
Investigation Walkthrough: BEC Wire Fraud

A full walkthrough of a $430,000 BEC wire fraud from spoofed email through partial fund recovery

By Benjamin, Fraud Attacks

This walkthrough follows a single BEC wire fraud at "Meridian Manufacturing" from spoofed CFO email through partial recovery, with the controls that would have prevented each failure point. The pattern is the standard one in FBI IC3 reporting: three weeks of silent email compromise, a spoofed wire request to accounts payable, and dispersal through money mule accounts within hours.

A Routine Tuesday

Denise Yamamoto had processed over a thousand wire transfers in her three years at Meridian Manufacturing. She knew the rhythm: request comes in from procurement or finance, she verifies the approvals, checks the routing numbers, and sends it through. Routine.

The email arrived at 10:14 AM on a Tuesday. It came from Jeff Sorensen, Meridian's CFO, to Angela Park in accounts payable.

Angela - we're closing on the Hargrove acquisition today. Legal needs us to wire $430,000 to their escrow account ASAP. I've attached the wire instructions. Please process before noon. I'm in meetings all day so email me if you have questions. - Jeff

Angela forwarded the wire request to Denise with Jeff's email attached. The amount was large but not unusual for an acquisition closing. The instructions included a bank name, routing number, account number, and beneficiary name. Everything looked clean.

Denise checked the approvals. Jeff had authorized it via email. Angela had forwarded it per standard procedure. Two approvals. Threshold met.

She initiated the wire at 10:47 AM.

At 11:02 AM, the wire cleared.

At 2:30 PM, Jeff Sorensen walked past Angela's desk and asked about an unrelated invoice. Angela mentioned she'd processed his wire that morning. Jeff stopped walking.

"What wire?"

This story is fictional, but the patterns are real.

The Investigation Begins

Hour Zero: Confirming the Compromise

Denise's stomach dropped when Angela relayed Jeff's confusion. She pulled up the wire confirmation and showed it to Jeff. He'd never sent that email. There was no Hargrove acquisition.

The company's IT director, Paul Nakamura, was called in. He opened the email headers from the original message.

The "From" field showed jsorensen@meridianmfg.com, Jeff's actual address. But the headers told a different story. The email had originated from an IP address in Eastern Europe. The SPF check had failed. DKIM was absent. Meridian's DMARC policy was "none", meaning messages that failed authentication were delivered anyway.

Someone had spoofed Jeff's address. The email looked exactly like it came from inside the company because Meridian had never configured its email authentication to reject unauthorized senders.

But Paul found something worse. When he checked Jeff's actual email account, he discovered a forwarding rule: every email Jeff received was being silently copied to an external address. Someone had been inside Jeff's email for at least three weeks. The attacker had watched Jeff's communications, learned how he wrote, understood the approval workflows, and waited for the right moment.

Hour One: Contacting the Bank

Denise called Meridian's bank immediately. The wire had been sent to a domestic bank account at a regional institution in Florida. The bank's wire fraud team initiated a recall request.

But wire recalls aren't recalls in the credit card sense. The sending bank can ask the receiving bank to return the funds. The receiving bank has no obligation to comply. And the receiving bank can only return funds that are still in the account.

The receiving bank responded within two hours: $187,000 remained in the account. The rest had already been transferred out to three other accounts at different banks.

Hour Four: Mapping the Money

Meridian filed a report with the FBI's Internet Crime Complaint Center (IC3). An agent from the local field office contacted them the next day.

The investigation revealed the money trail:

| Time | Amount | Destination | Status |
| --- | --- | --- | --- |
| 11:02 AM (Day 1) | $430,000 | Florida account (Account A) | Wire received |
| 11:48 AM (Day 1) | $120,000 | Account B (Georgia) | Transferred out |
| 12:15 PM (Day 1) | $85,000 | Account C (Texas) | Transferred out |
| 1:30 PM (Day 1) | $38,000 | Account D (California) | Transferred out |
| 2:30 PM (Day 1) | $187,000 | Remaining in Account A | Frozen by bank |

Account A was opened three weeks before the wire, using a stolen identity. Accounts B, C, and D were money mule accounts: real people who'd been recruited through "work from home" job scams to receive and forward funds, keeping a small percentage as their "salary."

By the time law enforcement contacted the banks holding Accounts B, C, and D:

  • Account B had been emptied via ATM withdrawals and a cashier's check
  • Account C still held $62,000, which was frozen
  • Account D had been drained and the account closed

Total recovered: $249,000 out of $430,000. Meridian lost $181,000.

Where Things Went Wrong

Failure 1: No Email Authentication

Meridian's domain had DMARC set to p=none, which means "monitor but don't block." Every failed authentication check was logged but no emails were rejected. The spoofed email sailed right through.

If Meridian had configured DMARC to p=reject, the spoofed email would have been blocked by Angela's email server before it reached her inbox. This single configuration change would have prevented the entire attack. The same control gap is at the heart of the broader phishing campaign walkthrough.
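As an added illustration (not part of the original walkthrough), the Python below models the receiver-side decision just described: it parses a DMARC TXT record and shows how the same spoofed message (SPF failed, DKIM absent) is delivered under p=none but rejected under p=reject. Both records are constructed for the example, not Meridian's real DNS, and SPF/DKIM alignment is simplified to pass/fail flags.

```python
# Constructed DMARC records (assumptions for this example, not Meridian's DNS).
RECORD_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
RECORD_FIXED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_disposition(record, spf_aligned_pass, dkim_aligned_pass):
    """What a DMARC-enforcing receiver does with a message claiming this domain.

    Alignment is simplified to two flags: DMARC passes when either SPF or DKIM
    passes *and* aligns with the From: domain; otherwise the policy applies."""
    policy = parse_dmarc(record).get("p", "none")
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    if policy == "reject":
        return "reject"          # message never reaches the inbox
    if policy == "quarantine":
        return "quarantine"      # typically lands in the junk folder
    return "deliver"             # p=none: report only, delivered as normal


def spoofed_cfo_email(record):
    """The Meridian message as described: SPF failed, no DKIM signature."""
    return dmarc_disposition(record, spf_aligned_pass=False, dkim_aligned_pass=False)
```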

Failure 2: Email Compromise Went Undetected

The attacker had access to Jeff's email for three weeks. During that time, they set up a forwarding rule, studied communication patterns, learned about ongoing deals, and identified the right pretext. None of this triggered any alerts.

Meridian had no monitoring for email forwarding rule changes. No alerts for logins from unusual locations. No review of email audit logs. The attacker operated freely inside the CFO's mailbox. This is the same account takeover pattern that precedes most high-value BEC cases.
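The two missing detections named here (external forwarding rules and sign-ins from unexpected locations) are simple to express once mailbox audit logs are actually reviewed. The following Python is an added example, not code from the walkthrough: the audit events are constructed in a simplified shape (an assumption, not any vendor's exact schema), with operation names modelled on Exchange cmdlet names, and the forwarding target and IP address are placeholders.

```python
# Constructed mailbox audit events (an assumption for this example, not any
# vendor's exact schema). Operation names are modelled on Exchange cmdlet names.
INTERNAL_DOMAIN = "meridianmfg.com"
EXPECTED_COUNTRIES = {"US"}
FORWARD_KEYS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                "ForwardingSmtpAddress")

AUDIT_EVENTS = [
    {"time": "Day -21 02:13Z", "user": "jsorensen@meridianmfg.com",
     "operation": "UserLoggedIn", "country": "RO", "client_ip": "203.0.113.45"},
    {"time": "Day -21 02:15Z", "user": "jsorensen@meridianmfg.com",
     "operation": "New-InboxRule",
     "parameters": {"Name": ".", "ForwardTo": "collector@mail.example.net",
                    "MarkAsRead": "True"}},
    {"time": "Day -20 14:00Z", "user": "apark@meridianmfg.com",
     "operation": "New-InboxRule",
     "parameters": {"Name": "Vendors", "MoveToFolder": "Vendors"}},
]


def is_external(address):
    """True when the address is outside the company's own mail domain."""
    return "@" in address and not address.lower().endswith("@" + INTERNAL_DOMAIN)


def detect(events):
    """Return (severity, reason, event) alerts for the two gaps named above:
    forwarding to outside the company and sign-ins from unexpected countries."""
    alerts = []
    for ev in events:
        op = ev.get("operation")
        params = ev.get("parameters", {})
        if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            for key in FORWARD_KEYS:
                target = params.get(key)
                if target and is_external(target):
                    reason = f"{op} by {ev['user']} forwards mail to {target}"
                    # A blank or one-character rule name is a common sign the
                    # rule was meant to go unnoticed in the mailbox settings.
                    if len(params.get("Name", "")) <= 1:
                        reason += " (near-empty rule name)"
                    alerts.append(("high", reason, ev))
        elif op == "UserLoggedIn" and ev.get("country") not in EXPECTED_COUNTRIES:
            alerts.append(("medium",
                           f"{ev['user']} signed in from {ev['country']}", ev))
    return alerts
```

Angela's legitimate folder rule produces no alert; both of the CFO's events do.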

Failure 3: Single-Channel Verification

Angela received a wire request via email and verified it via the same email thread. The attacker controlled the email channel, so verification within that channel was meaningless.

Out-of-band verification (calling Jeff on his known phone number, walking to his office, sending a text) would have immediately revealed the fraud. But Meridian's wire approval process only required email authorization.

Failure 4: No Cooling-Off Period for New Payees

The wire was sent to a beneficiary Meridian had never paid before. A policy requiring a 24-hour delay for first-time wire recipients would have given Jeff time to return from his meetings and notice the request he never made.

Failure 5: Slow Response

The gap between the wire being sent (11:02 AM) and the fraud being discovered (2:30 PM) was three and a half hours. During that time, $243,000 was moved out of the receiving account. Every minute of delay cost money.

The Recovery Effort

What Worked

Immediate bank contact. Denise called the bank within minutes of discovering the fraud. This speed preserved $187,000 that was still in the initial receiving account.

IC3 filing. The FBI's Recovery Asset Team (RAT) was able to coordinate with the bank holding Account C and freeze the remaining $62,000 before it was withdrawn.

Wire recall request. While not guaranteed to succeed, the formal recall process created a paper trail and legal basis for the freezes.

What Didn't Work

Accounts B and D were emptied before law enforcement could act. Money mule accounts are designed to be drained quickly. The mules were instructed to withdraw funds within hours, typically converting to cryptocurrency through exchanges or kiosks, purchasing cashier's checks, or making in-person cash withdrawals at ATMs.

The attacker was never identified. The IP addresses traced to a VPN service. The stolen identity used to open Account A led nowhere. The email forwarding rule was the only forensic artifact, and it pointed to a disposable email address.

The mules were identified but provided little intelligence. Two of the three money mules were recruited through fake job ads on social media. They believed they were working for a "payment processing company." They'd been given instructions to receive transfers, withdraw cash, and forward it via cryptocurrency exchanges. They kept 8% as their "salary." They didn't know who they were working for. This kind of disposable mule layer is how the broader wire and ACH fraud machine cashes out, and it's why the first investigation walkthrough emphasizes the first 24 hours.

Timeline Summary

| Day | Event |
| --- | --- |
| Day -21 | Attacker compromises Jeff's email (likely via phishing or credential stuffing) |
| Day -21 to -1 | Attacker monitors Jeff's email, studies communication patterns, sets up forwarding rule |
| Day -3 | Attacker opens Account A using stolen identity |
| Day 0, 10:14 AM | Spoofed email sent to Angela requesting $430,000 wire |
| Day 0, 10:47 AM | Denise initiates the wire |
| Day 0, 11:02 AM | Wire clears |
| Day 0, 11:48 AM - 1:30 PM | $243,000 moved from Account A to mule accounts |
| Day 0, 2:30 PM | Jeff discovers the fraudulent wire |
| Day 0, 2:45 PM | Denise contacts the bank for recall |
| Day 0, 4:30 PM | $187,000 frozen in Account A |
| Day 1 | IC3 report filed, FBI Recovery Asset Team engaged |
| Day 2 | $62,000 frozen in Account C |
| Day 5 | Accounts B and D confirmed empty |
| Day 30 | $249,000 returned to Meridian. $181,000 loss finalized |

Lessons Learned

The Meridian case is a textbook BEC wire fraud. Every failure point was preventable, and the attack exploited structural weaknesses that exist in thousands of companies.

The four controls that would have prevented this:

  1. DMARC enforcement (p=reject) would have blocked the spoofed email before delivery
  2. Email compromise detection (alerts on forwarding rules, unusual logins) would have caught the attacker weeks earlier
  3. Out-of-band verification (phone call for any wire over $10,000) would have revealed the fraud before money moved
  4. New payee cooling-off period (24-hour hold for first-time recipients) would have given time for the fraud to surface
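Controls 3 and 4 (and Failures 3 and 4 above) can be enforced in code before a wire is released, rather than left to an individual's judgement under time pressure. The Python below is an added example, not Meridian's process or any product's API: it applies the $10,000 out-of-band threshold and the 24-hour first-time-payee hold to the Meridian request, treating email approvals as worthless for verification. The payee history, account keys and approver names are constructed.

```python
from dataclasses import dataclass

# Thresholds are the ones named in the controls above; everything else is constructed.
OOB_THRESHOLD = 10_000                   # phone verification for wires over $10,000
NEW_PAYEE_HOLD = 24 * 3600               # 24-hour hold for first-time recipients
TRUSTED_CHANNELS = {"phone", "in_person", "sms"}   # email deliberately excluded


@dataclass
class WireRequest:
    amount: int
    beneficiary: str        # normalised "routing:account" key (constructed values)
    approvals: list         # (approver, channel) pairs
    requested_at: int       # seconds since the request arrived


def evaluate(req, known_payees, now):
    """Return ("release", []) or ("hold", [reasons]) for a wire request.

    Email approvals never satisfy the out-of-band rule: whoever controls the
    mailbox also controls every reply in that thread."""
    reasons = []
    if req.amount > OOB_THRESHOLD:
        oob = [who for who, channel in req.approvals if channel in TRUSTED_CHANNELS]
        if not oob:
            reasons.append(f"over ${OOB_THRESHOLD:,}: needs out-of-band approval, "
                           f"only email approvals present")
    if req.beneficiary not in known_payees:
        hold_until = req.requested_at + NEW_PAYEE_HOLD
        if now < hold_until:
            reasons.append(f"first-time payee: held for review until t={hold_until}")
    return ("hold" if reasons else "release"), reasons


# Constructed payee history and the Meridian request as the story describes it.
KNOWN_PAYEES = {"RTN-1:ACCT-100", "RTN-2:ACCT-200"}
T0 = 0  # the 10:14 AM request; times below are seconds after it
MERIDIAN_REQUEST = WireRequest(
    amount=430_000, beneficiary="RTN-9:ACCT-ESCROW",
    approvals=[("jsorensen", "email"), ("apark", "email")], requested_at=T0)
# A genuine wire to a new payee, confirmed with Jeff by phone on his known number.
VERIFIED_REQUEST = WireRequest(
    amount=430_000, beneficiary="RTN-9:ACCT-ESCROW",
    approvals=[("jsorensen", "phone"), ("apark", "email")], requested_at=T0)
```

Evaluated at 10:47 AM (33 minutes in), the Meridian request is held for both reasons; the phone-verified request is still held until the 24 hours elapse, then released.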

The most painful lesson: $181,000 in losses could have been avoided with a single phone call. Angela could have walked thirty feet to Jeff's office. Instead, she followed a process that treated email as a trustworthy verification channel.

BEC attacks succeed not because the technology is sophisticated, but because the processes are weak. The attack exploits the gap between how quickly money moves and how slowly humans verify.

Key Takeaways

  • BEC is a process failure, not a technology failure. The attacker used basic email spoofing combined with account compromise. The technology to stop it existed. The policies didn't.
  • Speed determines recovery. The three-and-a-half-hour gap between the wire and discovery cost Meridian $181,000. Organizations that detect BEC within the first hour recover significantly more.
  • Wire transfers are irreversible by design. Unlike card payments, there's no chargeback mechanism. Once funds leave the account, recovery depends entirely on speed and cooperation from receiving banks.
  • Money mules are the cash-out layer. The stolen funds were dispersed to multiple mule accounts within hours. Each hop makes recovery harder and less likely.
  • Email authentication is table stakes. DMARC at p=reject is a free, effective control against domain spoofing. Every organization should implement it.

What's next: Review Wire Transfer & ACH Fraud for a deeper look at how wire fraud and ACH fraud patterns differ, and the controls that financial institutions use to detect them.

Key Terms

| Term | Definition |
| --- | --- |
| Business Email Compromise (BEC) | A fraud scheme where an attacker impersonates a company executive or trusted contact via email to trick employees into sending wire transfers or sensitive information |
| Email spoofing | Forging the sender address on an email to make it appear to come from a trusted source |
| DMARC (Domain-based Message Authentication, Reporting, and Conformance) | An email authentication policy that tells receiving servers whether to reject emails that fail SPF and DKIM checks |
| Wire recall | A request from the sending bank to the receiving bank to return wired funds; not guaranteed to succeed and depends on funds still being available |
| Money mule | A person who receives stolen funds and forwards them to other accounts, often recruited through fake employment schemes |
| IC3 (Internet Crime Complaint Center) | The FBI's online portal for reporting internet-related crimes, including wire fraud and BEC |
| Out-of-band verification | Confirming a request through a different communication channel than the one it arrived on, such as calling to verify an email wire request |