The $1.25 Million Email Scam You Could Fall For
2025-11-12 15:21:38 Author: www.reddit.com

According to an FBI report, people have lost over $2.77 billion to Business Email Compromise scams in the US alone.

If you run a business or work for one that pays invoices by email, then you're automatically at risk.

And if it happens, you can report the theft to law enforcement, but what are the odds they'll be able to recover the money you have lost?

So, it's better to understand how these cyber attacks work and prevent them from happening to you.

Now, to better understand the BEC attack, I'll give you a real, step-by-step example.

A man named Onwuchekwa Kalu, living in Nigeria, stole $1.25 million from an investment firm in Boston, Massachusetts.

This firm is referred to as Company A in the court document.

For over a decade, Company A had been investing in health-tech firms across North America, Europe, and Israel... businesses that develop treatments for heart-related diseases.

We also have Company B, a financial services company in London, which processed fund transfers for a bank account held by Company A at Bank of NY Mellon.

[Map image from FreeWorldMaps]

How the Scam Worked

Kalu and his accomplices first hacked into the email account of an employee at Company A.

They installed malware that automatically forwarded any message containing the words “invoice,” “fund,” “pay,” or “wire” to an external Gmail address they controlled: [email protected]


By reading those forwarded emails, the scammers learned exactly who was in charge of payments: the team at Company B.
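The forwarding rule described above is the kind of thing a mailbox audit can catch. The following is an added example, not code from the original post: it walks a list of mailbox rules and flags any enabled rule that forwards mail outside the organisation, noting when the rule filters on the same payment keywords the attackers used and when it also deletes the message to hide the leak. The rule format, the `.example` domains and the sample rules are all constructed; a real audit would pull the rules from the mail platform's API and map them onto this shape.

```python
"""Flag mailbox rules that auto-forward mail to external addresses.

Added example (not from the original post). The MailRule shape is a
constructed, provider-neutral representation of a mailbox rule.
"""
from dataclasses import dataclass

# Keywords the post says the attackers' forwarding rule matched on.
PAYMENT_KEYWORDS = ("invoice", "fund", "pay", "wire")


@dataclass
class MailRule:
    owner: str                  # mailbox the rule lives in
    name: str
    keywords: tuple = ()        # subject/body words the rule matches on
    forward_to: tuple = ()      # addresses the rule forwards to
    delete_after: bool = False  # rule also deletes/moves the message
    enabled: bool = True


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, internal_domains):
    """Return (rule, reasons) for every enabled rule that warrants review.

    A rule is reported only if it forwards to at least one address outside
    `internal_domains`; the other reasons add context to that finding.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        external = [a for a in rule.forward_to if domain_of(a) not in internal]
        if not external:
            continue
        reasons = [f"forwards to external address(es): {', '.join(external)}"]
        hits = sorted(k for k in rule.keywords if k.lower() in PAYMENT_KEYWORDS)
        if hits:
            reasons.append(f"filters on payment keywords: {', '.join(hits)}")
        if rule.delete_after:
            reasons.append("deletes the message after forwarding, hiding the leak from the owner")
        findings.append((rule, reasons))
    return findings


# Constructed sample: two benign rules and one that mirrors the post's attack.
SAMPLE_RULES = [
    MailRule("alice@companya.example", "Move newsletters",
             keywords=("newsletter",), forward_to=()),
    MailRule("alice@companya.example", "Sync to assistant",
             keywords=(), forward_to=("assistant@companya.example",)),
    MailRule("alice@companya.example", "Rule 1",
             keywords=("invoice", "fund", "pay", "wire"),
             forward_to=("attacker-mailbox@gmail.example",), delete_after=True),
]

if __name__ == "__main__":
    for rule, reasons in audit_rules(SAMPLE_RULES, ["companya.example"]):
        print(f"[{rule.owner}] rule {rule.name!r}:")
        for reason in reasons:
            print("   -", reason)
```

Run against a real tenant, the interesting output is usually not the rule but who created it and when; pair this check with an alert on new external forwarding rules rather than running it only as a periodic sweep.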

Some companies have their own finance department, while others hire outside firms to manage payments.

Before launching an attack, a social engineer can gather information from public sources such as company websites, LinkedIn, and press releases to identify who handles the money and which firms they work with.

That can help them figure out the best ways to attack.

Then, they bought a domain name that was just one letter different from Company A's actual website, something like CommpanyA.com.

They used the domain name to make a fake email account, [email protected]

They emailed an employee at Company B (which handles the payments), pretending to be the director.

The Fake Transaction

"The director" said they were buying medical equipment from a Heart Monitor Company (HMC) for $625,000, and asked Company B to transfer the funds to HMC's bank account in Mexico.

Of course, this bank account was not HMC's real one. Keep in mind that Company B had worked with HMC before.

So the finance employee noticed that HMC's bank details on file did not match the new ones provided by the scammers.

But "the director" told him that they had updated their banking details.

That small reassurance was enough to convince him to proceed.
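The two warning signs in this story, a sender domain one letter away from the real one and beneficiary bank details that differ from the vendor record, are both mechanically checkable before anyone wires money. The following is an added example, not code from the original post: it scores an emailed payment request against a trusted-domain list and a vendor master and returns the reasons it must be verified out of band. The `edit_distance` and `screen_request` helpers, the `.example` domains, the vendor record for HMC and the request itself are all constructed for the example.

```python
"""Screen an emailed payment request before anyone wires money.

Added example, not from the original post. The vendor master, trusted
domains and request below are constructed. The two checks are the ones the
story turns on: a lookalike sender domain and changed beneficiary details.
"""
from dataclasses import dataclass


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (insert, delete, substitute, transpose)."""
    a, b = a.lower(), b.lower()
    prev_prev, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev_prev[j - 2] + 1)  # transposition
            cur.append(best)
        prev_prev, prev = prev, cur
    return prev[-1]


def lookalike_domain(sender_domain, trusted_domains, max_distance=2):
    """Return the trusted domain the sender imitates, or None.

    An exact match to a trusted domain is not a lookalike; only near-misses
    (within `max_distance` edits) are reported.
    """
    sender_domain = sender_domain.lower()
    trusted = [d.lower() for d in trusted_domains]
    if sender_domain in trusted:
        return None
    for domain in trusted:
        if edit_distance(sender_domain, domain) <= max_distance:
            return domain
    return None


@dataclass(frozen=True)
class BankDetails:
    account: str
    bank: str
    country: str


@dataclass
class PaymentRequest:
    sender: str            # From: address on the email
    vendor: str
    amount_usd: int
    beneficiary: BankDetails


def screen_request(req, trusted_domains, vendor_master, large_amount_usd=10_000):
    """Return the reasons this request must be verified out of band (a call
    to a number already on file, never one taken from the email) before
    payment. An empty list means no red flag was found, not that it is safe."""
    flags = []
    sender_domain = req.sender.rsplit("@", 1)[-1]
    imitated = lookalike_domain(sender_domain, trusted_domains)
    if imitated:
        flags.append(f"sender domain {sender_domain!r} looks like {imitated!r}")
    on_file = vendor_master.get(req.vendor)
    if on_file is None:
        flags.append(f"vendor {req.vendor!r} is not in the vendor master")
    elif on_file != req.beneficiary:
        flags.append(f"beneficiary details differ from those on file for {req.vendor!r} "
                     f"(on file: {on_file.bank}/{on_file.country}, "
                     f"requested: {req.beneficiary.bank}/{req.beneficiary.country})")
    if req.amount_usd >= large_amount_usd:
        flags.append(f"amount ${req.amount_usd:,} is above the out-of-band verification threshold")
    return flags


# Constructed reference data and a request modelled on the story.
VENDOR_MASTER = {
    "HMC": BankDetails(account="HMC-ACCT-0001", bank="Example Bank NA", country="US"),
}
TRUSTED_DOMAINS = ["companya.example"]
REQUEST = PaymentRequest(
    sender="director@commpanya.example",
    vendor="HMC",
    amount_usd=625_000,
    beneficiary=BankDetails(account="MX-ACCT-9999", bank="Example Banco", country="MX"),
)

if __name__ == "__main__":
    for flag in screen_request(REQUEST, TRUSTED_DOMAINS, VENDOR_MASTER):
        print("VERIFY:", flag)
```

The point of the bank-details check is that "they updated their banking details" is exactly the reassurance a process should refuse to accept over email: a changed beneficiary record should only be accepted after confirmation through a channel that already existed before the request arrived.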


A week later, the scammers requested another $625,000 transfer.

This time to a different account in Mexico.


So a total of $1.25 million was gone in less than two weeks. Investigators later traced and arrested Onwuchekwa Kalu, who was extradited to the United States for trial.

This shows that even an experienced finance employee can fall for such scams.

To protect yourself, make sure that the domain name is accurate, but don't stop there, because there are ways for a scammer to send you an email that appears to come from the actual email address ([email protected]).

The safest step is to verify through multiple channels before sending a large payment.

If you think this is excessive, keep reading...

In Hong Kong, a financial officer received an email requesting a massive transfer.

He suspected it was a scam, so he joined a video call with his Chief Financial Officer and several colleagues in the UK. You know, people he recognized and trusted.

So he sent $25.6 million.

But the people on that call weren’t real; they were all AI-generated deepfakes.


Source: https://www.reddit.com/r/SocialEngineering/comments/1ov80fc/the_125_million_email_scam_you_could_fall_for/