$60M Lost: Bank Wire Transfer Fraud + BEC Beat Email Security

$60 million was recently lost by Texas-based firm Orion to a massive bank wire transfer fraud scam. Unfortunately, this is not an isolated incident. As identified by the FBI, bank wire transfer fraud is a growing multibillion-dollar problem impacting many businesses. Some other newsworthy examples include:

• Toyota lost $37M to a BEC attack involving invoice fraud

• Tech Firm Ubiquiti lost $46M via CEO impersonation

• Scouler Co. lost $17.2M acquisition scam via CEO impersonation

• … and Facebook and Google lost over $100M

What is bank wire transfer fraud, and how does it work?

Bank wire transfer fraud occurs when a bad actor spoofs a vendor into paying a fraudulent account to steal funds. This type of fraud scheme is usually sophisticated and deployed via email, where the bad actors follow a playbook that follows the steps below:

1. They open a look-a-like REAL bank account of a known vendor of an organization, usually in proximity to the original authentic bank account location.

2. They create a new look-a-like email and domain OR have already successfully taken over an employee account at the target organization.

3. The bad actor sends multiple emails from the look-a-like account OR hacked account to another employee in order to establish open communication channels within the organization.  At this point, they have not yet attempted to commit fraud.

4. From there, they wait days, weeks, and sometimes months before they start submitting change requests for payments via email. In many instances, this entails editing past email chains to make it look like this request was previously discussed and approved.

So, you’re probably asking yourself how does this work? Don’t most organizations have an email security tool, such as a secure email gateway (SEG), that blocks malicious accounts from emailing employees? The answer is yes. Most do have a tool in place. Most security teams have also deployed a behavioral AI email security solution to detect anomalies from “known good” behavior.

Why Email Security is Falling Short:

Email security tools, like Secure Email Gateways (SEGs), are designed to detect malicious activity, such as bad links, domains, domain history, or attachments. When there is no malicious activity, there is no reason to set off the alarms, which ultimately allows the bad actors to remain hidden in the system. In addition, when an internal employee account is compromised, SEGs have no reason to block it since it’s not an external threat.  

This brings me to another email security solution type, Behavioral AI-based email detection. As with SEGs, these solutions can also leave organizations vulnerable to fraud via email. In this instance, they are ineffective because they rely on a baseline of “known good” behavior, which is exploited by bad actors that look to evade sending off signals of fraud early on. They instead focus on blending in by building relationships that look safe within the organization long before they attempt any actual fraud. Moreover, these models often only scan emails, missing key signs of fraud within the broader payment process and payment technology ecosystem.  

How to Stop Bank Wire Transfer Fraud and BEC Attacks

Companies require a solution and strategy that covers the full business payment landscape across communication channels and technologies, including ERP systems, to detect suspicious account changes or duplicate invoices tied to a vendor—clues that are often overlooked by email-focused detection alone.

We know bad actors evolve their malicious activities quickly, often outpacing technology. From wire fraud to BEC and internal threats, your payments are at risk—but they don’t have to be. TrustMi’s CEO and former CISO at one of Israel’s top banks, Shai Gabay, worked to develop a solution designed to support finance and security organizations that gives them the tools needed to stop these threats across the full payment landscape, including email. Contact Shai here today to learn how to protect your business.