The Long Con
Angela in finance receives an email from her CFO, David:
Subject: Re: Q3 Vendor Payment
Hi Angela,
Following up on our discussion last week about the new vendor payment process. Can you wire $47,500 to the account below for the software license renewal? Time-sensitive as the discount expires Friday.
Bank: First National
Account: 8847291034
Routing: 021000089
Let me know when it's done.
Thanks,
David
Sent from my iPhone
This looks completely legitimate. It's from David's real email address. The writing style matches his patterns. There really was a vendor discussion last week. Angela processes the wire transfer.
Except David's email account had been compromised weeks ago. Attackers read his emails, learned his writing style, and waited for the perfect moment.
How BEC Attacks Work
Compromise: Attackers gain access to an executive's email via phishing or password breach
Reconnaissance: They read emails silently for weeks, learning relationships, projects, writing styles
Setup: They set up email rules to hide their activity and monitor for wire transfer opportunities
Strike: They send a perfectly timed, contextually accurate request for a wire transfer
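The Setup step leaves evidence in the mailbox itself: the rules the attacker created. The script below is an added example, not part of the original article, that triages an exported list of inbox rules. The field names follow the output of Exchange Online's Get-InboxRule (an assumption about your mail platform), and the keyword list, folder list, internal domain and sample rules are all constructed.

```python
import json
import re

INTERNAL_DOMAINS = {"example.com"}   # placeholder: your accepted domains
FINANCE_WORDS = ("wire", "invoice", "payment", "bank", "remit")  # assumed list
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                 "deleted items", "junk email", "archive"}  # assumed list

def review_reasons(rule):
    """Return the reasons one inbox rule deserves analyst review ([] if none)."""
    reasons = []
    # 1. Rule hides mail: deletes it or files it where the owner rarely looks.
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if rule.get("DeleteMessage") or folder in QUIET_FOLDERS:
        reasons.append("hides-mail")
    # 2. Rule is keyed on payment vocabulary.
    words = []
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords"):
        words += [w.lower() for w in rule.get(key) or []]
    if any(f in w for w in words for f in FINANCE_WORDS):
        reasons.append("finance-keywords")
    # 3. Rule copies mail to an address outside the organisation.
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for target in rule.get(key) or []:
            domains = re.findall(r"@([\w.-]+)", target.lower())
            if any(d not in INTERNAL_DOMAINS for d in domains):
                reasons.append("external-forward")
    return sorted(set(reasons))

def audit(rules):
    """Map rule name -> reasons, for every rule with at least one reason.
    Disabled rules are checked too: a rule switched off later is still evidence."""
    return {r.get("Name", "<unnamed>"): why
            for r in rules if (why := review_reasons(r))}

# Constructed sample export (not real data).
SAMPLE_RULES = json.loads("""[
  {"Name": "Newsletters", "MoveToFolder": "Newsletters",
   "SubjectContainsWords": ["weekly digest"]},
  {"Name": ".", "MoveToFolder": "RSS Feeds", "MarkAsRead": true,
   "SubjectOrBodyContainsWords": ["Wire transfer", "invoice"]},
  {"Name": "backup", "ForwardTo": ["copy@mail.example.net"]},
  {"Name": "cleanup", "DeleteMessage": true, "From": ["noreply@example.com"]}
]""")

if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES).items():
        print(f"{name!r}: {', '.join(why)}")
```

A rule that both hides mail and matches payment vocabulary, like the constructed rule named ".", is the combination to escalate first; "hides-mail" on its own (the "cleanup" rule) is common in benign mailboxes and needs only a quick look.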
Why These Attacks Succeed
- The email comes from a real, legitimate address
- It references actual ongoing projects
- The writing style matches the real person
- The amount is plausible for normal business
- There's artificial urgency, but not at panic level
Defense Strategies
- Use a known number (not from the email) to confirm every wire request
- Require two people to approve wire transfers over a threshold
- "Please use these new bank details" is a major red flag
- Urgency is a manipulation tactic. Real business can wait for verification.