FBI Reports $55 Billion in BEC Losses: A Wire Fraud Prevention Guide
FBI reports $55 billion lost to business email compromise over a decade. The payment verification controls that prevent wire fraud at SMBs.

The FBI’s Internet Crime Complaint Center (IC3) now attributes 73% of all reported cyber incidents to business email compromise, with cumulative losses exceeding $55 billion over the past decade. In 2025 alone, BEC accounted for $2.9 billion in reported losses. The average loss per successful attack is $137,000, which is enough to eliminate a quarter’s profit at a 100-person company.
BEC doesn’t trigger antivirus alerts or encrypt your files. An employee wires money to what they believe is a legitimate vendor or executive. By the time anyone notices, the funds are in an overseas account. The fix isn’t better spam filters. It’s stronger financial controls.
What BEC Actually Looks Like Inside Your Company
BEC attacks follow predictable patterns. Understanding the three most common scenarios helps your finance team recognize them before money moves.
Fake invoice redirects. Your accounts payable team receives an email from a vendor you’ve worked with for years. The email explains that the vendor has changed banks and provides new wire instructions. The invoice looks identical to previous ones, uses the correct PO numbers, and references real deliverables. The only thing that changed is the bank account, which now belongs to the attacker. These attacks often originate from a compromised vendor email account, which means the sender address is real.
CEO or executive impersonation. Your controller receives an urgent email from the CEO requesting a wire transfer for a “confidential acquisition” or “time-sensitive vendor payment.” The email warns against discussing it with others because the deal is under NDA. The attacker has studied your org chart on LinkedIn, knows the CEO’s communication style from public interviews or social media, and times the request for when the CEO is traveling or unavailable. The urgency and confidentiality create pressure to skip verification steps.
Compromised vendor email chains. This is the hardest variant to detect. An attacker gains access to a vendor’s actual email account and monitors ongoing conversations for weeks. When they spot a large payment approaching, they insert themselves into the email thread with updated payment instructions. Because the thread history is real and the email address is legitimate, even cautious employees often comply.
All three scenarios share one trait: there is no malware to detect. The email itself is the weapon. Traditional email security tools designed to catch malicious links and infected attachments don’t flag these messages because there is nothing technically malicious in them.
Why Traditional Email Security Misses BEC
Spam filters, antivirus engines, and sandboxing tools look for malicious payloads: executable attachments, phishing URLs, known malware signatures. BEC emails contain none of that. They are plain text messages asking someone to do something they’re authorized to do, like process a payment or update vendor records.
Even advanced email security platforms struggle with BEC when the attacker is sending from a genuinely compromised account. The email passes SPF, DKIM, and DMARC checks because it really is coming from the sender’s domain. The IP reputation is clean because it really is the vendor’s mail server. Header analysis shows nothing suspicious because the infrastructure is legitimate.
This is why BEC is a financial controls problem, not just a cybersecurity problem. You cannot filter your way out of it. The defense has to happen at the point where a human decides to move money.
The Orion $60 Million Warning
In 2024, Orion S.A., a Luxembourg-based chemical company with operations worldwide, lost $60 million to a single BEC attack. Attackers compromised email accounts involved in legitimate transactions, then redirected multiple wire transfers over a period of weeks. Orion disclosed the loss in an SEC filing, noting that the funds were unlikely to be recovered.
Orion is not a small company with an understaffed accounting department. They are a publicly traded corporation with compliance obligations, internal audit functions, and a professional finance team. The attackers succeeded because the emails came from real accounts, referenced real transactions, and exploited trust that had been built over months of legitimate business communication.
If a company with Orion’s resources can lose $60 million, a 75-person firm in Dallas processing vendor payments through a three-person accounting team is at significantly higher risk. The difference between Orion’s outcome and a better one comes down to whether verification controls existed and were followed.
A Verification Protocol That Actually Works
The most effective defense against BEC costs nothing to implement. It’s a set of mandatory verification steps for any payment request that changes how or where money is sent. We’ve covered BEC defenses broadly before, but here’s the specific payment verification protocol your finance team should adopt.
Out-of-band confirmation for every payment change. Any request to update bank account details, redirect a payment, or process a new wire must be confirmed through a communication channel separate from the one the request arrived on. If the request came by email, verify it by phone. If it came by phone, verify it by email to a known address. The critical rule: use contact information you already have on file, never the contact details included in the request itself.
Dual authorization for wire transfers. No single person should be able to initiate and approve a wire transfer. Require two authorized individuals to sign off on any outgoing wire, with the second approver independently verifying the recipient’s bank details. Set a dollar threshold appropriate for your business. Many companies use $5,000 or $10,000 as the trigger for mandatory dual approval, but any payment change request should require it regardless of amount.
Callback to known numbers only. When verifying a request by phone, call the number stored in your vendor master file or CRM. Do not call a number provided in the email, voicemail, or text message that contained the original request. Attackers routinely include callback numbers that route to accomplices who will confirm the fraudulent request.
Written policy with no exceptions. Document this protocol and distribute it to everyone involved in payment processing: controllers, AP clerks, office managers, and executives who authorize spending. The policy should explicitly state that urgency, seniority, and confidentiality are not valid reasons to skip verification. These are exactly the levers attackers use.
Print it. Post it next to the desk of every person who processes payments. Make it part of new-hire onboarding for finance roles.
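One way to make this protocol checkable rather than a matter of memory is to encode the four rules as a release check that runs before a wire goes out. The PowerShell function below is an added example, not part of the original article or of any product; the vendor master file, vendor ID, phone numbers, account strings and approver names are constructed sample data, and the function name and parameter layout are hypothetical.

```powershell
# Added example (not from the original article): the payment-change verification
# protocol as a pre-release check. The master file is constructed sample data; in
# practice it comes from your ERP or CRM, never from the request being verified.
$VendorMaster = @{
    'ACME-0042' = @{ Name = 'Acme Industrial'; Phone = '+1-214-555-0100'; Bank = '021000021/123456789' }
}

function Test-PaymentChangeRequest {
    param(
        [Parameter(Mandatory)] [hashtable] $Request,        # what arrived (vendor, amount, bank, channel...)
        [Parameter(Mandatory)] [hashtable] $Verification,   # what the AP clerk actually did to verify it
        [decimal] $DualApprovalThreshold = 5000             # dollar trigger for mandatory dual approval
    )
    $findings = @()
    $vendor = $VendorMaster[$Request.VendorId]
    if (-not $vendor) { $findings += "Vendor $($Request.VendorId) is not in the master file" }

    # Rule 1: a change of bank details must be confirmed on a different channel than it arrived on.
    $isChange = $vendor -and ($Request.Bank -ne $vendor.Bank)
    if ($isChange -and $Verification.Channel -eq $Request.Channel) {
        $findings += "Verification used the same channel ($($Request.Channel)) the request arrived on"
    }

    # Rule 2: callbacks go only to the number on file, never to one supplied in the request.
    if ($isChange -and $Verification.CalledNumber -ne $vendor.Phone) {
        $findings += "Callback went to $($Verification.CalledNumber), not the number on file ($($vendor.Phone))"
    }
    if ($Verification.CalledNumber -and $Verification.CalledNumber -eq $Request.CallbackNumber) {
        $findings += "Callback number was taken from the request itself"
    }

    # Rule 3: dual authorization above the threshold and for every change; approvers must be
    #         two distinct people, and neither may be the person who initiated the payment.
    $needsDual = $isChange -or ($Request.Amount -ge $DualApprovalThreshold)
    $approvers = @(@($Verification.Approvers) | Where-Object { $_ } | Select-Object -Unique)
    if ($needsDual -and $approvers.Count -lt 2) {
        $findings += "Dual authorization required but only $($approvers.Count) distinct approver(s)"
    }
    if ($approvers -contains $Request.Initiator) {
        $findings += "Initiator $($Request.Initiator) cannot also be an approver"
    }

    # Rule 4: urgency, seniority and confidentiality are never valid reasons to skip the checks.
    if ($Request.SkipReason) {
        $findings += "Verification was skipped citing '$($Request.SkipReason)'; the policy allows no exceptions"
    }

    [pscustomobject]@{ Release = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: the "vendor changed banks" email, verified two different ways.
$request = @{ VendorId = 'ACME-0042'; Amount = 48000; Bank = '026009593/987654321'; Channel = 'email'
              CallbackNumber = '+1-469-555-0199'; Initiator = 'ap.clerk'; SkipReason = $null }
$properly   = @{ Channel = 'phone'; CalledNumber = '+1-214-555-0100'; Approvers = @('controller', 'cfo') }
$improperly = @{ Channel = 'phone'; CalledNumber = '+1-469-555-0199'; Approvers = @('ap.clerk', 'ap.clerk') }
Test-PaymentChangeRequest -Request $request -Verification $properly
Test-PaymentChangeRequest -Request $request -Verification $improperly
```

The second call fails on every rule the article lists: the clerk dialed the number printed in the email, that number is not the one on file, and the same person appears as initiator and both approvers. The point of the check is that it reads only the vendor master file for contact and bank data; nothing in the incoming request can satisfy it.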
How Microsoft 365 Defender Detects BEC Patterns
While verification controls are your primary defense, your email platform can provide an early warning layer. Microsoft 365 Defender includes several BEC-specific detection capabilities that many SMBs have licensed but never configured.
Impersonation protection flags emails where the sender’s display name closely matches an internal executive or trusted partner but the domain doesn’t match. You configure a list of protected users (typically C-suite and finance team members) and protected domains (key vendors and partners). When Defender detects a lookalike, it can quarantine the message or add a safety tip warning the recipient.
Mailbox intelligence analyzes each user’s communication history and flags messages that deviate from established patterns. If your controller regularly emails three specific vendors and suddenly receives a payment request from an unfamiliar address claiming to represent one of them, Defender raises a flag.
Anti-phishing policies with BEC-specific thresholds allow you to set aggressive filtering for messages that exhibit BEC characteristics: financial language, urgency cues, display name spoofing, and first-time sender patterns.
These features work best when configured with your organization’s specific context, not left at default settings. Your IT team or managed security provider should review these policies quarterly and update the protected user and domain lists as your vendor relationships change.
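The three capabilities above are settings on a Defender for Office 365 anti-phishing policy, which can be created from the Exchange Online PowerShell module instead of clicking through the portal. The script below is an added example, not Microsoft's documentation or the article's own code; the policy name, admin account, protected users, vendor domains and group addresses are placeholders you would replace with your own.

```powershell
# Added example (not from the original article): a custom anti-phishing policy that
# enables impersonation protection, mailbox intelligence and an aggressive phishing
# threshold for the people who handle payments. All names and addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Protected users are "Display Name;email" pairs, typically C-suite and finance staff.
$protectedUsers = @(
    'Jane Doe;jane.doe@example.com',   # CEO
    'Sam Lee;sam.lee@example.com'      # Controller
)
# Protected domains: the key vendors whose names an attacker is most likely to imitate.
$protectedDomains = @('acme-industrial.example', 'bigsupplier.example')

$policyParams = @{
    Name                                = 'BEC - Finance and Executives'
    AdminDisplayName                    = 'Impersonation and mailbox intelligence for payment-handling staff'
    # Impersonation protection: lookalike display names and lookalike domains
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $protectedDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableOrganizationDomainsProtection = $true     # also protect your own accepted domains
    # Mailbox intelligence: learn each user's contact graph and act on deviations from it
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Safety tips shown to the recipient when something looks off
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    # Phishing threshold: 1 = standard, 2 = aggressive, 3 = more aggressive, 4 = most aggressive
    PhishThresholdLevel                 = 3
    # Spoof intelligence and what to do when SPF/DKIM/DMARC composite authentication fails
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
}
New-AntiPhishPolicy @policyParams

# Scope the policy to the groups that move money; priority 0 means it is evaluated first.
New-AntiPhishRule -Name 'BEC - Finance and Executives' `
    -AntiPhishPolicy 'BEC - Finance and Executives' `
    -SentToMemberOf 'finance-team@example.com', 'executives@example.com' `
    -Priority 0

# Quarterly review: dump the protected lists so they can be reconciled against HR and the vendor master file.
Get-AntiPhishPolicy -Identity 'BEC - Finance and Executives' |
    Select-Object Name, TargetedUsersToProtect, TargetedDomainsToProtect, PhishThresholdLevel
```

Mailbox intelligence is set to move to Junk rather than quarantine in this example because it learns from live traffic and produces more false positives in its first weeks than impersonation protection does; tighten it to `Quarantine` once the finance team has stopped reporting legitimate vendors landing in Junk. The final `Get-AntiPhishPolicy` call is the artifact for the quarterly review the article recommends.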
What to Do in the First 24 Hours If Money Was Already Sent
Speed determines whether you recover the funds. FBI data shows that organizations that contact their bank and file an IC3 report within 24 hours recover a significant portion of stolen funds. After 72 hours, recovery rates drop sharply because the money has typically been moved through multiple accounts.
Hour 1: Contact your bank. Call your bank’s wire fraud department and request an immediate recall or hold on the outgoing transfer. Provide the wire reference number, amount, recipient bank, and account number. Banks have established processes for this, but they need to act before the funds clear on the receiving end. Every minute matters.
Hours 1-4: File an FBI IC3 complaint. Submit a report at ic3.gov. The IC3’s Recovery Asset Team (RAT) works directly with financial institutions to freeze fraudulent transfers. For transfers over $50,000, they have a strong track record when notified within 24 hours. Include every detail you have: the fraudulent email, wire transfer records, timeline, and any communication with the impersonated party.
Hours 4-8: Secure your environment. If the BEC attack originated from a compromised internal account, your IT team needs to reset the password, revoke all active sessions, check for mailbox forwarding rules the attacker may have created, and review sign-in logs for unauthorized access. If a vendor account was compromised, notify the vendor immediately so they can secure their own systems.
Hours 8-24: Notify stakeholders. Contact your cyber insurance carrier, as most policies have BEC-specific coverage with notification deadlines. Inform your attorney about potential regulatory reporting obligations. Brief your executive team and finance staff so they can be alert for follow-up attacks, since BEC operators frequently target the same organization multiple times.
Document everything. Preserve the fraudulent email with full headers, screenshot all relevant communications, record the timeline of events, and note every call you made and to whom. This documentation supports insurance claims, law enforcement investigations, and internal process improvements.
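The "Hours 4-8" step is the one an IT team carries out at a keyboard, so here it is as a PowerShell runbook for a Microsoft 365 tenant: reset the password, revoke active sessions, look for forwarding rules and mailbox-level forwarding, find out who created them, and pull the sign-in history. This is an added example, not part of the original article; the compromised account, admin account and 30-day window are placeholders, and it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed.

```powershell
# Added example (not from the original article): containment of a compromised
# Microsoft 365 mailbox after a BEC incident. Account names and dates are placeholders.
$upn   = 'controller@example.com'    # the compromised account (placeholder)
$since = (Get-Date).AddDays(-30)     # how far back to look for attacker-made changes

Connect-ExchangeOnline -UserPrincipalName admin@example.com
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

# 1. Reset the password (forced change at next sign-in) ...
$tempPassword = Read-Host -Prompt "Temporary password for $upn"
Update-MgUser -UserId $upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
# ... and revoke every refresh token so sessions already open on the attacker's devices die.
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# 2. Inbox rules. Attackers hide their traffic by forwarding, redirecting, deleting or
#    filing away messages that mention payments; any such rule on a finance mailbox is suspect.
Get-InboxRule -Mailbox $upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
                   $_.DeleteMessage -or $_.MoveToFolder } |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder

# Forwarding can also be set on the mailbox itself rather than through a rule.
Get-Mailbox -Identity $upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# After review, disable what the attacker added (rule name is a placeholder from the output above).
# Disable-InboxRule -Mailbox $upn -Identity 'RULE NAME FROM OUTPUT' -Confirm:$false
# Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 3. Who created those rules, when, and from where? The unified audit log keeps the record.
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $upn `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 500 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP, ObjectId

# 4. Sign-in history: unfamiliar countries, IPs or legacy clients are the evidence to preserve.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 200 |
    Select-Object CreatedDateTime, IPAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        @{ n = 'City';    e = { $_.Location.City } },
        ClientAppUsed, AppDisplayName,
        @{ n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } } }
```

Export the rule listing, audit records and sign-in history to files before disabling anything, since they are part of the documentation the insurer and IC3 will ask for. The same four steps apply to any other internal mailbox the audit log shows the same IP touching; BEC operators routinely hold more than one account in a tenant.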
Build the Controls Before You Need Them
BEC is not a technology problem you can solve by buying another security product. It’s a process gap that attackers exploit because verification steps either don’t exist or get skipped under pressure. The $55 billion in losses reported by the FBI represents thousands of organizations that had the same financial controls your business probably has right now: informal, trust-based, and vulnerable to a well-crafted email.
Start with the verification protocol. It takes an afternoon to write, a week to train your team, and zero dollars to implement. Layer in Microsoft 365 Defender configuration and security awareness training to catch attacks earlier. Print the 24-hour response checklist and make sure your finance team, IT team, and executive leadership all know where it is.
The organizations that avoid becoming part of next year’s FBI statistics are the ones that treat payment verification as seriously as they treat financial auditing. Both protect the same thing: your money.
Need Help With Email Security?
Our team can help you implement payment verification controls, configure Microsoft 365 Defender, and train your staff to recognize BEC attacks.