Processes That Actually Stop BEC
The FBI’s Recovery Asset Team (RAT) was established to streamline communications with financial institutions to freeze fraudulent wire transfers. Their track record tells a clear story:
| Year | Amount frozen | Success rate |
|---|---|---|
| 2020 | $380 million | 82% |
| 2021 | $329 million | 74% |
| 2022 | $433 million | 73% |
| 2023 | $538 million | 71% |
The pattern is encouraging: when organizations report quickly, there’s a strong chance of recovery. But speed is everything. The first 60 minutes after a fraudulent wire transfer — the “golden hour” — is the most critical window for recovery. After 24 hours, recovery rates drop dramatically as funds are moved through intermediary accounts, converted to cryptocurrency, or withdrawn as cash.
The lesson: process isn’t just about prevention. It’s about buying time. Every verification step that delays a fraudulent transfer increases the chance of catching it before the money is gone.
Process 1: Banking and payment detail changes
This is the single most important process in BEC defense. The majority of BEC losses come from redirected payments — someone changes where the money goes, and nobody verifies it.
✅ Call the vendor or recipient at a phone number from your existing records — contract, CRM, past invoices, their real website. NOT a number from the email requesting the change.
✅ Ask directly: “We received a request to change your payment details. Can you confirm this is legitimate?”
✅ Require written confirmation through your official vendor management process.
✅ Two-person verification: A second person independently confirms the change through their own separate contact.
Why this works: Even if the attacker controls the vendor’s email account, they don’t control the phone line at the company’s real number. A 30-second call to the number on your contract — not the number in the suspicious email — catches the fraud every time.
Process 2: Wire transfers and large payments
✅ Two-person approval for any wire above a set threshold (your organization defines the threshold — even a low one like $5,000 adds significant protection).
✅ Verbal confirmation for any urgent or unusual request, regardless of who it appears to come from. The more senior the requester, the more important this step becomes.
✅ Mandatory waiting period — even 1 hour — for “urgent” requests. If a transfer truly cannot wait 60 minutes, that level of urgency is itself suspicious. Almost no legitimate business transaction is measured in minutes.
✅ No same-day wire for new payees. First-time recipients always require at least one business day for verification. This single rule would have prevented many of the largest BEC losses on record.
Why this works: Two-person approval means a single compromised employee cannot execute a transfer. The waiting period defeats time-pressure attacks — which is exactly why attackers push urgency so hard. And the new-payee delay creates a cooling-off period that catches fraudulent account details before money moves.
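The Process 2 rules can also be enforced as a release gate in the payment workflow, so skipping a step is not left to individual judgment. The sketch below is an added example, not code from any payment product: the `WireRequest` record, the blocker names, the $5,000 threshold and the weekend-only business-day calendar are assumptions, and "unusual" requests are not modeled, only requests flagged urgent.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

APPROVAL_THRESHOLD = 5_000        # assumed value; each organization sets its own
URGENT_HOLD = timedelta(hours=1)  # mandatory waiting period for "urgent" requests

@dataclass
class WireRequest:                # hypothetical record, not a real banking API
    amount: float
    payee_is_new: bool
    requested_at: datetime
    marked_urgent: bool = False
    verbally_confirmed: bool = False   # call-back to a number already on file
    approvers: set = field(default_factory=set)

def next_business_day(ts: datetime) -> datetime:
    """Start of the next weekday after ts (assumption: weekends only, no holidays)."""
    day = (ts + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    while day.weekday() >= 5:     # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day

def release_blockers(req: WireRequest, now: datetime) -> list:
    """Return the controls still unmet; an empty list means the wire may be released."""
    blockers = []
    if req.amount > APPROVAL_THRESHOLD and len(req.approvers) < 2:
        blockers.append("two_person_approval")
    if req.marked_urgent:
        if not req.verbally_confirmed:
            blockers.append("verbal_confirmation")
        if now - req.requested_at < URGENT_HOLD:
            blockers.append("urgent_hold")
    if req.payee_is_new and now < next_business_day(req.requested_at):
        blockers.append("new_payee_delay")   # no same-day wire for first-time payees
    return blockers

# Constructed sample: an "urgent" Friday-afternoon wire to a first-time payee.
friday = datetime(2024, 3, 1, 15, 0)
rushed = WireRequest(25_000, True, friday, marked_urgent=True, approvers={"alice"})
verified = WireRequest(25_000, True, friday, marked_urgent=True,
                       verbally_confirmed=True, approvers={"alice", "bob"})

if __name__ == "__main__":
    print(release_blockers(rushed, friday + timedelta(minutes=20)))
    print(release_blockers(verified, datetime(2024, 3, 4, 9, 0)))
```

Logging each non-empty result gives the finance and security teams a record of which control stopped a transfer and when.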
Process 3: Payroll and direct deposit changes
✅ Require changes through the HR portal (Workday, ADP, BambooHR) with identity verification — not via email.
✅ Call the employee at their phone number on file to confirm the change request.
✅ Send confirmation of the change to the employee’s known email AND phone number — both channels.
✅ Hold the change for one pay cycle so the employee has time to notice and report if the change was fraudulent.
Why this works: Multi-channel confirmation means the real employee will see the change notification even if their email is compromised. The one-cycle hold provides a safety net — if an attacker initiated the change, the real employee will notice their paycheck didn’t arrive and can alert HR before a second misdirected payment goes out.
Process 4: Channel-change requests
✅ Decline. “Let’s keep this in email so we have a record.”
✅ If they insist, verify the request through an entirely different channel before proceeding. Call them at a known number. Walk to their office. Message through a different app.
Why this works: Keeping conversations on corporate channels maintains the audit trail and allows security teams to detect and intervene if something is wrong. Moving to a personal channel — text, WhatsApp, personal email — eliminates all corporate visibility. That’s exactly why attackers request it.
Getting buy-in: the friction argument
These processes add friction. They slow things down. They create inconvenience. A VP who says “just do it now” doesn’t want to hear “let me call to verify first.” An impatient vendor doesn’t want to wait a business day for their first payment.
But that friction IS the defense. BEC works specifically by convincing people to skip the process. Every single dollar lost to BEC was sent by someone who was told “we’ll deal with the paperwork later” or “this is too urgent for your normal procedure.”
Frame it positively when you need buy-in:
- “This two-minute verification call is the single most effective defense against attacks that cost organizations millions.”
- “Our verification process isn’t about distrust — it’s about protecting everyone, including the person making the request.”
- “If the request is legitimate, the call takes 30 seconds and everyone moves on. If it’s not, we just saved six figures.”
The FBI’s Recovery Asset Team data proves the point: organizations that have processes — and that follow them consistently — catch BEC attempts regularly. Many report catching multiple attempts per year. The process doesn’t just prevent losses. It builds institutional resilience.
What to do if you think you’ve been hit
If you suspect a fraudulent transfer has already been made:
- Contact your bank immediately — request a wire recall. Speed is critical.
- Report to the FBI’s IC3 at ic3.gov — this connects you to the Recovery Asset Team.
- Report to your local FBI field office for amounts over $100,000.
- Preserve all evidence — emails, invoices, wire confirmations, phone records.
- Do not tip off the attacker — if the compromised account is still active, don’t alert the attacker that you’ve discovered the fraud.
Remember the golden hour: the first 60 minutes matter most. The recovery rates speak for themselves — 71-82% success when organizations act fast.
The Rule: Any change to where money goes requires a phone call to confirm. No exceptions.