Understanding Business Email Compromise (BEC) and How to Prevent It

The disconnect between best practice and actual practice creates a dangerous gap, one that BEC exploits with devastating consequences.

"Never send wire transfer instructions via email."

Banks and financial institutions have been giving this advice for years. Yet every day, thousands of organizations continue to share sensitive financial information through email. This disconnect between what we know we should do and what we actually do has created a perfect opportunity for cybercriminals—one they're exploiting through Business Email Compromise (BEC) attacks.

The Contradiction at the Heart of Financial Transactions

Email remains the default communication tool for nearly every high-value transaction, from municipal bond issuances to real estate closings to vendor payments. We use it for everything: contract negotiations, payment approvals, and yes, wire transfer instructions.

Why? Because it's convenient, familiar, and universal. Everyone has email. Not everyone has specialized secure communication platforms.

But this convenience comes at a tremendous cost. The FBI reports that BEC attacks have cost organizations over $43 billion globally since 2016, with the number of incidents growing each year. For municipalities and financial institutions handling public funds, the stakes are particularly high—not just financially, but in terms of public trust.

What Exactly Is Business Email Compromise?

BEC is a form of targeted email fraud where attackers impersonate trusted figures to trick recipients into taking actions that benefit the criminals—usually transferring money or sharing sensitive information.

Unlike mass phishing campaigns that cast a wide net hoping to catch a few victims, BEC attacks are precision strikes. Attackers research their targets, learning about organizational structures, ongoing projects, payment processes, and communication styles. They then craft highly customized, convincing messages that exploit established trust relationships.

Common BEC tactics include:

Executive Impersonation
An email appears to come from a high-ranking official (like a mayor or finance director) requesting an urgent, confidential wire transfer. The sender creates pressure by emphasizing the sensitive nature of the transaction and the need for immediate action.

Vendor/Supplier Manipulation
Attackers pose as established vendors and send emails requesting updates to payment information. These often coincide with actual payment cycles, making them seem legitimately timed.

Legal Representative Spoofing
Criminals impersonate attorneys or legal advisors, especially during transactions like closings or settlements, providing fraudulent wire instructions at critical moments.

Account Compromise
Rather than spoofing an email address, attackers gain direct access to legitimate email accounts through phishing or credential theft. They then send authentic-looking messages from these compromised accounts.


Why BEC Succeeds Where Other Attacks Fail

Business Email Compromise attacks are particularly effective because they exploit fundamental aspects of how organizations operate:

Trust in Established Relationships
When you've been working with a vendor or colleague for years, you naturally trust communications from them. BEC attacks leverage this trust.

The Authority Effect
Requests from senior officials carry implicit authority. Most employees are conditioned to respond quickly to executive requests, especially those marked as urgent.

Transaction Complexity
Major financial transactions often involve multiple parties, tight deadlines, and last-minute changes—creating the perfect environment for fraudsters to insert themselves without raising suspicion.

Email's Inherent Weakness
Email was designed for communication, not security. Even with modern security measures, it lacks robust identity verification capabilities.

Real-World Examples: When Municipalities Become Targets

BEC attackers don't just target corporations—they're increasingly focusing on municipalities and government agencies, which often combine substantial financial resources with less sophisticated security measures.

The Diverted Infrastructure Payment
A county government managing a highway expansion project received what appeared to be an email from their primary contractor. The message informed them of "banking changes due to a corporate restructuring" and provided new wire instructions. The county transferred $1.7 million to what turned out to be a fraudulent account. By the time they discovered the error, the funds had been moved through multiple offshore accounts and couldn't be recovered.

The School Construction Fraud
A school district fell victim when attackers impersonated a construction company working on a new elementary school. The criminals timed their attack perfectly—sending fraudulent wire instructions just as a major milestone payment was due. The district lost over $600,000, delaying the project and requiring emergency budget adjustments.

The Bond Closing BEC
During a municipal bond issuance, criminals compromised an underwriter's email account and monitored communications for weeks. On the closing date, they sent altered wire instructions from the legitimate email account. The municipality transferred millions to the fraudulent account, discovering the theft only when the funds didn't reach their intended destination.

These examples highlight a sobering reality: municipalities and financial organizations handling public funds are prime targets for BEC attacks, with potentially devastating consequences.

Traditional Prevention Strategies (And Why They Fall Short)

Organizations typically rely on several approaches to combat BEC:

Employee Training
Training staff to recognize suspicious emails is essential, but even the most vigilant employees can be fooled by sophisticated BEC attacks, especially when they come from compromised legitimate accounts.

Multi-Factor Authentication (MFA)
MFA adds an additional layer of security to email accounts, making them harder to compromise. However, it doesn't prevent email spoofing or protect against social engineering tactics.

Email Security Tools
Anti-phishing software and email filters can catch many suspicious messages, but sophisticated BEC attacks often bypass these defenses by using legitimate-looking domains or compromised accounts.

Verification Protocols
Many organizations implement callback procedures for verifying wire instructions. While effective in theory, these protocols are often bypassed due to time constraints or complacency.

While these measures help, they share a common flaw: they try to patch the vulnerabilities in email-based transactions rather than addressing the fundamental problem—that email was never designed for secure financial transactions.


Moving Beyond Email: A New Approach to Transaction Security

The most effective way to prevent BEC isn't to make email more secure—it's to stop using email for sensitive financial transactions altogether.

Basefund's Secure Transactions platform takes this approach, providing a purpose-built environment for handling high-value transactions without relying on vulnerable email systems.

How Secure Transactions Works:

Identity Verification
Every participant must complete robust identity verification before accessing transaction details, eliminating the impersonation risk that drives most BEC attacks.

Secure Communication Channel
All communications happen within the platform, not through email, preventing the insertion of fraudulent instructions at critical moments.

Account Ownership Verification
Receiving accounts undergo verification to confirm ownership before funds are transferred, adding a critical layer of protection.

Shared Visibility
Unlike the one-to-one nature of email, the platform provides appropriate visibility to all verified participants, making it impossible for attackers to target individuals without others noticing.

Complete Audit Trail
Every action within the platform is recorded in an unalterable audit trail, creating accountability that email simply cannot provide.

The Path Forward: Securing Transactions in a Digital World

Business Email Compromise will continue to evolve and threaten organizations as long as we rely on email for financial transactions. The fundamental vulnerabilities in email—its lack of robust identity verification and its susceptibility to compromise—cannot be fully resolved through traditional security measures.

For municipalities and financial institutions handling sensitive transactions, the solution isn't to make email more secure—it's to adopt purpose-built platforms designed specifically for high-value financial transactions.

By moving sensitive communications and payment instructions out of email and into secure environments like Basefund's Secure Transactions platform, organizations can effectively eliminate the threat of BEC while also streamlining their transaction processes.

The organizations that thrive in today's threat landscape will be those that recognize when existing tools are being pushed beyond their design limitations and adopt purpose-built solutions for their most sensitive operations.

Are you ready to move beyond email and secure your critical financial transactions? Request a demo of Basefund's Secure Transactions platform and discover how to protect your organization from the growing threat of Business Email Compromise.
