Business fraud — including business email compromise (BEC) — targets a company's payment processes, using impersonated executives, fake invoices, or compromised email to redirect payments to criminals. The strongest defence is a verification step: confirm any change to payment details or any urgent transfer request through a second, known channel before acting.
How business fraud works
Business fraud targets processes, not just people. Most attacks begin with a convincing phishing email. The most common forms documented by Tutela Digitalis:
- Executive impersonation: the attacker spoofs an executive's email and instructs an employee to make an urgent wire transfer, often timed for when the executive is traveling or in meetings.
- Fake invoices: invoices from "vendors" that look identical to legitimate ones, but with different banking details. Sometimes the attacker compromises a real vendor's email and changes the payment details on real invoices.
- Payroll diversion: the attacker impersonates an employee and asks HR to change their direct deposit information to a new account.
- Vendor email compromise: the attacker breaches a real vendor's email system and sends legitimate-looking invoices with fraudulent payment details. This is the hardest to detect because the email comes from a real, trusted address.
Building a human firewall
Technology alone can't stop business fraud. You need trained people and verified processes:
1. Dual authorization for all wire transfers over a set threshold — no single person should be able to authorize large payments.
2. Verbal verification for any change to payment details — call the vendor at a known number (not one from the suspicious email) before changing anything.
3. Regular phishing simulation training — employees who train regularly have 1.5% click rates vs. 34% without training. This is the single highest-ROI security investment.
4. Clear escalation procedures — employees must feel empowered to question unusual requests, even from the CEO. Create a culture where caution is rewarded.
5. Segregation of duties — no single person should control the entire payment process from approval to execution.
6. Email authentication — implement DMARC, SPF, and DKIM to prevent domain spoofing of your own domain.
7. Incident response plan — know exactly what to do when (not if) a fraud attempt occurs. Practice it.
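Step 6 only helps if the published records actually enforce a policy: a DMARC record with p=none and an SPF record ending in ~all still let spoofed mail through. The following is an added example, not the guide's own code, that grades SPF and DMARC TXT records and shows a weak pair beside the corrected pair; the records are constructed samples, not live DNS lookups.

```python
# Added example, not the guide's own code: grade SPF and DMARC TXT records to
# see whether step 6 is enforced. Records below are constructed, not DNS lookups.

def parse_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record: str) -> list:
    """List weaknesses in an SPF record; an empty list means spoofed mail hard-fails."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    mechanism = terms[-1].lower()  # the final 'all' term decides unmatched senders
    if mechanism in ("+all", "all"):
        return ["'+all' lets anyone send as this domain"]
    if mechanism == "?all":
        return ["'?all' is neutral: spoofed mail is neither passed nor failed"]
    if mechanism == "~all":
        return ["'~all' only soft-fails spoofed mail; '-all' is the hard fail"]
    if mechanism != "-all":
        return ["record does not end with an 'all' mechanism"]
    return []

def check_dmarc(record: str) -> list:
    """List weaknesses in a DMARC record; an empty list means it enforces and reports."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or unknown p= policy")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address, so spoofing attempts are never reported to you")
    return issues

# Constructed sample records: the weak pair beside the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_SPF = "v=spf1 include:_spf.example.net -all"
STRICT_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"
```

Run the two check functions against your own domain's TXT records; any non-empty list is a gap an attacker can use to send mail that appears to come from your executives.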
The most effective defense I've seen isn't technical — it's cultural. Companies where employees feel safe questioning unusual requests catch fraud attempts that technology misses. The $160,000 wire transfer happens when an employee is afraid to say 'this seems off' to their boss.
What to do if your business has been hit
If you discover a fraudulent transaction, act fast — the first hours decide whether the money is recoverable. For a personal-account version of this, see our scam recovery guide, and our reporting directory for exactly where to report business fraud in your country.
1. Contact your bank immediately — request a wire recall. Speed is everything; recalls within 24 hours have the highest success rate.
2. Preserve all evidence — emails, invoices, transaction records, communication logs. Do not delete anything.
3. Report to FBI IC3 (ic3.gov) — file a detailed complaint with all available evidence.
4. Notify your insurance carrier — if you have cyber liability insurance, file a claim immediately.
5. Conduct an internal investigation — determine how the breach occurred and what systems were compromised.
6. Reset compromised credentials — change passwords, revoke access tokens, and rotate API keys for any affected systems.
7. Notify affected parties — if vendor or customer data was compromised, you may have legal notification obligations.
8. Review and strengthen procedures — every incident is an opportunity to close the gap that was exploited.
Written from real-world experience. All statistics sourced from verified organizations.