swapping, and over app push notifications, which are exposed to MFA fatigue. Neither SMS nor push is phishing-resistant: a credential-harvesting page like the one in this case can relay the code or the approval prompt in real time, whereas a FIDO2 authenticator binds its response to the legitimate origin and will not answer for a lookalike site. The entire compromise in this case would have been prevented by a $25 hardware key on the CFO's account.
Conditional Access Policies
Block or challenge logins from countries where your company has no business. Block legacy authentication protocols that bypass MFA. Require compliant devices for email access. Microsoft 365 has these capabilities built in. You just have to turn them on.
Wire Transfer Controls
This is the most important control and the one companies resist the most because it slows things down. Any change to wire transfer banking details must be verified by phone using a number on file. Not a number from the email requesting the change. Not a number from the new invoice. A number your accounts payable team looked up independently. Dual authorization for any wire over a defined threshold. No single person should be able to both approve and send a payment.
Mail Rule Monitoring
Configure alerts for new inbox rules that forward email externally or delete/move messages based on keywords. Microsoft Defender for Office 365 ships alert policies for forwarding-rule creation and suspicious external forwarding; turn them on and route them somewhere a human reads. Set the outbound spam policy's automatic forwarding option to Off rather than Automatic so that forwarding to external addresses is blocked at the tenant level regardless of what rules a compromised user creates. Review inbox rules and mailbox forwarding settings across the tenant quarterly, not only the mail flow (transport) rules: the rules in this case were per-mailbox inbox rules, which a transport-rule review would never surface. This single control would have detected this compromise on Day 1 instead of Day 16.
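The audit records for the changes described in this case look like the following, and triaging them is a short script. This is an added example, not code from the investigation: the records are constructed to mirror the AuditData that Search-UnifiedAuditLog returns for Exchange admin operations (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs, where the names are the real New-InboxRule and Set-Mailbox parameters), and the users, addresses and IPs are invented.

```python
"""Triage Exchange Online audit records for the inbox-rule and forwarding
changes described in this case. Added example, not code from the original
investigation. Records are constructed to mirror the AuditData shape from
Search-UnifiedAuditLog for Exchange admin operations; parameter names are
the real cmdlet parameters, the values are invented."""

import re

INTERNAL_DOMAINS = {"example.com"}
FINANCE_KEYWORDS = {"wire", "payment", "bank", "invoice", "ach", "routing", "remit"}
# Folders attackers park intercepted mail in because nobody opens them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
KEYWORD_PARAMS = {"SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule", "Set-Mailbox"}

SAMPLE_AUDIT = [  # constructed
    {"CreationTime": "2024-03-05T17:02:13", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "wire;payment;bank details"},
                    {"Name": "MoveToFolder", "Value": "cfo@example.com:\\RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-05T17:05:40", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "Compliance Archive"},
                    {"Name": "ForwardTo", "Value": "Compliance Archive <compliance.archive@gmail.com>"}]},
    {"CreationTime": "2024-03-05T17:06:12", "Operation": "Set-Mailbox",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:compliance.archive@gmail.com"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-03-07T20:11:02", "Operation": "New-InboxRule",
     "UserId": "controller@example.com", "ClientIP": "198.51.100.40",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "From", "Value": "news@acmeparts.com"},
                    {"Name": "MoveToFolder", "Value": "controller@example.com:\\Newsletters"}]},
]


def params(record: dict) -> dict[str, str]:
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_addresses(value: str) -> list[str]:
    """Pull addresses out of 'smtp:a@b' or 'Name <a@b>' forms and keep the non-internal ones."""
    return [a for a in re.findall(r"[\w.+-]+@[\w.-]+", value)
            if a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]


def triage(records: list[dict]) -> list[dict]:
    """One finding per rule/mailbox change that forwards out, filters finance mail, or hides it."""
    findings = []
    for r in records:
        if r.get("Operation") not in WATCHED_OPS:
            continue
        p = params(r)
        reasons = []
        for name in sorted(FORWARD_PARAMS & p.keys()):
            ext = external_addresses(p[name])
            if ext:
                reasons.append(f"{name} sends mail to external {', '.join(ext)}")
        for name in sorted(KEYWORD_PARAMS & p.keys()):
            words = {w.strip().lower() for w in p[name].split(";") if w.strip()}
            hits = sorted(w for w in words if any(k in w for k in FINANCE_KEYWORDS))
            if hits:
                reasons.append(f"{name} matches finance terms {hits}")
        # MoveToFolder is logged as 'mailbox:\Folder'; keep only the folder name.
        folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].strip().lower()
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes matching mail")
        elif folder in HIDING_FOLDERS:
            reasons.append(f"moves matching mail to '{folder}'")
        if r["Operation"] == "New-InboxRule" and len(p.get("Name", "").strip()) <= 2:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append({"time": r["CreationTime"], "user": r["UserId"], "client_ip": r.get("ClientIP"),
                             "operation": r["Operation"], "rule": p.get("Name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f["time"], f["user"], f["client_ip"], f["operation"], f["rule"], "; ".join(f["reasons"]))
```

The controller's newsletter rule passes through untouched, which matters: a detection that fires on every inbox rule gets muted within a week. Joining the ClientIP on these findings to the sign-in logs is what turns three separate alerts into one incident.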
Email Header Analysis
Train your finance team to recognize when an email comes from outside your organization. Better yet, implement an automatic banner on all external emails that says "This message originated outside your organization." When someone on your team receives wire instructions from what appears to be a known vendor, they should know how to check whether the sending domain is actually the vendor's domain or a lookalike, and they should understand that spf=pass and dkim=pass in the headers only prove the mail came from the domain it claims, not that the domain belongs to the vendor. Email header analysis tools make this straightforward.
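Applied to the kind of message described in the Email Headers findings above, the check the finance team needs looks like this. It is an added example, not code from the original article: the message is constructed, acme-parts.com and acmeparts.com are the article's placeholders, the vendor list would come from your vendor master file, and the addresses, hostnames and IPs are invented. It extracts the From and Return-Path domains, parses Authentication-Results, and reports when every check passed but for a domain one edit away from a real vendor.

```python
"""Pull sender identity and authentication results out of a message's headers
and decide whether the sending domain is a vendor you know or a lookalike.
Added example, not code from the original article. The message is constructed;
acme-parts.com / acmeparts.com are the article's placeholders."""

import email
import re
from email import policy
from email.utils import parseaddr

KNOWN_VENDORS = {"acmeparts.com"}   # maintained from your vendor master file, never from email

SAMPLE_MESSAGE = b"""\
Received: from mail.acme-parts.com (mail.acme-parts.com [203.0.113.50])
\tby mx.example.com with ESMTPS
\tfor <cfo@example.com>; Wed, 20 Mar 2024 22:47:02 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-parts.com;
\tdkim=pass header.d=acme-parts.com; dmarc=pass header.from=acme-parts.com
Return-Path: <accounts@acme-parts.com>
From: Accounts Team <accounts@acme-parts.com>
To: cfo@example.com
Subject: Updated wire instructions
Date: Wed, 20 Mar 2024 15:47:02 -0700
Content-Type: text/plain

Our banking relationship has changed; revised details attached.
"""

# method=result ... (smtp.mailfrom|header.d|header.from)=domain, one clause per method
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")


def domain_of(header_value) -> str:
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict[str, tuple[str, str]]:
    """Collapse Authentication-Results into {method: (result, domain it was evaluated for)}."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in AUTH_RE.finditer(str(hdr)):
            out[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return out


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: bytes, known_vendors=KNOWN_VENDORS) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    closest = min(known_vendors, key=lambda v: levenshtein(from_dom, v))
    distance = levenshtein(from_dom, closest)
    verdicts = []
    if from_dom in known_vendors:
        verdicts.append(f"From domain {from_dom} is a known vendor")
    elif distance <= 2:
        verdicts.append(f"From domain {from_dom} is a lookalike of {closest} (edit distance {distance})")
    else:
        verdicts.append(f"From domain {from_dom} is not a known vendor")
    if rp_dom and rp_dom != from_dom:
        verdicts.append(f"Return-Path domain {rp_dom} does not match the From domain")
    for method, (result, dom) in sorted(auth.items()):
        owner = "the vendor's domain" if dom in known_vendors else "the sender's own domain, not the vendor's"
        verdicts.append(f"{method}={result} was evaluated for {dom}, {owner}")
    return {
        "from_domain": from_dom, "return_path_domain": rp_dom, "auth": auth,
        "closest_vendor": closest, "edit_distance": distance,
        "lookalike": from_dom not in known_vendors and distance <= 2,
        "all_auth_passed": bool(auth) and all(res == "pass" for res, _ in auth.values()),
        "first_hop": (msg.get_all("Received") or [""])[-1],  # bottom-most Received is nearest the origin
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for line in analyse(SAMPLE_MESSAGE)["verdicts"]:
        print(line)
```

The output for the sample is the forensic finding from this case in four lines: every authentication check passed, and every one of them was evaluated for acme-parts.com rather than acmeparts.com. An edit-distance threshold of two catches hyphenation, single omissions and single substitutions; anything flagged should route to the out-of-band phone verification rather than to a judgment call in the inbox.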
Tabletop Exercises
Run a BEC scenario with your finance team and executives at least once a year. Walk through exactly this kind of attack step by step. Ask the question: "If an attacker had our CFO's email credentials right now what controls would stop them from redirecting a wire?" If the answer involves hope rather than specific technical controls you have work to do. Would your team catch this in time? Run a BEC tabletop exercise to find out.
The Bigger Picture
The FBI's Internet Crime Complaint Center (IC3) has tracked BEC among the highest-loss cybercrime categories for eight consecutive years. In 2025 reported losses in the United States alone exceeded $2.9 billion. The actual number is higher because many companies never report.
BEC works because it exploits trust not technology. The attacker in this case did not use malware. They did not exploit a zero-day vulnerability. They did not need to bypass any security product. They logged in with a valid password and sent emails that looked exactly like emails the CFO received every week. The technology to prevent every step of this attack has existed for years. The gap is implementation.
If you take one thing from this case study let it be this: the $2 million was not lost because of a sophisticated attack. It was lost because six basic controls were not in place. Every one of them costs a small fraction of what the fraudulent wire did.