How business fraud works
Business fraud targets processes, not just people. The variants below are collectively known as business email compromise (BEC), and they are the most common attacks documented by Tutela Digitalis:

CEO/CFO Impersonation — An attacker spoofs an executive's address, registers a lookalike domain, or simply puts the executive's name on a free webmail account, then instructs an employee to make an urgent wire transfer. The request is usually timed for when the executive is traveling or in meetings and cannot be reached to confirm it.

Invoice Fraud — Fake invoices from "vendors" that look identical to legitimate ones but carry different banking details. Sometimes the attacker compromises a real vendor's mailbox and changes the payment details on genuine invoices.

Payroll Diversion — An attacker impersonates an employee and asks HR to change their direct deposit information to a new account.

Vendor Compromise — An attacker breaches a real vendor's email system and sends legitimate-looking invoices with fraudulent payment details. This is the hardest variant to detect: the email comes from a real, trusted address and passes SPF, DKIM, and DMARC, because the vendor really did send it.
Building a human firewall
Technology alone can't stop business fraud. You need trained people and verified processes:

1. Dual authorization for all wire transfers over a set threshold — no single person should be able to authorize large payments.

2. Verbal verification for any change to payment details — call the vendor or employee at a number already on file (never one taken from the email requesting the change) before changing anything. Apply the same rule to edits of the vendor master file, not just to individual invoices.

3. Regular phishing simulation training — employees who train regularly have 1.5% click rates vs. 34% without training. This is the single highest-ROI security investment.

4. Clear escalation procedures — employees must feel empowered to question unusual requests, even from the CEO. Create a culture where caution is rewarded.

5. Segregation of duties — no single person should control the entire payment process from approval to execution.

6. Email authentication — publish SPF, DKIM, and a DMARC policy of p=reject for your own domain so that mail forged in your domain's name is rejected by receivers that check it. Be clear about what this does not cover: lookalike domains the attacker registers, free webmail accounts carrying an executive's display name, and mail from a genuinely compromised vendor account all authenticate correctly. Those cases are caught by steps 2 and 4, not by DNS records.

7. Incident response plan — know exactly what to do when (not if) a fraud attempt occurs. Practice it.
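The indicators from the four attack types described above, and the limits of email authentication noted in step 6, as an added example that is not Tutela Digitalis code: a small Python screen that parses an inbound message and reports the header and content signals a mail gateway or accounts-payable team can check. The tenant domain, executive name, vendor list and the four messages are constructed for the example; the lookalike test is a heuristic (confusable folding plus edit distance), not a complete one.

```python
"""Screen inbound mail for business email compromise (BEC) indicators.
Added example, not Tutela Digitalis code; domains, names and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                          # assumed tenant domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
VENDOR_DOMAINS = ["acme-supplies.com"]              # approved vendor domains

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|right away|confidential)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban|routing|direct deposit)\b", re.I)
WIRE_REQUEST = re.compile(r"\b(wire|transfer|pay)\b.{0,30}\$?\d", re.I)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def normalize(domain):
    """Fold visual confusables so 'acme-supp1ies' compares equal to 'acme-supplies'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target):
    """Not the target itself, but equal after folding or within one edit of it."""
    if domain == target:
        return False
    a, b = normalize(domain), normalize(target)
    return a == b or edit_distance(a, b) <= 1


def screen(raw_message):
    """Return (indicators, verdict) for one RFC 5322 message given as a string.
    Any request to move money or change payment details is held for out-of-band
    verification regardless of headers: a compromised vendor mailbox shows none."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload()  # single-part text/plain in this example
    indicators = []
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        indicators.append(f"executive display name '{name}' on non-corporate address {addr}")
    for target in [OUR_DOMAIN, *VENDOR_DOMAINS]:
        if is_lookalike(from_domain, target):
            indicators.append(f"sender domain {from_domain} looks like {target}")
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    # DMARC protects our own domain name; a lookalike or webmail domain the attacker
    # controls passes DMARC legitimately, so a pass there proves nothing.
    if from_domain == OUR_DOMAIN and "dmarc=pass" not in auth:
        indicators.append("claims our own domain but did not pass DMARC")
    elif "dmarc=fail" in auth:
        indicators.append("DMARC failed for the sending domain")
    if URGENCY.search(body):
        indicators.append("urgency language")
    money_move = bool(PAYMENT_CHANGE.search(body) or WIRE_REQUEST.search(body))
    if money_move:
        indicators.append("asks to move money or change payment details")
    verdict = "verify out-of-band" if money_move else ("suspicious" if len(indicators) >= 2 else "ok")
    return indicators, verdict


AUTH_PASS = "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from="
SAMPLES = {  # constructed messages, one per attack type in the text, plus a benign invoice
    "ceo_impersonation": "From: Jane Doe <jane.doe.ceo@webmail.example>\n"
        + AUTH_PASS + "webmail.example\n\n"
        "I'm tied up in meetings all day. Please wire $48,500 to the consultant today\n"
        "and keep this confidential for now; details to follow.\n",
    "invoice_lookalike": "From: Billing <billing@acme-supp1ies.com>\n"
        + AUTH_PASS + "acme-supp1ies.com\n\n"
        "Please note our updated bank account for invoice 4471 and all future payments.\n",
    "vendor_compromise": "From: Accounts <accounts@acme-supplies.com>\n"
        + AUTH_PASS + "acme-supplies.com\n\n"
        "Invoice 4472 attached. We have changed banks; use the new account shown on it.\n",
    "benign": "From: Accounts <accounts@acme-supplies.com>\n"
        + AUTH_PASS + "acme-supplies.com\n\n"
        "Invoice 4473 attached, payable on the usual 30-day terms. Thanks as always.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        indicators, verdict = screen(raw)
        print(f"{label}: {verdict}")
        for item in indicators:
            print("  -", item)
```

Run it and the four verdicts print. Note that every sample carries a DMARC pass, including the CEO impersonation from a webmail domain and the invoice from the registered lookalike domain: authentication only vouches for the domain in the From header, not for who is behind it. The vendor-compromise message produces no header indicator at all, which is why the verdict rule holds every payment-change request for the call-back in step 2 instead of trusting the indicator count.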
The most effective defense I've seen isn't technical — it's cultural. Companies where employees feel safe questioning unusual requests catch fraud attempts that technology misses. The $160,000 wire transfer happens when an employee is afraid to say 'this seems off' to their boss.
What to do if your business has been hit
If you discover a fraudulent transaction:

1. Contact your bank immediately — request a wire recall. Speed is everything; recalls within 24 hours have the highest success rate. For international wires, report to IC3 at the same time, because the FBI's Financial Fraud Kill Chain process for recovering such transfers depends on being notified within 72 hours.

2. Preserve all evidence — emails with full headers, invoices, transaction records, communication logs. Do not delete anything, and export mailbox audit logs before their retention window expires.

3. Report to FBI IC3 (ic3.gov) — file a detailed complaint with all available evidence.

4. Notify your insurance carrier — if you have cyber liability insurance, file a claim immediately; most policies set a notice deadline.

5. Conduct an internal investigation — determine how the breach occurred and what systems were compromised. In BEC cases, check the affected mailboxes for attacker-created inbox rules (auto-forwarding, auto-deletion of replies), unfamiliar OAuth application grants, and sign-ins from unexpected locations; these are how the attacker watched the conversation.

6. Reset compromised credentials — change passwords, revoke sessions and access tokens, remove the inbox rules and application grants found in step 5, and rotate API keys for any affected systems.

7. Notify affected parties — if vendor or customer data was compromised, you may have legal notification obligations.

8. Review and strengthen procedures — every incident is an opportunity to close the gap that was exploited.
Written from real-world experience. All statistics sourced from verified organizations.