- Business email compromise often doesn't require breaking into your account; the attacker registers a lookalike domain one character off and copies a real billing email word for word.
- The target is usually your client's inbox, not yours, so checking your Sent folder and seeing nothing proves very little because the fraudulent message was never sent from your mailbox.
- Layered technical defenses include enforcing SPF, DKIM, and DMARC, turning on external-sender banners, and enabling impersonation protection for lookalike senders and domains.
- The human control that breaks the scam every time is confirming any change to wiring instructions out of band by calling a known phone number before any money moves.
A couple weeks back, the owner of a small real estate law firm described a fraud that never touched his systems and still nearly cost a client a wire transfer. "It was the exact same email, letter for letter," he said, "but it wasn't in my Sent items."
That last detail is the whole lesson. The most common wire fraud going around doesn't require anyone to break into your email at all.
How the scam actually works
This pattern is called business email compromise, or BEC. Instead of hacking your account, the attacker:
- Registers a lookalike domain, one character off from yours or your client's.
- Copies a real billing email, word for word, sometimes after watching a thread.
- Slips in a message with "updated wiring instructions" at exactly the moment money is supposed to move.
The target is often your client's inbox, not yours. From their side it looks like it came from you. From your side, nothing happened, because nothing did. That's why checking your Sent folder and seeing nothing proves very little.
The dangerous instinct here is relief: "it's not in my Sent items, so we're fine." Spoofed and lookalike-domain attacks leave no trace in your mailbox, because the fraudulent message was never sent from it. Absence of evidence is not the all-clear.
The defenses that actually stop it
This is a layered problem, and Microsoft 365 already bundles most of the technical pieces by license tier. The work is turning them on and tuning them:
- Enforce SPF, DKIM, and DMARC, the three DNS records that let receiving systems verify mail really came from you and reject spoofs.
- Turn on external-sender banners so a message from outside the firm is visibly flagged.
- Enable impersonation protection in Microsoft's email security, which watches for lookalike senders and domains.
And then the control that catches what technology misses:
Write down a verification rule and make it non-negotiable: any change to wiring or banking instructions gets confirmed out of band, by calling a known phone number, before a dollar moves. Not by replying to the email. The phone call is what breaks the scam, every time.
The takeaway
Wire fraud aimed at transaction businesses, law firms, title companies, anyone who moves client money, usually isn't a hacking problem. It's an impersonation problem, and it's beaten with a mix of email authentication and a hard human rule about verifying payment changes.
If your firm moves money for clients and you've never had your email authentication and verification process checked, that's an hour well spent. We're glad to walk through it with you. Let's talk it through.