Dude Diligence Issue #2: Reply All to Disaster

REPLY ALL TO DISASTER

Business Email Compromise: When the Biggest Hack is Just a Really Good Lie

Dude Diligence at his desk, coffee in hand

DUDE Monday. Of course it's Monday.

PING! PING! PING!

DUKE (inner monologue) Three BEC attempts before I've finished my first cup of coffee. Impressive commitment to crime.

PAGE 1 OF 8

PAGE 2: WHAT IS BEC?

DUDE BREAKS THE FOURTH WALL...

DUDE (to reader) Alright, let's talk about BEC — Business Email Compromise. It's not a hack. It's a con. The oldest trick in the book, just with better fonts.

$2.7B

Annual losses to BEC (FBI IC3)

NO MALWARE.

NO EXPLOITS.

JUST LIES.

DUDE (to reader) No one breaks into your network. No malware gets installed. Someone just sends an email pretending to be your boss, your vendor, or your lawyer — and asks for money, data, or credentials. And because humans are wired to obey authority and respond to urgency, it works. A lot.

THE 5 TYPES OF BEC

👑

1. CEO FRAUD

Attacker impersonates the CEO or executive, requests urgent wire transfer. "I need this handled quietly and immediately." Sure you do, pal.

💰

2. PAYROLL DIVERSION

Attacker impersonates an employee, asks HR to change direct deposit info. Your coworker's paycheck goes to a stranger's account.

📄

3. VENDOR INVOICE FRAUD

Fake or compromised vendor sends invoice with "updated" banking details. One changed digit, six figures gone.

⚖️

4. ATTORNEY IMPERSONATION

Attacker pretends to be outside counsel handling a "confidential matter." Uses legal urgency to bypass normal approvals.

📂

5. DATA THEFT

Targets HR and finance for W-2s, employee PII, or customer records. No wire transfer — they're after the data itself.

DUDE (to reader) Notice the common thread? None of these require technical sophistication. Just a Gmail account, LinkedIn research, and the audacity of a man who double-parks in a fire lane.

PAGE 2 OF 8

PAGE 3: THE ATTACK CHAIN

HOW A BEC ATTACK UNFOLDS...

1

RECONNAISSANCE

The attacker studies your org chart. LinkedIn, website bios, press releases, social media. They learn who reports to whom, who handles money, who's traveling.

2

SETUP

They register a lookalike domain (yourcompamy.com), spoof the display name, or compromise a real email account. The stage is set.

3

THE ASK

The email arrives: urgent, confidential, and it bypasses every normal process you have. "Don't loop anyone else in on this."

4

THE PRESSURE

Time pressure. Authority pressure. Secrecy. "This needs to happen before end of day. I'm counting on you." Classic manipulation playbook.

5

THE EXTRACTION

Wire transfer sent. Gift cards purchased. Payroll redirected. Data exported. By the time anyone notices, the money is in a different hemisphere.

DUDE (to reader) Notice there's no malware. No exploit. No zero-day. Just someone betting you won't slow down long enough to think. The entire attack chain is: research, impersonate, create urgency, extract value. It's social engineering with a business casual dress code.

SPOOF!

Fake domain:
john@acme-corp.com
vs real:
john@acmecorp.com

FORGE!

Display name says:
"CEO Name"
Actual address:
randomguy@gmail.com

HIJACK!

Compromised account:
Real email, real name
Just not the real person typing

PAGE 3 OF 8

PAGE 4: THREE HITS, ONE MONDAY

9:03 AM. THREE BEC ATTEMPTS HIT THE OFFICE SIMULTANEOUSLY.

FINANCE DEPARTMENT — JANET'S DESK

DING!

From: David Chen <dchen@companv-inc.com>

To: janet.murphy@company-inc.com

Subject: URGENT: Wire Transfer Needed Today — Confidential

Janet,

I need you to process a wire transfer of $147,000 to a new vendor today. This is related to a confidential acquisition and I need this handled before end of business. Please don't discuss this with anyone else on the team yet.

I'm in meetings all day so just reply here with confirmation once it's sent.

Thanks,
David Chen
CEO

JANET Oh gosh, the CEO needs this right away! I should get on this...

HR DEPARTMENT — MARCUS'S DESK

DING!

From: Sarah Kim <s.kim.personal@gmail.com>

To: marcus.johnson@company-inc.com

Subject: Direct Deposit Update Request

Hi Marcus,

I switched banks recently and need to update my direct deposit information. Could you change it to:

Bank: First National
Routing: 044000037
Account: 8827391045

Can this be done before the next pay cycle? Thanks!

Sarah Kim
Marketing Department

MARCUS Sure, Sarah, let me just update that in the system...wait. Is this really from Sarah?

ACCOUNTS PAYABLE — PRIYA'S DESK

DING!

From: Billing Dept <billing@acme-corp.com>

To: priya.patel@company-inc.com

Subject: Invoice #4892 — Updated Payment Details

Dear Priya,

Please note our banking information has been updated. All future payments for Acme Corp should be directed to:

Bank: Pacific Trust
Routing: 021000089
Account: 5519284730

Attached is Invoice #4892 for $89,400. Please process at your earliest convenience.

Regards,
Acme Corp Billing

DUDE'S COMPLIANCE-SENSE ACTIVATES.

COMPLIANCE-SENSE... TINGLING.

DUDE Three BEC attempts before 9:15 AM. Someone's running a coordinated campaign against us. Time to make my rounds.

DUDE (Mr. Rogers mode) Hey Janet. I know this looks urgent, and I can see why you'd want to act on it right away. But can we take 30 seconds together? I just want to make sure you're protected here. You're doing a great job — let's just slow down and look at this together.

PAGE 4 OF 8

PAGE 5: YOU MAKE THE CALL

DUDE (to reader) Alright, your turn. I'm going to show you four scenarios. You tell me — is it a BEC attack, or is it legitimate? Click your answer and I'll tell you how you did. No judgment either way. That's how we learn.

SCENARIO 1: THE GIFT CARD GAMBIT 👑

From: David Chen <ceo@company.com>

Subject: URGENT & CONFIDENTIAL: Client Appreciation Gift Cards

I need you to purchase 10 Amazon gift cards at $200 each for a client appreciation event. Please buy them today, scratch off the backs, and email me photos of the codes. Keep this between us — it's a surprise.

Is this a BEC attack?

DUDE

SCENARIO 2: THE PAYROLL REDIRECT 💰

From: Tom Bradley <t.bradley@company-inc.com>

Subject: Direct Deposit Change

Hey, I recently changed banks. Can you update my direct deposit to the new account below before this Friday's payroll?

Routing: 061000052
Account: 4421987653

Thanks!

Is this a BEC attack?

DUDE (Mr. Rogers mode)

SCENARIO 3: THE VENDOR SWITCHEROO 📄

From: Billing <accounts@acme-corp.com>

Subject: Invoice #7721 — Updated Banking Information

Please note that our banking information has changed. All future payments should be directed to the account below. Attached is invoice #7721 for $62,500.

New Bank: Western Pacific Trust
Routing: 021000089
Account: 8832019456

Note: Your real vendor's domain is acmecorp.com (no hyphen).

Is this a BEC attack?

DUDE

SCENARIO 4: THE CONFERENCE INVITE 🎫

From: CyberSec Summit <registration@cybersec-summit.org>

Subject: Early Bird Registration — CyberSec Summit 2026

Registration is now open for CyberSec Summit 2026. Early bird pricing of $599 is available through April 30th.

Visit cybersec-summit.org/register to secure your spot.

We look forward to seeing you there.

Is this a BEC attack?

DUDE

PAGE 5 OF 8

PAGE 6: THE DEFENSE PLAYBOOK

THE SACRED RULES OF BEC DEFENSE

DUDE (to reader) Listen. I've been doing this for a long time. Compliance audits, incident response, the whole beautiful catastrophe. These five rules have saved more money than every firewall combined. Tape them to your monitor.

#1

Any email asking for money, credentials, or sensitive data gets verified by phone. Not by replying to the email. By picking up the actual phone and calling a number you already have on file. The phone. That rectangular thing you use for everything except making calls.

#2

Urgency + secrecy + money = scam. Every time. I don't care if the email says it's from the Pope. If someone needs money fast, quietly, and outside normal channels, that's not business — that's a heist movie plot.

#3

Check the email address. Not the display name. THE ACTUAL ADDRESS. Every single time. Display names are like name tags at a party — anyone can write anything on them. The email address is where truth lives (or at least tries to).

#4

New banking details from a vendor? Call the vendor at a number you already have. Not the number in the email. Not the number on the new invoice. The number in your system, on their real website, from before this email existed.

#5

When in doubt, slow down. The real CEO will understand. The real vendor will wait. The real lawyer won't mind you verifying. You know who gets mad when you verify? Criminals. That tells you everything you need to know.

DUDE (Mr. Rogers mode) And hey — if you ever feel weird about questioning an email from someone senior? That's exactly what you should be doing. You're not being difficult. You're being diligent. I'm proud of anyone who slows down long enough to ask, "Wait... is this real?" That's the whole ballgame right there.

PAGE 6 OF 8

PAGE 8: CERTIFICATION

DUDE (Mr. Rogers mode) You made it through Issue #2. You know what? I'm genuinely proud of you. Most people don't take the time to learn this stuff until it's too late. You did it before it mattered. That's real diligence right there.

DUDE DILIGENCE

ISSUE #2: REPLY ALL TO DISASTER

🔐

This certifies that

has successfully completed
Business Email Compromise (BEC) Awareness Training
and has demonstrated the ability to identify CEO fraud,
payroll diversion, and vendor invoice fraud attempts.

"When in doubt, slow down. The real CEO will understand."

PAGE 8 OF 8