The email looks like it's from your vendor. It isn't.
ScamChecker.online · Last verified June 2026 · Active - $2.77B in 2024 losses
In a nutshell
A scammer hacks or spoofs a trusted email address - your vendor, your boss, or your title company - and asks you to wire money or update payment details.
The email arrives from what looks like a real, known contact. The bank account number is the only thing that changed.
By the time the real vendor calls asking about the unpaid invoice, the money is already gone.
The FBI has documented $55 billion in cumulative losses from this pattern since 2013 - more than any other internet crime category. [1]
Our verdict
This is a scam. Any request to change payment details or make an urgent wire transfer - received by email - should be verified by calling the requester on a known phone number before any money moves. Business email compromise (BEC) is the single largest source of financial losses reported to the FBI's Internet Crime Complaint Center, exceeding cryptocurrency fraud, ransomware, and all other categories combined over the past decade. [1]
Does this sound familiar?
You receive an email from a supplier you've worked with for years. They've changed their banking details and ask you to update your records before the next invoice. The email looks right - the name, the domain, even the signature block. You update the details and pay the next invoice as usual. Three weeks later the supplier calls about the unpaid bill. The account you wired money to was not theirs.
Below are reconstructed examples showing the three main variants. (Illustrations, not real screenshots. Domains in bracket[.]notation are not real.)
Vendor impersonation
Inbox
Updated banking details - please action before next payment
Thu 9:14 AM · acmesupplies[.]co is not acme-supplies[.]com - spot the difference
Dear Accounts Team,
We have recently changed our banking provider. Please update your records before the next payment cycle.
Bank: First National
Account: 7842 9301 66
Routing: 082100175
Please ensure all future payments are directed to this account. Do not use previous details.
Kind regards, Sarah Mitchell Accounts Receivable · ACME Supplies
The domain is one character off. The email content is otherwise indistinguishable from legitimate vendor correspondence. Verify by phone before changing any payment details.
CEO fraud
I need you to process a transfer urgently for a time-sensitive acquisition we are closing this afternoon. The legal team has advised we keep this internal for now - please don't discuss with anyone until it's done.
Transfer $48,500 to the following account by 2 PM today.
Bank: Chase
Account: 4491 0027 83
Ref: ACQN-2026-04
James Henderson CEO · YourCompany Inc.
The secrecy instruction ("don't discuss with anyone") is deliberate - it removes the normal social check of asking a colleague. CEOs do not send urgent wire requests by email without a phone call.
Real estate wire fraud
Inbox
Action required: Closing wire instructions for 14 Maple Street
Your closing is scheduled for tomorrow at 10 AM. Please wire your closing funds no later than 9 AM to ensure same-day processing.
Wire to: Citibank N.A.
Account: 5539 2281 07
Amount: $87,400.00
⚠ Do not call to verify - our phone lines are being upgraded until tomorrow.
Premier Title Co. · Closing Department
The "don't call" instruction is a scammer tactic to prevent the one action that would expose the fraud. Always call your title company using the number on their official website - never from the email.
How it works
Unlike a phishing email that asks you to click a link, BEC works by impersonating a trusted contact at exactly the right moment in a real business relationship. The attack is sometimes preceded by weeks of surveillance - the attacker reads your email thread to understand the transaction context before sending the fake payment instruction. (Screens shown below are illustrations.)
1. The email account is compromised or spoofed
The attack starts one of two ways. In a full compromise, the attacker gains access to the real email account - typically through a phishing attack or a credential breach - and reads existing conversations to understand the business relationship before sending a fraudulent payment instruction from within the real account. In a spoofing attack, the attacker creates a lookalike domain (e.g., acmesupplies[.]co instead of acme-supplies[.]com) and sends from it. Both methods can be equally convincing. [4]
Two entry paths
Path A: Real account hacked
Credential phished → attacker reads your inbox for weeks → sends payment redirect from within the real account
Path B: Domain spoofed
Registers lookalike domain → sends from convincing fake address → no account access needed
💡 Check the actual "From" domain carefully - not the display name, which can be anything.
2. The payment redirection arrives at the right moment
The email arrives when a real transaction is in progress. The attacker times it: just before an invoice is due, right as a real estate closing approaches, or during a payroll cycle. The fraudulent request fits naturally into an expected workflow. The only change is a bank account number. Everything else - the greeting, the tone, the signature, the history of the email thread - is consistent with months or years of genuine correspondence. FinCEN and the FBI both note that attackers frequently monitor a compromised inbox for weeks before striking. [3]
Hi - quick note before Friday. We've updated our bank. New details attached. Old account closes end of week so please use the new one for this payment.
The email thread looks real. The account is real. Only the bank number changed.
Timing the attack to match a real payment cycle makes recipients less likely to question it.
3. The payment is made to the scammer's account
The recipient - an accounts payable employee, a home buyer, a freelancer paying a contractor - follows the new instructions and initiates the wire transfer. Wire transfers are treated as authorised by the sender's bank and clear within hours. The funds land in a scammer-controlled account, which is typically a mule account - a real domestic bank account used temporarily to receive and rapidly forward the funds overseas. Within hours or days, the money leaves the US banking system entirely. The FBI IC3 recorded $2.77 billion in BEC losses in 2024 alone. [2]
Wire transfer path
Victim initiates wire to "new bank account"
Clears to scammer's mule account (hours)
Rapidly forwarded out of the country
Recovery window closes - often same day
Most successful recoveries happen within 24 hours of the transfer. After that, the money is typically gone.
4. The real vendor calls about the unpaid invoice
Days or weeks later, the legitimate vendor, title company, or executive follows up about a payment that hasn't arrived. The victim realises what happened. By this point the wire has long since cleared and the money has moved multiple times. The mule account is often held by an unwitting third party who was themselves recruited under a fake job offer. Recovering funds at this stage is possible in a small minority of cases through the FBI's Financial Fraud Kill Chain, but is not something victims should count on. [1]
📞
Incoming call - ACME Supplies
17 days after you wired the payment
"Hi - our records show invoice #8842 is still unpaid. Can you check your records?"
You: "We paid it - we got your email about new banking details."
Them: "We never sent that email. We haven't changed our bank."
The window for wire recall was already closed before this call happened.
The one rule that stops BEC
Any request to change bank details or make an urgent wire transfer must be verified by phone - using a number you already have, not one in the email.
Never verify a bank account change by replying to the same email. That email may be controlled by the scammer.
Check the actual sending domain, not just the display name. acme-supplies.com and acmesupplies.co are different companies.
Enable multi-factor authentication on all business email accounts. If your email is never compromised, attackers cannot monitor your payment conversations.
Red flags to catch it early
Bank account details changed by email without a prior phone call
Legitimate vendors and employers establish new bank details through established processes - usually with a formal letter, a documented process, and a follow-up call. A one-off email requesting a bank change, especially one that creates urgency, should always trigger a call to a known number before any action.
Urgency, secrecy, or a "don't call" instruction
Instructions to keep the transfer confidential, act before end of day, or avoid calling because "phone lines are being upgraded" are designed to prevent the one action that would catch the scam. Legitimate organisations with urgent payment needs still welcome a callback to verify.
"Legal has advised we keep this quiet until the deal closes - please don't mention it."
The sending domain is almost-but-not-quite right
Look at the full email address in the "From" field, not the display name. Common tricks include adding a hyphen (acme-supplies.co), swapping a letter (acmesuppIies.com with a capital I), changing the TLD (.co vs .com), or prepending the brand name to a different domain (acmesupplies.billing[.]io).
The request bypasses normal approval procedures
CEO fraud emails often instruct the employee to handle the transfer personally, without involving the normal payment process. The request to bypass existing controls is itself the red flag.
"Handle this yourself - don't run it through the normal PO process, we need speed."
Wire transfer is requested rather than a normal payment method
If you have always paid a vendor by ACH or check, a sudden request to switch to wire transfer should prompt a call. Wire transfers are preferred by scammers because they are fast, final, and hard to reverse. Real changes in payment method are typically discussed proactively with prior notice.
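The sender-domain checks described above (read the real "From" domain rather than the display name, then look for a dropped or added hyphen, a swapped letter, a changed TLD, or the brand prepended to a different domain) can be automated for a payments mailbox. The Python below is an added example, not part of the original article; the allowlist, the look-alike character table and the function names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Constructed allowlist: domains already on file for real contacts.
KNOWN_DOMAINS = {"acme-supplies.com"}
# Digits often substituted for look-alike letters (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})


def skeleton(label):
    """Collapse a label so visually similar spellings compare equal."""
    label = label.replace("I", "l").lower()  # capital I posing as lowercase l
    label = label.translate(CONFUSABLES).replace("rn", "m")
    return re.sub(r"[-_]", "", label)


def check_sender(from_header, known=KNOWN_DOMAINS):
    """Classify the sending domain of a From header; the display name is ignored."""
    _display, addr = parseaddr(from_header)
    raw = addr.rpartition("@")[2]
    if not raw:
        return ("unknown", "no parsable address")
    if raw.lower() in known:
        return ("known", raw.lower())
    # Naive split: last label is the TLD (suffixes such as co.uk are not handled).
    *labels, tld = raw.split(".")
    for good in known:
        good_name, _, good_tld = good.rpartition(".")
        target = skeleton(good_name)
        if labels and skeleton(labels[-1]) == target:
            reasons = []
            if labels[-1].lower() != good_name:
                reasons.append("spelling altered")
            if tld.lower() != good_tld:
                reasons.append("TLD changed")
            if not reasons:
                return ("known", "subdomain of " + good)
            return ("lookalike", ", ".join(reasons))
        if any(skeleton(part) == target for part in labels[:-1]):
            return ("lookalike", "brand prepended to a different domain")
    return ("unknown", "not on file")


if __name__ == "__main__":
    # Constructed From headers modelled on the article's examples.
    for header in ("Sarah Mitchell <sarah@acme-supplies.com>",
                   "Sarah Mitchell <sarah@acmesupplies.co>",
                   "ACME Supplies <ar@acmesuppIies.com>",
                   "ACME Supplies <pay@acmesupplies.billing.io>"):
        print(header, "->", check_sender(header))
```

A "lookalike" or "unknown" verdict is a prompt for the phone callback, and a "known" verdict does not replace it, because a compromised real account sends from the genuine domain.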
The FBI's Financial Fraud Kill Chain can stop some international wire transfers - but only if the report is made fast enough. Most successful recalls happen in the first 24 hours.
1. Call your bank's wire transfer fraud team immediately
Tell them the wire was sent as a result of fraud and you need them to attempt a recall or hold. Use the bank's official number - not one from any email. Ask specifically about a SWIFT recall for international wires.
2. Report to IC3.gov as soon as possible
The FBI's IC3 runs a Financial Fraud Kill Chain specifically for BEC victims that can sometimes intercept international transfers before they clear. Time is the critical variable. File at ic3.gov with all available details: sending bank, receiving bank account number, the fraudulent email, and the transfer amount.
3. Secure your email account
If the attack started with a compromised inbox, change your email password and enable multi-factor authentication immediately. Check for forwarding rules or filters the attacker may have added to intercept future correspondence. Remove any connected apps you don't recognise.
4. Notify the impersonated party
Contact the real vendor, executive, or title company using contact details you held before the incident. Let them know their identity was used in a fraud - their own email may still be compromised, and other customers may be at risk.
5. File a police report
Your bank, insurance provider, or legal counsel may require a crime reference number. Report to local law enforcement and keep a copy of the report number.
6. Be sceptical of any "recovery specialist" who reaches out
BEC victims are frequently targeted by a follow-on money recovery scam - someone claiming to be a law firm, private investigator, or recovery service that can retrieve your funds for an upfront fee. They cannot. Official recovery assistance is free and runs through the FBI and your bank.
Where to report it
For the full country guide - agencies, phone numbers, and what happens after you report - see how to report a scam by country.
The UK's APP (Authorised Push Payment) fraud reimbursement rules may apply. Contact your bank's fraud team immediately alongside filing the Action Fraud report.
BEC is not a niche commercial fraud. It is the single largest cybercrime category by financial loss in the FBI's annual reporting - outpacing ransomware, cryptocurrency fraud, and all other categories. The cumulative scale is staggering precisely because the attack requires no malware, no technical exploit on the victim's end, and no unusual behaviour from the victim's bank. It exploits trust in email, which remains the dominant communication channel for financial transactions.
$55B: Cumulative losses from BEC documented by FBI IC3 from October 2013 through December 2023 - the largest category by value in the IC3's ten-year history [1]
$2.77B: BEC losses reported in 2024 alone, across all variants including vendor impersonation, CEO fraud, and real estate wire fraud [2]
21,489: BEC complaints received by IC3 in 2023 - each complaint representing a separate reported incident, not an individual victim [2]
140+: Countries to which fraudulent wire transfers have been traced in BEC cases, demonstrating the global reach of the criminal networks involved [1]
While BEC is often framed as a corporate threat, it directly affects freelancers, self-employed people, small business owners, landlords, and anyone making a significant payment based on emailed instructions. The real estate variant - where buyers wire closing funds to a scammer-controlled account the day before they collect the keys to their new home - is among the most financially and emotionally devastating. Unlike the fake invoice renewal scam, which uses entirely fabricated invoices sent cold, BEC inserts itself into an existing, legitimate relationship - which is why it is so much harder to detect.
Frequently asked questions
How do I know if an email changing bank account details is legitimate?
Call the sender directly using a phone number you already have on file - not one included in the email. A genuine vendor or title company will confirm any bank account change over the phone. Never verify a bank change by replying to the same email that requested it. That email may be controlled by the scammer, who will simply confirm the fake account.
My company already wired the money to the wrong account. What do we do?
Call your bank immediately and ask them to initiate a SWIFT recall or domestic wire recall. Speed is critical - most successful recoveries happen within 24 hours. Also contact the FBI IC3 at ic3.gov and report to the FTC. The FBI runs a Financial Fraud Kill Chain that can help halt international wire transfers in some cases if the report is made quickly enough. File a police report as well, as your bank and insurer may require it.
What is real estate wire fraud and how does it happen?
Real estate wire fraud is when a scammer intercepts or spoofs emails from a title company, escrow officer, or real estate attorney and sends the buyer fake wire instructions for their closing payment. The buyer wires their down payment - often tens of thousands of dollars - to a scammer-controlled account. The FBI considers this one of the most damaging BEC variants because the losses are large and the money moves quickly. Always call your title company using a number from their official website to verify wire instructions before sending.
Does BEC only affect large companies?
No. BEC affects sole traders, freelancers, small businesses, nonprofit organizations, and individuals involved in property transactions. Any person or organization that makes wire transfers or pays invoices can be targeted. Small businesses are often more vulnerable because they have less formal payment verification procedures than large corporations. The FBI's cumulative figures cover targets of all sizes.
How can I protect my business from BEC?
Establish a callback verification rule: any request to change bank account details must be confirmed by calling the requester on a number from your existing records - never from the email. Enable multi-factor authentication on all business email accounts so that even if a password is stolen, the account cannot be taken over. For large wire transfers, require two-person approval. Train anyone who handles payments to treat bank account change requests as high-risk, regardless of how the email looks.
Federal Trade Commission, Business Email Imposters (business guidance). FTC guidance on domain spoofing and look-alike email addresses used in BEC, targeting small businesses and self-employed individuals.
Researched and maintained by ScamChecker.online
We document recurring online scam patterns using primary sources - government agencies, law enforcement, and security researchers. We do not accuse named businesses, and ads on this page do not influence our reporting.
Last verified: June 2026 · Reviewed against current FBI IC3, FTC, and FinCEN guidance