The Justice Department announced on June 11, 2026 that a federal jury convicted two defendants connected to a $25 million wire fraud and money-laundering scheme built around business email compromise. DOJ said foreign entities accessed business email accounts, watched for large transactions, sent false payment instructions, and diverted real estate transactions, vendor payments, loan disbursements, and an inheritance transfer into accounts controlled by the fraud ring.
For business owners, the point is not only that another fraud case reached court. The practical issue is that email remains close to the money. If a business accepts payment changes, wire instructions, invoice updates, or urgent transfer requests through email without a separate verification process, a compromised mailbox can become a payment-approval problem.
The FBI describes business email compromise as one of the most financially damaging online crimes because it exploits normal reliance on email for business. Its guidance tells victims to contact their financial institution immediately after a fraudulent transfer and says payment or purchase requests should be verified through a trusted secondary channel.
The Business Decision
The decision for owners is whether payment verification is a real control or an informal habit. A finance employee may know to be careful, but that is not the same as a written rule, a named approver, a callback procedure, and a record showing who verified the change.
This matters for organizations that handle vendor invoices, real estate closings, client retainers, construction draws, school or nonprofit payments, equipment purchases, insurance payments, payroll changes, and loan disbursements. Those workflows often involve trusted relationships and recurring email threads. That trust is exactly what BEC schemes try to exploit.
A responsible process should answer a simple question before money moves: Who verifies that the request is real when the payment instructions change?
The answer should not depend on memory or urgency. It should be documented in a way an owner, office manager, controller, or outside accountant can enforce.
What Owners Should Ask
If your business relies on an internal finance team, bookkeeper, accountant, MSP, bank, title company, vendor, or office manager, ask for plain answers to these questions:
- Which payment changes require independent verification? Include new bank accounts, changed wiring instructions, changed mailing addresses, urgent invoice revisions, and requests to split payments.
- Who is allowed to approve a change? Name the business role, not just a person who happens to be available that day.
- What counts as verification? A reply to the same email thread should not be enough. Use a known phone number, established vendor portal, in-person confirmation, or another trusted channel already on file.
- What dollar amount triggers owner approval? Set thresholds for wires, ACH payments, checks, purchase cards, and recurring vendor changes.
- How are exceptions recorded? If someone approves an urgent payment, the reason and verifier should be documented.
- What happens if a payment is misdirected? The business should know who contacts the bank, who contacts counsel or insurance, who files an IC3 complaint, and who preserves email and system logs.
Do Not Make This Only an IT Problem
Strong email security helps, but BEC prevention is not only a firewall, spam filter, or MFA conversation. The DOJ case described fraudsters watching normal business communications and using that knowledge to redirect payments. That makes the issue both technical and operational.
Your IT provider can help reduce mailbox compromise risk with MFA, conditional access, phishing controls, mailbox forwarding reviews, and sign-in monitoring. But the business still needs a finance rule for what staff must do when money instructions change. Technology can lower the chance of compromise. It cannot replace a payment-control policy.
That distinction is important when reviewing vendor claims. If a provider says email security is handled, ask what controls exist outside the mailbox. If an accountant says staff know to call, ask whether the callback number is taken from a trusted record or from the suspicious email. If a bank offers fraud tools, ask who inside the business is responsible for using them.
What To Do Next
Start with a short payment-change review. List who can create vendors, edit bank details, approve wires, release ACH batches, and authorize large checks. Then identify which steps currently rely on email alone.
For each risky step, add a specific control: a callback to a known number, two-person approval, owner sign-off above a threshold, a vendor-change form, or a hold period before new bank details are used. Keep the rule simple enough that staff will follow it during a busy day.
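One way to turn those controls into a release gate that an accounting or payment-queue system could run before money moves. This is an added example, not taken from the DOJ case or any product; the threshold, hold period, channel names, role names, and field names are assumptions to replace with your own policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values for illustration only.
OWNER_APPROVAL_THRESHOLD = 10_000            # dollars
HOLD_PERIOD = timedelta(days=2)              # wait before new bank details are used
TRUSTED_CHANNELS = {"phone_on_file", "vendor_portal", "in_person"}

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    requested_by: str                                   # role that entered the request
    bank_details_changed_at: Optional[datetime] = None  # None = instructions unchanged
    verified_via: Optional[str] = None                  # channel used to confirm the change
    verified_by: Optional[str] = None                   # role that performed the callback
    approvers: List[str] = field(default_factory=list)  # roles that signed off

def release_blockers(req: PaymentRequest, now: datetime) -> List[str]:
    """Return the reasons a payment must not be released yet (empty list = release)."""
    reasons = []
    if req.bank_details_changed_at is not None:
        # A reply on the same email thread is not verification.
        if req.verified_via not in TRUSTED_CHANNELS:
            reasons.append("bank change not verified through a trusted channel on file")
        if not req.verified_by:
            reasons.append("no verifier recorded for the bank change")
        if now - req.bank_details_changed_at < HOLD_PERIOD:
            reasons.append("hold period on new bank details has not elapsed")
    # Two-person approval: someone other than the requester must sign off.
    if not [a for a in req.approvers if a != req.requested_by]:
        reasons.append("no approver other than the requester")
    if req.amount >= OWNER_APPROVAL_THRESHOLD and "owner" not in req.approvers:
        reasons.append("owner sign-off required above threshold")
    return reasons

if __name__ == "__main__":
    now = datetime(2026, 6, 15, 9, 0)
    # Constructed sample: urgent wire, bank details changed 3 hours ago by email.
    urgent = PaymentRequest("Acme Supply", 48_000, "ap_clerk",
                            bank_details_changed_at=now - timedelta(hours=3),
                            verified_via="email_reply", verified_by="ap_clerk",
                            approvers=["ap_clerk"])
    for reason in release_blockers(urgent, now):
        print("BLOCKED:", reason)
```

The returned list doubles as the exception record: if someone overrides a blocker, store the reasons alongside the name of the person who approved the override.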
Finally, write down the recovery path. If a suspicious transfer is discovered, time matters. The business should know which bank contact to call, what information to provide, who preserves evidence, and who reports the incident. Waiting until after money is gone is a poor time to decide who owns the response.
The practical takeaway from the DOJ case is direct: payment verification needs ownership before the next urgent request arrives. A business does not need a complicated policy to reduce risk. It needs a clear rule for changed payment instructions, a trusted verification channel, and someone accountable for enforcing both.