    Advanced · Lesson 6 of 9 · Phishing & social-engineering email

    Business Email Compromise (BEC) — How to Stop the $50bn Wire-Fraud Pattern in 2026

    Business email compromise is a wire-fraud attack where an impersonator — posing as a CEO, CFO, supplier, or M&A counterparty — convinces a finance team to redirect a legitimate payment. The 2026 variant uses prior-mailbox-compromise context plus deepfake voice and routinely defeats organisations that rely on email-only confirmation.

    Reviewed by the HackersHub team. Updated 13 May 2026. 10 min read. Free to use under CC-BY-ND 4.0.

    The scenario

    A mid-market Dutch construction firm is closing on a €4.2M property purchase. Two weeks before completion, the AP clerk receives an email from the seller's solicitor — the actual solicitor's correct email address. The message says the firm's client account is being audited and asks for the funds to be wired to the solicitor's personal account 'in escrow'. The signature, footer, and prior correspondence references all match. The AP clerk forwards it to the partner for approval. The partner approves. €4.2M leaves. Forty-eight hours later the seller calls asking when the wire is arriving — the solicitor's mailbox had been compromised three months earlier through a forgotten OAuth grant. The funds had already moved through five mule accounts in Hong Kong and Turkey. Less than €110k was recovered. The fraud was reported to FBI IC3, the Dutch police, and the solicitor's PI insurer; the loss was uninsured under the construction firm's cyber policy because no malware crossed their network and no employee was 'phished' in the classical sense. The legitimate sender was the attack vector.

    How the attack works

    Modern BEC is not a single email; it is a campaign that often runs for weeks. The most common variants in 2026 are CEO/CFO impersonation, supplier impersonation (also called vendor email compromise, VEC), and M&A deal redirect. Each follows the same arc: the attacker gains access to a relevant mailbox (often via OAuth consent phishing, credential stuffing, or a stolen session cookie), spends days reading the ongoing transactions, frequently adds an inbox rule that forwards or hides the relevant thread, and then steps in at the precise moment a wire instruction is exchanged. In VEC the attacker uses the legitimate supplier's mailbox to send a 'banking details have changed' notice timed exactly to a real invoice. In CEO fraud the attacker spoofs (or compromises) the CEO's account and asks an executive assistant to push through an unbudgeted payment 'for the deal I cannot talk about yet'. In M&A redirect the attacker monitors counsel mailboxes and intervenes in the week of closing. MITRE ATT&CK techniques: T1656 (Impersonation), T1114.002 (Email Collection: Remote Email Collection), T1114.003 (Email Collection: Email Forwarding Rule), T1078.004 (Valid Accounts: Cloud Accounts), T1539 (Steal Web Session Cookie). The technical defence is identity and mailbox hardening; the operational defence is process, specifically a two-person rule on payment-instruction changes that cannot be bypassed by any single email, however legitimate it appears.

    What to look for

    • Any email instructing a change to banking details, IBAN, BIC, account name, or beneficiary — regardless of how trustworthy the sender appears
    • Pressure to complete a payment before a specific time, often framed as compliance, audit, regulatory deadline, or executive travel
    • A request to use a new contact method introduced inside the message ('please call me on this new number')
    • Slight changes in the sender's email style — different greeting, removed signature block, different language formality
    • Auto-forwarding or auto-reply rules you did not create appearing in your mailbox — a hallmark of attacker mailbox occupation
    • Sudden 'I am stuck at the airport, please handle this for me' messages from executives, especially when they really are travelling
    • An invoice with the right reference number but a payment instruction that contradicts the contract or the supplier's normal banking details
    • A 'reply-all' that has been narrowed to just one recipient — attackers often peel a single victim away from the wider thread

    What to do

    1. Treat every payment-detail change as unverified until proven otherwise, every time, with no exceptions. 'It has happened before with this supplier' is not a reason to skip the check; attackers wait for the moment you stop verifying.
    2. Call the requester on a number from your verified contact records, never one taken from the message. Use the number from the contract, your CRM, or a prior verified exchange. A number supplied inside the suspicious message belongs to whoever wrote that message.
    3. Require two-person authorisation on any payment-instruction change above your defined threshold: two real humans, on two different channels. One person signing both sides defeats the control.
    4. If the message comes from an internal executive, verify in person or by a Teams/Slack call on their known account, not by email alone. Deepfake voice is cheap in 2026; live video is harder to fake, and in person is hardest.
    5. If money has already moved, call the bank within the first hour to request a recall. Many wire frauds can be partially or fully recalled if the receiving bank is notified within the first day. Escalate to finance leadership and security at the same time.
    6. Report to FBI IC3 (US), the Politie and NCSC-NL (Netherlands), or your local fraud authority. Authorities have international channels for clawback that you do not; reporting is free and improves recovery odds.
    7. Preserve all email headers, message IDs, attachments and timestamps. Do not delete or 'tidy up' anything. Move the messages to a quarantine folder and let your security team pull the full forensic record.
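Steps 1 to 3 above are a process, and a process can be encoded so that a single email cannot satisfy it. The gate below is an added example written for this module; it is not HackersHub code and not a real finance system. The vendor master, the change request and the approvals are constructed sample data, and the EUR 10,000 two-person threshold is an assumed policy value. It checks that the new IBAN passes the ISO 13616 mod-97 checksum, that a callback went to the number held in the vendor master rather than one supplied in the message, and that above threshold two different people approved on two different non-email channels. It checks the process, not what was said on the call.

```python
"""Gate a payment-instruction change the way steps 1 to 3 above require.

Added example for this module, not HackersHub code and not a real finance
system. Vendor master, change request and approvals are constructed; the
EUR 10,000 two-person threshold is an assumed policy value.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

IBAN_RE = re.compile(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}")
TWO_PERSON_THRESHOLD_EUR = 10_000.0          # assumed policy threshold


def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map A-Z to 10-35, and the resulting integer mod 97 must equal 1.
    This catches typos and fabricated numbers, not a valid mule account."""
    s = normalise_iban(iban)
    if not IBAN_RE.fullmatch(s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


@dataclass(frozen=True)
class Vendor:
    name: str
    iban: str          # from the signed contract / vendor master, never from email
    phone: str         # verified callback number, same source


@dataclass(frozen=True)
class ChangeRequest:
    vendor: str
    new_iban: str
    amount_eur: float
    phone_in_message: str | None = None   # 'please call me on this new number'


@dataclass(frozen=True)
class Approval:
    approver: str
    channel: str                           # "callback", "in_person", "video", "email"
    number_dialled: str | None = None      # only meaningful for "callback"


# Constructed vendor master; in practice this is the ERP/CRM field or portal.
VENDOR_MASTER = {
    "Solicitor Example LLP": Vendor("Solicitor Example LLP",
                                    "NL91ABNA0417164300", "+31 20 555 0100"),
}


def assess_change(req: ChangeRequest, approvals: list[Approval],
                  vendor_master: dict[str, Vendor] = VENDOR_MASTER) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Any reason blocks the change."""
    reasons: list[str] = []
    vendor = vendor_master.get(req.vendor)
    if vendor is None:
        reasons.append("unknown vendor: a first payment to a new vendor needs the stricter new-vendor process")
    if not iban_valid(req.new_iban):
        reasons.append(f"new IBAN {req.new_iban!r} fails the mod-97 check")
    # Email is a notification channel, never a verification channel (step 1).
    verifications = [a for a in approvals if a.channel != "email"]
    callbacks = [a for a in verifications if a.channel == "callback"]
    if not callbacks:
        reasons.append("no callback on a verified number (step 2)")
    for cb in callbacks:
        if vendor and cb.number_dialled == vendor.phone:
            continue                                   # vendor-master number: fine
        if req.phone_in_message and cb.number_dialled == req.phone_in_message:
            reasons.append(f"{cb.approver} dialled the number supplied in the message, not the vendor master")
        else:
            reasons.append(f"{cb.approver} dialled {cb.number_dialled!r}, which is not the vendor-master number")
    if req.amount_eur >= TWO_PERSON_THRESHOLD_EUR:
        people = {a.approver for a in verifications}
        channels = {a.channel for a in verifications}
        if len(people) < 2 or len(channels) < 2:
            reasons.append("two-person rule (step 3): need two different approvers on two different non-email channels")
    return (not reasons), reasons


def scenario() -> tuple[tuple[bool, list[str]], tuple[bool, list[str]]]:
    """The page's scenario as it happened, then the same change done properly."""
    req = ChangeRequest("Solicitor Example LLP", "GB82 WEST 1234 5698 7654 32",
                        4_200_000.0, phone_in_message="+44 20 5550 0199")
    # As happened: the clerk calls the number in the email, the partner approves by email.
    bad = assess_change(req, [Approval("ap.clerk", "callback", "+44 20 5550 0199"),
                              Approval("partner", "email")])
    # With the control: callback on the vendor-master number, second person on a second channel.
    good = assess_change(req, [Approval("ap.clerk", "callback", "+31 20 555 0100"),
                               Approval("partner", "video")])
    return bad, good


if __name__ == "__main__":
    for label, (ok, reasons) in zip(("as happened", "with the control"), scenario()):
        print(label, "->", "APPROVED" if ok else "BLOCKED", *reasons, sep="\n  ")
```

In the "as happened" run the gate blocks on two grounds: the only callback went to the attacker's number, and a single person verified a change far above threshold. Both IBANs in the sample pass the checksum; that is the point of the vendor-master comparison and the callback, since a mule account is a perfectly valid bank account.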

    Defence: for IT and policy

    Technical controls

    • Enforce DMARC p=reject on all sending domains, with BIMI for the brand-verified inbox UX (BIMI requires an enforcing DMARC policy anyway). This drastically reduces external spoofing of your own domains; it does nothing against mail sent from a genuinely compromised mailbox, as in the scenario above, which is why the process controls still carry the load
    • Conditional Access (Microsoft 365) or Context-Aware Access (Google Workspace) policies that require phishing-resistant MFA (FIDO2 / passkeys) for finance, AP and executive accounts on every interactive sign-in, and at minimum for any session from a new country or new IP
    • Mailbox auditing turned on at maximum verbosity, with alerts on: new auto-forwarding rules, new inbox rules with 'delete' actions, new OAuth consent grants, sign-ins from anonymous-proxy infrastructure
    • Anti-impersonation policies on the mail gateway that flag display-name impersonation of executives even when the sending domain is external
    • Outbound DLP rules that warn or block when banking-detail-shaped data is being mailed externally for the first time
    • External-sender banners, even in an all-Microsoft-365 environment, to slow down 'auto-trust' of internal-looking messages
    • Periodic OAuth consent review on every cloud tenant and revocation of any third-party app that no one in finance, HR or IT recognises
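The mailbox-occupation indicators from "What to look for" (a forwarding rule you did not create) and the alert conditions in the list above (new forwarding rules, rules that delete or hide mail, new OAuth consent grants) can be turned into detection logic over the tenant's audit log. The script below is an added example written for this module, not code from HackersHub or Microsoft. The records are constructed and only approximate the AuditData shape returned by Search-UnifiedAuditLog and the Office 365 Management Activity API (Operation, UserId, ClientIP, Parameters as Name/Value pairs); the tenant domain, field names and record contents are assumptions to check against a real export before deploying.

```python
"""Flag attacker mailbox persistence in Microsoft 365 audit records.

Added example for this module, not HackersHub or Microsoft code. Records are
constructed and only approximate the AuditData shape of Search-UnifiedAuditLog;
the tenant domain and field names are assumptions.
"""
from __future__ import annotations

from collections import defaultdict

INTERNAL_DOMAINS = {"example-construct.nl"}                # assumed tenant domains
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
# Folders attackers use so the victim never sees the replies they intercept
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                "deleted items", "conversation history"}
FINANCE_WORDS = {"invoice", "payment", "iban", "wire", "bank", "remittance"}
RISKY_SCOPES = ("Mail.Read", "Mail.ReadWrite", "MailboxSettings", "offline_access")

SAMPLE_AUDIT = [  # constructed records, not from a real tenant
    {"Operation": "New-InboxRule", "Workload": "Exchange", "ClientIP": "203.0.113.7",
     "UserId": "ap.clerk@example-construct.nl",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:relay@mail-drop.example"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "Workload": "Exchange", "ClientIP": "203.0.113.7",
     "UserId": "partner@example-construct.nl",
     "Parameters": [{"Name": "Identity", "Value": "Clean up"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "ClientIP": "198.51.100.20",
     "UserId": "hr@example-construct.nl",                  # benign: a newsletter filter
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor-news.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "Workload": "Exchange", "ClientIP": "203.0.113.7",
     "UserId": "cfo@example-construct.nl",
     "Parameters": [{"Name": "Identity", "Value": "cfo"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.backup@webmail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "ClientIP": "203.0.113.7", "UserId": "partner@example-construct.nl",
     "ObjectId": "Mail Sync Helper",
     "ExtendedProperties": [{"Name": "ConsentAction.Permissions",
                             "Value": "Mail.Read offline_access"}]},
]


def _params(record: dict) -> dict[str, str]:
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _domain(address: str) -> str:
    addr = address.strip().split(":")[-1]            # "smtp:user@dom" -> "user@dom"
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def analyse(records: list[dict], internal_domains: set[str] = INTERNAL_DOMAINS) -> list[dict]:
    """Return one finding per suspicious record, in input order."""
    findings: list[dict] = []
    for r in records:
        op, user = r.get("Operation", ""), r.get("UserId", "?")
        base = {"user": user, "operation": op, "client_ip": r.get("ClientIP", "")}
        if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            p = _params(r)
            external = sorted({t.strip() for k in FORWARD_PARAMS for t in p.get(k, "").split(";")
                               if t.strip() and _domain(t) not in internal_domains})
            hides = (_is_true(p.get("DeleteMessage", ""))
                     or p.get("MoveToFolder", "").strip().lower() in HIDE_FOLDERS)
            words = {w.strip().lower() for k in ("SubjectContainsWords", "BodyContainsWords")
                     for w in p.get(k, "").split(";") if w.strip()}
            if external:   # mail leaving the tenant: the classic BEC forwarding rule
                findings.append({**base, "severity": "HIGH",
                                 "reason": "forwards mail outside the tenant to " + ", ".join(external)})
            elif hides:    # replies hidden from the victim; finance keywords make it worse
                sev = "HIGH" if words & FINANCE_WORDS else "MEDIUM"
                findings.append({**base, "severity": sev, "reason": "rule deletes or hides incoming mail"
                                 + (" matching finance keywords" if sev == "HIGH" else "")})
        elif op == "Consent to application.":
            scopes = " ".join(str(e.get("Value", "")) for e in r.get("ExtendedProperties", []))
            sev = "HIGH" if any(s in scopes for s in RISKY_SCOPES) else "MEDIUM"
            findings.append({**base, "severity": sev,
                             "reason": f"OAuth consent to {r.get('ObjectId', '?')!r} with scopes: {scopes or 'unknown'}"})
    return findings


def shared_source_ips(records: list[dict]) -> dict[str, set[str]]:
    """IPs that touched more than one mailbox: one operator working several victims."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.get("ClientIP") and r.get("UserId"):
            by_ip[r["ClientIP"]].add(r["UserId"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for f in analyse(SAMPLE_AUDIT):
        print(f"[{f['severity']}] {f['user']} {f['operation']}: {f['reason']}")
    for ip, users in shared_source_ips(SAMPLE_AUDIT).items():
        print(f"[PIVOT] {ip} acted on {len(users)} mailboxes: {', '.join(sorted(users))}")
```

The benign newsletter rule produces no finding, which is the false-positive case these alerts have to survive: key on where the mail goes (outside the tenant, or into folders nobody reads), not on the mere existence of a rule. The source-IP pivot is what turns three separate alerts into one incident.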

    Policy controls

    • Two-person rule, in writing, on every payment-instruction change above threshold — and a stricter rule on any first payment to a new vendor
    • A single canonical channel for vendor banking details (a portal, a contract, a CRM field) — banking details are NEVER updated based on email content alone
    • An explicit 'no-blame, fastest path to security' reporting culture — measured by reporting rate, not click rate
    • Quarterly tabletop exercise that walks finance + executives through a simulated BEC, including the 'money has already moved' branch
    • Documented incident-response playbook with the specific phone numbers of: the bank's fraud line, the firm's cyber insurer, local police cybercrime unit, FBI IC3 (if any US connection)
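The first technical control above asks for DMARC p=reject; most domains found in the wild sit at p=none, a monitoring-only setting that still lets spoofed mail through. The checker below is an added example written for this module, not HackersHub code. The three record strings are constructed; in production you would fetch the TXT record at _dmarc.<domain> (for instance with dnspython) and pass it to assess_dmarc. The BIMI prerequisite applied here (enforcing policy at pct=100 with a subdomain policy other than 'none') is the commonly stated requirement and is an assumption to confirm against the current BIMI specification.

```python
"""Check a DMARC record for the weaknesses that leave a domain spoofable.

Added example for this module, not HackersHub code. Record strings are
constructed; fetch the real one from _dmarc.<domain> and pass it in.
"""
from __future__ import annotations


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary (tags lower-cased)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt: str) -> list[str]:
    """Return the list of weaknesses; an empty list means the record is enforcing."""
    t = parse_dmarc(txt)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: v=DMARC1 tag missing"]
    issues: list[str] = []
    p = t.get("p", "").lower()
    if p != "reject":
        issues.append(f"p={p or 'missing'}: spoofed mail that fails DMARC is "
                      + ("still delivered" if p in ("", "none") else "only quarantined"))
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={t.get('pct')}: {100 - pct}% of failing mail is exempt from the policy")
    sp = t.get("sp", p).lower()          # sp defaults to p when absent
    if sp != "reject":
        issues.append(f"sp={sp or 'missing'}: subdomains (e.g. invoices.<domain>) can be spoofed")
    if "rua" not in t:
        issues.append("no rua= address: without aggregate reports you cannot see who sends as your domain")
    return issues


def bimi_eligible(txt: str) -> bool:
    """Assumed BIMI prerequisite: enforcing policy, pct=100, subdomain policy not 'none'."""
    t = parse_dmarc(txt)
    p = t.get("p", "").lower()
    sp = t.get("sp", p).lower()
    return p in ("quarantine", "reject") and t.get("pct", "100") == "100" and sp != "none"


# Constructed records: monitoring-only as commonly found, a half-way deployment,
# and the enforcing record this module asks for.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-construct.nl"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=20; sp=none"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-rua@example-construct.nl; "
                 "ruf=mailto:dmarc-ruf@example-construct.nl; fo=1")

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)):
        issues = assess_dmarc(rec)
        print(f"{name}: {'OK' if not issues else 'WEAK'}; BIMI eligible: {bimi_eligible(rec)}")
        for issue in issues:
            print("  -", issue)
```

Run the strong record past your own domain before rolling it out: p=reject with no aggregate reports first is how legitimate third-party senders (payroll, ticketing, marketing) get silently rejected. Move p=none to p=quarantine to p=reject only after the rua reports show every legitimate source passing SPF or DKIM alignment.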

    Training frequency

    BEC remains one of the highest-loss cybercrime patterns by reported losses in 2026. Awareness training alone is insufficient: pair this module with quarterly simulated BEC campaigns aimed directly at finance, AP, executives and EAs, and an annual tabletop exercise in which the 'wire is already gone' branch is rehearsed. Measure reporting rate as your primary metric, not click rate.

    Quick check

    Five questions. Answers and explanations appear after submission.

    Q1. A long-standing supplier emails you that their banking details have changed and attaches a new invoice with a new IBAN. Their email signature, prior threads and tone are identical to before. What is your correct first action?

    Q2. Which control most directly reduces the financial exposure of BEC, regardless of mailbox compromise?

    Q3. Money has been wired in response to a BEC. What is the most time-critical action?

    Q4. You notice a new mailbox rule in your account that auto-forwards external email to an unfamiliar address and marks it as read. What is the most likely cause?

    Q5. Which factor most strongly distinguishes BEC from generic phishing?


    This module has been approved by HackersHub in exactly this form, including the watermark. Free under CC-BY-ND 4.0. Want to adapt the content? Then remove our watermark first. The HackersHub team. See licence terms.