Cyber Coach

Financial fraud

Fake invoices and BEC: the diverted transfer

Emails that change the IBAN on an expected invoice. Average EU loss per incident exceeds 50,000 EUR.

9 min read, Intermediate

Red flags to recognize

  • IBAN change communicated by email shortly before payment
  • Sender domain almost identical (supplier.com vs suppli3r.com)
  • Urgency tone: 'pay today, the recipient is on hold'
  • Request not to call 'to avoid fiscal checks'
  • Invoice PDF graphically identical with modified IBAN
  • Unexpected partial-payment or upfront request
  • Email arriving shortly after a legitimate thread, as a reply on a real conversation
  • Suspicious forwarding rule on the finance mailbox (account-takeover signal)

What to do now

  • Corporate policy: any IBAN change is verified by phone to the number already in your address book
  • Mandatory dual signature on transfers above a threshold
  • Verify sender SPF/DKIM/DMARC
  • Audit mailbox forwarding rules: compromised accounts often hide forwards
  • Use lookalike-domain detection tools for visual/phonetic comparison
  • If the transfer is already out: call the bank immediately for a SWIFT recall
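The red flags and the SPF/DKIM/DMARC and lookalike-domain checks above can be scripted as a first-pass triage on an incoming invoice e-mail. The following is an added example written for this page, not code from Cyber Coach or Mythos; it assumes a raw RFC 5322 message and a list of supplier domains already on file, and the sample message, the domain suppIier.com (capital I for l) and the Authentication-Results header are all constructed. The flags it returns are the reasons to phone the supplier on the number already in the address book, not a verdict.

```python
"""Triage of an incoming invoice e-mail for BEC indicators.

Added example, not code from the original page. It assumes two inputs: the
raw RFC 5322 message and the supplier domains already on file. The output
is a list of flags; none of them proves fraud, they are the reasons to pick
up the phone and call the number already in the address book.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from typing import List, Optional

# Character swaps commonly used in lookalike domains, applied to lowercase
# text on BOTH sides before comparing, so 'suppIier' and 'supplier' collapse
# to the same skeleton.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"),
              ("j", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def skeleton(domain: str) -> str:
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one-character typosquats like suppli3r."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None."""
    d = domain.lower()
    trusted_l = [t.lower() for t in trusted]
    if d in trusted_l:
        return None                      # exact match, not a lookalike
    for t in trusted_l:
        if skeleton(d) == skeleton(t) or levenshtein(d, t) <= 2:
            return t
    return None


def auth_results(header: str) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def triage(raw: str, trusted: List[str]) -> List[str]:
    msg = Parser(policy=policy.default).parsestr(raw)
    flags = []

    # 1. authentication verdicts recorded by the receiving MX
    for mech, verdict in auth_results(str(msg.get("Authentication-Results", ""))).items():
        if verdict != "pass":
            flags.append(f"{mech}={verdict}")

    # 2. sender domain vs. the suppliers on file
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    if from_dom.lower().startswith("xn--"):
        flags.append(f"punycode sender domain {from_dom}")
    target = lookalike_of(from_dom, trusted)
    if target:
        flags.append(f"sender domain {from_dom} imitates {target}")
    if reply_dom and reply_dom.lower() != from_dom.lower():
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. content signals: announced IBAN change and pressure to pay now
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if "iban" in body and re.search(r"\b(new|updated|changed)\b", body):
        flags.append("body announces a new IBAN")
    if re.search(r"\b(today|urgent|urgently|immediately|on hold)\b", body):
        flags.append("urgency language in body")
    return flags


# Constructed sample: 'suppIier.com' uses a capital I in place of the l.
SAMPLE = """\
Authentication-Results: mx.client.example; spf=fail smtp.mailfrom=suppIier.com; dkim=none; dmarc=fail header.from=suppIier.com
From: "Mario Rossi" <ceo@suppIier.com>
To: accounting@client.example
Subject: Re: Invoice 2025-118 - updated bank details
Content-Type: text/plain; charset=utf-8

Please find attached the updated invoice. Due to a bank change the new IBAN
is GB82 WEST 1234 5698 7654 32. Kindly pay today, the shipment is on hold.
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE, ["supplier.com"]):
        print("FLAG:", flag)
```

The skeleton comparison is what catches the 'i'-for-'l' substitution from the real case: both the genuine and the imitation domain collapse to the same string, while the raw strings differ. An exact match against the address book returns no flag, so a legitimate reply on a real thread stays quiet and the authentication verdicts, not the domain, decide whether a phone call is needed.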

Real case

BEC on a textile SME, Prato 2025

A textile SME is waiting for a 92,000 EUR payment from a French client. Days before the deadline, the client's accounts receivable receives what looks like an email from the Italian CEO with an updated invoice PDF and new IBAN 'due to a bank change'.

The payment goes to a UK IBAN owned by a money mule recruited online. The criminals had compromised commerciale@<company>.it a month earlier, read the threads with the client and picked the right moment. They used a lookalike domain with 'i' instead of 'l'.

Mythos analyzed the fraudulent email header: SPF fail, domain registered 11 days earlier, sending IP on an Asian VPS. PDF analysis showed it was generated from the same template as the real PDF but with modified Adobe metadata. The dossier enabled partial SWIFT recall and blocking 38% of the funds.

What Mythos can do on this case

  • Email header analysis with SPF/DKIM/DMARC and Received chain
  • Phonetic/visual lookalike-domain detection
  • PDF metadata extraction (author, software, timestamp, internal structure)
  • IBAN verification: matching BIC, bank, country, account age when available
  • Dossier for SWIFT recall and criminal complaint
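The IBAN verification step (matching country and bank against what is already on file) can be reproduced with a short plausibility check. This is an added example written for this page, not Mythos code or the Mythos IBAN service; it assumes the IBAN on file, the IBAN from the new invoice and the counterparty's known banking country as inputs, uses a hand-picked subset of the IBAN registry for lengths and bank-identifier positions, and uses the documented IT and GB example IBANs as constructed stand-ins for the supplier's real account and the mule account from the case above. A passing checksum only means the string is well formed; it says nothing about who owns the account.

```python
"""Plausibility checks on an IBAN change request.

Added example, not part of the original page. Assumed inputs: the IBAN on
file for the counterparty, the IBAN printed on the new invoice, and the
country the counterparty is known to bank in. A valid checksum only means
the string is well formed; it says nothing about who owns the account, so
every flagged change still goes to the phone call.
"""
import re
from typing import List

# Per-country total length and the slice holding the bank identifier
# (IT: ABI after the CIN letter; DE: BLZ; FR: code banque; GB/NL: bank code;
# ES: entidad). Subset of the IBAN registry, enough for the example.
IBAN_FORMAT = {
    "IT": (27, slice(5, 10)), "DE": (22, slice(4, 12)), "FR": (27, slice(4, 9)),
    "ES": (24, slice(4, 8)), "NL": (18, slice(4, 8)), "GB": (22, slice(4, 8)),
}


def normalize(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check plus the registry length for known countries."""
    iban = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    fmt = IBAN_FORMAT.get(iban[:2])
    if fmt and len(iban) != fmt[0]:
        return False
    rearranged = iban[4:] + iban[:4]                       # country+check to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def bank_id(iban: str) -> str:
    iban = normalize(iban)
    fmt = IBAN_FORMAT.get(iban[:2])
    return iban[fmt[1]] if fmt else ""


def assess_change(iban_on_file: str, iban_new: str, supplier_country: str) -> List[str]:
    """Flags that justify an out-of-band verification before paying."""
    old, new = normalize(iban_on_file), normalize(iban_new)
    if old == new:
        return []
    flags = ["IBAN differs from the one on file: confirm by phone on the known number"]
    if not iban_checksum_ok(new):
        flags.append("new IBAN fails checksum or country length")
    country = supplier_country.upper()
    if new[:2] != country:
        flags.append(f"new IBAN is {new[:2]}, counterparty banks in {country}")
    elif bank_id(new) and bank_id(new) != bank_id(old):
        flags.append(f"same country but bank identifier changed {bank_id(old)} -> {bank_id(new)}")
    return flags


if __name__ == "__main__":
    # Constructed values: the documented example IBANs for IT and GB, playing
    # the supplier's real account and the mule account from the case above.
    for f in assess_change("IT60 X054 2811 1010 0000 0123 456",
                           "GB82 WEST 1234 5698 7654 32", "IT"):
        print("FLAG:", f)
```

The country jump (IT supplier, GB account) is exactly the pattern of the Prato case and should stop a payment on its own; the same-country bank-identifier comparison covers the quieter variant where the fraudster opens a mule account in the supplier's own country.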

Next steps