What Is Business Email Compromise?
FBI IC3 reported losses: $2.77 billion in 2024 alone, the second-costliest category in the IC3 report after investment fraud
Scope: 73% of all reported cyber incidents involve BEC or phishing
AI acceleration: a reported 1,760% increase in BEC attacks in the year after generative AI tools became widely available
Average cost per breach: $4.88 million (IBM Cost of a Data Breach Report 2024, global average across all breach types, not BEC-specific)
Targeting: 70% of organizations experienced at least one BEC attack in the past year
It Looked Like a Normal Invoice
In August 2024, an employee at Orion S.A., a Luxembourg-based carbon black manufacturer, received an email that appeared to come from a senior executive. The email instructed the employee to process a wire transfer to a specific bank account for a pending business transaction.
The email looked legitimate. The language was professional. The request was plausible. There was no malware attached. No suspicious links. No misspelled words or broken formatting.
The employee processed the wire. Then another. Then another.
By the time anyone realized what had happened, $60 million had been wired to attacker-controlled bank accounts. Orion disclosed the loss in an SEC filing, noting that the fraud “involved multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.”
This is how business email compromise works. There’s no malware to detect. No firewall to trigger. No antivirus signature to match. BEC is pure social engineering — an attacker impersonating someone the victim trusts, asking them to do something that seems perfectly routine.
And it slips past the technical controls built to catch malicious content, because there is no malicious content to catch.
Nobody Is Too Smart for This
If you’re thinking “our team would never fall for that,” consider the companies that did.
Google and Facebook — two of the most sophisticated technology companies on Earth — lost a combined total of more than $100 million to a single Lithuanian man named Evaldas Rimasauskas. Between 2013 and 2015, he sent fake invoices impersonating Quanta Computer, a real hardware vendor both companies used. The invoices were accompanied by forged contracts, letters, and bank account details. Finance teams at both companies paid them without question.
Toyota Boshoku, a subsidiary of Toyota, lost $37 million when attackers impersonated a business partner and convinced a finance executive to change wire transfer details for an upcoming payment. The attackers had done enough research to know the exact details of the business relationship, the timing of expected payments, and the communication style of the partner.
These aren’t careless companies staffed by inattentive employees. These are global enterprises with security budgets in the hundreds of millions. BEC works because it exploits trust, authority, and urgency — not technical vulnerabilities.
The Five Types of BEC Attacks
BEC isn’t a single tactic. It’s a category of attacks that all rely on impersonation and social engineering. The FBI identifies five primary variants:
1. CEO Fraud (Executive Impersonation)
The attacker poses as a C-suite executive — typically the CEO or CFO — and emails a finance employee with an urgent wire transfer request. The email creates pressure by referencing a confidential deal, an acquisition, or a time-sensitive payment. Employees are reluctant to question executives, especially when the request is marked “urgent” and “confidential.”
2. Invoice Fraud (Vendor Impersonation)
The attacker impersonates a legitimate vendor or supplier and sends an invoice with “updated” bank account details. Because the company already expects invoices from this vendor, the payment is processed without additional verification. This is how Google and Facebook lost $100 million.
3. Account Compromise (Email Takeover)
The attacker gains access to a real employee’s email account — through phishing, credential stuffing, or infostealers — and uses it to send fraudulent payment requests to vendors, clients, or other employees. Because the email comes from a legitimate account on the real domain, it passes SPF, DKIM and DMARC like any other message from that user.
4. Attorney Impersonation
The attacker poses as a lawyer or legal representative handling a confidential matter. They contact a finance employee and pressure them into wiring funds for an “escrow payment,” “settlement,” or “retainer.” The confidential nature of legal matters discourages the employee from verifying with others.
5. Data Theft (HR/Payroll Targeting)
Instead of requesting money, the attacker targets HR or payroll departments to steal employee W-2 forms, direct deposit details, or personally identifiable information. This data is used for tax fraud, identity theft, or sold on the dark web.
AI Made It Worse — Much Worse
BEC attacks have existed for over a decade. But generative AI has supercharged them in ways that fundamentally change the threat landscape.
40% of BEC phishing emails are now AI-generated, according to recent threat intelligence reports. And the quality is dramatically better than anything human attackers produced previously.
Before AI, BEC emails often contained telltale signs: awkward phrasing, unusual formatting, generic greetings, or grammatical errors that didn’t match how the impersonated executive actually wrote. Security awareness training taught employees to look for these red flags.
AI-generated BEC emails have none of these flaws. They feature:
- Perfect grammar and syntax in any language
- Writing style mimicry — AI can analyze an executive’s previous emails (obtained from breaches or reconnaissance) and replicate their tone, vocabulary, and sentence patterns
- Contextual awareness — references to real projects, real colleagues, real deadlines, and real business relationships
- Personalization at scale — each email is unique and tailored to the specific recipient, making template-based detection useless
The threat has also evolved beyond email. Attackers now use dual-channel attacks — combining email with follow-up phone calls, text messages, or voicemail using AI-generated deepfake audio of the impersonated executive. An employee who might hesitate at an email alone will comply when a “phone call from the CEO” confirms the request.
Vendor Email Compromise (VEC) — a variant where attackers compromise a vendor’s email system and use it to send fraudulent invoices to the vendor’s customers — has increased 66%. Because the emails come from the vendor’s real email domain, they pass SPF, DKIM, and DMARC authentication. They arrive in the inbox looking identical to every other email from that vendor.
Why Your Industry Is a Prime Target
BEC attackers don’t choose targets randomly. They research industries where high-value wire transfers are routine, where urgency is a normal part of business, and where verification processes are likely to be informal.
CPAs & Accounting Firms
Why you’re targeted: You process high-dollar wire transfers and tax payments daily. During tax season, urgency is constant and volume is overwhelming. You hold Social Security numbers, bank account details, and financial records for hundreds of clients.
Common attack: An email from a “client” asking you to wire their tax payment to an updated bank account. Or an “IRS notification” requesting immediate action on a pending audit.
The risk: A single compromised wire can expose your firm to malpractice liability and destroy client relationships built over decades.
Law Firms
Why you’re targeted: You manage trust accounts, real estate closings, and settlement disbursements. Wire transfers of hundreds of thousands of dollars are routine. Attorney-client privilege discourages employees from seeking verification outside the chain of command.
Common attack: An email impersonating a partner directing an associate to wire closing funds to “updated” escrow account details. Or a fake email from opposing counsel redirecting a settlement payment.
The risk: Loss of client trust funds triggers bar association complaints, malpractice claims, and potential loss of your license to practice.
Healthcare Organizations
Why you’re targeted: You process insurance payments, vendor invoices for medical equipment and supplies, and patient billing. Many healthcare organizations operate with lean IT staff and limited cybersecurity resources.
Common attack: An email impersonating a medical supply vendor with “updated” payment instructions. Or a fake email from an insurance company requesting patient records for “claims processing.”
The risk: Financial losses compound with HIPAA violations if patient data is exposed. Average healthcare breach cost: $10.93 million (IBM Cost of a Data Breach Report 2023).
Small & Mid-Size Businesses
Why you’re targeted: You have fewer verification controls, smaller finance teams (often one person), and less formal approval processes for wire transfers. Attackers know that a single successful BEC against an SMB can be financially devastating.
Common attack: An email from the “CEO” to the bookkeeper requesting an urgent wire transfer for a new vendor payment or an acquisition deposit.
The risk: The average BEC loss can represent months of operating capital. For many SMBs, a single successful BEC attack is an existential financial event.
What You Should Do Right Now
1. Verify Payment Changes by Phone
Any request to change bank account details, wire transfer instructions, or payment methods must be verified by phone, using a number already on file for the vendor or executive, never one supplied in the email or its signature. Had it been applied, this single control would very likely have stopped every case study in this article, because each depended on the victim acting on payment instructions that arrived by email alone.
2. Implement Dual-Authorization for Wire Transfers
No single employee should be able to authorize a wire transfer above a defined threshold. Require two-person approval for any wire transfer over $10,000, and enforce a mandatory delay between request and execution for transfers over $50,000.
3. Enable MFA on All Email Accounts
Account compromise is the most dangerous form of BEC because it comes from a real email address. Multi-factor authentication stops the simple case of a stolen password, but not every case: SMS codes and push prompts can be relayed in real time by adversary-in-the-middle phishing kits or worn down by prompt fatigue, and infostealers that lift an already-authenticated session cookie bypass MFA entirely. Prioritize phishing-resistant MFA (hardware keys or passkeys) over SMS-based codes, and pair it with short session lifetimes and conditional access policies so a stolen token is worth less.
4. Train Employees on BEC Red Flags
Regular training should cover the five BEC attack types, with emphasis on urgency-based social engineering. Employees need to understand that any email requesting a payment or a change to payment instructions is potentially fraudulent, regardless of who it appears to come from.
5. Monitor Email for Suspicious Activity
Compromised accounts often set up forwarding rules to external addresses to intercept replies, create inbox rules that delete matching mail or move it to folders the owner rarely opens (RSS Feeds, Conversation History, Archive) and mark it as read, or add delegate access so the attacker can keep reading after the password is changed. Regular auditing of email rules, forwarding settings, and delegations can detect account compromise before the attacker sends fraudulent payment requests.
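As an added example (not code from the article or from any vendor), here is a small Python audit that runs the checks described above over exported mailbox rules. The rule records are constructed and use a simplified shape modeled on the Microsoft Graph messageRule resource; the field names, the internal domain example.com, and the sample addresses are assumptions to adapt to your own platform's export.

```python
"""Audit mailbox rules for the configurations BEC actors leave behind.

Constructed example. Rule records use a simplified shape modeled on the
Microsoft Graph `messageRule` resource (an assumption: adapt field names to
whatever your mail platform exports). Only rules with findings are returned.
"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
# Folders attackers use to bury intercepted mail where the real owner will not look
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Vocabulary that shows a rule is keyed to payment traffic rather than newsletters
PAYMENT_KEYWORDS = {"invoice", "wire", "payment", "ach", "remit", "bank", "swift", "iban"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def suspicious_rule_findings(rule: dict) -> list[str]:
    """Return the reasons a single rule looks like BEC tradecraft (empty if benign)."""
    reasons: list[str] = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    name = (rule.get("displayName") or "").strip()

    # 1. Forwarding or redirecting to an address outside the organisation
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for addr in actions.get(key, []):
            if _domain(addr) not in INTERNAL_DOMAINS:
                reasons.append(f"{key} external address {addr}")

    # 2. Deleting or burying matching mail so the owner never sees the replies
    folder = (actions.get("moveToFolder") or "").lower()
    hidden = bool(actions.get("delete")) or folder in HIDING_FOLDERS
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    if hidden and actions.get("markAsRead"):
        reasons.append("marks mail as read before hiding it")

    # 3. Conditions keyed to payment vocabulary
    words = {w.lower() for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for w in conditions.get(key, [])}
    hits = sorted(words & PAYMENT_KEYWORDS)
    if hits:
        reasons.append(f"matches payment keywords {hits}")

    # 4. Names chosen to be overlooked in the rules UI ('.', '..', blank)
    if len(name) <= 2:
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def audit_rules(rules_by_user: dict[str, list[dict]]) -> list[tuple[str, str, list[str]]]:
    """Run every user's rules through the checks; returns (user, rule name, reasons)."""
    findings = []
    for user, rules in rules_by_user.items():
        for rule in rules:
            reasons = suspicious_rule_findings(rule)
            if reasons:
                findings.append((user, rule.get("displayName", ""), reasons))
    return findings


# Constructed sample: one benign user, one user whose mailbox carries a BEC interception rule
SAMPLE_RULES = {
    "alice@example.com": [
        {"displayName": "Newsletters",
         "conditions": {"senderContains": ["news@"]},
         "actions": {"moveToFolder": "Newsletters", "markAsRead": True}},
    ],
    "cfo@example.com": [
        {"displayName": ".",
         "conditions": {"bodyOrSubjectContains": ["invoice", "wire", "payment"]},
         "actions": {"forwardTo": ["finance.backup@gmail.com"],
                     "moveToFolder": "RSS Feeds", "markAsRead": True, "delete": True}},
        {"displayName": "Team alias",
         "conditions": {"sentToAddresses": ["team@example.com"]},
         "actions": {"moveToFolder": "Team"}},
    ],
}

if __name__ == "__main__":
    for user, name, reasons in audit_rules(SAMPLE_RULES):
        print(f"[{user}] rule {name!r}: " + "; ".join(reasons))
```

Each check is deliberately independent so a rule that only forwards externally, or only hides payment-themed mail, still surfaces; the benign newsletter rule produces no findings because moving mail to an ordinary folder and marking it read is normal user behaviour. Run it on a schedule against a fresh export and alert on any new finding rather than on the whole list.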
6. Deploy Behavioral Detection / MDR
BEC doesn’t generate the same signals as malware. It requires monitoring for behavioral indicators: unusual login locations, impossible travel, new email forwarding rules, mass email downloads, and credential access patterns that deviate from the user’s baseline.
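The login side of the same monitoring, as an added example rather than anything from the article: a Python check that computes the implied travel speed between each user's consecutive successful sign-ins and flags pairs no flight could explain, ignoring failed attempts and near-by IP changes. The sign-in events, coordinates and IP addresses are constructed (documentation ranges), and the 900 km/h threshold and 100 km floor are assumptions to tune for your own user population.

```python
"""Flag impossible travel: two successful sign-ins by one account whose
geographic separation could not be covered in the elapsed time.

Constructed example. Events carry a minimal set of fields (user, UTC time,
latitude/longitude from IP geolocation, source IP, success flag); real sign-in
logs use vendor-specific names for these (an assumption: map them first).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# A commercial flight does roughly 900 km/h; a faster implied speed between two
# real sign-ins means either VPN churn or a second party holding the credentials.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    ip: str
    success: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=100.0):
    """Return (user, earlier, later, km, kmh) for each pair of consecutive
    successful sign-ins implying a speed above max_kmh. Failed attempts are
    ignored (they are noise from password spraying, not travel), and pairs
    closer than min_km are skipped so two IPs in one metro area do not alert."""
    by_user: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.success:
            by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append((user, prev, cur, round(km), round(kmh)))
    return findings


def _t(hhmm: str) -> datetime:
    """Constructed timestamps on one day, UTC."""
    h, m = hhmm.split(":")
    return datetime(2024, 8, 5, int(h), int(m), tzinfo=timezone.utc)


# Constructed sample. Coordinates are approximate city centres; IPs are documentation ranges.
SAMPLE_EVENTS = [
    SignIn("alice@example.com", _t("08:00"), 49.61, 6.13, "203.0.113.10", True),   # Luxembourg
    SignIn("alice@example.com", _t("11:00"), 50.11, 8.68, "203.0.113.11", True),   # Frankfurt, 3 h later
    SignIn("bob@example.com",   _t("08:00"), 49.61, 6.13, "203.0.113.20", True),   # office
    SignIn("bob@example.com",   _t("08:05"), 49.61, 6.13, "203.0.113.21", True),   # same city, new IP
    SignIn("cfo@example.com",   _t("08:02"), 49.61, 6.13, "203.0.113.30", True),   # Luxembourg
    SignIn("cfo@example.com",   _t("09:45"), 6.52, 3.38, "198.51.100.23", False),  # Lagos, wrong password
    SignIn("cfo@example.com",   _t("09:47"), 6.52, 3.38, "198.51.100.23", True),   # Lagos, succeeded
]

if __name__ == "__main__":
    for user, a, b, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{user}: {a.ip} -> {b.ip}, {km} km in "
              f"{(b.ts - a.ts).total_seconds() / 60:.0f} min (~{kmh} km/h)")
```

Only the CFO's pair fires: roughly 4,800 km covered in under two hours. Alice's drive to Frankfurt and Bob's IP change inside one city stay quiet, which is the point of the distance floor and the speed threshold. In production, feed the findings into the same queue as new-forwarding-rule alerts, since the two signals together (a sign-in from an unexpected geography followed by a fresh inbox rule) are close to a confirmed takeover.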
Why MDR Catches What Email Filters Miss
Email Security Alone
- Blocks known malicious domains and attachments
- Has little to go on when mail comes from a compromised legitimate account
- Fluent AI-generated text gives content analysis little to key on
- No visibility into post-delivery account behavior
- Helpless against vendor email compromise (real domain, real account)
MDR with Behavioral Detection
- Detects suspicious email forwarding rules and delegate access
- Identifies credential theft and account compromise in real time
- Flags unusual login patterns and impossible travel
- Monitors for mass email downloads and data exfiltration
- 24/7 monitoring catches account takeover before the wire goes out
Email security filters are designed to block malicious content — malware attachments, known phishing URLs, and spoofed domains. BEC attacks don’t use any of these. They use clean text from legitimate or lookalike accounts.
MDR doesn’t just watch your email gateway. It monitors the entire identity and access layer — every login, every email rule change, every access pattern across your environment. When an attacker compromises an account and sets up forwarding rules to intercept replies, MDR catches it. When credentials are used from an impossible geographic location, MDR catches it. When an account that normally accesses email suddenly starts downloading the entire mailbox, MDR catches it.
The Orion S.A. $60 million loss, the Toyota $37 million loss, the Google/Facebook $100 million loss: in every case the fraud required the attacker to communicate by email and the victim to process wire transfers. Where the attacker works from a compromised account (account compromise, vendor email compromise), behavioral monitoring at the account level can flag the anomalies before the money moves. Where the attacker only impersonates from a lookalike domain, as with the Quanta invoices sent to Google and Facebook, there is no compromised account to watch, and the payment verification controls above are what stop the loss.
The Bottom Line
BEC doesn’t trigger antivirus. It doesn’t trip your firewall. It doesn’t match a threat signature. It arrives as a normal-looking email from someone you trust, asking you to do something you do every day. The defenses that work are out-of-band payment verification and dual authorization on the process side, and, on the technical side, monitoring for the behavioral signals of account compromise (suspicious login patterns, new email forwarding rules, credential theft, and unusual access behavior) before the attacker sends the email that costs you everything.
Stop the wire before it’s too late.
Our MDR service provides 24/7 monitoring for account compromise, suspicious email rules, and credential theft — catching the behavioral signals of BEC before the fraudulent wire transfer is ever sent.
Book a Free Consultation