A con run through your own inbox
Business email compromise is not a virus. It is a patient, human con that travels through legitimate channels — usually your own email — and ends in a wire that cannot be recalled. For a wealthy family, the appeal to an attacker is simple: large, routine transfers to lawyers, escrow agents, contractors, and advisers, authorized by a small circle that moves on trust. This piece explains how the attack works from the family's side. The controls that stop it live in the wire-transfer controls checklist, and if money has already left, the small-business BEC recovery playbook covers the first moves — this article is about understanding the mechanics, not recovering from them. It is general information, not legal advice, and not a substitute for retained counsel.
The kill chain, step by step
- Access or imitation. The attacker either compromises a real mailbox — typically through a phishing message — or registers a lookalike domain that differs by a single character. Phishing is the most common entry point in family-office incidents; Deloitte found it reported by 93% of those attacked.
- Quiet observation. Inside a real mailbox, the attacker reads. They learn the family's tone, who approves what, which deals are live, and when the principal travels. The best impersonations are simply well-rehearsed.
- Hidden forwarding rules. To stay invisible, attackers set inbox rules that auto-forward or auto-delete certain messages, so replies and warnings never reach the real owner. The mailbox looks normal while the conversation is being quietly steered.
- The bank-detail change. A trusted vendor or counterparty appears to write that their banking information has changed. It is the highest-yield move in the playbook, because one accepted change reroutes every future payment.
- The urgent wire. Finally, the instruction: a real-looking request, often timed to a moment of pressure or the principal's absence, urging a fast, confidential transfer. By the time anyone double-checks, the funds have moved.
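One way to check a mailbox for the lookalike-domain and hidden-rule steps above, as an added example that is not part of the original article: it audits an exported list of inbox rules for forwarding outside a trusted list, flags domains one character away from a trusted one, and flags rules that delete mail about payments. The rule format, field names, domains and keywords are all assumptions constructed for illustration.

```python
# Added example. Domains, rules and keywords below are constructed, not real data.
TRUSTED_DOMAINS = {"examplefamily.test", "escrow-partners.test"}  # assumed allow-list
WATCH_WORDS = {"wire", "invoice", "bank", "payment"}              # assumed keywords

SAMPLE_RULES = [  # hypothetical rule export; field names are assumptions
    {"name": "Newsletters", "subject_contains": ["unsubscribe"], "delete": True},
    {"name": ".", "subject_contains": ["wire", "invoice"], "delete": True,
     "forward_to": ["ops@examplefami1y.test"]},
]

def within_one_edit(a, b):
    """True if a and b differ by exactly one substituted, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                           # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one substituted character
    return a[i:] == b[i + 1:]            # one extra character in b

def classify_domain(domain):
    """Label a domain as trusted, lookalike (one character off) or external."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(within_one_edit(domain, t) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"

def audit_rule(rule):
    """Return a list of findings for one inbox rule; empty means nothing flagged."""
    findings = []
    for addr in rule.get("forward_to", []):
        kind = classify_domain(addr.rsplit("@", 1)[-1])
        if kind != "trusted":
            findings.append(f"forwards to {kind} address {addr}")
    if rule.get("delete"):
        hits = [w for w in rule.get("subject_contains", []) if w.lower() in WATCH_WORDS]
        if hits:
            findings.append("deletes mail mentioning " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for finding in audit_rule(rule):
            print(f"rule {rule['name']!r}: {finding}")
```

A rule that both forwards to a lookalike address and deletes payment-related mail, like the second constructed rule, is the combination the list describes: the conversation is copied out while the owner stops seeing it.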
The family-victim variations
The same machinery is pointed at the situations unique to private wealth: a property purchase where a fake escrow instruction diverts the deposit; a renovation where a contractor's invoice is intercepted and re-banked; a philanthropic grant rushed before a deadline. The constant is that the request looks ordinary and arrives through a channel the family already trusts.
Why the losses are so large
Business email compromise is among the costliest categories of online crime. The FBI logged 21,442 complaints in 2024 with adjusted losses of roughly US$2.77 billion, and puts cumulative exposed losses in the tens of billions of dollars over the past decade. The reason is structural: the payments are big, the instructions look real, and a completed wire is extraordinarily hard to claw back.
What understanding it changes
Seeing the kill chain makes the defense obvious. If the danger is a believable instruction in a trusted channel, the answer is to verify outside that channel before money moves — an out-of-band callback, a hold on any bank-detail change, and a rule that no wire goes out on email alone. Most family offices that have looked closely at how a single deception could travel through their process make a handful of quiet adjustments and close the gap. The fix is not dramatic; it is deliberate.
Sources
- Federal Bureau of Investigation, Internet Crime Complaint Center (IC3), 2024 Internet Crime Report. https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
- Federal Bureau of Investigation, Internet Crime Complaint Center (IC3), Business Email Compromise: The $55 Billion Scam (Public Service Announcement I-091124-PSA). https://www.ic3.gov/PSA/2024/PSA240911
- Deloitte Private, The Family Office Cybersecurity Report 2024. https://www.deloitte.com/global/en/services/deloitte-private/research/family-office-cybersecurity-report.html
















