Xact IT Solutions
Vendor Email Compromise: How a 25-Person Company Loses a Wire Transfer It Never Saw Coming


Vendor email compromise does not announce itself. It arrives looking like a routine invoice from a supplier your accounts payable team has paid a dozen times before. By the time anyone realizes what happened, the wire has cleared, the attacker has vanished, and your 25-person company is staring at a loss that most commercial insurance policies fight hard not to cover. This post reconstructs how a vendor email compromise attack works – from first contact to final wire transfer – identifies every point where it could have been stopped, and explains why small and mid-sized businesses absorb these losses far more often than large ones.

  1. What Is Vendor Email Compromise and How It Differs from Classic BEC
  2. The Threat Landscape: What the Numbers Actually Say
  3. Who It Affects: Why a 25-Person Company Is a Perfect Target
  4. The Anatomy of the Attack: Stage by Stage
  5. Real Examples: When Vendor Impersonation Made Headlines
  6. Where It Could Have Been Stopped: A Process Audit
  7. Defense Posture: What a Hardened AP Environment Looks Like
  8. What to Ask Your IT Firm

What Is Vendor Email Compromise and How It Differs from Classic BEC

Business email compromise (BEC) is the broad category. The FBI’s 2023 Internet Crime Report recorded $2.9 billion in adjusted losses from BEC complaints in that year alone – the single costliest cybercrime category the IC3 tracks. Most people picture the CEO-fraud variant: an attacker spoofs the chief executive’s email and pressures a finance employee to wire money fast. That attack is real and it still works.

Vendor email compromise is a more sophisticated variant. Instead of impersonating an internal executive, the attacker impersonates an external vendor your company already has an established payment relationship with. That distinction matters psychologically and procedurally. An invoice from a known vendor does not trigger the same alarm as a frantic message from a CEO you can walk down the hall to verify with. The attacker is counting on normalcy to do the work.

The mechanics are different too. Classic BEC often relies on spoofed display names or lookalike domains. Vendor email compromise frequently involves an actual account takeover – either of your vendor’s email system or your own. When the attacker sends a fraudulent invoice from the vendor’s real email address, every technical filter you have passes it through as legitimate mail.

The Threat Landscape: What the Numbers Actually Say

[Image: a computer monitor displaying an email inbox with a suspicious vendor message highlighted, the moment of initial compromise before any action is taken.]

The FBI IC3’s 2023 annual report identified BEC as the top cybercrime category by financial loss for the fifth consecutive year. The Cybersecurity and Infrastructure Security Agency (CISA) notes that BEC attacks have hit organizations in all 50 states and more than 177 countries. Vendor email compromise is the fastest-growing variant precisely because it weaponizes trust in existing payment relationships rather than manufacturing new ones.

Losses per incident are rising. The average wire transfer loss in a BEC attack climbed to approximately $137,000 in 2023 according to FBI data, but vendor impersonation schemes targeting mid-market companies routinely cross six figures before a single red flag surfaces. Recovery rates are poor. The FBI’s financial fraud recovery program – which coordinates with banks to attempt clawbacks – succeeded in only a fraction of reported cases. For a 25-person company, a single successful attack is not a bad quarter. It can be an existential event.

Who It Affects: Why a 25-Person Company Is a Perfect Target

Enterprise organizations get targeted too, but they tend to have segregation of duties, formal vendor-change approval workflows, and dedicated treasury staff who have seen fraud attempts before. A 25-person company is a fundamentally different environment.

At that size, the person who opens invoices is often the same person who approves them and initiates the wire. There is no second set of eyes built into the process. The CFO title may belong to the founder, who is also handling three other roles. Vendor management is informal. Payment details get updated based on a single email because nobody has written a policy that says otherwise.

Attackers know this. They conduct reconnaissance before approaching. They study your website, your LinkedIn company page, your SEC filings if applicable, and any press releases that mention your vendors or partners. By the time the fraudulent invoice arrives in AP, the attacker already knows who your bookkeeper is, which accounting software you use, your payment cadence, and approximately how large your typical invoices are.

The Anatomy of the Attack: Stage by Stage

Stage 1 – Reconnaissance (Days 1 through 14)

The attacker begins with open-source intelligence gathering. Your company website lists your leadership team. LinkedIn identifies the bookkeeper or office manager who handles AP. Job postings for finance roles reveal which accounting platform you use. Press releases or vendor testimonials on your vendors’ websites confirm the business relationship. None of this requires technical skill. It is research, done from a browser.

Stage 2 – Initial Access (Days 15 through 21)

There are two paths here, and sophisticated actors often pursue both. The first is a phishing campaign targeting an employee at your vendor’s company. A convincing email leads someone on their AP or sales team to enter credentials on a fake login page. The attacker now has legitimate access to that vendor’s email environment – and can read real invoice threads, understand your payment relationship, and time the attack precisely.

The second path targets your own company. Your bookkeeper receives a phishing email that captures their Microsoft 365 or Google Workspace credentials. The attacker reads inbound vendor correspondence for weeks without sending a single message, building a complete picture of your payment cadences and open invoices.

Stage 3 – Insertion and Manipulation (Days 22 through 30)

Now the attacker acts. If they compromised your vendor’s account, they reply to an active invoice thread from the real address, noting that the vendor has changed banks and requesting that future payments go to the new account. If they compromised your bookkeeper’s account, they forward vendor invoices internally – subtly altering the PDF to swap routing and account numbers before it reaches the approver.

The manipulated invoice often looks perfect. It has the right logo, the right formatting, the correct invoice number for that billing period, and the correct amount. The only thing that changed is the nine digits in the payment instructions.

Stage 4 – Urgency and Social Engineering (Days 30 through 32)

Forty-eight hours before the typical payment window closes, the attacker sends a courteous reminder. The language mirrors your vendor’s normal tone because the attacker has been reading that vendor’s emails for weeks. Sometimes light urgency is introduced – a note that the old account is being closed, or that a late fee applies. Nothing dramatic. The goal is to move things along without triggering alarm.

Stage 5 – Wire Transfer and Exit (Days 33 through 34)

Your AP employee initiates the wire. The funds land in an intermediary account – typically at a small domestic bank or a crypto exchange – and are moved within hours. Domestic-to-international transfers are common. Attempts to reverse the payment after the fact run into an unpleasant reality: wire transfers are not credit card charges. Once the money moves, clawback depends entirely on timing, bank cooperation, and law enforcement speed.

Stage 6 – Discovery (Days 34 through 60)

Discovery usually happens when the real vendor follows up on a genuinely past-due invoice. That conversation is the first moment either company realizes what occurred. By then, the window for financial recovery through the banking system has almost certainly closed.

Real Examples: When Vendor Impersonation Made Headlines

The most cited large-scale case remains the Facebook and Google fraud from 2013 through 2015, in which a Lithuanian national impersonated a Taiwanese hardware manufacturer and induced both companies to wire more than $100 million through fraudulent invoices. The attacker was eventually caught, but that case established the blueprint that mid-market attackers now execute at smaller scale with far less scrutiny.

More relevant to smaller organizations is the pattern documented in FBI IC3 complaints from 2022 and 2023, where construction companies, professional services firms, and healthcare practices in the $5 million to $50 million revenue range were targeted through contractor and supplier impersonation. The common thread across every case: no callback verification to a known phone number, no multi-person approval for bank detail changes, and no email authentication controls that would have flagged domain manipulation where it existed.

Justice Department enforcement actions in 2023 against business email compromise networks operating out of West Africa and Eastern Europe confirmed that these groups function as organized businesses – with dedicated roles for reconnaissance, phishing, money mule management, and fund movement. This is not opportunistic crime. It is a production process aimed at companies exactly the size of yours.

Where a Vendor Email Compromise Attack Could Have Been Stopped: A Process Audit

Looking back at the six stages above, there are at least eight distinct points where a different control would have broken the attack chain.

  • Phishing that captured credentials (Stage 2): Multi-factor authentication on every email account. A credential entered on a fake login page is useless if a one-time code is required to complete access.
  • Attacker reading live email threads undetected (Stage 2): Conditional access policies and login anomaly alerts surface a login from an unfamiliar country or device within minutes.
  • Fraudulent reply from the vendor’s real address (Stage 3): A written policy requiring a voice call to a verified phone number before any payment instruction change takes effect costs nothing and stops this vector completely.
  • Altered PDF forwarded internally (Stage 3): Secure document workflows that enforce PDF integrity checking – or a rule that invoice PDFs must originate from a vendor portal rather than email – close this door entirely.
  • No second approval on wire initiations (Stage 5): Dual control on wire transfers above a defined threshold – one person initiates, a different person approves – is a banking best practice that many small businesses skip because it feels like friction. It is not friction. It is a firewall.
  • Bank account change accepted via email alone (Stage 3): A vendor master file policy requiring written approval plus verbal confirmation before any payment detail is modified is the single highest-return control on this list.
  • No email authentication on inbound mail (Stage 3): SPF, DKIM, and DMARC records on your domain and your vendors’ domains reduce lookalike-domain attacks substantially. They do not stop account takeover attacks, but they eliminate the low-effort spoofing that runs alongside them.
  • No anomaly detection on outbound wire traffic (Stage 5): A bank that supports real-time transaction monitoring alerts – or an internal rule that flags first-time payees above a threshold – would catch a payment to an account that has never received money from your company before.
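To make the email authentication item concrete, here is an added example (not code from the original post or from Xact IT Solutions) that evaluates DMARC for a message the way a receiving mail server does: it parses a DMARC TXT record, checks whether the SPF and DKIM results are aligned with the visible From: domain, and returns the disposition. The vendor domain, both records and the messages are constructed, and the organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List. It shows the caveat the list item makes: a message spoofing the vendor's domain is rejected under p=reject but delivered under p=none, while mail from a genuinely compromised vendor mailbox carries the vendor's own valid signature and passes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed records for a hypothetical vendor domain (not real DNS data).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@vendor.example"
HARDENED_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@vendor.example"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tag=value pairs, filling in the
    RFC 7489 default (relaxed) for the alignment modes when absent."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification for the example: the last two
    labels; a real receiver consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Is an authenticated (SPF or DKIM) domain aligned with the From: domain?"""
    if auth_domain is None:
        return False
    if mode == "s":  # strict alignment: exact match
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)  # relaxed


@dataclass
class Message:
    header_from: str            # domain in the visible From: header
    spf_domain: Optional[str]   # envelope-from domain if SPF passed, else None
    dkim_domain: Optional[str]  # d= of a passing DKIM signature, else None


def dmarc_disposition(record: str, msg: Message) -> Tuple[bool, str]:
    """Evaluate DMARC for one message against the From-domain's policy.
    Returns (dmarc_pass, receiver_action)."""
    tags = parse_dmarc(record)
    spf_ok = aligned(msg.header_from, msg.spf_domain, tags["aspf"])
    dkim_ok = aligned(msg.header_from, msg.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, action[tags["p"]]


# Constructed scenarios. The spoof passes SPF for the attacker's own bounce
# domain, which is not aligned with vendor.example, so DMARC fails.
SPOOFED = Message("vendor.example", "bulk-sender.example", None)
# Mail sent from a compromised vendor mailbox carries the vendor's valid DKIM
# signature, so it passes: DMARC does not see an account takeover.
COMPROMISED_ACCOUNT = Message("vendor.example", "vendor.example", "vendor.example")

if __name__ == "__main__":
    for label, record in (("p=none", WEAK_RECORD), ("p=reject", HARDENED_RECORD)):
        for name, msg in (("spoof", SPOOFED), ("takeover", COMPROMISED_ACCOUNT)):
            print(label, name, dmarc_disposition(record, msg))
```

Running it prints all four combinations. The record being enforced is always that of the domain in the From: header, so what this catches is mail claiming the vendor's exact domain without the vendor's own authentication; a compromised real mailbox signs with the real key and passes, which is why the callback rule in the next section, not DNS, is the control for that case.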

Defense Posture: What a Hardened AP Environment Looks Like

A hardened accounts payable environment at a 25-person company does not require a large security team. It requires well-enforced technical controls and a small number of process rules that never get skipped regardless of deadline pressure.

On the technical side, the foundation is identity security. Every email account – yours and ideally your key vendors’ – should require multi-factor authentication. Conditional access policies should block logins from unexpected geographies or devices. Email authentication records should be configured and monitored. Endpoint protection should cover every device that touches financial systems, including the personal laptop your bookkeeper uses at home.

On the process side, the most powerful single control against vendor email compromise is the callback rule: any change to a vendor’s payment details triggers a mandatory phone call to a number already stored in your vendor master file before the change takes effect. Not a reply email. A phone call to a number you already have on file. This one rule, consistently enforced, neutralizes the most common insertion technique used in vendor email compromise attacks – because it requires out-of-band verification that an attacker controlling the email channel cannot intercept.

Layered on top of that: dual control on all outbound wires above a threshold your company sets based on typical invoice sizes. A first-time-payee alert from your bank. Quarterly review of your vendor master file to confirm no payment details were changed without documentation. Annual security awareness training that includes specific invoice fraud scenarios – not just phishing awareness in the abstract.
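The callback rule, dual control and first-time-payee alert described in the process audit list and in the two paragraphs above fit into a small release gate. The following is an added example, not the post's or Xact IT Solutions' code: a vendor master file, a bank-detail change that only applies after a call to the number already on file plus written approval, and a wire check that blocks a destination the master file does not know, holds a first-time payee above a threshold, and requires the approver to be a different person from the initiator. The vendor, phone number, account identifiers, thresholds and staff names are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed thresholds; a real company sets these from its typical invoice sizes.
DUAL_CONTROL_THRESHOLD = 10_000.00
FIRST_TIME_PAYEE_THRESHOLD = 2_500.00


@dataclass
class VendorRecord:
    name: str
    bank_account: str        # payment destination currently on file
    phone_on_file: str       # verified number from the master file, never from an email
    paid_accounts: List[str] = field(default_factory=list)  # destinations paid before


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_via: str                  # "email", "vendor portal", ...
    callback_number: Optional[str]      # number AP actually called back, if any
    written_approval_by: Optional[str]  # who signed off on the change, if anyone


@dataclass
class WireRequest:
    vendor: str
    amount: float
    destination_account: str
    initiated_by: str
    approved_by: Optional[str]


def build_master_file() -> Dict[str, VendorRecord]:
    """Constructed vendor master file for the example."""
    return {"Acme Supply": VendorRecord("Acme Supply", "ACCT-1001", "+1-555-0100", ["ACCT-1001"])}


def apply_bank_change(master: Dict[str, VendorRecord], req: BankChangeRequest) -> List[str]:
    """Callback rule: payment details change only after a call to the number
    already on file plus written approval. Returns the blocking problems; the
    master file is updated only when the list is empty."""
    problems: List[str] = []
    vendor = master.get(req.vendor)
    if vendor is None:
        return ["unknown vendor"]
    if req.callback_number != vendor.phone_on_file:
        problems.append("no callback to the phone number on file (numbers supplied in the email do not count)")
    if not req.written_approval_by:
        problems.append("no written approval recorded")
    if not problems:
        vendor.bank_account = req.new_account
    return problems


def check_wire(master: Dict[str, VendorRecord], req: WireRequest) -> List[str]:
    """Release gate for an outbound wire. An empty list means the wire may go."""
    problems: List[str] = []
    vendor = master.get(req.vendor)
    if vendor is None:
        return ["unknown vendor"]
    if req.destination_account != vendor.bank_account:
        problems.append("destination differs from the vendor master file")
    if req.destination_account not in vendor.paid_accounts and req.amount > FIRST_TIME_PAYEE_THRESHOLD:
        problems.append("first-time payee above threshold: hold for manual review")
    if req.amount > DUAL_CONTROL_THRESHOLD:
        if not req.approved_by:
            problems.append("dual control: no second approver")
        elif req.approved_by == req.initiated_by:
            problems.append("dual control: initiator may not approve their own wire")
    return problems


def release_wire(master: Dict[str, VendorRecord], req: WireRequest) -> bool:
    """Release the wire if the gate passes, recording the destination as paid."""
    if check_wire(master, req):
        return False
    master[req.vendor].paid_accounts.append(req.destination_account)
    return True


if __name__ == "__main__":
    master = build_master_file()
    # 1. Fraudulent "we changed banks" email: no callback, so the file is untouched.
    print(apply_bank_change(master, BankChangeRequest("Acme Supply", "ACCT-9999", "email", None, None)))
    # 2. The wire drafted from that email fails on three controls at once.
    print(check_wire(master, WireRequest("Acme Supply", 18_400.00, "ACCT-9999", "pat", "pat")))
    # 3. A legitimate change done by the book, then its first payment is held.
    print(apply_bank_change(master, BankChangeRequest("Acme Supply", "ACCT-2002", "email", "+1-555-0100", "cfo")))
    print(check_wire(master, WireRequest("Acme Supply", 18_400.00, "ACCT-2002", "pat", "cfo")))
```

The first-time-payee hold is deliberately not clearable from code: a person reviews it and, once a payment to the new account has actually gone out, the account joins `paid_accounts` and later wires to it pass the check.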

A well-managed IT environment also means someone is watching your email platform for anomalies. Silent access by an attacker who has compromised credentials but has not yet acted is detectable. Login geography, device fingerprinting, and forwarding rule audits are all capabilities built into Microsoft 365 and Google Workspace that most small businesses never configure. They sit dormant until someone activates and monitors them. You can read more about how proactive monitoring and policy enforcement address these gaps on our cybersecurity services page.
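The dormant capabilities mentioned above (forwarding-rule audits, login geography) come down to a few checks over data the platform already exports. As an added example, not from the post or from any platform's own tooling, here is a small audit over constructed inbox rules and sign-in events: it flags rules that forward mail outside the company domain, rules that delete or bury finance-related mail, rules with blank or punctuation-only names, and successful sign-ins from a country absent from the user's baseline. The company domain, users, rule records, and the list of folders commonly used to hide mail are assumptions, and the record shape is a simplification rather than the real Exchange Online or Google Workspace export format.

```python
from typing import Dict, List, Set

COMPANY_DOMAIN = "example-smb.test"  # assumed company mail domain
FINANCE_TERMS = {"invoice", "payment", "wire", "remittance", "ach", "bank"}
# Folders that mail-hiding rules commonly target (assumed list for the example).
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History",
                  "Junk Email", "Deleted Items", "Archive"}

# Constructed sample records. The dict shape is a simplification, not the
# real export format of Exchange Online or Google Workspace.
INBOX_RULES = [
    {"user": "pat@example-smb.test", "name": "File invoices",
     "subject_contains": ["invoice"], "forward_to": [],
     "move_to": "AP", "delete": False},
    {"user": "pat@example-smb.test", "name": ".",
     "subject_contains": ["invoice", "payment", "wire"],
     "forward_to": ["collector@mail-drop.example"],
     "move_to": "RSS Subscriptions", "delete": True},
    {"user": "sam@example-smb.test", "name": "Newsletters",
     "subject_contains": ["newsletter"], "forward_to": [],
     "move_to": "Reading", "delete": False},
]

# Countries each user signed in from over a prior baseline period (constructed).
KNOWN_COUNTRIES: Dict[str, Set[str]] = {
    "pat@example-smb.test": {"US"},
    "sam@example-smb.test": {"US", "CA"},
}

SIGNINS = [
    {"user": "pat@example-smb.test", "country": "US", "success": True, "ts": "2024-03-01T13:02:00Z"},
    {"user": "pat@example-smb.test", "country": "NG", "success": False, "ts": "2024-03-02T02:11:00Z"},
    {"user": "pat@example-smb.test", "country": "NG", "success": True, "ts": "2024-03-02T02:14:00Z"},
    {"user": "sam@example-smb.test", "country": "CA", "success": True, "ts": "2024-03-02T09:30:00Z"},
]


def is_external(address: str) -> bool:
    """True when a forwarding target lies outside the company domain."""
    return not address.lower().endswith("@" + COMPANY_DOMAIN)


def audit_inbox_rules(rules: List[dict]) -> List[str]:
    """Flag the rule patterns that follow a mailbox takeover: external
    forwarding, finance mail deleted or buried, and unnamed rules."""
    findings: List[str] = []
    for r in rules:
        who, name = r["user"], r["name"]
        finance_hits = sorted(t for t in r["subject_contains"] if t.lower() in FINANCE_TERMS)
        external = [a for a in r["forward_to"] if is_external(a)]
        if external:
            findings.append(f"{who}: rule {name!r} forwards mail outside {COMPANY_DOMAIN} to {external}")
        if finance_hits and (r["delete"] or r["move_to"] in HIDING_FOLDERS):
            findings.append(f"{who}: rule {name!r} hides finance mail matching {finance_hits} "
                            f"(move_to={r['move_to']!r}, delete={r['delete']})")
        if not name.strip(" .,-_"):
            findings.append(f"{who}: rule with a blank or punctuation-only name {name!r}")
    return findings


def audit_signins(events: List[dict], known: Dict[str, Set[str]]) -> List[str]:
    """Flag successful sign-ins from a country absent from the user's baseline."""
    findings: List[str] = []
    for e in events:
        baseline = known.get(e["user"], set())
        if e["success"] and e["country"] not in baseline:
            findings.append(f"{e['user']}: successful sign-in from {e['country']} at {e['ts']} "
                            f"(baseline: {sorted(baseline)})")
    return findings


if __name__ == "__main__":
    for line in audit_inbox_rules(INBOX_RULES) + audit_signins(SIGNINS, KNOWN_COUNTRIES):
        print(line)
```

Against the sample data the rule audit flags the second rule three times and nothing else, and the sign-in audit flags only the successful login from the new country; the failed attempt before it is left to the failed-login counters. Run on a schedule, the same checks are what turns the silent-access window described above into an alert.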

The six-stage vendor email compromise attack chain – each stage is a distinct opportunity to detect and interrupt the fraud before funds move.

What to Ask Your IT Firm About Vendor Email Compromise

If you currently work with an IT provider – or are evaluating one – the following questions will tell you quickly whether vendor email compromise and invoice fraud are within their operational scope or outside it.

  • Have you audited our email authentication records – SPF, DKIM, and DMARC – and are you monitoring them for changes?
  • Are conditional access policies active on our Microsoft 365 or Google Workspace environment, and do we receive alerts on anomalous logins?
  • Do you review our email platform’s forwarding rules and delegate access settings on a regular schedule? If so, how often?
  • Can you show me the last time you confirmed that every device touching our financial systems is covered by endpoint protection?
  • Have you worked with clients on security awareness training that specifically covers invoice fraud and vendor impersonation?
  • If an attacker gained access to our bookkeeper’s email today and was reading messages silently, how quickly would you detect it – and what would trigger the alert?

An IT firm that cannot answer these questions specifically and confidently is not operating at the level vendor email compromise demands. The attack described in this post is not exotic. It is repeatable, it is scalable, and it is being executed right now against companies your size. The firms that avoid it are not lucky – they have built environments where the attack chain has nowhere to go.

Vendor email compromise works because it exploits the gap between how trustworthy a business relationship feels and how little technical or procedural friction sits between a fraudulent invoice and a cleared wire. Closing that gap is not a large investment. It is a set of decisions: enforce multi-factor authentication, write a callback policy, enable the monitoring your email platform already supports, and make sure your IT provider is actually watching. The companies that get hit are almost always the ones where at least one of those decisions was deferred.

If you want a direct conversation about where your environment stands, Book a Free Cybersecurity Strategy Call. We will tell you exactly what we see – no pressure, no obligation.

For a broader look at how proactive monitoring and policy enforcement protect businesses from payment fraud and related threats, explore our managed IT services page.

Copyright © 2026. Website Design by Xact IT Solutions