Business email compromise – the silent corporate killer

In January 2023, we received a phone call from the CEO of a well-known logistics company. His voice carried the weight of urgency and frustration.

“Mr. Strategy, I think we’ve been scammed, but I can’t understand how. We wired about seventy-one thousand United States dollars to what we believed was our supplier’s account, only to find out it never reached them. The finance team insists they followed the right process, but the supplier says they never changed their banking details. I need answers. Fast.”

It was a classic case of Business Email Compromise (BEC), but as we would soon uncover, the attackers had executed their scheme with surgical precision.

The fraudster’s playbook: how it all happened

By the time we stepped into the company’s headquarters, panic was evident. The finance director, the IT manager, and the CEO were all waiting. They needed an explanation.

Here’s what we found out:

Initial compromise

After analysing their systems, we found that the company’s finance officer, Subject 1, had unknowingly clicked on a phishing email a few weeks earlier. The email, disguised as a routine Microsoft 365 security update, asked her to verify her credentials. The attackers, whom we refer to as Subject 2, captured her email login details in real time and immediately accessed her inbox.

Email monitoring and reconnaissance

The criminals did not act immediately. Instead, they watched. Sophisticated cybercriminals are very patient people. They take their time. For three weeks, they studied email conversations between the finance team and key suppliers. They identified the payment patterns, the tone of the emails, and the key players in financial transactions. They examined the approval limits and the emergency cases in which finance was allowed to process a payment quickly.

The deception begins

Once the attackers had a full picture, they acted. They created a lookalike email domain, changing just one letter in the supplier’s email address—something barely noticeable to the human eye. Using this fraudulent email address, Subject 2 posed as the supplier’s accounts manager, informing the company of a “recent banking update” due to an “ongoing audit.”
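The one-letter domain swap described above is exactly the kind of thing a mail gateway or finance mailbox rule can catch mechanically. As an added example (not part of the original case write-up), the Python below flags sender domains that sit within a short edit distance of a known supplier domain after folding common look-alike substitutions; the trusted domain list and sample From headers are constructed for the illustration.

```python
from email.utils import parseaddr

# Constructed list of supplier domains finance already pays (assumption: such a list exists).
TRUSTED_DOMAINS = {"acme-freight.com", "northsea-logistics.co.uk"}

# Visually confusable substitutions frequently seen in lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute), dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case and fold confusable character sequences so 'acrne' compares as 'acme'."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def sender_domain(header_from: str) -> str:
    """Extract the domain part of an RFC 5322 From header; '' if there is no address."""
    _, addr = parseaddr(header_from)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(header_from: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<which supplier it imitates>', 'unknown' or 'invalid'."""
    domain = sender_domain(header_from)
    if not domain:
        return "invalid"
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    # Closest trusted domain; ties broken by name so the result is deterministic.
    dist, best = min((levenshtein(norm, normalize(t)), t) for t in trusted)
    if dist <= max_distance:
        return f"lookalike:{best}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers: a genuine supplier, an 'rn' for 'm' swap, and an appended letter.
    for hdr in ("Accounts <accounts@acme-freight.com>",
                "Accounts <accounts@acrne-freight.com>",
                "Accounts <accounts@acme-freights.com>"):
        print(f"{hdr:45} -> {classify_sender(hdr)}")
```

A "lookalike" verdict is a trigger for the out-of-band check (a call to the supplier's known number), not proof of fraud on its own.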

Social engineering at its best

To further authenticate their claim, the fraudsters compromised the supplier’s actual email account and forwarded previous legitimate invoices. They even used the supplier’s real email signature, adding credibility to the deception.

Execution of the fraud

With all the pieces in place, Subject 1 received a final email instructing payment to the “new” bank account. The finance team, trusting the familiar conversation thread, wired $71,240 without hesitation.

The aftermath

Two days later, the real supplier followed up for payment, completely unaware of the fraud. By then, the money had already been withdrawn from an offshore account.

What went wrong? The investigations

Once we pieced together the fraud, the next step was to determine how the company let this happen.

  1. Weak email security. The finance officer’s email was compromised because the company did not enforce multi-factor authentication (MFA) on their accounts.
  2. Lack of financial verification protocols. The finance department had no internal process for verifying bank detail changes. A simple phone call to the supplier’s known contact number would have stopped the fraud.
  3. Poor cyber awareness. Employees had last been trained to identify phishing emails two years earlier, which made them easy prey for attackers.

Lessons learned

  1. Enforce email security. Implement multi-factor authentication (MFA) for all corporate email accounts.
  2. Tighten financial processes. No banking details should ever be changed based on email instructions alone. Always verify via phone calls to known contacts.
  3. Train employees. Conduct phishing awareness training and test employees regularly with simulated attacks.

The cost of negligence
