What whaling actually is
Whaling is spear phishing aimed at senior executives, most often the CFO, controller, VP of Finance, or treasury manager. The defining trait is target selection: attackers research the org chart on LinkedIn, identify who can authorize a wire without a second signature, and impersonate that person's manager (usually the CEO) or a supplier the company already pays. The goal is a single irreversible wire to an attacker-controlled account. Business Email Compromise (BEC) is the broader category that contains whaling, vendor-invoice fraud, payroll diversion, and gift-card schemes. The FBI's IC3 annual reports consistently rank BEC among the costliest cybercrime categories by reported loss, and the Verizon DBIR consistently flags BEC and pretexting as the dominant social-engineering pattern.
The 7-day pattern
Most successful BEC events run on a roughly week-long arc. The timeline below is a composite drawn from published FBI advisories, FinCEN BEC advisories, and incident-response writeups.
- Day 1 - Reconnaissance. Attacker pulls the org chart from LinkedIn, finds out-of-office posts ("traveling to Berlin next week"), pulls earnings-call transcripts for speech patterns, and identifies a press release mentioning a pending deal that justifies a large wire.
- Day 2-3 - Access setup. Path A: attacker phishes the CEO's mailbox and sets a hidden inbox rule that auto-deletes replies. Path B: attacker registers a look-alike domain (one character off) and configures SPF/DKIM/DMARC properly.
- Day 4 - The ask. CFO receives an email from "the CEO" referencing the real deal. Tone matches. Body asks for a wire to a new beneficiary, marks it confidential, requests confirmation by email only.
- Day 5 - Wire sent. Funds clear within hours via SWIFT or Fedwire. The mule network fragments the money across destination accounts within minutes.
- Day 6-7 - Discovery. CEO returns and mentions the deal in a meeting; the discrepancy surfaces. Or the real supplier emails asking why their invoice was not paid. By this point funds are two to four hops downstream.
The FBI's Financial Fraud Kill Chain reports recovery near 50% if the bank is notified within 24 hours, dropping under 10% past 72 hours. That decay curve is the most important number a CFO can know.
Real cases with named amounts and outcomes
Mattel - $3M (March 2015)
A Mattel finance executive wired roughly $3M to a Bank of Wenzhou account after an email appearing to come from the newly appointed CEO requested a vendor payment in China. Chinese New Year banking holidays froze the funds and most of the money was recovered, a rare positive outcome. Source: Mattel disclosure, AP reporting.
Pathe - approximately $21M (March 2018)
French cinema operator Pathe lost roughly $21M after Dutch subsidiary executives received emails appearing to be from the parent CEO requesting confidential acquisition transfers to Dubai accounts. The Dutch CEO and CFO were fired. Source: Dutch court filings, Reuters.
FACC AG - approximately €50M (January 2016)
Austrian aerospace supplier FACC AG (Boeing and Airbus parts) disclosed a roughly €50M loss to a CEO-impersonation BEC. The board fired CEO Walter Stephan. Only a small fraction was recovered. Source: FACC AG disclosure, Reuters, Wikipedia.
Ubiquiti Networks - $46.7M (June 2015)
Ubiquiti disclosed in an SEC filing that it lost $46.7M after attackers impersonated employees and directed wires from a Hong Kong subsidiary overseas. Ubiquiti recovered approximately $8.1M. Source: Ubiquiti SEC 10-Q August 2015.
Crelan Bank - approximately $75M (January 2016)
Belgian Crelan Bank disclosed roughly €70M (about $75M) lost to CEO-fraud BEC discovered during internal audit. The bank stated it could absorb the loss without affecting deposits. One of the largest single-incident BEC losses publicly disclosed by a bank. Source: Crelan press statement.
Why the email passes every technical check
BEC emails routinely sail through Microsoft Defender for Office 365, Proofpoint, and Mimecast. Three reasons.
- Compromised real mailbox. If the attacker took over the actual CEO's mailbox via a prior credential phish, the email is genuinely from the CEO's account. SPF, DKIM, and DMARC all pass. There is no header anomaly to detect.
- Look-alike domain with character swap. Attacker registers a domain that differs by one character or one visual confusable (companyy.com for company.com, rn for m as in rnicrosoft.com, Cyrillic а for Latin a), then configures SPF/DKIM/DMARC properly. Authentication passes because it is checked against the look-alike, not against your domain. The CFO's eye does not catch it because the display name reads "John Smith, CEO" and many mail clients, mobile ones especially, show only the display name.
- CEO speech patterns matched from public sources. Earnings-call transcripts, podcast appearances, and LinkedIn posts give attackers a corpus of how the CEO actually writes. Generative models prompted with a few thousand words of the target's own writing produce messages with the same sentence length, same closing ("Thx, J"), and same internal shorthand. The Verizon DBIR has flagged stylometric mimicry as a growing BEC factor.
The 4 signals a real CFO/CEO email shows that a fake one cannot
- Payment timing context. A real CEO request references the specific deal, contract number, purchase order, or board resolution that authorizes the spend. A BEC email vaguely references "the deal we discussed." If it cannot point to a paper trail in the ERP, it is suspect.
- Internal references the attacker does not know. Private project codenames used only in internal Slack, the name of the executive assistant who books the CEO's travel. A short reply asking "Can you confirm via the Slack channel for Project Voyager?" exposes the fake immediately.
- Response on independent channels. Real urgent executive communication crosses email, Slack or Teams, phone. A request that exists only in email and pushes back against a phone call is a strong BEC signal. Real executives welcome verification on a wire.
- Alignment with existing vendor relationships. A new vendor bank account for an existing supplier should match the supplier's known business address, registered entity, and historical wire patterns. A request to wire to a personal-name account, a country the supplier does not operate in, or a freshly-opened account is an immediate hold signal regardless of who appears to be requesting it.
The callback rule
The single highest-ROI policy a finance team can adopt is a hard segregation-of-duties rule on wires. Any wire above a threshold (most controllers set this at $10K-$25K) requires verbal verification with the requester on a phone number from the company directory, not a number in the email. The attacker controls the email; they do not control your existing phone records. If the CEO's request to wire $200K to Hong Kong cannot be confirmed by calling the number you already have for the CEO, the wire does not go. No exceptions for "the CEO is in a meeting." An unusual pushback against verification is itself the strongest BEC signal.
Many controllers extend this with a two-person rule above a higher threshold: wires over $100K require sign-off from two named approvers via independent channels. Cyber insurers increasingly require this as a BEC-coverage condition.
FBI Financial Fraud Kill Chain - the 72-hour recovery window
If a fraudulent wire has left the building, the next 72 hours decide recovery. The FBI Financial Fraud Kill Chain (FFKC) works with U.S. banks, FinCEN, and their foreign counterparts to attempt recall of international wires of $50K or more that are reported within 72 hours of the transfer.
- Within the first 60 minutes. Call your bank's wire-fraud line. State: "I am reporting a fraudulent wire under the Financial Fraud Kill Chain." Provide the wire reference, beneficiary bank, account, amount, and time sent. Request an immediate recall and a SWIFT recall message (an MT192 cancellation request or a free-format MT199) to the receiving bank.
- Within 24 hours. File an IC3 complaint at ic3.gov; that complaint is how FFKC action starts, and only international wires of $50K or more reported within 72 hours qualify. Contact your local FBI field office as well, especially for domestic destinations or losses below that threshold, which the FFKC does not cover. Notify your cyber insurance carrier within the policy's reporting window.
- Within 72 hours. Engage incident response to determine whether the CEO mailbox was compromised or a look-alike domain was used, and contain the access. Force password resets and 2FA re-enrollment on finance and executive accounts, revoke active sessions and any OAuth app consents granted during the window, and review mailbox rules for hidden auto-forward, move, or auto-delete rules, which attackers set so the real user never sees the replies.
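The mailbox-rule review in the last step is worth automating, because the rules attackers set (auto-delete, file-to-RSS-Feeds-and-mark-read, forward to an external address) follow a small number of patterns. The triage script below is an added example, not code from the original article. It takes rules in the shape Microsoft Graph returns from /users/{id}/mailFolders/inbox/messageRules (displayName, isEnabled, conditions, actions) and scores each one. The sample rules are constructed; INTERNAL_DOMAINS is an assumption, and so are the folder names in moveToFolder (Graph returns folder ids there, so resolve ids to names before feeding rules in).

```python
"""Triage exported mailbox rules for the hide-and-forward patterns BEC actors set.

Added example; not code from the original article. Input rules are in the
shape Microsoft Graph returns from /users/{id}/mailFolders/inbox/messageRules.
The rules below are constructed samples; folder names are assumed to have
been resolved from the folder ids Graph actually returns.
"""

INTERNAL_DOMAINS = {"company.com"}  # assumption: your own domains
FINANCE_TERMS = ("invoice", "wire", "payment", "bank", "remit", "transfer", "urgent")
# Folders nobody looks at: a rule that files mail here plus markAsRead keeps
# the real user from ever noticing the conversation.
HIDING_FOLDERS = ("rss", "deleted", "junk", "archive", "conversation history", "notes")
SEVERITY = {0: "ok", 1: "low", 2: "high", 3: "critical"}

SAMPLE_RULES = [
    {"displayName": "Invoices", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire", "payment"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"displayName": ".", "isEnabled": True,
     # In a compromised CEO mailbox this silently drops the CFO's replies.
     "conditions": {"senderContains": ["cfo@company.com"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ceo.backup@webmail.example"}}]}},
    {"displayName": "Newsletter filing", "isEnabled": True,
     "conditions": {"senderContains": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
]


def _recipient_domains(recipients):
    """Graph recipient objects -> lowercased domains."""
    domains = []
    for rcpt in recipients or []:
        addr = rcpt.get("emailAddress", {}).get("address", "")
        domains.append(addr.rpartition("@")[2].lower())
    return domains


def _condition_text(conditions):
    """Flatten every condition value into one lowercase string for keyword checks."""
    words = []
    for value in (conditions or {}).values():
        items = value if isinstance(value, list) else [value]
        for item in items:
            if isinstance(item, dict):  # fromAddresses entries are recipient objects
                item = item.get("emailAddress", {}).get("address", "")
            words.append(str(item))
    return " ".join(words).lower()


def triage_rule(rule, internal=INTERNAL_DOMAINS):
    """Score one rule. Returns (severity 0-3, list of reasons)."""
    actions = rule.get("actions") or {}
    reasons, severity = [], 0

    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for domain in _recipient_domains(actions.get(key)):
            if domain not in internal:
                reasons.append(f"{key} sends mail to external domain {domain}")
                severity = max(severity, 3)
    if actions.get("delete"):
        reasons.append("auto-deletes matching mail")
        severity = max(severity, 2)
    folder = str(actions.get("moveToFolder", "")).lower()
    if any(name in folder for name in HIDING_FOLDERS):
        reasons.append(f"files matching mail into low-visibility folder '{folder}'")
        severity = max(severity, 2)
    if severity and actions.get("markAsRead"):
        reasons.append("marks as read, so no unread badge appears")

    cond_text = _condition_text(rule.get("conditions"))
    hits = [term for term in FINANCE_TERMS if term in cond_text]
    if severity and hits:
        reasons.append(f"conditions target finance keywords {hits}")
        severity = 3
    name = (rule.get("displayName") or "").strip()
    if severity and not any(ch.isalnum() for ch in name):
        reasons.append("rule name is empty or punctuation only")
    if severity and not rule.get("isEnabled", True):
        reasons.append("currently disabled (may be re-enabled later)")
    return severity, reasons


def triage_rules(rules, internal=INTERNAL_DOMAINS):
    """Return flagged rules only, most severe first."""
    findings = []
    for rule in rules:
        severity, reasons = triage_rule(rule, internal)
        if severity:
            findings.append({"name": rule.get("displayName", ""), "score": severity,
                             "severity": SEVERITY[severity], "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in triage_rules(SAMPLE_RULES):
        print(f"[{finding['severity']}] {finding['name']!r}: {'; '.join(finding['reasons'])}")
```

Run it against every executive and finance mailbox, not only the one that sent the request: the attacker's access may predate the wire by weeks, and a rule that deletes mail from the CFO in the CEO's mailbox is the classic sign that the CEO's account, not a look-alike domain, was the vector.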
FBI public data shows FFKC recovery near 50% inside 24 hours and below 10% past 72 hours, after which funds have typically been split, withdrawn as cash, or converted to crypto.
Hardening your org against whaling
- DMARC at enforcement. Move your domain's DMARC policy from p=none to p=quarantine or p=reject. That stops attackers from spoofing your exact domain and forces them to register a look-alike, which leaves a registration trail. Check the pct= tag as well: p=reject with pct=10 is not enforcement.
- Executive impersonation training. Annual phishing simulations must include CEO-fraud variants aimed at finance staff specifically, with realistic look-alike sender domains and real internal-project references. Generic training does not cover this surface.
- Segregation-of-duties policies. Written, signed, and audited. The callback rule, the two-person rule above threshold, and a documented vendor-change workflow. Increasingly required as cyber-insurance policy conditions.
- Supplier change verification. Any change to a supplier's bank details must be verified with the supplier on a phone number from your records, not from the change-request email. This vendor-invoice variant is the most common BEC pattern after CEO fraud.
- External-sender banners. Tag every external email with a visible banner. Combined with a look-alike domain alert that fires when the sender domain is one character or one visual confusable away from an internal domain, this catches a meaningful share of attacks before the CFO reads the body.
- Browser-layer defense for the landing page. Whaling emails often link to a credential-phishing page (fake Microsoft 365 or DocuSign login) used to capture the executive's password as a precursor to mailbox takeover. A browser-layer scanner blocks the page before the executive types. SafeBrowz Business catches the look-alike domain landing page when an executive clicks, and CSV-exportable threat reports let IT teams monitor org-wide impersonation attempts across every employee browser, not just gateway-filtered email.
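The look-alike domain alert described in the hardening list, and the companyy.com / rnicrosoft.com / Cyrillic-a cases from the section on why the email passes technical checks, come down to one comparison: does the sender's real domain resemble one of ours without being one of ours? The check below is an added example, not code from the original article or from any vendor named on this page. It flags domains one edit away from a protected domain, domains using a multi-character confusable (rn for m), and domains containing non-ASCII homoglyphs. PROTECTED_DOMAINS and the sample From headers are constructed for illustration.

```python
"""Look-alike sender-domain check, suitable for a mail-flow hook or SIEM rule.

Added example; not code from the original article or any vendor it names.
PROTECTED_DOMAINS and the sample headers below are constructed.
"""
import re
import unicodedata

# Assumption: the organization's own sending domains. Replace with yours.
PROTECTED_DOMAINS = ("company.com", "microsoft.com")

# Small slice of the Unicode confusables table: Cyrillic letters that render
# identically to Latin ones in most fonts. Extend from unicode.org/Public/security/.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0443": "y",
})

# Letter pairs that read as a single letter in proportional fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From header.

    The display name is what the recipient sees; the angle-bracket address is
    what matters, so take the last <...> group if present.
    """
    match = re.search(r"<([^<>]+)>\s*$", from_header)
    addr = match.group(1) if match else from_header
    domain = addr.strip().rpartition("@")[2].strip().lower().rstrip(".")
    try:
        # Punycode (xn--...) labels decode to their Unicode form for comparison.
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed; compare as-is


def skeleton(domain: str) -> str:
    """Collapse a domain to what it looks like, so rnicrosoft.com and
    company.com spelled with a Cyrillic o compare equal to the genuine domains."""
    s = unicodedata.normalize("NFKC", domain.lower()).translate(HOMOGLYPHS)
    for pair, letter in CONFUSABLE_PAIRS:
        s = s.replace(pair, letter)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; domains are short, so the quadratic DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, protected=PROTECTED_DOMAINS) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'internal', 'lookalike' or 'external'."""
    domain = sender_domain(from_header)
    if not domain:
        return "external", "no parsable address"
    for p in protected:
        if domain == p or domain.endswith("." + p):
            return "internal", f"matches {p}"
    non_ascii = any(ord(ch) > 127 for ch in domain)
    sk = skeleton(domain)
    for p in protected:
        psk = skeleton(p)
        if sk == psk or sk.endswith("." + psk):
            kind = "homoglyph" if non_ascii else "confusable spelling"
            return "lookalike", f"{kind} of {p}"
        if levenshtein(domain, p) <= 1:
            return "lookalike", f"one edit away from {p}"
    if non_ascii:
        return "lookalike", "non-ASCII characters in sender domain"
    return "external", "no resemblance to a protected domain"


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ('"John Smith, CEO" <john@company.com>',
                '"John Smith, CEO" <john@companyy.com>',
                "John Smith <john@rnicrosoft.com>",
                "John Smith <john@c\u043empany.com>",
                "AP Team <ap@acme-supplies.example>"):
        print(f"{hdr:45} -> {classify(hdr)}")
```

Wire this into the same place the external-sender banner is applied: an "internal" verdict gets no banner, an "external" verdict gets the standard banner, and a "lookalike" verdict gets a louder banner or a hold. Keep the edit-distance threshold at 1; at 2 the false-positive rate on legitimate short domains climbs quickly.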
Frequently asked questions
What is the difference between whaling and regular phishing?
Phishing is bulk and untargeted. Whaling is research-driven and aimed at named executives with the authority to move money, typically CFOs, controllers, and CEOs. Whaling messages reference real internal projects, real supplier relationships, and real deals because the attacker spent days researching. At the technical level the email is often indistinguishable from a legitimate one; the giveaway is in the request pattern, not the headers.
Can DMARC alone stop BEC?
No. DMARC at enforcement (p=quarantine or p=reject) stops attackers from spoofing your exact domain. It does not stop look-alike domains that the attacker registered separately and configured properly, and it does not stop attacks from a legitimately compromised internal mailbox. DMARC is necessary but not sufficient. The callback rule and segregation of duties cover the gap.
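"At enforcement" is a narrower condition than having a DMARC record at all, and it is easy to publish something that looks enforced but is not. The evaluator below is an added example, not code from the original article. It parses the TXT record published at _dmarc.<domain> and reports the effective policy, catching the two common half-measures: p=quarantine or p=reject with pct below 100, and a strict p= paired with sp=none, which leaves every subdomain spoofable. The three records are constructed samples for an assumed company.com; in production, fetch the TXT record with your DNS library of choice and pass the string in.

```python
"""Check whether a DMARC record is really at enforcement.

Added example; not code from the original article. The records below are
constructed samples for an assumed domain, company.com.
"""

MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@company.com"
HALF_MEASURE = "v=DMARC1; p=reject; pct=10; sp=none; rua=mailto:dmarc@company.com"
ENFORCED = ("v=DMARC1; p=reject; sp=reject; pct=100; "
            "rua=mailto:dmarc@company.com; ruf=mailto:dmarc@company.com; fo=1")

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt: str) -> dict:
    """Return status ('invalid', 'monitoring', 'partial', 'enforced') plus findings."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"status": "invalid", "findings": ["record must start with v=DMARC1"]}
    p = tags.get("p", "").lower()
    if p not in POLICIES:
        return {"status": "invalid", "findings": [f"missing or unknown p= value {p!r}"]}
    sp = tags.get("sp", p).lower()         # subdomain policy defaults to p
    try:
        pct = int(tags.get("pct", "100"))  # sampling percentage defaults to 100
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; receivers will treat it as 100")

    if p == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif pct < 100:
        # RFC 7489 section 6.6.4: unsampled failing mail gets the next weaker
        # policy, so pct=10 with p=reject means 90% of spoofs are only quarantined.
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={p}")
    if p != "none" and sp == "none":
        findings.append("sp=none: any subdomain of yours can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports on who spoofs you")

    if p == "none":
        status = "monitoring"
    elif pct == 100 and sp != "none":
        status = "enforced"
    else:
        status = "partial"
    return {"status": status, "p": p, "sp": sp, "pct": pct, "findings": findings}


if __name__ == "__main__":
    for label, record in (("monitor-only", MONITOR_ONLY),
                          ("half-measure", HALF_MEASURE),
                          ("enforced", ENFORCED)):
        result = evaluate_dmarc(record)
        print(f"{label:13} -> {result['status']}: {result['findings'] or 'no findings'}")
```

A record that evaluates to "enforced" here still only protects your exact domain and its subdomains; it does nothing against a look-alike the attacker registered, which is why the callback rule remains the control that actually stops the wire.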
If we already wired the money, how long do we have to recover it?
The FBI Financial Fraud Kill Chain reports roughly 50% recovery if the bank is notified within 24 hours, dropping below 10% past 72 hours. Call your bank's wire-fraud line within the first hour, file an IC3 complaint within 24 hours, and contact your FBI field office; international wires of $50K or more reported within 72 hours qualify for FFKC action. Speed compounds.
Will cyber insurance cover a BEC loss?
Often yes, but coverage is conditional. Most BEC riders require documented segregation-of-duties policies, the callback rule, and recent executive-impersonation training. Carriers increasingly deny claims where the insured cannot show those controls were in place at time of loss. Read your policy carefully and align your written procedures to its requirements.
Our CEO is in a different time zone and emails are how we communicate. How do we apply the callback rule?
The callback rule does not require a real-time voice call. It requires verification on a channel the attacker does not control. A Slack DM to the CEO's known handle, a Teams message, or a text to the CEO's known cell phone all qualify if the channel was established before the email arrived. The principle is independence, not specifically a phone call.
How do attackers know which deals are in progress at our company?
Public sources cover most of it: press releases, earnings calls, SEC filings, news articles, LinkedIn employee posts ("excited to announce our partnership with X"), supplier disclosures, and industry publications. For private companies, attackers also use vendor invoices captured from a single phished supplier mailbox elsewhere in the supply chain. The information asymmetry is smaller than most executives assume.
Related reading
- Spear phishing and LinkedIn profiling: how attackers research targets
- "Microsoft account suspicious sign-in" email scam: how to spot it - the credential-phish precursor that enables mailbox takeover
- How to tell if a website is a scam - the 11 visual red flags
- SafeBrowz Business - browser-layer protection for finance teams
Bottom line: Whaling is not a technology problem you can solve at the email gateway. The email passes every check because the attacker either took over a real mailbox or registered an authenticated look-alike domain. The defense is procedural: DMARC at enforcement, the callback rule on every wire above threshold, and a 24-hour incident response that knows the FBI Financial Fraud Kill Chain exists. Add browser-layer scanning like SafeBrowz Business to catch the credential-phish that precedes most mailbox takeovers, and verify your cyber insurance preconditions match your written procedures before you need to claim.