In the newsletter I told you about a 72-year-old in Austin who almost fed 5,000 dollars into a Bitcoin machine. Here is the part I did not have room for: the exact same con runs against businesses for six and seven figures, and I am going to show you precisely how the money vanishes and how to stop it.
See Where Your Business Stands →
A plain A-to-F grade on your Windows PCs. No card needed to see it.
The problem: A wire transfer scam does not hack your computer. It hacks your process, walks your own money out the front door, and leaves your bank shrugging. And the version aimed at your business is not a lucky guess, it is a patient, researched ambush.
The straight answer: You cannot train your way to zero, and you cannot personally watch every inbox. What actually stops this is a verification habit your team is allowed to use, plus someone watching your systems who catches the break-in before the wire ever goes out. I will show you both, and exactly what we do about it.
Hey folks! Here is the thing almost every article about this scam gets wrong. They make it sound like one clever email showed up out of the blue and somebody dumb clicked it. That is not how the expensive version works, and understanding the real version is the difference between defending against it and getting robbed by it.
Here is what actually happens to a business. Weeks before any money moves, a crook gets into a real email account, yours, your bookkeeper’s, or your vendor’s. Sometimes they buy the password off the dark web, sometimes they phished it. Then they do the patient thing: they sit. They read. For days or weeks they watch the conversations, learn who pays whom, learn the tone, learn that you always pay that supplier on the 15th. They are not guessing. They are studying.
Then they set up hidden rules inside that mailbox, so replies from the real vendor get auto-deleted or shoved into a folder nobody checks. Now the crook and your bookkeeper are having two separate conversations, and neither of the honest people can see the other. When the real invoice comes due, the crook strikes at the perfect moment with perfect context: “Hi, quick note, we’ve switched banks, here are the new wire details for this month’s payment.” It matches the amount. It matches the timing. It matches the relationship. That is why your sharp, careful bookkeeper sends it. It was an ambush, and she walked into a spot the crook picked weeks ago.
That is business email compromise, and it is the same play that got the woman in Austin, just dressed for the office. Same three moves every time: wear a mask you trust, manufacture a reason it has to happen now, and steer the money onto a rail that only runs one way.
When people hear “the bank couldn’t get it back,” they assume the bank was lazy. It was not. Let me walk you through what happens in the hours after that wire leaves, because once you see it, you understand why prevention is the only real protection.
1. You authorized it. In the bank’s eyes, you told them to send that wire. It is not fraud on your account, it is a payment you approved. That single fact is why there is almost never a chargeback.
2. It lands in a mule account. The money hits a “money mule,” often a regular person who was themselves recruited by a scam. Within hours it is pulled out or split across several accounts.
3. It becomes crypto, then vapor. The pieces get converted to cryptocurrency and run through mixers that blur the trail across borders. By the time you notice, days later, it has been laundered through three countries.
4. The clock already ran out. You get maybe 24 to 72 hours to have a prayer of a recall, and only if you catch it immediately. Most businesses find out on day three, when the real vendor asks where their money is.
And here is the gut-punch a lot of owners find out too late: your insurance may not cover it. This flavor of loss, often called “social engineering fraud,” is regularly excluded or sharply sub-limited unless you bought that coverage on purpose and can prove you had verification controls in place. Roughly one in seven insured firms that filed a cyber claim last year had it denied for not meeting the controls they promised. So “we’re insured” is a comfort that evaporates in the exact moment you need it. The money is gone, and the safety net had a hole in it.
Now let me give you the opinion I have earned in more than 35 years of this, the one the security industry does not want to say out loud. Most businesses spend their entire security budget guarding the wrong door. They buy firewalls and antivirus to protect the computer, while the actual money walks out through a human and a wire. The spend does not match the threat.
Think about it. No malware fired. No alarm went off. Your antivirus did its job perfectly and your business still lost forty grand, because the attack was never against the machine. It was against your process, your trust, and your culture. You cannot patch a bookkeeper who was told to be helpful and fast.
And here is the uncomfortable second half: they are coming for you because you are small. A big company has two-person approval on wires and a controller who verifies every bank change. You have a trusting employee and no second signature. The crooks industrialized hitting soft targets, and to them a 30-person company is a soft target with a real bank balance. That is not an insult. It is the reason you need a plan a big company would have, without hiring a big company’s IT department.
It gets sharper from here, too. The old advice, “call the vendor to verify,” is already under attack, because the hosers can now clone a voice from a few seconds of audio. Call back the number on the email and you may reach the crook, using the boss’s cloned voice. That is why verification has to be done your way, on a number you already had, with a question only the real person can answer.
You do not need to wait for anybody. Three moves, no cost, and they shut down the most expensive version of the wire transfer scam.
1. Make one rule absolute: bank changes and wires get verified out loud.
Any wire, and any change to a vendor’s bank details, gets confirmed by a call to a number you already had on file, never the one in the email, and using a code word or a question only the real person knows. Voice cloning has killed “it sounded like him.” A shared secret still works. Put it in writing, and make it plain that verifying is doing the job right, not being difficult.
2. Turn on multi-factor on every email account, today.
The whole ambush starts with a crook getting into a mailbox. Multi-factor authentication, a second code beyond the password, is the single cheapest thing that shuts that front door. If email is the crime scene, lock the email first.
3. See what’s already open, before they use it.
These cons ride in on a crook already poking at your systems. Run a Reveal scan on your Windows computers and get a plain grade, A to F, on each one, plus the exposed spots a criminal would use as a foothold. It turns “I think we’re fine” into a real answer in a few minutes. It is the same first step most of the businesses I now manage took before they ever became clients.
My father fell for a phishing email. I have spent my whole career in this, and it still got him. Scammers got remote access to his computer and started hunting for his financial papers. My step-mother noticed something was off, called me, and I jumped in remotely and stopped them before they reached his bank credentials. We were lucky. We caught it in time. That was one man, one computer, and I was a phone call away. Most business owners do not get that phone call.
I have spent more than 35 years at this, since 1991. FBI InfraGard. Not one client I manage has ever been hit by ransomware, and not one has wired money to a crook on our watch, because we are watching the exact places these cons come through. That is not a brag. It is the whole point of having a guide instead of a product.
No, and I want you to hear it plainly. Your spam filter hunts for junk and known-bad senders. A clean note from inside a real, hijacked mailbox sails right through. Your bank sees a wire you approved, so to them it is legitimate. And your insurance, as we covered, may exclude social-engineering fraud or deny the claim if you cannot prove you had verification controls.
Every safety net you are counting on sits after the money moves. The only reliable catch happens before, on your side, with a verification habit and someone actually watching the systems these cons come through.
No hand-waving. Here is exactly what you get:
Book a Fit Call →
A straight conversation about where you stand and whether we can help. That is it.
Want this kind of plain-English security news every week? Sign up for Craig’s Insider Notes at CraigPeterson.com.
#WireTransferScam #BusinessEmailCompromise #SmallBusinessSecurity #CyberSafety #ForwardToSafety
Join thousands of security professionals who receive Craig Peterson's Insider Show Notes and cybersecurity updates.
Tagged with: