The email comes from a trusted source — the CEO, a regular vendor, the company attorney or accountant. It’s part of an ongoing conversation, the format and language is identical to previous emails of the same type.
There might even be phone calls. It’s no surprise that in this situation an employee would send a wire transfer to a new payee or a sensitive business document to someone who turns out to be a fraudster.
According to ZapFraud, these kinds of spear phishing attacks, known as business email compromise (BEC), now account for 4 percent of the total volume of scams, up from from less than 1 percent in 2011.