The $50,000 Email That Changed Everything
It started like a normal business day. The CEO was traveling. The CFO got an email — looked exactly right, came from the right person, made a reasonable request. Wire $50,000. And just like that, it was gone.
By the time anyone realized the email was spoofed — that it never actually came from the CEO — the wire transfer had cleared. The bank's recovery window had passed. The money was irrecoverable.
This isn't a hypothetical. This happened to a real business. And in Episode 80 of UnHacked, hosts Justin Shelley (Phoenix IT Advisors), Mario Zaki (Mazteck IT), and Bryan Lachapelle (B4 Networks) break down exactly how it happened, why it keeps happening, and — most importantly — what you as a business owner can do right now to make sure it never happens to you.
What Is Business Email Compromise — and Why Should You Care?
Business Email Compromise, or BEC, is one of the fastest-growing and most financially damaging forms of cybercrime targeting businesses today. Unlike ransomware attacks that lock down your systems with dramatic fanfare, BEC attacks are quiet, surgical, and devastatingly effective. They don't need to break through your firewall. They don't need to install malware. All they need is for one person in your organization — or in the organization of someone you do business with — to be deceived.
In this episode, Justin, Mario, and Bryan explain the two primary attack methods:
Lookalike Domains
Attackers register a domain that looks nearly identical to a legitimate business's: a lowercase "l" replaced with a capital "I" (identical in many fonts), "rn" standing in for "m", a Cyrillic letter in place of the Latin one it resembles, or ".com" swapped for ".co". They then send email from this fake domain to your team, your clients, or your vendors. These messages sail past spam filters because there is nothing technically wrong with them: the attacker owns the lookalike domain, so SPF, DKIM and DMARC checks all pass. The mail simply comes from the wrong place, and most people never look closely enough to notice.
Mario describes a pattern he sees constantly in the construction industry: a small electrical subcontractor gets compromised, and the hacker uses their account to send fraudulent payment instructions to the general contractor. The email looks completely legitimate — because it came from a real, trusted account. The money gets sent to the wrong place. Everyone loses.
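An added example (mine, not code from the episode or its hosts) of how a mail filter can recognize the lookalike patterns described above: it decodes punycode, folds Unicode and ASCII look-alike characters onto a common skeleton, and then compares the sender's domain against a list of domains you actually do business with. The trusted list, the sample senders and the single-label-suffix assumption (acme.com rather than acme.co.uk) are constructed for the example; a real deployment would use the Public Suffix List.

```python
"""Lookalike-domain classifier.

Added example for the lookalike-domain pattern; it is not code from the
UnHacked episode or its hosts. Trusted domains and sample senders are
constructed, and a single-label public suffix is assumed.
"""
import unicodedata

# Unicode homoglyphs folded onto the Latin letter they imitate. Hand-picked
# subset; Unicode's confusables.txt is the full reference.
UNICODE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0131": "i", "\u0261": "g",
}
# ASCII swaps that survive most fonts: I/l/1/|, 0/o, digit-for-letter.
ASCII_CONFUSABLES = {"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"}
# Two-character sequences that render like a single letter.
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so Unicode homoglyphs can be folded."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode (or malformed): compare as given


def skeleton(label: str) -> str:
    """Fold a label so that look-alike spellings collide on one string."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(UNICODE_CONFUSABLES.get(c, c) for c in s)
    s = "".join(ASCII_CONFUSABLES.get(c, c) for c in s)
    for pair, single in PAIR_CONFUSABLES:
        s = s.replace(pair, single)
    return s


def split_domain(domain: str):
    """Return (second-level label, tld), e.g. ("acme", "com")."""
    labels = domain.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, trusted_domains):
    """Return (verdict, matched_trusted_domain, reason).

    verdict is "trusted" (the domain itself or a subdomain of it),
    "lookalike" (imitates a trusted domain) or "unrelated".
    """
    sender = to_unicode(sender_domain).lower().strip(".")
    trusted = [to_unicode(t).lower().strip(".") for t in trusted_domains]
    for t in trusted:
        if sender == t or sender.endswith("." + t):
            return "trusted", t, "exact domain or subdomain"
    s_sld, s_tld = split_domain(sender)
    for t in trusted:
        t_sld, t_tld = split_domain(t)
        # acme.com.secure-invoice.net: the real name hidden in a longer host
        if "." + t + "." in "." + sender + ".":
            return "lookalike", t, "trusted name embedded as a subdomain"
        s_skel, t_skel = skeleton(s_sld), skeleton(t_sld)
        if s_skel == t_skel:
            if s_sld != t_sld:
                return "lookalike", t, "homoglyph substitution in %r" % s_sld
            return "lookalike", t, "tld swap (.%s vs .%s)" % (s_tld, t_tld)
        if len(t_skel) >= 4 and edit_distance(s_skel, t_skel) == 1:
            return "lookalike", t, "one-character typo of %r" % t_sld
        if t_skel in s_skel.split("-"):
            return "lookalike", t, "trusted name with an added word"
    return "unrelated", None, ""


if __name__ == "__main__":
    TRUSTED = ["acme.com"]
    # Constructed senders; the last-but-one is Cyrillic-a "acme" stored the
    # way a registrar would (punycode), built here rather than typed by hand.
    SAMPLES = ["mail.acme.com", "acme.co", "acrne.com", "acne.com",
               "acme-payments.com", "acme.com.secure-invoice.net",
               "\u0430cme.com".encode("idna").decode("ascii"), "example.org"]
    for s in SAMPLES:
        print("%-32s %s" % (s, classify(s, TRUSTED)))
```

The skeleton step is what catches the "l" versus "I" swap: after lower-casing, both letters fold onto "l", so "paypaI" and "paypal" compare equal even though the raw strings differ. Run it against the From header and the Reply-To header separately; the reply path is where the lookalike usually sits.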
Fully Compromised Email Accounts
This is the more sophisticated attack. Instead of faking an email address, hackers break into a real person's mailbox, often with credentials stolen through a phishing page, and operate from inside. They read mail, learn communication patterns, and wait. When the time is right, they send requests for wire transfers or sensitive information from the genuine account. Replies to those requests, along with any "did you really send this?" message from the bank or the finance team, are silently diverted by inbox rules the attacker created, typically into a folder nobody opens such as RSS Feeds or Deleted Items, so the legitimate account owner never sees them. The deception can go on for days or weeks.
With the power of AI, attackers can now download an entire mailbox's contents, analyze tone and context, and seamlessly pick up conversations that started weeks or months ago. By the time a suspicious domain gets flagged, the attacker may have already switched to a compromised legitimate account to continue the con.
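Hunting for those rules is the detection that matters once a mailbox has been taken over, so here is an added example (again mine, not the hosts' code) that scores a mailbox's rules for the attacker pattern described above: forwarding or redirecting off-tenant, parking mail in folders nobody reads, deleting it, marking it read so the unread counter never moves, and keying on finance words. The rule objects are constructed here and loosely follow the Microsoft Graph messageRule shape; folder IDs are assumed to have been resolved to names already, and ORG_DOMAINS is an assumed list of the tenant's own domains.

```python
"""Inbox-rule triage for the compromised-mailbox pattern.

Added example, not code from the UnHacked episode or its hosts. Rule objects
are constructed and loosely follow the Microsoft Graph messageRule shape
(displayName, conditions, actions); folder IDs are assumed to be resolved to
folder names, and ORG_DOMAINS is an assumed list of the tenant's own domains.
"""

ORG_DOMAINS = {"acme.example"}  # assumption: addresses here are internal

# Folders attackers pick because nobody opens them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                  "junk email", "conversation history", "notes"}
# Words that single out money and credential traffic.
FINANCE_TERMS = {"invoice", "wire", "payment", "ach", "remittance", "bank",
                 "account", "password", "mfa", "verification", "fraud"}


def external_addresses(addresses):
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def condition_words(conditions):
    """Lower-cased words from every text-matching condition."""
    words = set()
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        for phrase in conditions.get(key, []):
            words.update(phrase.lower().split())
    return words


def score_rule(rule):
    """Return (score, findings). 0 is benign; 4 or more deserves a look."""
    score, findings = 0, []
    name = (rule.get("displayName") or "").strip()
    cond = rule.get("conditions") or {}
    act = rule.get("actions") or {}
    if rule.get("isEnabled") is False:
        return 0, ["disabled"]

    if len(name) <= 2:  # ".", "..", " " are the classic attacker names
        score += 2
        findings.append("near-empty rule name %r" % name)

    ext = external_addresses(act.get("forwardTo", []) + act.get("redirectTo", [])
                             + act.get("forwardAsAttachmentTo", []))
    if ext:
        score += 4
        findings.append("forwards or redirects to external %s" % ", ".join(ext))

    folder = (act.get("moveToFolder") or "").lower()
    deletes = bool(act.get("delete") or act.get("permanentDelete"))
    hides = folder in HIDING_FOLDERS or deletes
    if folder in HIDING_FOLDERS:
        score += 3
        findings.append("moves matching mail to %r" % folder)
    if deletes:
        score += 3
        findings.append("deletes matching mail")
    if act.get("markAsRead") and hides:
        score += 1
        findings.append("marks as read so the unread counter never changes")

    hits = condition_words(cond) & FINANCE_TERMS
    if hits:
        score += 2
        findings.append("keyed on finance/credential words %s" % sorted(hits))
    if not cond and (hides or ext):
        score += 2
        findings.append("applies to every incoming message")
    return score, findings


def triage(rules, threshold=4):
    """(name, score, findings) for rules at or above threshold, worst first."""
    flagged = []
    for rule in rules:
        score, findings = score_rule(rule)
        if score >= threshold:
            flagged.append((rule.get("displayName", ""), score, findings))
    return sorted(flagged, key=lambda f: -f[1])


# Constructed rules: two benign, two attacker-style, one borderline.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire transfer", "payment"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"displayName": "Sync", "isEnabled": True, "conditions": {},
     "actions": {"forwardTo": ["backup.mailbox@gmail.example"]}},
    {"displayName": "From the boss", "isEnabled": True,
     "conditions": {"senderContains": ["ceo@acme.example"]},
     "actions": {"markImportance": "high"}},
    {"displayName": "Archive old FYI", "isEnabled": True,
     "conditions": {"subjectContains": ["FYI"]},
     "actions": {"moveToFolder": "Archive"}},
]

if __name__ == "__main__":
    for name, score, findings in triage(SAMPLE_RULES):
        print("%-16s score=%d  %s" % (name, score, "; ".join(findings)))
```

In a real tenant the rules come from Exchange Online's Get-InboxRule cmdlet or the Graph endpoint for a user's inbox messageRules, and the unified audit log records each New-InboxRule and Set-InboxRule event, so the same scoring can run on rule creations as they happen rather than only on a periodic sweep. The "Archive old FYI" rule scores 3 on purpose: moving mail to Archive is common and benign on its own, and it only becomes interesting in combination with a finance keyword, a mark-as-read, or an external forward.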
Your Vendors Can Get You Hacked (Even If You're Doing Everything Right)
One of the most sobering points raised in this episode is that you can do everything right — two-factor authentication, strong passwords, excellent email filtering — and still lose money because of a compromise that happens somewhere else in your supply chain.
Bryan shares a story of a client who received perfectly legitimate-looking payment instruction updates from a vendor. The vendor's email had been compromised. The attacker waited, studied the relationship, and struck at the right moment. By the time anyone caught on, wire transfers had already cleared.
The fix? A policy that seems almost laughably simple: never change payment information, especially wire transfer details, without a verbal confirmation call to a phone number already on file. Not the number in the email requesting the change; whoever wrote that email also chose that number. The number you saved from before, from the contract or a previous invoice. That one call could have saved tens of thousands of dollars. Most businesses don't have this written down anywhere.
New Employees Are a Target From Day One
Mario raises a threat that many business owners have never considered: the moment a new hire announces their job on LinkedIn, they become a target.
Attackers scan LinkedIn for new employees and immediately begin sending phishing emails impersonating the company's CEO or owner. The message is crafted for maximum psychological leverage: "I'm on a business trip, I need a favor, keep this between us." The new employee, eager to impress and not yet familiar with how the company actually operates, complies. They buy gift cards. They send information. They wire money.
This isn't a niche attack. It is happening constantly, at scale, to companies of every size.
The defense isn't to stop hiring or to ban LinkedIn. The defense is onboarding that genuinely prepares new employees to understand how business is actually conducted at your company — including what requests will and will never come through email.
Technology Is Not Enough: The Human Risk Factor
This episode is part of a 12-part series on Security Basics, and one of its most important contributions to that series is the forceful argument that human behavior — not technology — is where most security battles are won or lost.
Justin quotes from the book Future Crimes by Marc Goodman: "If you think technology is the problem, you don't understand the problem." People are where attackers focus their energy, because people are easier to manipulate than well-configured systems.
That means the security of your business ultimately comes down to your company's culture.
Here's what that looks like in practice:
Written policies that cover exactly what to do when payment information changes, when an unusual request comes in via email, or when an employee suspects a phishing attempt.
Training that doesn't stop. Annual training is the bare minimum required by most compliance frameworks — but one-time training is forgotten. Weekly micro-training, regular simulated phishing campaigns, and ongoing awareness efforts build the kind of muscle memory that actually protects businesses.
A reporting culture. Employees who catch and report suspicious emails are your first line of defense. They deserve to be rewarded, not ignored. Businesses that punish employees for clicking a phishing test link or for raising security concerns are actively training their teams to stay silent when it matters most — and the consequences can be catastrophic.
Bryan tells the story of a client program where employees who correctly identified and reported simulated phishing emails were entered into a draw for a $100 gift card. The results were outstanding. Simple. Affordable. Effective.
Justin goes further, telling the story of a major city's IT department where two employees separately identified that the organization was severely out of compliance with security standards. They brought documented, actionable findings to leadership. Leadership told them to be quiet — because fixing it would require budget conversations no one wanted to have. The breach happened anyway. Half a million dollars was lost. Lawsuits followed. Careers ended.
The lesson isn't just "don't silence your IT team." It's that security has to be a leadership value, not just an IT function. If the CEO doesn't champion it, no one else will.
What You Can Do Right Now
The hosts close with a set of practical, immediately actionable recommendations for business owners:
- Implement MFA (Multi-Factor Authentication) on all email accounts. This is non-negotiable. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where the platform supports them; SMS codes and push approvals can be relayed or socially engineered away by the same phishing pages that steal passwords.
- Deploy email security tools that flag newly registered domains, detect suspicious mailbox rules, and automatically lock compromised accounts. These tools cost a few dollars per mailbox per month. They are not optional.
- Write it down. Create written policies for payment changes, wire transfers, and unusual executive requests. Make verbal confirmation a mandatory step.
- Train, and train again. Don't treat security awareness as a one-time checkbox. Make it part of your culture.
- Reward vigilance. Create a system — formal or informal — that recognizes and rewards employees who flag suspicious activity.
- Report lookalike domains. If you discover a domain that mimics your company's name, you can report it to the domain registrar and to law enforcement. It takes work, but it can get the domain taken down. Search for the FBI's Internet Crime Complaint Center (IC3, ic3.gov) and the FTC's reporting portal.
- Assume nothing, verify out of band. If an email request feels unusual, treat it as suspicious until you've confirmed it through a separate, trusted channel: a phone number already on file, a chat message, or a walk down the hall.
Why This Episode Matters for Your Business
Cybercrime is not a technology problem. It is a business problem. A $50,000 wire transfer that disappears. A vendor relationship that gets weaponized against you. A new employee who gets manipulated on their first week. These aren't edge cases. They are happening every day, to businesses exactly like yours.
The good news: the defenses are not complicated. They require intention, consistency, and leadership. They require the kind of culture that takes security seriously — not as a burden, but as a fundamental part of protecting the business everyone has worked so hard to build.
That's what UnHacked is about. And that's what this episode delivers.
🎧 Listen to Episode 80 Now
Visit unhackmybusiness.com to stream this episode and access resources, downloads, and all previous episodes in the Security Basics series.
🔐 Is Your Business Actually Protected?
You've just read about the mistakes that cost businesses tens — and sometimes hundreds — of thousands of dollars. The question is: do you know where your vulnerabilities are?
The team at Phoenix IT Advisors offers a free cybersecurity risk assessment designed specifically for business owners. No jargon. No sales pressure. Just an honest look at where you stand and what, if anything, needs to change.
Visit phoenixitadvisors.com and mention UnHacked to get started.
Because the best time to find a vulnerability is before someone else does.
