An email arrives. It looks like it's from your boss. The name is right, the title is right, the tone is right — slightly impatient in the way of someone who has been in too many meetings. Wire money to a new account before noon. The deal is sensitive. Don't loop in anyone else yet.

You send the wire.

Three hours later, you find out your boss never wrote that email.

Business Email Compromise. The FBI calls it that. The bureau's Internet Crime Complaint Centre, IC3, tallied nearly three billion dollars in reported losses from this single type of fraud in 2023 alone, making it the second-costliest cybercrime category recorded in the United States that year, behind only investment fraud, most of it cryptocurrency-related, which overtook it the previous year. Not ransomware. Not data theft. Not any of the high-tech intrusions that get written up in security journals. An email. A message that looked completely legitimate, sent from an address that appeared to belong to someone you trusted.

What follows is how this works. Not who did it. How it was built, how it got worse, and whether any of it can still be done today.

It can.
THE FIRST TRICK: LOOKING LIKE SOMEONE ELSE

The original version of this scam was almost painfully simple. Somebody registers a domain name that looks like yours. If your company's email is at widgetcorp.com, the fraudster might register widgetc0rp.com — a zero where the O should be. Or widgercorp.com. Or widget-corp.com with a hyphen between the two words. These domains cost eight dollars and take five minutes to set up.

From that address, a scammer sends an email to your finance department impersonating the CEO. The message is short. Urgent. It arrives on a Friday afternoon, or before a long weekend, or during a stretch when the real executive is publicly known to be travelling. The scammer has done their homework. They know the names of key employees, the org chart, what the CEO sounds like in writing. Months of public statements, press releases, and LinkedIn posts have made that easy.

The finance employee wires the money. Overworked, behind on other things, given no training that would make this kind of request look unusual.

Done.

This is usually lumped in under domain spoofing, though strictly it is domain impersonation: the attacker owns the lookalike domain, so mail from it is, as far as any server can tell, genuine mail from widgetc0rp.com. Its cousin is the exact spoof, where the From address claims to be widgetcorp.com itself without the attacker owning anything. Neither requires technical skill beyond the ability to register a website or fill in a header. Both worked extraordinarily well starting in 2013, the year the FBI began tracking this category, because companies had no systems in place to stop them.

Some still don't.

There is a technical standard called DMARC. The letters stand for Domain-based Message Authentication, Reporting, and Conformance. It lets the receiving server check whether a message claiming to come from widgetcorp.com actually carries widgetcorp.com's own authorisation (a passing SPF or DKIM result whose domain aligns with the From address), and it lets the domain owner publish what to do on failure: report it only (p=none), send it to spam (p=quarantine), or refuse it outright (p=reject). Only the strictest setting blocks the exact spoof before it reaches anyone's inbox. It does nothing against the lookalike domain, which the attacker owns and can authenticate perfectly well as itself; that needs separate monitoring for confusable registrations. The specification was published by an industry group in 2012 and became an IETF RFC in 2015. The U.S. government ordered all federal agencies to reach p=reject in 2017. Private companies have been slower. Much slower. As of the mid-2020s, a significant share of businesses either publish no record or sit at p=none, where spoofs are counted but still delivered. That eight-dollar domain trick, and the zero-dollar exact spoof, still work on a meaningful fraction of the corporate world.
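Two checks a mail gateway or domain owner can run, as an added example that is not part of the article: the first classifies what a published DMARC record actually enforces, the second decides whether a sender's domain is an exact spoof, a subdomain, or a confusable lookalike of the domain being protected. The DMARC records are constructed strings (a real check fetches the TXT record at _dmarc.<domain>); the domains are the article's widgetcorp.com and its variants plus constructed ones; the homoglyph table is an illustrative subset, and the registrable-label logic ignores the Public Suffix List.

```python
"""DMARC enforcement classifier and lookalike-domain check (added example)."""
from typing import Dict

POLICY_LEVEL = {"none": 0, "quarantine": 1, "reject": 2}

# Substitutions attackers use to make one label look like another (illustrative subset).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: str) -> str:
    """Classify what a DMARC record actually does to mail that fails authentication.

    'monitor-only' (p=none or sp=none) reports spoofs but delivers them; pct<100
    applies the policy to only that share of failing mail; the effective policy is
    the weaker of p and sp, because a spoof of pay.widgetcorp.com follows sp, not p.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in POLICY_LEVEL:
        return "invalid"
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in POLICY_LEVEL:
        return "invalid"
    effective = min(policy, sub_policy, key=POLICY_LEVEL.get)
    pct = int(tags.get("pct", "100"))
    if effective == "none":
        return "monitor-only"
    if pct < 100:
        return f"partial ({pct}% {effective})"
    return effective


def registrable_label(domain: str) -> str:
    """'mail.widgetc0rp.com' -> 'widgetc0rp' (simplified: no Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalise(label: str) -> str:
    """Collapse hyphens and homoglyphs so 'widget-c0rp' and 'widgetcorp' compare equal."""
    text = label.replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for one-keystroke typos such as widgercorp."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def lookalike_verdict(sender_domain: str, protected_domain: str, max_typos: int = 1) -> str:
    """How a sender's From domain relates to the domain being protected."""
    sender, protected = sender_domain.lower(), protected_domain.lower()
    if sender == protected:
        return "exact"                # only DMARC alignment can vouch for this one
    if sender.endswith("." + protected):
        return "subdomain"            # governed by the sp= policy, not p=
    if protected in sender:
        return "embedded"             # e.g. widgetcorp.com.secure-mail.net (constructed)
    a, b = normalise(registrable_label(sender)), normalise(registrable_label(protected))
    if a == b:
        return "homoglyph-or-hyphen"
    if edit_distance(a, b) <= max_typos:
        return "typo"
    return "unrelated"


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@widgetcorp.com", "v=DMARC1; p=reject; sp=none",
                "v=DMARC1; p=quarantine; pct=25", "v=DMARC1; p=reject"):
        print(f"{rec!r:55} -> {dmarc_enforcement(rec)}")
    for dom in ("widgetc0rp.com", "widgercorp.com", "widget-corp.com", "pay.widgetcorp.com"):
        print(f"{dom:22} -> {lookalike_verdict(dom, 'widgetcorp.com')}")
```

The two checks are complementary: an "exact" verdict is the case DMARC alignment settles, while every other non-"unrelated" verdict is a domain the attacker can legitimately authenticate, so it has to be caught by the gateway (or pre-empted by registering the variants yourself) rather than by any policy widgetcorp.com publishes.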

THE SECOND TRICK: GETTING INSIDE THE ACCOUNT

At some point, the fraudsters stopped pretending to be the CEO and started actually becoming whoever held the CEO's password.

This is called account compromise, and it begins with phishing. Not an obvious scam email from an unknown sender. Targeted phishing. An attacker spends weeks studying an organisation, identifies the specific employee with access to the payment approval system, and sends that person an email that looks like it came from Microsoft or Google or the company's own IT department, asking them to verify their login credentials.

The link goes to a page that looks exactly like the real sign-in screen. The employee types their password. The attacker has it now.

What happens next is patient and deliberate. The attacker logs in and reads emails for weeks. Sometimes months. Nothing is stolen yet. Every message is studied for what it reveals about the company's payment processes, its vendor relationships, which invoices are expected and when, what the CFO's writing style looks like. The goal is to become, for all practical purposes, an insider.

Then the attacker strikes, at a moment chosen based on everything they've read. A message goes out from the real account, sent from inside it, asking a vendor to update their banking information, or telling an employee to redirect a payment, or requesting an emergency wire transfer.

There is no spoofed domain now. The email is genuine: it leaves the company's own mail server, so it passes SPF, DKIM and DMARC, and every reputation filter sees a sender it has trusted for years. The money moves. The account holder has no idea. The attacker, logged in from a second session, deletes any reply that might raise an alarm.

THE THIRD TRICK: DEFEATING THE THING THAT WAS SUPPOSED TO STOP THEM

By 2019 and into the early 2020s, companies started pushing back. The answer was multi-factor authentication, known as MFA. The six-digit code that gets sent to your phone. The push notification from an app. The prompt that fires when you try to log in from a new device. Even if an attacker had your password, they still couldn't get in without your phone.

This worked. For a while.

The workaround is called Adversary-in-the-Middle. AiTM. The attacker stands up a login page that is really a reverse proxy: every request the victim makes is forwarded in real time to the genuine Microsoft or Google server, and every response comes back through the same path. The victim types the password; the proxy passes it on. The prompt for the six-digit code, or the push notification, fires on the victim's own phone, and the victim answers it. The real server, satisfied, sets the session cookie, the token it will accept from then on as proof that authentication completed, and that cookie travels back through the attacker's proxy, which keeps a copy. The attacker now holds not just the password but the proof. The MFA prompt that was supposed to stop them was never asked of them directly; the victim answered it for them.

Microsoft's security researchers documented campaigns using this technique against more than ten thousand organisations beginning in September 2021. The software kits used to run the relay weren't custom-built from scratch. They were sold, ready-made, on criminal markets. The barrier to entry was not technical genius. It was money, and not much of it.
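The relay described above, simulated with both sides of the exchange as an added example (not Microsoft's analysis code and not any real kit). The identity provider, the attacker's proxy, the hostnames and every secret are constructed; an HMAC stands in for the security key's private-key signature, which keeps the point (the signature covers the origin the browser is actually on) while skipping key handling. It shows the code-based login handing the relay a usable cookie, and the same relay getting nothing when the second factor is an origin-bound WebAuthn assertion.

```python
"""Adversary-in-the-middle relay against code-based MFA vs. origin-bound WebAuthn (added example)."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.widgetcorp.com"            # constructed: the genuine login host
PHISH_ORIGIN = "https://login.widgetcorp-secure.net"    # constructed: the attacker's relay host


def hotp_like(secret: bytes, counter: int) -> str:
    """Six-digit HOTP-style code (RFC 4226 truncation); stands in for the app or SMS code."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"


def sign_client_data(key: bytes, client_data: dict) -> bytes:
    """Authenticator signature over clientDataJSON. HMAC replaces the real asymmetric signature."""
    return hmac.new(key, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).digest()


class IdentityProvider:
    """The real login server. Issues a session cookie once authentication completes."""

    def __init__(self):
        self.password = "correct horse battery staple"      # constructed
        self.otp_secret = b"constructed-otp-seed"
        self.credential_key = b"constructed-authenticator-key"  # shared with the simulated key below
        self.pending_challenges = set()
        self.sessions = set()

    def _issue_cookie(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_with_code(self, password: str, code: str, counter: int):
        if password != self.password or not hmac.compare_digest(code, hotp_like(self.otp_secret, counter)):
            return None
        return self._issue_cookie()   # nothing here binds the code to the page it was typed into

    def webauthn_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending_challenges.add(challenge)
        return challenge

    def login_with_assertion(self, client_data: dict, signature: bytes):
        # WebAuthn §7.2: the relying party checks the origin the browser recorded before it
        # trusts the signature, and the signature covers that origin, so a relay can neither
        # forward the assertion unchanged nor rewrite the origin field.
        if client_data.get("origin") != REAL_ORIGIN:
            return None
        if client_data.get("challenge") not in self.pending_challenges:
            return None
        self.pending_challenges.discard(client_data["challenge"])
        if not hmac.compare_digest(sign_client_data(self.credential_key, client_data), signature):
            return None
        return self._issue_cookie()


class Relay:
    """Attacker's reverse proxy: forwards every request to the real IdP and keeps any cookie it sees."""

    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.captured = []

    def _keep(self, cookie):
        if cookie:
            self.captured.append(cookie)
        return cookie

    def login_with_code(self, *args):
        return self._keep(self.idp.login_with_code(*args))

    def webauthn_challenge(self):
        return self.idp.webauthn_challenge()

    def login_with_assertion(self, client_data, signature):
        return self._keep(self.idp.login_with_assertion(client_data, signature))


def browser_assertion(idp: IdentityProvider, challenge: str, origin: str):
    """The victim's browser plus security key: signs the challenge together with the page origin it is on."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return client_data, sign_client_data(idp.credential_key, client_data)


def run_scenarios() -> dict:
    results, idp = {}, IdentityProvider()

    # 1. Password plus six-digit code typed into the phishing page and relayed: attacker gets a live session.
    relay = Relay(idp)
    relay.login_with_code(idp.password, hotp_like(idp.otp_secret, 7), 7)
    results["code_mfa_relayed"] = bool(relay.captured) and relay.captured[-1] in idp.sessions

    # 2. Security key used on the phishing page: the assertion names PHISH_ORIGIN, so the IdP refuses it.
    relay = Relay(idp)
    client_data, sig = browser_assertion(idp, relay.webauthn_challenge(), PHISH_ORIGIN)
    relay.login_with_assertion(client_data, sig)
    results["webauthn_relayed"] = bool(relay.captured)

    # 3. Same key on the genuine site works, so the refusal above is the origin binding, not a broken key.
    client_data, sig = browser_assertion(idp, idp.webauthn_challenge(), REAL_ORIGIN)
    results["webauthn_genuine"] = idp.login_with_assertion(client_data, sig) in idp.sessions
    return results


if __name__ == "__main__":
    print(run_scenarios())  # {'code_mfa_relayed': True, 'webauthn_relayed': False, 'webauthn_genuine': True}
```

In a real browser the key would refuse to sign at all on the phishing host, because the credential is scoped to the genuine site's domain; the origin check in the server is the second, independent layer. Either one is enough to leave the relay with nothing to keep.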

Once inside an account using a stolen session, the attacker creates inbox rules. Automated instructions the mail server applies to each arriving message before the owner sees it. Any email containing the word "invoice" gets forwarded to an external address. Anything from certain senders gets deleted. Messages about wire transfers are marked as read, or moved into a folder nobody opens, before the account holder ever sees them. Rules created in the web-based interface don't always show up in the desktop client, so a rule visible in one view can be invisible in the other. The FBI specifically warned organisations about this synchronisation gap in 2020, and it is why such rules are worth hunting in the server's audit log rather than in whichever client the owner happens to use.
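A scan for the rules just described, as an added example not drawn from the article or from Microsoft's or the FBI's tooling. The records are constructed in the shape of Microsoft 365 mailbox-audit entries (an Operation such as New-InboxRule plus a Parameters list of Name/Value pairs); the field names follow that shape, but real exports carry more fields and richer recipient formats. Because the audit log records the rule at creation, the scan works regardless of which client later fails to display it.

```python
"""Flag inbox rules typical of BEC persistence in mailbox-audit records (added example)."""
import json
import re
from typing import Dict, List, Optional

ORG_DOMAINS = {"widgetcorp.com"}   # constructed: the domains your own users send from
FINANCE_WORDS = re.compile(r"\b(invoice|billing|payment|wire|bank|remit\w*|transfer|iban|swift)\b", re.I)
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items", "junk email", "conversation history"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FILTER_PARAMS = {"From", "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}

# Constructed sample: two attacker rules, one harmless rule, one internal update, one unrelated event.
SAMPLE_EVENTS = [
    '{"Operation":"New-InboxRule","UserId":"cfo@widgetcorp.com","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;wire;payment"},'
    '{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"ap@widgetcorp.com","ClientIP":"198.51.100.23",'
    '"Parameters":[{"Name":"Name","Value":"Sync"},{"Name":"From","Value":"vendor-billing@acmeparts.com"},'
    '{"Name":"ForwardTo","Value":"ap.widgetcorp@webmail-backup.net"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"alice@widgetcorp.com","ClientIP":"192.0.2.10",'
    '"Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@industryweekly.com"},'
    '{"Name":"MoveToFolder","Value":"Reading"}]}',
    '{"Operation":"Set-InboxRule","UserId":"bob@widgetcorp.com","ClientIP":"192.0.2.11",'
    '"Parameters":[{"Name":"Identity","Value":"Out of office cover"},{"Name":"ForwardTo","Value":"assistant@widgetcorp.com"}]}',
    '{"Operation":"MailItemsAccessed","UserId":"bob@widgetcorp.com","ClientIP":"192.0.2.11","Parameters":[]}',
]


def rule_parameters(event: dict) -> Dict[str, str]:
    """Flatten the Parameters list into a Name -> Value map."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def has_external_recipient(value: str) -> bool:
    """True if any address in a ForwardTo/RedirectTo value lies outside ORG_DOMAINS."""
    for token in re.split(r"[;,\s<>]+", value):
        if "@" in token and token.rsplit("@", 1)[1].lower().strip(".") not in ORG_DOMAINS:
            return True
    return False


def assess_rule(event: dict) -> Optional[dict]:
    """Return a finding for a rule that forwards out or hides finance-related mail; else None."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = rule_parameters(event)
    money = bool(FINANCE_WORDS.search(" ".join(v for k, v in p.items() if k in FILTER_PARAMS)))
    reasons, high = [], False
    for name in sorted(FORWARD_PARAMS & p.keys()):
        if has_external_recipient(p[name]):
            reasons.append(f"{name} sends mail outside the organisation: {p[name]}")
            high = True
    if money and p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes finance-related mail before the owner sees it")
        high = True
    if money and p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"buries finance-related mail in '{p['MoveToFolder']}'")
        high = True
    if money and p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks finance-related mail as read")
    rule_name = p.get("Name", p.get("Identity", "")).strip()
    if reasons and len(rule_name) <= 1:
        reasons.append(f"near-empty rule name {rule_name!r}, a common attempt to look innocuous")
    if not reasons:
        return None
    return {"user": event.get("UserId"), "client_ip": event.get("ClientIP"), "rule": rule_name,
            "severity": "high" if high else "medium", "reasons": reasons}


def scan(lines: List[str]) -> List[dict]:
    """Run assess_rule over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        finding = assess_rule(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["user"], f["rule"] or "<unnamed>", "|", "; ".join(f["reasons"]))
```

Each finding carries the ClientIP from the record so it can be joined against sign-in logs; a rule created from an address the user has never signed in from is the strongest single signal here, and the residential-proxy trick described later is precisely an attempt to blunt it.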

The account owner logs in every morning. The inbox looks normal.
THE FOURTH TRICK: HIDING WHERE THEY ARE

Any competent fraud-detection system looks for logins from unusual locations. If you always log in from Winnipeg, someone authenticating from a server in Eastern Europe should trigger an alert.

The attackers solved this with residential proxies. Ordinary home broadband connections, quietly enrolled in networks the attacker rents, typically through malware or through proxy software bundled into free apps whose users never read what they agreed to. When an attacker logs into a compromised account, the traffic exits through a real home internet connection in the victim's city or country. The login appears to originate from a local ISP. Geographic anomaly detection fires on nothing. The attacker looks like a person working from home on a normal afternoon.

Cybersecurity researchers have documented BEC operators maintaining networks of hundreds of compromised residential connections for exactly this purpose.

WHERE THE MONEY GOES AND HOW MUCH COMES BACK

The FBI established a Recovery Asset Team in February 2018. Its job is to intercept fraudulent wire transfers before they clear the financial system. In 2023, the team handled more than three thousand cases involving nearly $758 million at risk. It froze $538 million of that. A seventy-one per cent success rate.

That sounds good. It isn't.

The twenty-nine per cent that couldn't be frozen, more than two hundred million dollars in a single year, was gone. The success rate has been falling. It dropped to sixty-six per cent in 2024. Attackers now route stolen funds to cryptocurrency exchanges or through rapid chains of bank accounts across multiple countries. Once money has been converted to cryptocurrency and moved off the first exchange, recovery is rare.

The funds that do get stopped are stopped because the victim called the FBI fast. Very fast. Within hours. The wire transfer system has a window, narrow and getting narrower, during which a transfer can be flagged and recalled. By the following morning, that window is usually closed.

IC3 figures cover only crimes that get reported to it. Cybercrime researchers widely agree the true losses are substantially higher than anything in the official tallies.

CAN IT STILL BE DONE TODAY?

Yes. Obviously yes.

The exact-domain spoof still works on organisations that haven't deployed DMARC at full enforcement, and many haven't; the lookalike-domain version works regardless, because the attacker's domain authenticates fine as itself. The credential-theft version still works because people still click on phishing links, and no training programme has reduced that number to zero. The AiTM session-cookie theft works against every form of MFA whose second factor is something the victim can hand over: a code, an approved push, a phone call. It fails against FIDO2/WebAuthn credentials, whether hardware security keys or the passkeys now built into phones and browsers, and against certificate-based authentication, because the proof those produce is bound to the site the browser is actually talking to, and a relay on a different domain cannot obtain a proof for the real one. Microsoft's write-up of the 2021 campaign recommended exactly these as phishing-resistant. But rolling them out costs money and user training, and they are not yet standard practice at most organisations.

The inbox-rule persistence trick still works because most organisations don't monitor for suspicious rule creation inside their own email systems. The residential-proxy technique still works because separating legitimate home-office logins from proxy-routed attacker logins requires a level of behavioural analysis most companies don't have.

The FBI freezes more dollars than it did in 2018, but a smaller share of what is at risk. Billions of dollars still go missing every year. And the speed at which funds move after the transfer has gotten worse. Attackers have adapted to the recovery window. They've gotten faster.

The email authentication standard that could stop the exact-domain version of this attack has been available since 2012. It is free to implement. The U.S. government mandated it for federal agencies in 2017. Many of the world's private companies still haven't deployed it at the enforcement level that actually blocks spoofed emails.

THE LAST THING TO KNOW

Business Email Compromise doesn't target only large corporations. The FBI's data makes this clear. Small businesses, law firms, real estate agents, healthcare providers, charities, and private individuals have all been victimised. The attackers don't discriminate by size. They discriminate by whether money moves through email instructions — and money moves through email instructions everywhere.

The attack evolved from an eight-dollar domain registration into a sophisticated chain involving session-cookie theft, inbox rule manipulation, and residential proxy networks. But its core hasn't changed since 2013. Someone receives an email that appears to be from a person they trust. They act on it. The money is gone before anyone knows what happened.

You get one window. Maybe an hour. Maybe less.

The FBI's Internet Crime Complaint Centre is at ic3.gov. If something feels wrong, that's where you go. Now. Not tomorrow.

Sources: FBI IC3 Annual Reports 2019–2024; FBI IC3 PSA I-091124-PSA ("The $55 Billion Scam," September 2024); Microsoft Security Blog (July 2022, June 2023); CISA Binding Operational Directive 18-01 (2017); FBI Recovery Asset Team reporting; FinCEN Advisories FIN-2016-A003 and FIN-2019-A005.

© 2026 The Media Glen Publishing / Synexmedia.com. All rights reserved.