The Setup
It looks like a perfectly normal email
You get an email from a vendor you’ve worked with for three years. They’re updating their banking info — could you please send this month’s payment to the new account? You reply with a couple of questions. You get believable answers. You wire the money.
A week later, your real vendor calls asking where their payment is.
Welcome to Business Email Compromise — and in 2025, it cost American businesses over $3 billion.
By The Numbers — FBI 2025 Internet Crime Report
What’s Actually Happening
BEC isn’t a virus. It’s a con.
There’s no malware to scan for. The attacker has either compromised a real email account — yours, your vendor’s, your client’s — or spoofed one well enough to fool a busy human being. Then they sit quietly, watch the inbox, learn the language, study the invoice patterns, and strike at exactly the right moment.
The most common variants we see in Acadiana:
- A “vendor” emails updated wire instructions for the next invoice payment.
- The “owner” asks the bookkeeper for an urgent wire while traveling.
- A “client” requests a change to where their refund or commission is deposited.
- An “attorney” pushes a closing deadline that requires immediate funding.
Why It’s Aimed At You
Small businesses are the bullseye
Big companies have fraud teams, dual-approval workflows, and dedicated payment platforms. A four-attorney law firm in Lafayette doesn’t. The bookkeeper at a CPA firm is processing thirty things at once during tax season. The owner of an oilfield services shop is in a truck somewhere between Broussard and Houma.
Attackers know all of that. And they’re now using AI to write more polished, more personalized, more convincing emails than ever before — including, in some cases, voice-cloned phone calls that “confirm” the request.
This Week’s Tip
Verify on a different channel
You don’t need expensive software to stop most BEC attacks. You need one habit:
Any time bank account information changes — or any wire/ACH request looks unusual — verify it on a different channel. Don’t reply to the email. Pick up the phone.
Here’s how that habit looks in practice:
- Pick up the phone. Call your vendor or client at the number you already have on file — not the number in the email signature. Attackers swap that number out routinely.
- Set a dual-approval threshold. Pick a dollar amount — $5,000, $10,000, whatever fits your size — above which two people must sign off before any money moves.
- Inspect the “From” address closely. Attackers register lookalike domains (megabyte-itsolutions.com instead of megabyteitsolutions.com). Hover, don’t click.
- Turn on multi-factor authentication everywhere — especially Microsoft 365 and Google Workspace. Use an authenticator app, not SMS codes. Modern phishing kits can intercept text messages.
- Loop your IT or MSP in. A suspicious email forwarded to your provider can become an alert that protects every other business in our stack.
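The habit above can be written down as a checklist a bookkeeper or payment system runs before money moves. The script below is an added example, not Megabyte IT's tooling: it takes a vendor record on file and an incoming payment request, flags lookalike sender domains (hyphen insertion, digit-for-letter swaps, small typos), requires an out-of-band phone call to the number on file whenever bank details change or the sender looks off, and requires dual approval above a threshold. The vendor, request, domains and dollar figures are constructed for the example.

```python
"""Pre-payment verification checklist (constructed example, not production code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VendorRecord:
    name: str
    email_domain: str     # domain the vendor has always mailed from
    bank_account: str     # account identifier currently on file
    phone_on_file: str    # number we already had BEFORE this email arrived


@dataclass
class PaymentRequest:
    sender: str                     # From: address of the incoming email
    amount: float
    bank_account: str               # account the email asks us to pay
    callback_number: Optional[str] = None   # number offered in the email signature


def sender_domain(address: str) -> str:
    """Return the part of an email address after '@', lowercased."""
    return address.rsplit("@", 1)[-1].lower()


def normalize_domain(domain: str) -> str:
    """Collapse common lookalike tricks so 'acme-supp1y' and 'acmesupply' compare equal."""
    d = domain.lower().replace("-", "")
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_dom: str, expected_dom: str) -> str:
    """'exact' if it matches the domain on file, 'lookalike' if it is a near miss, else 'unrelated'."""
    s, e = sender_dom.lower(), expected_dom.lower()
    if s == e:
        return "exact"
    ns, ne = normalize_domain(s), normalize_domain(e)
    # Distance <= 2 is a tuning choice; very short domains would need a tighter bound.
    if ns == ne or levenshtein(ns, ne) <= 2:
        return "lookalike"
    return "unrelated"


def required_controls(req: PaymentRequest, vendor: VendorRecord, dual_approval_threshold: float) -> dict:
    """Decide which manual controls must happen before this payment is released."""
    reasons = []
    domain_class = classify_sender_domain(sender_domain(req.sender), vendor.email_domain)
    if domain_class != "exact":
        reasons.append(f"sender domain is {domain_class} to {vendor.email_domain}")
    if req.bank_account != vendor.bank_account:
        reasons.append("bank account differs from the one on file")
    return {
        # Any change or oddity means a phone call, and never to the number in the email.
        "verify_out_of_band": bool(reasons),
        "call_number": vendor.phone_on_file,
        "dual_approval": req.amount >= dual_approval_threshold,
        "reasons": reasons,
    }


if __name__ == "__main__":
    vendor = VendorRecord("Acme Supply", "acmesupply.example", "ACCT-1001", "+1-337-555-0100")
    request = PaymentRequest("ap@acme-supply.example", 12000.00, "ACCT-9999", "+1-337-555-0199")
    print(required_controls(request, vendor, dual_approval_threshold=10000))
```

Note that `call_number` is always taken from the vendor record, never from the request: the number in the email signature is exactly the field an attacker controls.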
How We Handle It For Clients
The layered defense behind your inbox
For Megabyte IT clients, we layer the technical pieces — inline anti-phishing through Advanced Email Protection, DNS-level blocking, conditional access policies that flag impossible logins, and alerts on any external email forwarding rule (a classic sign your inbox has already been compromised).
But the human verification step is the one that closes the gap no software can fully cover.
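Two of the technical signals mentioned above, a newly created rule that forwards mail outside the organization and a login pattern that no traveler could produce, are easy to express as detection logic. The script below is an added example written for this article, not Megabyte IT's monitoring stack; it runs over a handful of constructed audit events in a simplified schema of my own (field names like `op`, `params` and `ip_country` are assumptions, not the format of any real product's logs).

```python
"""Inbox-compromise detections over constructed audit events (example, not product code)."""
from datetime import datetime, timedelta

# Constructed events in a simplified, hypothetical schema.
EVENTS = [
    {"time": "2025-03-04T13:02:00Z", "user": "bookkeeper@example.com", "op": "UserLoggedIn", "ip_country": "US"},
    {"time": "2025-03-04T13:41:00Z", "user": "bookkeeper@example.com", "op": "UserLoggedIn", "ip_country": "NG"},
    {"time": "2025-03-04T13:45:00Z", "user": "bookkeeper@example.com", "op": "New-InboxRule",
     "params": {"Name": "Archive", "ForwardTo": "billing.archive@mailbox-relay.example", "DeleteMessage": True}},
    {"time": "2025-03-04T14:10:00Z", "user": "owner@example.com", "op": "New-InboxRule",
     "params": {"Name": "Team", "ForwardTo": ["assistant@example.com"]}},
    {"time": "2025-03-05T08:00:00Z", "user": "owner@example.com", "op": "UserLoggedIn", "ip_country": "US"},
    {"time": "2025-03-05T17:30:00Z", "user": "owner@example.com", "op": "UserLoggedIn", "ip_country": "US"},
]

# Parameters on a rule that send a copy or the original somewhere else.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def recipients(value) -> list:
    """Forwarding parameters may hold one address or a list of addresses."""
    return [value] if isinstance(value, str) else list(value)


def external_forwarding_rules(events: list, internal_domains: set) -> list:
    """Alert on rule creation/modification that forwards mail to a domain we do not own."""
    alerts = []
    for ev in events:
        if ev.get("op") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = ev.get("params", {})
        for key in FORWARDING_PARAMS:
            for addr in recipients(params.get(key, [])):
                domain = addr.rsplit("@", 1)[-1].lower()
                if domain not in internal_domains:
                    alerts.append({
                        "time": ev["time"], "user": ev["user"], "rule": params.get("Name"),
                        "target": addr,
                        # Auto-deleting the forwarded copy hides the theft from the mailbox owner.
                        "hides_copies": bool(params.get("DeleteMessage")),
                    })
    return alerts


def impossible_travel(events: list, window_minutes: int = 60) -> list:
    """Alert when one user logs in from two countries closer together in time than travel allows."""
    logins = sorted((e for e in events if e.get("op") == "UserLoggedIn"), key=lambda e: parse_time(e["time"]))
    last_by_user = {}
    alerts = []
    for ev in logins:
        prev = last_by_user.get(ev["user"])
        if prev and prev["ip_country"] != ev["ip_country"]:
            gap = parse_time(ev["time"]) - parse_time(prev["time"])
            if gap <= timedelta(minutes=window_minutes):
                alerts.append({"user": ev["user"], "from": prev["ip_country"], "to": ev["ip_country"],
                               "minutes_apart": int(gap.total_seconds() // 60)})
        last_by_user[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for a in external_forwarding_rules(EVENTS, {"example.com"}):
        print("FORWARDING:", a)
    for a in impossible_travel(EVENTS):
        print("IMPOSSIBLE TRAVEL:", a)
```

In the constructed data the bookkeeper's account trips both rules within an hour, which is the combination the article describes: someone else is reading the inbox and quietly copying invoices out of it. A real deployment would read the same signals from the mail platform's audit log and page the MSP rather than print.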