This case study examines a Business Email Compromise attack based on documented FBI complaint patterns. It illustrates how BEC fraud works in practice and how a simple verification step would have prevented total loss.
The Business
A 12-person architecture firm in the Midwest. The owner, David, handles all wire transfers personally. The firm regularly pays contractors and consultants ranging from $5,000 to $80,000.
The Attack
A criminal monitored the firm's email domain and social media to identify the key contractor relationships. They sent an email that appeared to come from a regular contractor the firm had worked with for three years.
The email was sent from contractor-firm.invoicing@gmail.com — but displayed as "Accounts Receivable - Contractor Name" in the email client. The real contractor's domain was contractor-firm.com.
The Message
"Hi David — hope you're well. Our bank is switching providers this month and we're updating payment information for all clients. Please direct future payments to our new account: [new bank details]. This applies immediately to the outstanding invoice from last month. Thanks."
The Transfer
David was expecting the invoice from this contractor. He updated the bank details in QuickBooks and processed the wire transfer of $47,000. The fraud wasn't discovered until the real contractor called about the overdue payment two weeks later.
Recovery Attempt
David's bank filed a recall request through SWIFT. The funds had been transferred through three intermediary accounts and converted to cryptocurrency within hours. Only $3,200 was recovered.
Prevention: The One Step That Would Have Stopped This
A phone call to the contractor — using the saved phone number from his existing contacts, not from the suspicious email — would have immediately revealed the fraud.
Policy: Any request to change bank or payment details must be verified by phone on a previously confirmed number before processing. No exceptions.
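The sender mismatch described under The Attack and the call-back policy above can be backed by an automated pre-check on incoming mail. The following is an added example, not part of the original case study: the function name, the vendor domain list, the phrase list and the sample recipient address are assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default

# Assumption: domains copied from the firm's vendor records, verified out of band.
VERIFIED_VENDOR_DOMAINS = {"contractor-firm.com"}
# Assumption: illustrative phrases only; tune them to the firm's real mail.
PAYMENT_CHANGE_PHRASES = ("new account", "payment information",
                          "bank details", "switching providers")

def assess(raw_message: str) -> list[str]:
    """Return the reasons a message must be held for call-back verification."""
    msg = message_from_string(raw_message, policy=default)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["missing_sender"]
    reasons = []
    sender = from_header.addresses[0]
    domain = sender.domain.lower()
    if domain not in VERIFIED_VENDOR_DOMAINS:
        # The display name is chosen by the sender, so only the address counts.
        # Flag a vendor's name reused in the mailbox name on a foreign domain.
        for vendor_domain in VERIFIED_VENDOR_DOMAINS:
            vendor_label = vendor_domain.split(".")[0]
            if vendor_label in sender.username.lower():
                reasons.append(f"vendor_name_on_foreign_domain:{domain}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(phrase in body for phrase in PAYMENT_CHANGE_PHRASES):
        # Per the policy: every change request needs a call-back, whoever sent it.
        reasons.append("payment_detail_change")
    return reasons

# Constructed sample modelled on the case study (not a real captured message).
SAMPLE = (
    'From: "Accounts Receivable - Contractor Name" '
    "<contractor-firm.invoicing@gmail.com>\n"
    "To: david@example.com\n"
    "Subject: Updated payment information\n"
    "\n"
    "Hi David - hope you're well. Our bank is switching providers this month\n"
    "and we're updating payment information for all clients. Please direct\n"
    "future payments to our new account.\n"
)

if __name__ == "__main__":
    for reason in assess(SAMPLE):
        print("HOLD:", reason)
```

A message from the verified domain that asks for new bank details is still flagged, because the policy allows no exceptions and a compromised vendor mailbox would pass the domain check.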