The Fraud Hiding in Your Inbox
Why Business Email Compromise is the most expensive cybercrime most firms still aren’t taking seriously enough
A finance director at a professional services firm received an email from a long-standing supplier. The branding was correct. The sender name was correct. The email address looked right at a glance. The message explained that the supplier’s banking details had changed, and asked for the update to be applied before the next payment run.
The payment was processed. The money was gone. The supplier had never sent the email.
This is Business Email Compromise – and it is not a sophisticated attack. It requires no malware, no technical intrusion, no inside access. It requires only a convincing email and a process that relies on email to verify financial instructions.
The FBI’s Internet Crime Complaint Center reported over $2.9 billion in BEC losses in a single year in the US alone. Globally, the figure is substantially higher – and that only accounts for reported cases. The actual number is significantly larger.
The uncomfortable truth is that most of this fraud is not a failure of technology. It is a failure of process — specifically, the process of relying on email to manage financial relationships.
Why Email Is the Wrong Tool for Financial Interactions
Email was designed for communication. It was never designed to verify identity, protect financial instructions, or keep documents and the conversations around them in any kind of trusted relationship. Yet for most businesses, it is all three.
The fundamental problem is that email is easily spoofed, easily intercepted, and impossible to lock down once a message is sent. A fraudster does not need to hack your system. They need to register a domain that looks like your supplier’s, craft a convincing message, and wait. Your finance team does the rest.
Even where email security tools are in place – spam filters, DMARC policies, phishing detection – they are fighting an arms race they cannot win. Over 3 billion phishing emails are sent every day. Attackers iterate faster than defences adapt. And it only takes one.
The deeper issue is structural. Email separates documents from the conversations around them – and that gap is where fraud happens. A PDF arrives as an attachment. The instruction to action it arrives in a message thread. The integrity of the document tells you nothing about the integrity of the conversation. An attacker doesn’t need to tamper with the file. They just need to tamper with the message telling you what to do with it.
How BEC Actually Works – and Why It’s So Effective
Business Email Compromise takes several forms, but the most financially damaging follow a predictable pattern.
The fake supplier update
An attacker monitors email traffic between your business and a supplier – either by compromising an inbox, or simply by researching the relationship. At the right moment, they send a message appearing to be from the supplier, advising that banking details have changed. Payments are redirected. The fraud is often not discovered until the legitimate supplier chases an overdue invoice.
The CEO instruction
A message appears to come from a senior executive requesting an urgent transfer, often with a reason that discourages verification – a confidential acquisition, a regulatory deadline, a sensitive matter that can’t be discussed internally. The recipient, not wanting to question a senior figure, complies.
The man-in-the-middle
An attacker inserts themselves into an ongoing email thread – often after compromising one party’s inbox – and begins subtly redirecting the conversation. By the time a payment instruction is issued, both parties believe they are communicating with each other. Neither is.
What makes all three variants so effective is their simplicity. They exploit trust, urgency, and the absence of any reliable way to verify identity through email. The attack surface is the inbox itself.
Who Is Most at Risk
BEC affects businesses of every size and sector, but law firms, accountancy practices, real estate teams, financial advisors, and family offices face disproportionate exposure. Each regularly handles large financial transactions, works with multiple external parties, coordinates under time pressure, and manages almost all of it over email. The combination of high transaction values and email-based coordination creates near-ideal conditions for fraud. The attack surface is not exotic. It is the inbox every member of staff opens each morning.
The Process Problem
Most organisations respond to BEC risk with training. Staff are taught to spot phishing emails, to verify unusual requests by phone, to check sender addresses carefully. These measures help. But they treat the symptom rather than the cause.
The cause is a process that places email at the centre of financial relationships – as the channel through which banking details are shared, payment instructions issued, and approvals confirmed. As long as that process remains in place, the risk remains. You cannot train your way out of a structural vulnerability.
The phone verification workaround – call the supplier to confirm the bank change – is better than nothing, but it is not a solution. Call numbers can be spoofed. Verification calls can be intercepted. And in practice, under time pressure, with a long-standing supplier, the call often doesn’t happen.
What is needed is not a better workaround. It is a different process entirely.
What a Secure Financial Communication Channel Looks Like
The principle is straightforward: remove email from the interactions where identity, integrity, and accountability matter most – and replace it with a channel where all three are guaranteed by design. That channel needs to keep documents and the conversations about them together, in the same verified environment, so that neither can be separated, spoofed, or tampered with independently. A secure file share solves half the problem. A secure channel with integrated, authenticated messaging solves it properly – because the instruction and the document it refers to are inseparable, both protected, both traceable back to a verified identity.
Document integrity, not document trust
Most approaches to secure document sharing focus on the file itself. But in a real financial interaction, the document is rarely the whole story. Banking details arrive in an attachment, but the instruction to action them comes in the message thread. A payment request is a PDF, but the approval happens in the reply chain.
When documents and messages travel separately, through different systems with different security postures, the integrity of one tells you nothing about the integrity of the other. A fraudster doesn’t need to tamper with the PDF. They just need to tamper with the message telling you what to do with it.
A secure channel that keeps documents and conversations together – in the same verified, encrypted environment – closes that gap. Both parties can see not just what was sent, but what was said about it, who said it, and when. The document and its context are inseparable. Neither can be altered without detection. That is a fundamentally different proposition to a secure file share. It is the difference between protecting a document and protecting a relationship.
A permanent, closed connection
Unlike email, which is open by design, a secure B2B channel is closed. Both businesses connect directly – peer to peer – through a verified, authenticated environment. Financial instructions, banking detail changes, and invoice submissions flow through this channel rather than email. The right people on both sides have access. The wrong people never do. When a contact leaves, access is revoked. There is no notification email to spoof, no link to intercept, and no anonymous access point for an attacker to exploit. The channel becomes the trusted infrastructure for the financial relationship – stable, verified, and permanent. An attacker who cannot insert themselves into a channel that does not use email has nowhere to go.
Enforced approval workflows
High-value financial actions – changes to banking details, payment authorisations, new supplier registrations — should require multiple verified sign-offs before they can proceed. An enforced approval workflow, with an identity-verified audit trail, makes it structurally impossible for a single fraudulent instruction to move money without challenge. The control is built into the process, not bolted on as a reminder.
The audit trail that protects you after the fact
Even with the best controls in place, the question of what happened – and when, and who authorised it – will eventually arise. In a fraud investigation, an insurance claim, or a regulatory inquiry, the ability to produce a clear, immutable record of every communication, document access, and approval in a financial relationship is not just useful. It is often decisive.
A purpose-built secure channel maintains a complete log: who sent which message, who accessed which document, what was approved, and by whom. Conversations and documents are part of the same record – not separate systems that have to be manually reconciled. When you need to demonstrate what happened, it is all there, in sequence, tied to verified identities.
Moving Forward
The firms that will reduce their exposure to BEC are not the ones with the best spam filters or the most rigorous staff training programmes. They are the ones that change the process – that move the financial interactions that matter most out of the inbox and into a channel where identity is verified, integrity is guaranteed, and accountability is built in by design.
Every payment instruction that travels through email is a risk. Every banking detail shared in an attachment is an exposure. Every conversation about a financial decision happening across open inboxes is a vulnerability waiting to be exploited. The document and the conversation around it are equally dangerous when they are unprotected – and equally valuable to an attacker who can manipulate either one.
The best defence against email fraud is a process that doesn’t depend on email.



