Article · 5 min · For Owners
Why every business is now in scope
If you receive invoices, you're a target. Construction, professional services, retail, nonprofits — anyone who moves money to vendors that change occasionally is in the dataset attackers buy. Public records, LinkedIn pages, and procurement notices give them what they need to write a convincing email.
The one rule that prevents almost every attempt
Any change to a vendor's payment details — bank account, routing number, address, ACH method — requires a phone call to a phone number you already had. Not the one in the email. Not the one on the new invoice. The one in your records from before today. That single rule defeats the overwhelming majority of attacks we see.
Make the rule a checkbox, not a habit
Don't leave it to memory. The verification process should be a one-page form your AP team signs off on for every change — name of caller, number called, date, signed. Audited quarterly. Documented in writing once, used every time.
Insurance is not a substitute
Cyber-fraud coverage will sometimes pay out, but the deductibles are climbing and the carriers are getting strict about prior controls. The cheapest fraud insurance you'll buy is the playbook above — and a 30-minute training session for everyone who touches AP.
Frequently asked questions
What's a typical wire-fraud loss for a small business?
The FBI's annual Internet Crime Report has for years ranked Business Email Compromise (BEC) at or near the top of all categories by reported dollar losses (investment fraud has overtaken it in the most recent reports, but BEC still accounts for well over $2 billion a year in reported losses). Individual losses vary widely: a typical small-business loss is in the tens of thousands, while the average is pushed into six figures by a small number of very large transfers. The losses cluster around real-estate closings, vendor payment-instruction changes, and CFO/CEO impersonation.
Can a wire transfer be recovered if we catch it within hours?
Sometimes. The FBI's Financial Fraud Kill Chain can freeze and return funds, but its published criteria are narrow: an international wire of $50,000 or more, reported to IC3 within 72 hours of the transfer, with a SWIFT recall initiated through the sending bank. Domestic transfers and smaller amounts go through the banks' own recall process instead, and the odds drop sharply after the first 24 hours either way. Call the sending bank's fraud line immediately and ask for a recall, file an IC3.gov report, and notify your FBI field office. Speed matters more than thoroughness in the first hour.
What's the single most effective control to prevent wire fraud?
Out-of-band verification of bank-change requests: call the requester at a number you already had on file (not the one in the email or on the new invoice) before processing any change to payment instructions. One phone call defeats almost every BEC scheme, including the hardest variant, where the attacker is writing from the vendor's real, compromised mailbox. Pair it with SPF, DKIM and DMARC (with a reject policy) on your own domain so attackers cannot send mail that appears to come from your exact domain. Note what that does not do: it has no effect on lookalike domains (yourcompany-inc.com, or "rn" in place of "m"), which the attacker registers and controls and can authenticate perfectly well. Staff still have to compare the sender's domain against the one on file, character by character.
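The two controls in this answer, the callback to a number already on file (the "one rule" earlier on the page) and the sender-domain comparison, combined into a small triage routine. This is an added example, not code from the original page or from any vendor's product. The vendor record, the change request, the phone numbers and the domains are all constructed for illustration; the homoglyph table and the edit-distance threshold of 2 are assumptions you would tune to your own vendor list.

```python
"""Triage a vendor payment-change request: sender-domain check plus the callback rule.

Added example. The vendor record and request below are constructed data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    """What AP had on file BEFORE today's request arrived."""
    name: str
    email_domain: str
    phones_on_file: tuple          # numbers recorded before the request
    bank_account_last4: str


@dataclass(frozen=True)
class ChangeRequest:
    """What the incoming email asks for."""
    from_domain: str
    reply_to_domain: str
    phone_in_email: str            # the number the email says to call
    new_bank_account_last4: str


# Assumed substitutions attackers use in lookalike domains (extend as needed).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Fold common look-alike characters so 'acrne.com' compares equal to 'acme.com'."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(record: VendorRecord, request: ChangeRequest) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for the From domain."""
    known = record.email_domain.lower()
    seen = request.from_domain.lower()
    if seen == known:
        return "exact"
    if normalize_domain(seen) == normalize_domain(known):
        return "lookalike"                     # homoglyph swap
    if edit_distance(seen, known) <= 2:
        return "lookalike"                     # typo-squat, swapped TLD
    known_label, seen_label = known.split(".")[0], seen.split(".")[0]
    if len(known_label) >= 4 and known_label in seen_label:
        return "lookalike"                     # acme-supply-billing.com
    return "unrelated"


def triage(record: VendorRecord, request: ChangeRequest,
           callback_number: Optional[str], vendor_confirmed: bool = False) -> dict:
    """Decide whether AP may process the change. Only a callback to a number on file,
    on which the vendor confirmed the change, clears it; a clean sender never does,
    because a compromised vendor mailbox sends from the exact domain."""
    findings = []
    sender = classify_sender(record, request)
    if sender == "lookalike":
        findings.append(f"sender domain {request.from_domain} imitates {record.email_domain}")
    elif sender == "unrelated":
        findings.append(f"sender domain {request.from_domain} is not the vendor's domain")
    if request.reply_to_domain.lower() != request.from_domain.lower():
        findings.append("Reply-To points at a different domain than From")

    if callback_number is None:
        findings.append("no callback made")
        verified = False
    elif callback_number in record.phones_on_file:
        verified = vendor_confirmed
        if not vendor_confirmed:
            findings.append("vendor did not confirm the change on the call")
    else:
        verified = False
        if callback_number == request.phone_in_email:
            findings.append("callback went to the number supplied in the email, not a number on file")
        else:
            findings.append("callback number is not on file")

    return {"decision": "PROCESS" if verified else "HOLD",
            "sender": sender, "verified": verified, "findings": findings}


# Constructed sample: the vendor on file and a request from an 'rn'-for-'m' lookalike.
VENDOR = VendorRecord("Acme Supply", "acme-supply.com", ("+1-555-010-2000",), "4417")
REQUEST = ChangeRequest("acrne-supply.com", "acrne-supply.com", "+1-555-010-9999", "8831")

if __name__ == "__main__":
    print(triage(VENDOR, REQUEST, "+1-555-010-9999"))                    # HOLD: called the email's number
    print(triage(VENDOR, REQUEST, "+1-555-010-2000", vendor_confirmed=True))  # PROCESS, lookalike still logged
```

The decision never turns on the domain check alone: a lookalike domain is logged as a finding, but the only thing that moves a request to PROCESS is a call to a number that was on file before the request arrived, on which the vendor confirmed the new details. That matches the one-page form described earlier on the page, which records exactly those fields.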
How is BEC different from ransomware?
Ransomware encrypts your data and demands payment to decrypt. BEC tricks your staff into willingly sending money to an attacker's account. Ransomware is loud and visible; BEC is quiet and often discovered weeks later when the legitimate vendor calls asking where their payment is. Both need separate controls.