
The Wire That Vanished: How Business Email Fraud Hits Small Firms

A convincing email from what looks like a known vendor is all it takes. One wire transfer later, the money is gone and nearly impossible to recover. Here is how the fraud works and what stops it.

Elevate Solutions
June 26, 2026 · 5 min read

An email arrives from your regular vendor — or your accountant, or your landlord. The address looks right. The invoice number is plausible. The message asks you to wire payment to a new account because the old one "had an issue." You process it before lunch.

The money is gone before you finish your afternoon.

This is business email compromise. It does not require malware, a network breach, or a sophisticated hacker. It requires a convincing email and a payment processor who did not verify. For a small firm where one person handles accounts payable, that combination is not hard to find.

The short answer: Business email compromise is a fraud scheme in which an attacker impersonates or hijacks a trusted email contact to trick someone into wiring money to an account the attacker controls. Small firms are frequent targets because payment decisions typically rest with one or two people and verification steps are informal. Proper email authentication, configured anti-impersonation policies in Microsoft 365, and a mandatory call-back rule on any banking change are the primary defenses.

How does this attack actually work?

Attackers need three things: enough context to sound credible, a convincing email address, and a built-in reason for urgency.

Context comes from your website, LinkedIn, public filings, or a prior breach of a vendor's system. A credible email address comes from one of two methods: they compromise a real account through a phished password, or they register a lookalike domain — yourvendor-invoices.com instead of yourvendor.com — and send from it. The display name in your inbox reads "Bob at Preferred Supply Co." The domain is slightly wrong only if you look at the full address, which most people do not.

Urgency is baked into the message. "Please update our banking info before you process this payment." "Wire today — our old account is being closed." "Don't call, I'm traveling — just reply here."

Why does being small make you a target, not a protection?

In a small office, payment authority is concentrated. One office manager or owner reviews invoices, approves wires, and sends the transfer. There is rarely a second person who independently reviews a payment before it leaves. Attackers know this. A firm with ten employees and informal vendor relationships is a softer target than a corporation with a three-step wire approval workflow — and it is far less likely to have configured the email security tools that slow this down.

What do the warning signs actually look like?

Fraudulent invoices do not look obviously wrong. The pressure built into the fraud exists precisely so that you do not look too closely. Watch for these:

  • The sender's full email address — not just the display name — uses a domain that differs from the real vendor's, even by one character
  • A request to update banking details or route payment to a "temporary" new account
  • Arrival timing that is unusual: late Friday, a holiday week, or immediately after a real transaction you would expect
  • An explicit reason not to call and confirm: "I'm in a meeting," "our phones are down," "just reply here to confirm"
  • An invoice that looks nearly identical to a legitimate one — because it was copied from one

What email security should I have configured in Microsoft 365 Business Premium?

Business Premium includes tools that address this directly. Most small firms have the licenses but have never fully configured the settings.

SPF, DKIM, and DMARC. These three DNS records tell receiving mail servers whether a message actually originated from your domain. SPF and DKIM are often configured at setup. DMARC is routinely left in monitor mode or skipped, which means spoofed versions of your own domain can reach inboxes with no warning. A DMARC policy set to quarantine or reject closes that gap against anyone trying to send mail that impersonates your firm's domain.
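To tell a monitor-mode record from an enforcing one, read the p= tag of the TXT record published at _dmarc.<your domain>. The following is an added example, not code from the original article: it classifies a DMARC record string you have already looked up. The function names and the sample records (which use example.com) are constructed for illustration.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into an ordered {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def dmarc_posture(txt):
    """Classify a record as missing, invalid, monitor, partial or enforced."""
    if not txt or not txt.strip():
        return "missing"
    tags = parse_dmarc(txt)
    # The version tag must come first and the policy tag is required.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor"          # reports only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    # pct below 100 applies the policy to only a sample of failing mail.
    return "enforced" if pct >= 100 else "partial"


if __name__ == "__main__":
    records = [  # constructed sample records
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25",
        "v=DMARC1; p=reject",
    ]
    for record in records:
        print(dmarc_posture(record), "<-", record)
```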

Anti-phishing policies in Defender for Office 365 Plan 1. Business Premium includes Defender for Office 365 Plan 1. Its anti-phishing policies can detect lookalike domains, flag impersonation of specific contacts you name, and apply mailbox intelligence to catch unusual patterns. The default policy provides a baseline. A configured policy that includes your key vendors and your own name does measurably more.

External sender warnings. A setting within Microsoft 365 that appends a visible notice to any email arriving from outside your organization. It costs nothing beyond your existing license and creates a moment of pause before someone acts on a message from an unfamiliar — or impersonated — address.

None of these settings configure themselves. A dedicated team that knows your environment can audit your Microsoft 365 tenant, identify what is left at default, and close those gaps in a single session.

What is the one process change that stops most of this?

A call-back rule. Any request to change banking information, add a new payee, or initiate a wire above a threshold you set gets confirmed by phone — using a number already in your records, not a number in the email. This does not require software or a vendor. It requires a decision that becomes a habit.

What do I do if a wire already went out?

Call your bank immediately and ask for a wire recall. Every hour matters. File a report with the FBI's Internet Crime Complaint Center at ic3.gov. Contact your cyber insurance carrier if you carry a policy. Recovery is not common, but speed is the only factor that meaningfully improves the odds.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions