Skip to main content
Beancount.io LogoBeancount.io

Business Email Compromise: The Accounts Payable Controls That Stop Wire Fraud

8 min readMike ThriftMike Thrift
Business Email Compromise: The Accounts Payable Controls That Stop Wire Fraud

The email looks exactly like it should. It's from your CEO's real address, in a thread that references an actual ongoing deal, asking your controller to wire $47,000 to a vendor by end of day because a deadline is tight and "I'm in back-to-back meetings, please just get it done." Nothing about it reads as suspicious. The tone matches. The urgency matches. The typos are gone — the era of comically bad phishing English is over.

Twenty minutes later, the money is gone, and the CEO never sent that email.

This is business email compromise, or BEC, and it is now the single most expensive category of cybercrime reported to the FBI — bigger than ransomware, bigger than data breaches. In 2025 alone, the FBI's Internet Crime Complaint Center logged nearly 25,000 BEC complaints totaling just over $3 billion in reported losses, up from $2.77 billion the year before. Over the past decade, cumulative reported BEC losses have climbed past $17 billion, a more than tenfold increase since 2015. And unlike a stolen credit card, a fraudulent wire transfer is often gone for good the moment it clears — roughly 86% of BEC losses move through wire transfer or ACH, both of which settle fast and are brutally hard to claw back once the funds land in the fraudster's account and get moved again.

2026-07-03-business-email-compromise-accounts-payable-controls-stop-wire-fraud-guide

Small and mid-sized businesses are disproportionately exposed. They handle real money through accounts payable every week, but they rarely have the layered verification controls a large enterprise treasury department takes for granted. That gap — real cash flow, thin controls — is exactly what BEC scammers are built to exploit.

How the scam actually works

BEC isn't really a hacking problem. It's a trust problem, and that's what makes it so effective against well-meaning, busy people. The mechanics usually fall into one of a few patterns:

Executive impersonation. A message that appears to come from a founder, CEO, or CFO — sometimes from a real but compromised account, sometimes from a spoofed or lookalike domain (yourcompany-inc.com instead of yourcompany.com) — instructs someone in finance to make an urgent, confidential wire transfer. The urgency and confidentiality framing are doing the work: they discourage the recipient from checking with anyone else before acting.

Vendor or supplier impersonation. An email that looks like it's from a real, existing vendor informs your accounts payable team that "our bank has changed" and provides new wiring instructions for the next invoice payment. This variant is particularly dangerous because the invoice itself is often completely legitimate — real amount, real work performed — with only the destination account swapped out. Your team pays a bill they genuinely owe, just to the wrong place.

Compromised account takeover. Rather than spoofing an email address, the attacker gains actual access to a real mailbox — a vendor's, a partner's, sometimes an employee's — through a prior phishing attack or credential leak. From inside a legitimate, previously-trusted thread, they insert a payment request or redirect an in-progress invoice conversation. Because the email genuinely originates from the real account, technical email-authentication checks won't catch it; only a human process will.

Payroll diversion. A message impersonating an employee asks HR or payroll to update direct-deposit details before the next pay run, quietly redirecting a paycheck (or several) to an account the employee doesn't control.

What ties all of these together is that none of them require breaking into your systems. They require finding one person, on one busy day, who trusts an email enough to skip a verification step they'd otherwise take.

The controls that actually stop it

The good news: BEC is defeated almost entirely by process, not technology. A small business doesn't need a security operations center — it needs a short list of rules that are followed every single time, with no exceptions carved out for "but this one seemed urgent and legitimate."

1. Callback verification for any payment detail change

This is the single highest-value control you can put in place, and it costs nothing but discipline. Any request to change a vendor's bank account, wiring instructions, or payment contact — no matter how it arrives, no matter who it appears to be from — must be verified by phone before it's acted on. Critically, that callback goes to a phone number already on file in your vendor records, never a number provided in the email or text making the request. If the only way to "confirm" the change is by replying to the same email thread or calling the number in the signature, you haven't verified anything — you've just asked the fraudster to confirm themselves.

2. Dual approval on outgoing payments above a threshold

No single person — regardless of title — should be able to unilaterally originate and approve a wire transfer above a set dollar amount. A second, independent set of eyes on payment details before release catches the fraud pattern almost every time, because the second reviewer isn't operating under the same manufactured urgency as the person who received the original request. Set the threshold low enough to matter for your business size; a $47,000 wire is exactly the kind of mid-size, plausible-looking amount BEC scammers favor because it clears easily without triggering extra bank-side scrutiny.

3. Treat urgency and confidentiality as red flags, not instructions

"Handle this quietly," "don't loop in anyone else," "I need this done before my flight" — these phrases exist in legitimate business communication too, which is exactly why scammers lean on them. Train your team to treat pressure to bypass the normal process as a reason to slow down and verify, not a reason to move faster. A legitimate executive who's genuinely in a rush will not be upset that you confirmed a wire transfer by phone before sending it.

4. Lock down vendor master file changes

Changes to your vendor payment records — new bank account, new remittance address, new primary contact — deserve the same scrutiny as the payments themselves. Require a second approver on any vendor master file edit, and consider a short cooling-off period between when a change is entered and when it takes effect for the next payment run, giving a second reviewer time to catch something wrong.

5. Watch the domain, not just the name

Train your team to check the actual sending domain on anything involving money, not just the display name (which is trivial to fake). A message from "John Smith, CEO" is worth a second look if the underlying address is john.smith@yourcompany-corp.com instead of john.smith@yourcompany.com. On the technical side, make sure your own domain has SPF, DKIM, and DMARC configured — this doesn't stop someone from spoofing you, but it stops attackers from successfully spoofing your domain to defraud your own vendors and customers.

6. Build a "if it moves money, it gets verified" culture — and make it easy

The controls above only work if people actually follow them under pressure, which means the verification step needs to be fast and normalized, not an annoying detour. Keep an up-to-date, easily accessible vendor contact list with verified phone numbers. Make the callback step a normal, expected part of the payment workflow rather than something that feels like accusing a colleague of being scammed. The businesses that get hit hardest are usually the ones where the process technically existed on paper but nobody actually followed it the one time it mattered.

What to do if it's already happened

If a fraudulent transfer does go out, speed is the only lever you have left. Contact your bank's fraud department immediately and request a recall or hold on the transfer — banks can sometimes intercept funds that haven't fully settled or cleared through the receiving institution, but only in a narrow window. File a complaint with the FBI's Internet Crime Complaint Center (IC3.gov) as soon as possible; the IC3's Recovery Asset Team has, in some cases, helped freeze and recover funds when notified quickly. Every hour matters — the earlier the report, the better the odds of intercepting the money before it moves again.

Make your ledger a control, not just a record

Every one of these controls depends on being able to answer basic questions fast: who approved this payment, what were the vendor's bank details before the "change," and does this transaction match a pattern we've paid before. That's much harder when your books are a mix of bank exports, spreadsheets, and half-remembered approvals — and much easier when every transaction lives in one auditable, version-controlled place.

Beancount.io keeps your full payment history in a plain-text ledger with a complete change history, so verifying a vendor's real payment record — instead of trusting whatever email just arrived — takes seconds, not a scramble through old statements. Get started for free and give your accounts payable process the paper trail that makes BEC fraud easy to catch and hard to hide.