The Foresight Lab
Issue 06Business email compromise (BEC)

The invoice with new banking details

One spoofed email changes a vendor's bank account — and your customer's accounts-payable team wires six figures straight to a fraudster.

Jul 20, 2026 3 min read

What we're seeing

Business email compromise is among the costliest fraud categories by dollar loss. The classic play: an attacker spoofs or compromises a vendor's (or an executive's) email and sends an urgent note — 'we've updated our banking details, please use this account for the next payment.'

The accounts-payable team, seeing a familiar sender and a real outstanding invoice, updates the payee and pays. Nothing was hacked on the bank's side; the deception happened entirely inside the customer's inbox.

Why your current stack misses it

  • The payment is fully authorized by a legitimate business customer using valid credentials — from the bank's view it's an ordinary commercial wire to a new beneficiary.
  • The fraud happened upstream, in the customer's email, where transaction rules can't see it.

The signal pattern

  • A recurring vendor payment suddenly redirected to a brand-new beneficiary account.
  • The beneficiary bank or account just changed — often to a different bank or region than prior payments to that payee.
  • Urgency timed to a real invoice due date.
  • A young beneficiary account, or one receiving redirected payments from multiple unrelated business payers.

What you'd do Monday morning

  • For commercial wires, flag changes to an established payee's banking details and confirm by callback to a known number — not the one printed on the new invoice.
  • Compare the new beneficiary against the payee's historical settlement account.
  • Coach AP-heavy business customers on a verbal, dual-channel verification policy.
Now you try

Spot the Fraud

Read the case. Make the call. See how you score against The PreCogs.

Spot the Fraud
FL-06

A long-standing business customer wires a six-figure vendor payment — but to a beneficiary account that differs from every prior payment to that same vendor. Clear it, or hold it?

Customerestablished business, 8-yr relationship
Payment$214,000 commercial wire to 'Meridian Supply Co.'
Payee history11 prior payments to Meridian, all to a different account/bank
Changebeneficiary bank and account updated 1 day ago via emailed invoice
Timinginvoice due tomorrow, marked 'urgent — updated remittance'
Beneficiary acctopened 6 weeks ago, different state
Authorizationvalid AP user, correct credentials, normal device
Othersame new account receiving wires from 2 unrelated companies this week
Your call?
No noise. One sharp briefing a week.

Get the Foresight Lab in your inbox.

One fraud pattern, decoded, every week — plus the Spot the Fraud challenge. Built for fraud, BSA, and risk teams. Unsubscribe any time; we read every reply.

One email a week. No spam. Or email us at info@digsfact.com.