The story
Sarah Chen has been CFO at Meridian Consulting for six years. She knows the CEO's communication style better than her own. When she sees his email at 4:52 pm on a Friday, she doesn't hesitate.
The email is succinct — the CEO doesn't over-explain when he's in a rush. It references a specific vendor by name, mentions the board dinner (which she knew about), and uses the exact kind of compressed urgency he uses when traveling. There's nothing unusual about it except the timing.
She initiates the wire through the company's banking portal. The portal's verification goes through: it confirms that Sarah is authorised to send money, not that the request behind the wire is genuine. $178,000 leaves Meridian Consulting's account at 5:14 pm on a Friday. By Monday morning, it has passed through three international accounts and is functionally unrecoverable.
The CEO's email account had been compromised in a credential stuffing attack two weeks earlier (credential stuffing replays usernames and passwords leaked from other sites, so it succeeds against any account whose password has been reused). The attacker had been silently reading the mailbox since then, learning the organization's payment processes, the CEO's communication style, and the names and relationships of key people.
When the attack was executed, it was not a generic phishing attempt — it was a targeted, well-researched fraud that used real internal context to eliminate doubt. There was nothing Sarah could have detected without an out-of-band verification step.
The FBI IC3 documents this pattern consistently: the most successful BEC attacks are launched late Friday or before holidays, when the urgency of a time-sensitive request is most plausible and the normal approval chain is least available. The attacker's intelligence was accurate. The process was exploitable. The only missing defense was a five-second code exchange.
What happened
$178,000 transferred to a fraudulent account. Funds unrecoverable.
What stops it
A code request takes five seconds. The CEO can't produce one — because it isn't him.
What this scenario teaches us
Friday afternoon and pre-holiday windows are the highest-risk periods for wire fraud. Verification protocols should be enforced more strictly, not less, under time pressure.
Email authentication (SPF, DKIM, DMARC) does not protect against compromised legitimate accounts. It verifies that a message left the domain's authorized infrastructure, and a message sent from the CEO's real mailbox with stolen credentials satisfies all three checks.
Urgency and authority are the two most reliable social engineering levers. Any request that combines both — regardless of the channel — should trigger mandatory out-of-band verification.
A five-second code exchange is operationally trivial. The friction of verification is almost always less than the friction of recovery.
Prevention checklist
Require Real Authenticator code verification for all wire transfers above a defined threshold
Establish a policy that urgency alone cannot bypass the verification requirement
Enroll CEO, CFO, and all finance-adjacent executives in Real Authenticator connections
Brief finance team: a real CEO will never object to a five-second code check
Frequently asked questions
Would DMARC have caught this?
No. The attacker was sending from the CEO's actual compromised mailbox, not from a spoofed domain, so SPF and DKIM passed and aligned with the From: domain. DMARC protects against unauthorized use of your domain; it says nothing about whether the person holding legitimate credentials is the account owner.
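To make the DMARC point concrete, here is an added example that is not code from the original page or from Real Authenticator: a simplified relaxed-alignment DMARC check (RFC 7489 semantics, with the organizational domain approximated as the last two labels rather than looked up in the Public Suffix List) run over three constructed Authentication-Results headers. The domains, headers and MTA name are invented. It goes slightly beyond the FAQ by also including a lookalike domain, which passes DMARC because the attacker controls that domain's own SPF and DKIM.

```python
"""Added example (not Real Authenticator code): a simplified DMARC alignment
check run over constructed Authentication-Results headers, showing that a
message from a compromised mailbox passes DMARC exactly as a genuine one does.
Domains, headers and the MTA name below are invented for illustration."""
import re
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real DMARC uses the Public Suffix List; this is enough for these samples."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_evaluate(msg: dict) -> dict:
    """Relaxed-alignment DMARC verdict for one message.
    msg carries the From: header and the Authentication-Results header as the
    receiving MTA would have stamped it after checking SPF and DKIM."""
    _, from_addr = parseaddr(msg["From"])
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    ar = msg.get("Authentication-Results", "")
    # SPF aligns if the envelope sender (smtp.mailfrom) passed and its
    # organizational domain matches the visible From: domain.
    spf = re.search(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)", ar)
    # DKIM aligns if a signature passed and its d= domain matches From:.
    dkim = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", ar)
    spf_aligned = bool(spf) and org_domain(spf.group(1)) == org_domain(from_domain)
    dkim_aligned = bool(dkim) and org_domain(dkim.group(1)) == org_domain(from_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed messages. The receiving MTA is the invented mx.meridian.example.
# 1. Classic spoof: the attacker's own server forges the From: address.
SPOOFED = {
    "From": "CEO <ceo@meridian.example>",
    "Authentication-Results": (
        "mx.meridian.example; spf=fail smtp.mailfrom=ceo@meridian.example; "
        "dkim=none"
    ),
}
# 2. Compromised mailbox: sent through the real tenant with stolen credentials.
COMPROMISED = {
    "From": "CEO <ceo@meridian.example>",
    "Authentication-Results": (
        "mx.meridian.example; spf=pass smtp.mailfrom=ceo@meridian.example; "
        "dkim=pass header.d=meridian.example"
    ),
}
# 3. Lookalike domain registered by the attacker, with its own valid SPF/DKIM.
LOOKALIKE = {
    "From": "CEO <ceo@meridian-consulting.example>",
    "Authentication-Results": (
        "mx.meridian.example; spf=pass smtp.mailfrom=ceo@meridian-consulting.example; "
        "dkim=pass header.d=meridian-consulting.example"
    ),
}


def verdicts() -> dict:
    """DMARC outcome per sample; only the forged-header case is caught."""
    samples = (("spoofed", SPOOFED), ("compromised", COMPROMISED),
               ("lookalike", LOOKALIKE))
    return {name: dmarc_evaluate(m)["dmarc"] for name, m in samples}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:12s} DMARC={verdict}")
```

The compromised-mailbox message is indistinguishable from a genuine one at this layer: SPF and DKIM both pass and align, so any filter keyed on DMARC waves it through. That is why the remaining control has to live outside email, in an out-of-band check of the person rather than the account.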
What about requiring dual authorization on wires?
Dual authorization helps, but both authorizers can be social-engineered separately, and when the request itself comes from a compromised internal mailbox, dual authorization only confirms that two approvers agreed, not that the requester is who the email says. Real Authenticator ensures that each verification point confirms the actual identity of the person, not just their account.
Sources & citations
- 1. FBI IC3 Annual Report 2023: BEC statistics
- 2. FBI: Business Email Compromise PSA: the $50B BEC problem
Loss figures are based on documented cases or FBI IC3 reported averages. Individual scenario details are illustrative reconstructions based on documented attack patterns. Real Authenticator is not affiliated with any cited organization.