Business Email Compromise Payment Fraud, How Change of Payment Requests Lead to Wire Losses
Business Email Compromise payment fraud remains one of the most financially damaging cyber threats facing organizations today. While many companies understand the basics of Business Email Compromise (BEC), fewer recognize the exact moment when these attacks turn into real financial loss.
In most cases, that moment is a simple, routine request: a change of payment instruction.
If you are unfamiliar with how these attacks develop, it is worth reviewing the broader mechanics of Business Email Compromise.
The BEC Playbook, Quiet Access and Patient Monitoring
BEC attacks rarely begin with immediate fraud. Instead, attackers take a methodical approach.
They gain access through:
- Phishing emails
- Credential harvesting
- Password reuse or weak authentication
Once inside, they observe quietly.
Attackers monitor email conversations, vendor relationships, invoicing cycles, and internal approval processes. Their objective is precision, not disruption.
As outlined in our breakdown of BEC attack methods, many of the most successful schemes rely on long-term access and timing rather than technical sophistication.
Where Payment Fraud Happens, The Change of Payment Trap
The most critical moment in a BEC attack is when attackers initiate payment redirection.
This typically appears as a legitimate request, such as:
- “We’ve updated our banking details.”
- “Please send this invoice to our new account.”
- “Due to an audit, future payments must be routed here.”
Because these messages often originate from compromised email accounts or highly convincing spoofed domains, everything appears legitimate.
Attackers frequently:
- Copy existing email threads
- Replicate writing style and signatures
- Reference real invoices and purchase orders
- Time their request just before payment is due
This is known as change of payment fraud, one of the most effective forms of vendor payment fraud within BEC attacks.
Why Business Email Compromise Payment Fraud Continues to Grow
This type of fraud is not just technical, it is psychological and operational.
Accounts payable teams operate under tight deadlines, established vendor trust, and routine financial workflows
When a request aligns with expected timing and appears legitimate, it often bypasses scrutiny.
The Scale of the Problem, What the Latest IC3 Data Shows
The financial impact of Business Email Compromise payment fraud continues to accelerate.
According to the latest FBI Internet Crime Complaint Center report, cybercrime losses surpassed $20.8 billion in 2025, with Business Email Compromise remaining one of the top drivers of financial damage globally.
BEC alone accounted for over $3 billion in reported losses, placing it among the most costly cyber-enabled fraud categories.
What makes this even more concerning is how the money is actually lost. The IC3 data shows that the majority of BEC-related losses occur through wire transfers and ACH payments, reinforcing that payment redirection, not initial compromise, is where real financial damage happens.
In other words, the breach is just the setup.
The change of payment request is the payoff.
Stephen and Ronnie from Rexxfield also broke down these findings in more detail here on our “Rexxfield Investigates” Youtube channel:
https://www.youtube.com/watch?v=f7qEXh7TgYY
The key takeaway is simple:
BEC is not just a cybersecurity issue, it is a financial fraud problem, and organizations that focus only on email security while ignoring payment verification remain exposed.
The Most Effective Defense, Treat Payment Changes as High Risk
At Rexxfield, our investigations into BEC wire fraud cases consistently show that one control could prevent a large percentage of losses:
Treat every change of payment request as a high-risk event.
Organizations should implement layered verification:
1. Out-of-Band Confirmation
Verify payment changes using a known and trusted contact method. Never rely on details in the request itself.
2. Multi-Step Approval Workflows
Require multiple approvals before modifying vendor payment information.
3. Vendor Verification Protocols
Establish structured verification processes for high-risk vendors.
4. Vendor Master File Controls
Restrict and audit banking detail changes within financial systems.
For a broader prevention strategy, see our BEC prevention tips.
Warning Signs of BEC Payment Fraud
Common indicators include:
- Last-minute payment change requests
- Urgency or pressure to act quickly
- Slight domain misspellings or reply-to changes
- New banking details in a different country
- Requests that bypass normal vendor contacts
These are often the only signals before funds are transferred.
What to Do After Business Email Compromise Payment Fraud
If a fraudulent payment may have been sent, time is critical.
Immediate actions:
- Contact your bank to initiate a recall
- Preserve all communications and transaction details
- Notify internal teams
- Engage investigators immediately
If you are dealing with an active incident, our team supports rapid response and recovery:
Learn more about our investigations
Rapid response can significantly increase the likelihood of recovering funds.
The Critical Insight, Slow Down the “Routine”
Business Email Compromise payment fraud does not rely on complex exploits. It relies on predictable human behavior.
The change of payment request feels routine, but it is often the exact moment funds are lost.
By slowing down this one process and enforcing verification, organizations can significantly reduce exposure to BEC wire fraud.
Need Immediate Support for BEC or Wire Fraud?
Rexxfield supports organizations with:
- Rapid Business Email Compromise response
- Wire fraud recovery coordination with financial institutions
- Root-cause compromise investigations
- Vendor payment fraud prevention strategies
If you suspect Business Email Compromise payment fraud or want to strengthen your defenses, early action is critical.
Because in these cases, the difference between loss and recovery is often measured in minutes.
