Security Awareness — Phishing & Social Engineering
A Message Arrives That Looks Like It’s From a Trusted Colleague. He Needs You to Approve an Urgent Wire Transfer Before the Bank Closes — Today. The Vendor Account Number Is Slightly Different Than Usual. “It’s Michael — I’ve Worked With Him for Three Years.” Is That Enough?
A real phishing and social engineering compliance scenario — with three decision options and the right answer. The attacker didn’t need to hack the system. They needed to know who Michael was.
Quick Answer
When a request appears to come from a trusted colleague seeking urgent financial authorization, what should an employee do before approving it, and does a long-standing working relationship provide sufficient assurance?
No — a working relationship is not sufficient assurance for financial authorization, and urgency is a deliberate manipulation tactic rather than a genuine business reason to bypass verification. Business Email Compromise (BEC) is the highest-cost cybercrime category in the FBI’s annual Internet Crime Report. The average BEC incident costs organizations over $120,000. BEC works specifically because it exploits trust — the attacker researches organizational relationships, impersonates a known contact, and uses urgency to prevent the verification step that would expose the fraud. The correct response is to verify through a separate channel before approving any financial transfer, regardless of how well the employee knows the apparent sender.
Business Email Compromise — The Numbers
The FBI’s Internet Crime Complaint Center reported $2.9 billion in BEC losses in 2023 — making it the highest-loss cybercrime category for the sixth consecutive year. BEC doesn’t require malware, hacking, or sophisticated technical attacks. It requires knowing the organizational chart well enough to impersonate a trusted contact, and understanding that urgency and authority suppress the verification instinct. Most BEC attacks are identified as fraudulent only after the transfer is completed. The verification step that the employee skips is the only control point that exists between a request and a completed fraud.
The Situation
An accounts payable specialist receives an email at 3:47 PM from Michael Chen, the company’s Director of Procurement. She has worked with Michael directly for three years — he frequently requests vendor payments and she recognizes his name, his email style, and his tendency to process things at the last minute. The email reads: “Hey — I need you to process a vendor payment before 5 PM today or we lose the discount. I’m in back-to-back meetings and can’t talk. The vendor updated their banking details last week — please use the new account number below. Amount is $47,200. Thanks — Michael.”
The email address in the “From” field looks like Michael’s address at a glance — but the domain reads m-chen@companyname-corp.com instead of the company’s actual domain. The account number in the email doesn’t match the one in the vendor record. The payment amount is within the range she processes regularly.
She’s already behind on her processing queue. Michael is always in meetings. The 5 PM deadline is in 73 minutes.
What Should the Accounts Payable Specialist Do?
Choice A: Process the payment. She knows Michael, the amount is routine, and the deadline is real. The account change is unusual but vendors update their banking details. She’s behind on her queue and doesn’t want to lose the company a discount over a procedural delay.
Choice B: Stop and verify through a separate channel before processing — call Michael directly on his known mobile or office number (not a number provided in the email), confirm he sent the request, confirm the account change, and confirm the deadline. Do not process until Michael provides verbal confirmation through a channel she initiated independently.
Choice C: Reply to the email asking Michael to confirm. If he replies confirming the payment, that’s sufficient verification. She’ll process it as soon as she hears back.
The Right Call
Choice B — Call Michael directly on a known number before processing anything.
Choice A processes the fraud. The urgency, the familiar name, the routine amount, and the account update framing are all deliberate elements of the attack — not coincidental features of a legitimate request. Choice C is the second most dangerous option: replying to the email to verify goes back to the attacker, who will confirm the payment immediately and enthusiastically. Email confirmation of a suspicious email request verifies nothing — the attacker controls both ends of that conversation. Choice B breaks the attacker’s control by verifying through an independent channel the attacker cannot intercept. One phone call to Michael’s known number takes 90 seconds and either confirms a legitimate request or stops a $47,200 fraud.
Why This Is Harder Than It Looks
The attacker designed every element of this email to activate trust and suppress verification.
The familiar name activates relationship trust. “I’m in back-to-back meetings” removes the easy path to verbal verification. The discount deadline creates urgency that makes procedural caution feel costly. The routine payment amount sits below any unusual-flag threshold. These elements didn’t happen by accident — BEC attackers research targets specifically to identify the right name, the right amount, and the right framing before sending the email. The more convincing the email, the more likely it is that someone put effort into making it convincing.
Replying to the email to verify is not verification — it is asking the attacker to confirm their own fraud.
This is the training point most employees don’t initially understand. When the “From” address is compromised or spoofed, the reply goes back to the attacker. If the employee sends a reply asking, “Can you confirm this is legitimate?” the attacker replies, “Yes, please process urgently, thank you.” The email thread now contains what appears to be a confirmation — and the employee processes the payment with greater confidence than before. Email-based confirmation of a suspicious request actively increases the likelihood that the fraud will succeed.
The procedural delay feels like it costs something — the missed discount, the frustrated colleague, the queue backup. It doesn’t.
If the request is legitimate, Michael will answer the call, confirm the details, and the payment will go through — five minutes later than it would have otherwise. The discount is saved. If the request is fraudulent, the call reveals the fraud before any money moves. In either case, the 90-second verification call has zero downside. The urgency framing in the email is specifically designed to make that 90-second call feel like a high cost. It isn’t.
Frequently Asked Questions
What is Business Email Compromise, and how does it differ from standard phishing?
Business Email Compromise (BEC) is a targeted social engineering attack that impersonates a trusted internal contact — typically a senior employee, finance officer, or known colleague — to fraudulently authorize financial transfers or sensitive data disclosures. Unlike mass phishing that relies on volume and generic lures, BEC attacks are researched and personalized: the attacker identifies the right target, the right impersonation, and the right amount before sending a single email. BEC is the highest-loss cybercrime category reported to the FBI, generating billions in losses annually with an average incident cost exceeding $120,000.
What is “out-of-band verification” and why is it the correct response to suspicious financial requests?
Out-of-band verification means confirming a request through a communication channel different from the one that delivered the request. For an email requesting a wire transfer, out-of-band verification means calling the requester on a phone number you already have — not one provided in the email — and verbally confirming the request details. This breaks the attacker’s control of the communication channel: even if they have compromised the email account, they cannot intercept an independent phone call to the real person’s known number.
What are the red flags that should trigger out-of-band verification for a financial request?
Any combination of: a request to change vendor banking details; urgency language that discourages verification (“I’m in meetings,” “need this today,” “can’t talk”); a sending email address that doesn’t exactly match the known contact’s address; a payment amount that is slightly below approval thresholds; requests to process outside normal channels or keep the transaction confidential; and any request where the requester’s unavailability is cited as a reason to skip normal process. Each element individually warrants attention. Multiple elements together require verification before any action is taken.
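The red flags listed above, together with the lookalike domain and mismatched account number from the scenario, can be turned into a simple triage check that an accounts payable team or a mail-processing rule could run before a request ever reaches a human queue. The following is an added example, not code from the scenario page or from Xcelus. The company domain (companyname.com), the directory entry, the vendor master, the $50,000 approval threshold and both sample emails are constructed assumptions for the demonstration.

```python
"""Triage an inbound payment request against the BEC red flags from the scenario.

Added example, not part of the original page. The directory, vendor master,
approval threshold and the two sample emails are constructed; the company's
real domain is assumed to be companyname.com.
"""
from dataclasses import dataclass

# Constructed reference data (assumptions, not from the page).
COMPANY_DOMAINS = {"companyname.com"}
DIRECTORY = {"michael chen": "m.chen@companyname.com"}   # display name -> known address
VENDOR_RECORDS = {"Acme Supplies": "000111222"}           # vendor -> account on file
APPROVAL_THRESHOLD = 50_000.0                             # second approver at/above this
NEAR_THRESHOLD_MARGIN = 0.10                              # within 10% below counts as "just under"

URGENCY_PHRASES = ("before 5 pm", "today", "can't talk", "back-to-back meetings",
                   "urgent", "asap", "need this")
SECRECY_PHRASES = ("confidential", "between us", "don't mention", "keep this quiet")


@dataclass
class PaymentRequest:
    display_name: str     # name shown in the From header
    from_address: str     # actual address in the From header
    vendor: str
    account_number: str   # account the email asks to pay
    amount: float
    body: str


def red_flags(req: PaymentRequest) -> list[str]:
    """Return every BEC indicator present; an empty list means none were found."""
    flags = []

    # 1. Sender address: lookalike domain, or mismatch with the directory entry.
    address = req.from_address.lower()
    domain = address.rsplit("@", 1)[-1]
    if domain not in COMPANY_DOMAINS:
        flags.append(f"sender domain '{domain}' is not a company domain")
    known = DIRECTORY.get(req.display_name.lower())
    if known and known != address:
        flags.append(f"address {address} differs from directory entry {known}")

    # 2. Banking details: any deviation from the vendor record is a flag.
    on_file = VENDOR_RECORDS.get(req.vendor)
    if on_file is None:
        flags.append(f"vendor '{req.vendor}' not in vendor master")
    elif on_file != req.account_number:
        flags.append("account number differs from vendor record")

    # 3. Language that discourages verification or asks for secrecy.
    body = req.body.lower()
    urgency = [p for p in URGENCY_PHRASES if p in body]
    if urgency:
        flags.append("urgency language: " + ", ".join(urgency))
    secrecy = [p for p in SECRECY_PHRASES if p in body]
    if secrecy:
        flags.append("secrecy language: " + ", ".join(secrecy))

    # 4. Amount parked just under the approval threshold.
    gap = APPROVAL_THRESHOLD - req.amount
    if 0 < gap <= APPROVAL_THRESHOLD * NEAR_THRESHOLD_MARGIN:
        flags.append(f"amount {req.amount:,.0f} sits just below the "
                     f"{APPROVAL_THRESHOLD:,.0f} approval threshold")
    return flags


def triage(req: PaymentRequest) -> str:
    """Any flag means hold and verify on a known number; never verify by replying."""
    if red_flags(req):
        return "HOLD: verify out-of-band on a known number before processing"
    return "ROUTE: normal approval workflow"


# Constructed sample: the scenario email as described on the page.
SCENARIO = PaymentRequest(
    display_name="Michael Chen",
    from_address="m-chen@companyname-corp.com",
    vendor="Acme Supplies",
    account_number="999888777",
    amount=47_200.0,
    body=("Hey - I need you to process a vendor payment before 5 PM today or we lose "
          "the discount. I'm in back-to-back meetings and can't talk. The vendor updated "
          "their banking details last week - please use the new account number below."),
)

# Constructed sample: an ordinary request with nothing out of place.
ROUTINE = PaymentRequest(
    display_name="Michael Chen",
    from_address="m.chen@companyname.com",
    vendor="Acme Supplies",
    account_number="000111222",
    amount=12_500.0,
    body="Please schedule the Acme Supplies invoice for the usual cycle.",
)

if __name__ == "__main__":
    for label, req in (("scenario", SCENARIO), ("routine", ROUTINE)):
        print(label, "->", triage(req))
        for flag in red_flags(req):
            print("   -", flag)
```

Run against the scenario email, the check raises five separate flags (lookalike domain, directory mismatch, changed account, urgency phrases, amount just under the threshold); the routine request raises none. The output is a triage aid only: a HOLD result tells the specialist to pick up the phone and call the known number, and no combination of rule results substitutes for that call.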
How to Use This Scenario in Training
Recommended for finance, accounts payable, accounts receivable, operations, and any employee who processes financial transactions or has the authority to approve payments. Also highly effective for executive assistants and office managers who frequently act on behalf of senior leaders. The scenario is most impactful when employees understand before training that BEC is the highest-cost cybercrime category — the financial stakes reframe the 90-second verification call as obviously worth making.
This scenario demonstrates the relationship trust override rationalization from the Decision Readiness Engine™ — “it’s Michael, I know him” is the trust that makes urgency-driven BEC effective. Decision-ready employees recognize that familiar names on financial requests trigger verification rather than suppress it — because attackers specifically choose the names that will be trusted most.
Want Security Awareness Scenarios in Your Program?
Xcelus builds scenario-based security awareness training covering phishing, social engineering, BEC, and the verification behaviors that protect employees and organizations from the highest-cost cybercrime category.
© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.