ABT Blog

Email Security for Banks: Stop Wire Fraud and BEC Before They Cost You Millions

Written by Justin Kirsch | Sat, Mar 07, 2026

In 2024, the FBI's Internet Crime Complaint Center recorded $2.77 billion in losses from Business Email Compromise attacks across 21,442 reported incidents. Financial institutions accounted for a disproportionate share of those losses because they process the exact thing attackers want: high-value wire transfers under time pressure.

Community banks and credit unions sit at the intersection of two things attackers target most: large dollar transactions and operational urgency. A commercial wire, a vendor payment, or an ACH batch can move hundreds of thousands of dollars based on instructions received by email. One spoofed message with modified routing numbers can redirect those funds to an account controlled by the attacker within minutes.

This is not a hypothetical. FinCEN reported that wire transfer Suspicious Activity Reports grew 40% between 2022 and 2024, from 136,000 to 188,000 filings. Financial institutions now file one SAR for every 2,899 wire transfers, compared to one for every 8,636 in 2015. The frequency is accelerating.

This article covers the technical email security controls, Microsoft 365 configurations, and process safeguards that banks and credit unions need to stop wire fraud and BEC attacks before they reach the wire room.

$2.77 Billion Lost to BEC in 2024

Business Email Compromise remains the most financially devastating cybercrime category for businesses. Cumulative BEC losses since 2015 have exceeded $17.1 billion. Financial institutions are disproportionately targeted because of the high-value wire transfers they process daily.

Source: FBI IC3 2024 Annual Report

Why Email Is the #1 Attack Vector for Banking Fraud

Banks and credit unions process wire transfers, ACH batches, and vendor payments through workflows that still depend heavily on email communication. Treasury management instructions, correspondent banking requests, and commercial loan disbursements often arrive as email messages or attachments. Every one of those emails is a potential attack surface.

Three factors make financial institution email traffic uniquely attractive to attackers:

High-value transactions on predictable timelines. Commercial wire transfers routinely exceed $100,000. ACH batch files can represent millions in payroll or vendor payments. Attackers know these transactions happen on regular schedules — payroll cycles, quarter-end settlements, loan funding dates — and they time their attacks accordingly.

Multiple parties with uneven security posture. A single commercial transaction can involve the bank, the customer, the customer's accountant, a title company, a law firm, and a correspondent bank. The attacker only needs one compromised mailbox in that chain. If a customer's accountant lacks DMARC enforcement, an attacker can send payment instructions that pass basic email authentication checks.

Time pressure that suppresses verification. When a commercial customer calls to say "we need the wire sent by 2 PM for a closing" or "payroll needs to fund today," nobody wants to slow things down. Attackers exploit this urgency deliberately. They time their fraudulent emails to arrive during the most pressured part of the business day.

The FinCEN data backs this up. Wire transfer SARs have posted three consecutive years of double-digit growth: 32%, 26%, and 24%. The average wire fraud loss at community financial institutions runs approximately $135,000 per incident — enough to materially impact a small bank's quarterly earnings.

BEC wire fraud follows a predictable five-step chain. Understanding the pattern is the first step to breaking it.

Wire Fraud at Banks: How Attacks Actually Work

Wire fraud targeting financial institutions follows a consistent pattern. Understanding the attack chain is the first step to breaking it.

Step 1: Reconnaissance. The attacker identifies a target — often a commercial banking customer with regular wire activity. Public corporate filings, LinkedIn profiles of treasury staff, and vendor relationships visible on company websites all provide targeting data. Some attackers monitor compromised email accounts for weeks before acting, reading every message to learn the participants, approval workflows, and communication patterns.

Step 2: Email compromise. The attacker gains access to one party's email account, usually through credential phishing or password spraying. Small business customers and professional services firms (law offices, accounting firms, real estate companies) are the most common entry points because they handle multiple banking relationships and often lack enterprise-grade email security.

Step 3: Observation. Once inside the mailbox, the attacker sets up inbox rules to forward specific emails — anything containing "wire," "ACH," "payment," "transfer," or "funds" — to an external address. They study the communication patterns: who authorizes wires, what the standard request format looks like, how the sender signs off.

Step 4: The redirect. The attacker sends modified payment instructions. The email comes from the compromised account (or a spoofed lookalike domain), uses the correct formatting, references a real transaction or invoice, and changes only the routing and account numbers. The receiving account is typically at a domestic bank, chosen because domestic wires clear faster than international transfers.

Step 5: Extraction. Within minutes of the wire hitting the fraudulent account, the funds are moved again — often split across multiple accounts or converted to cryptocurrency. The FBI's Financial Fraud Kill Chain froze $469 million in domestic fraudulent transfers in 2024 with a 66% success rate, but that window is narrow. Once funds leave the initial receiving account, recovery drops sharply.

Real-World Attack Scenario: Vendor Payment Diversion

A community bank processes a $220,000 wire for a commercial customer's quarterly vendor payment. The request comes from the customer's CFO's email address, references the correct vendor name and invoice number, and matches the format of previous legitimate requests. The only difference: the routing and account numbers point to a bank account in Florida controlled by the attacker. The wire clears in under an hour. By the time the real vendor contacts the customer about the missing payment three days later, the funds have moved through four accounts. The customer's entire quarterly payment is gone — and the bank faces a liability dispute about its verification procedures.

Business Email Compromise: How Attackers Target Financial Institutions

BEC attacks targeting banks and credit unions go beyond simple spoofed emails. Modern BEC operations are structured campaigns that combine technical exploitation with social engineering.

Lookalike domain attacks. The attacker registers a domain visually similar to the target: "firstnationalbank.com" becomes "firstnati0nalbank.com" (the "o" replaced with "0"). They configure SPF and DKIM on the lookalike domain so the fraudulent email actually passes authentication checks. The recipient's email client shows a green checkmark. The only tell is the domain name itself.

Compromised vendor chains. Rather than targeting the bank directly, attackers compromise a customer or vendor in the payment chain. Accounting firms, law offices, and small businesses are frequent entry points because they often have smaller IT teams and weaker email controls. Once inside, the attacker can send legitimate-looking wire requests referencing real invoices and transactions.

Thread hijacking. The attacker gains access to a real email thread about a real transaction and replies within that thread with modified payment instructions. Because the message appears in an existing conversation, the recipient has no reason to question its authenticity.

AI-generated pretexts. In 2024 and 2025, attackers began using generative AI to produce more convincing phishing emails. The awkward grammar and formatting errors that used to be red flags are disappearing. AI-generated emails match the tone and vocabulary of the person being impersonated.

Only 43% at DMARC Enforcement

Less than half of banking and financial services organizations have achieved DMARC enforcement, leaving the majority vulnerable to domain spoofing attacks that impersonate their brand.

Source: Valimail Banking DMARC Enforcement Report, 2025

SPF, DKIM, and DMARC: The Email Authentication Foundation

Email authentication is the technical foundation that prevents attackers from sending emails that impersonate your domain. Three protocols work together: SPF verifies the sending server, DKIM verifies the message has not been altered, and DMARC tells receiving servers what to do when emails fail those checks.

SPF (Sender Policy Framework) publishes a DNS record listing every IP address and server authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from yourbank.com, it checks the SPF record. If the sending server is not listed, SPF fails. For banks using Microsoft 365, the SPF record needs to include Microsoft's sending infrastructure plus any third-party services that send email on your behalf — online banking notifications, core system alerts, marketing platforms.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The sending server signs the message with a private key, and the receiving server verifies it against a public key published in your DNS. If an attacker intercepts and modifies the message — changing wire instructions, for example — the DKIM signature breaks. DKIM has a 96.6% validity rate among properly configured domains, but only 22.7% of domains globally have DKIM implemented.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the enforcement layer. It tells receiving email servers what to do when an email fails SPF and DKIM checks: monitor it (p=none), quarantine it (p=quarantine), or reject it outright (p=reject). DMARC also generates reports showing who is sending email using your domain.

The problem: adoption is dangerously low. Only 43% of banking and financial services organizations have achieved DMARC enforcement, according to Valimail's Banking DMARC Enforcement Report. If your bank does not have DMARC at p=reject, an attacker can send emails that appear to come from your domain, and the recipient's email server has no instruction to block them.

PCI DSS v4.0.1, effective March 31, 2025, now requires anti-spoofing controls including DMARC, SPF, and DKIM for organizations that process payment card data. FFIEC and NCUA examiners increasingly expect demonstrable email authentication controls as part of information security program reviews.

Email Security Quick Check: 5 Critical Settings to Verify Today

  • SPF record published and valid: Check your DNS for a TXT record starting with "v=spf1" that includes all authorized senders (Microsoft 365, core banking alerts, online banking notifications). Use mxtoolbox.com/spf.aspx to validate.
  • DKIM enabled and signing: In Microsoft 365 Defender, verify DKIM is enabled for your domain under Email Authentication Settings. Both CNAME records must be published in DNS.
  • DMARC at enforcement (p=quarantine or p=reject): Check your DNS for a TXT record starting with "v=DMARC1". If the policy is "p=none," you are monitoring but not blocking. Move to p=quarantine, then p=reject.
  • Anti-phishing policies configured: In Microsoft 365 Defender, verify anti-phishing policies include impersonation protection for your executives, treasury staff, and key commercial customer domains.
  • External email warning banner enabled: Configure a mail flow rule that prepends a visible warning to every email received from outside your organization: "CAUTION: This email originated from outside your organization. Verify the sender before acting on wire or payment instructions."

SPF, DKIM, and DMARC work as a stack. All three must be configured for full email authentication protection.
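As an added example (not code from the original post or from ABT), the following Python script applies the SPF and DMARC items of the quick check to raw TXT record strings: it parses both records, confirms the Microsoft 365 include is present, flags a permissive "+all", the 10-lookup limit, a monitor-only policy, and a missing reporting address. The record values are constructed; in practice you would fetch the TXT records for yourbank.com and _dmarc.yourbank.com and pass them in. The Microsoft 365 include name is the real one; the other hostnames are placeholders.

```python
import re

# Microsoft 365's own SPF include (a real value); every other hostname below is a constructed sample.
M365_SPF_INCLUDE = "spf.protection.outlook.com"
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # count toward the 10-lookup limit
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def _mech_name(term):
    """Mechanism name without qualifier, argument or CIDR: '-include:x.y' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def parse_spf(txt):
    """Parse a v=spf1 TXT string; returns None if the string is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechs = terms[1:]
    includes = [t.split(":", 1)[1] for t in mechs if _mech_name(t) == "include" and ":" in t]
    all_term = next((t for t in mechs if _mech_name(t) == "all"), None)
    qualifier = None
    if all_term is not None:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # a bare 'all' means '+all'
    lookups = sum(1 for t in mechs if _mech_name(t) in LOOKUP_MECHANISMS)
    return {"includes": includes, "all": qualifier, "lookups": lookups}


def parse_dmarc(txt):
    """Parse a v=DMARC1 TXT string into a tag dict; returns None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def check_domain(spf_txt, dmarc_txt):
    """Return the findings for one domain; an empty list means SPF and DMARC pass the quick check."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    else:
        if M365_SPF_INCLUDE not in spf["includes"]:
            findings.append("SPF: Microsoft 365 include missing, tenant mail will fail SPF")
        if spf["all"] == "+":
            findings.append("SPF: '+all' authorizes every sender on the internet")
        if spf["lookups"] > 10:
            findings.append("SPF: more than 10 top-level DNS lookups, receivers return permerror")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        policy = dmarc.get("p", "").lower()
        if POLICY_RANK.get(policy, -1) < POLICY_RANK["quarantine"]:
            findings.append(f"DMARC: p={policy or 'missing'} is monitor-only, not enforcement")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never collected")
    return findings


# Constructed TXT records for the same bank domain before and after remediation.
WEAK = ("v=spf1 include:spf.protection.outlook.com include:alerts.corebanking.example +all",
        "v=DMARC1; p=none; rua=mailto:dmarc@bank.example")
STRONG = ("v=spf1 include:spf.protection.outlook.com include:alerts.corebanking.example -all",
          "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@bank.example")

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(label, check_domain(*records) or ["OK"])
```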

Microsoft 365 Email Security Settings Every Bank Needs

Most community banks and credit unions run their email on Microsoft 365. The platform includes email security features that can stop BEC and phishing attacks, but many of them are turned off by default or require specific configuration.

1. Enable Safe Links for real-time URL scanning. Safe Links rewrites URLs in incoming emails and checks them at the time of click, not just at delivery. This catches time-delayed attacks where the attacker sends a clean URL that redirects to a phishing site hours later. In the Microsoft 365 Defender portal, create a Safe Links policy that covers all users and enable "Wait for URL scanning to complete before delivering the message."

2. Enable Safe Attachments with Dynamic Delivery. Safe Attachments opens email attachments in a sandboxed environment before delivering them. Dynamic Delivery lets the email body through immediately while the attachment is being scanned. Enable this for all mailboxes, especially wire operations and treasury management staff.

3. Configure anti-phishing impersonation protection. Microsoft 365 Defender's anti-phishing policies can detect when someone is impersonating specific users or domains. Add your CEO, CFO, BSA officer, wire room supervisor, and key commercial customer domains to the protected senders and domains list. Set the action to quarantine messages that trigger impersonation detection.

4. Block legacy authentication protocols. Legacy protocols (POP3, IMAP with basic auth, SMTP AUTH) do not support multi-factor authentication, making them easy targets for credential stuffing. Create a Conditional Access policy in Entra ID that blocks legacy authentication for all users. This is one of the highest-impact security changes you can make, and it costs nothing.

5. Enable Security Defaults or Conditional Access MFA. Every user who handles wire transfer requests or payment instructions must have MFA enabled. Security Defaults is the baseline. For banks, Conditional Access policies offer more control: require MFA for all sign-ins from unmanaged devices, block sign-ins from countries where you do not do business, and require compliant devices for access to Exchange Online.

6. Configure Mailbox Audit Logging. Verify that mailbox auditing is enabled. Audit logs capture when someone creates inbox rules, accesses mailbox contents, or sends email as another user. These logs are how you detect an attacker who has compromised an account and is silently forwarding wire-related emails.

7. Set up alerts for suspicious inbox rules. BEC attackers almost always create inbox rules to hide their activity. Configure an alert in Microsoft 365 Defender that triggers when any user creates a rule that forwards or redirects email to an external address. This is one of the earliest indicators of a compromised account.

8. Enable tenant-wide external email tagging. Configure Exchange Online to prepend a visible warning to every email from outside your organization. The message should be unmistakable: "CAUTION: This email originated from outside your organization. Verify the sender before clicking links or following wire instructions."
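Added example, not code from the original post or from ABT: a small Python detector for the suspicious inbox rules described in item 7, run over constructed audit records written in a simplified form of the Unified Audit Log's AuditData layout (Operation, UserId and a Parameters name/value list). It flags any rule or mailbox setting that forwards mail to a domain outside the bank, and raises the severity when the rule also hides its traces or filters on the payment keywords from the attack chain above. The domains, user names and keyword list are assumptions for the sample.

```python
import json
import re

# Constructed values: the bank's own mail domains and the keywords attackers filter on.
INTERNAL_DOMAINS = {"bank.example"}
WIRE_KEYWORDS = {"wire", "ach", "payment", "transfer", "funds"}
# Exchange cmdlet parameters that send mail elsewhere or hide the evidence of a rule.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def external_targets(value):
    """Addresses in a parameter value whose domain is not one of the bank's own."""
    return [a for a in EMAIL_RE.findall(value) if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def evaluate(record):
    """Score one audit record; returns None unless it forwards mail outside the bank."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    targets = [t for name in sorted(params.keys() & FORWARD_PARAMS) for t in external_targets(params[name])]
    if not targets:
        return None
    reasons = ["forwards to external " + ", ".join(targets)]
    hiding = sorted(params.keys() & HIDING_PARAMS)
    if hiding:
        reasons.append("hides traces via " + ", ".join(hiding))
    words = {w.strip().lower() for name in KEYWORD_PARAMS for w in params.get(name, "").split(";") if w.strip()}
    if words & WIRE_KEYWORDS:
        reasons.append("filters on payment keywords " + ", ".join(sorted(words & WIRE_KEYWORDS)))
    severity = {1: "medium", 2: "high", 3: "critical"}[len(reasons)]
    return {"user": record.get("UserId"), "operation": record["Operation"],
            "severity": severity, "reasons": reasons}


def scan(audit_lines):
    """Evaluate JSON-lines audit records and return the alerts in input order."""
    alerts = []
    for line in audit_lines:
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed audit records (simplified AuditData layout: Operation, UserId, Parameters).
SAMPLE_AUDIT = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "treasury.clerk@bank.example",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "wire;ACH;payment"},
                               {"Name": "ForwardTo", "Value": "ops-archive@mail-relay.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "teller@bank.example",
                "Parameters": [{"Name": "Name", "Value": "Branch updates"},
                               {"Name": "ForwardTo", "Value": "branch.manager@bank.example"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "cfo@bank.example",
                "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.backup@webmail.example"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "cfo@bank.example", "Parameters": []}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT):
        print(alert["severity"].upper(), alert["user"], alert["operation"], "; ".join(alert["reasons"]))
```

An internal forward (the second record) produces no alert, so the rule only pages on the pattern the text describes: mail leaving the organization.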

Wire Transfer Verification: Process Controls Beyond Technology

Email security controls reduce the chance of a fraudulent email reaching your team. But technology alone is not enough. The financial institutions that avoid wire fraud combine email security with process controls that work even when a phishing email gets through.

Verbal callback verification on every wire. Before processing any wire transfer, the wire room operator must call the requesting party using a phone number obtained independently — not from the wire instructions themselves. Use the number on file from the customer's account opening or the last verified contact update. Never use a phone number from the same email that contains the wire instructions.

Dual-authorization for wires above a threshold. Any wire over a set amount (many institutions use $10,000 to $25,000) requires approval from two authorized individuals. This prevents a single compromised employee from redirecting funds.

Wire instruction change protocol. If wire instructions change at any point during a transaction, treat it as a red flag until proven otherwise. The change must be verified by phone callback to a known number, documented in the transaction file, and approved by a supervisor. Changed instructions close to a funding deadline should receive extra scrutiny.

Customer education at account opening. At the time of commercial account opening, provide every business customer with a written notice explaining that your institution will never send wire instructions by email without a confirming phone call. Include the specific phone number they should call to verify any instructions they receive.

Vendor and correspondent vetting. Before adding a correspondent bank or vendor to your approved wire list, verify their email security posture. At minimum: do they have DMARC at enforcement? Do they require MFA for all employees? These questions should be part of your vendor due diligence process. The identity layer is only as strong as the weakest link in the chain.

"The FBI's Financial Fraud Kill Chain froze $469 million in domestic fraudulent wire transfers in 2024 — but only when banks reported the fraud within 24 hours. After that window closes, recovery rates drop sharply."

FBI IC3 2024 Annual Report

Incident Response: When a Phishing Attack Gets Through

Even with strong email security and process controls, some attacks will get through. Your incident response plan determines whether a successful phishing email becomes a contained event or a six-figure loss.

Immediately (within 15 minutes of discovery):

  • Disable the compromised account. Reset the password and revoke all active sessions in Entra ID.
  • Check inbox rules on the compromised account. Delete any rules forwarding or redirecting email to external addresses.
  • If a fraudulent wire was sent, contact your wire department and correspondent bank immediately. The FBI's Financial Fraud Kill Chain has a 66% success rate for freezing domestic fraudulent transfers, but only if the bank is notified within 24 hours.
  • File a complaint with the FBI IC3 at ic3.gov. File a SAR with FinCEN. Notify your BSA officer.

Within 1 hour:

  • Notify all parties in the affected transaction. Every customer, vendor, and correspondent who communicated with the compromised mailbox needs to know.
  • Review the audit logs. Determine when the compromise started, what the attacker accessed, and whether inbox rules were created to monitor other wire requests.
  • Check for lateral movement. Did the attacker use the compromised account to send phishing emails to other employees or customers?

Within 24 hours:

  • Complete a full sign-in log review for the compromised user. Identify any unusual locations, IP addresses, or devices.
  • Notify your cyber insurance carrier. Most policies require notification within 24 to 72 hours.
  • Determine regulatory notification requirements. Report to your primary federal regulator (OCC, FDIC, NCUA, or Fed). State data breach notification laws vary and may require separate filings.
  • Conduct an institution-wide credential review. If one account was compromised via credential phishing, others may be at risk.

Within 1 week:

  • Complete a root cause analysis. How did the attacker gain access? Which control failed? What would have stopped this attack?
  • Update your email security configuration based on findings. If the attack exploited a gap in anti-phishing policy, fix it.
  • Conduct targeted security awareness training for the affected team, focusing on the specific attack pattern that succeeded.
  • Document the incident for your examination file and cyber insurance renewal. Prepare a board report summarizing the event and remediation steps.

"Every examination we prepare institutions for reveals the same pattern: the controls exist, but the configuration doesn't match the policy. That gap is where examiners focus — and where breaches happen."
ABT Security Advisory Team
Serving 750+ financial institutions since 1999

Stop Guessing About Your Email Security Posture

The gap between what you think your email security looks like and what it actually looks like — that is where BEC attacks succeed. ABT's assessment covers SPF, DKIM, DMARC, Conditional Access, and anti-phishing configurations across your M365 tenant.

Frequently Asked Questions

What is the most common email attack targeting banks and credit unions?

Business Email Compromise is the most common and most costly email attack targeting banks and credit unions. BEC attacks typically involve an attacker gaining access to a legitimate email account or spoofing a trusted domain to send fraudulent wire instructions or payment requests. The FBI recorded $2.77 billion in BEC losses across all industries in 2024. Financial institutions are disproportionately targeted because they process high-value wire transfers and ACH payments daily.

How does DMARC protect a bank from email spoofing?

DMARC prevents attackers from sending emails that impersonate your bank's domain. When configured at enforcement level (p=quarantine or p=reject), DMARC instructs receiving email servers to block or quarantine emails that fail SPF and DKIM authentication checks. This stops an attacker from sending fraudulent wire instructions that appear to come from your institution's domain. However, only 43% of banking and financial services organizations have achieved DMARC enforcement, leaving the majority vulnerable to domain spoofing.

Which Microsoft 365 email security settings should banks enable?

Banks on Microsoft 365 should enable Safe Links for real-time URL scanning, Safe Attachments with Dynamic Delivery, anti-phishing impersonation protection for key personnel and commercial customer domains, external email warning banners, and alerts for suspicious inbox rule creation. They should also block legacy authentication protocols through Conditional Access and require multi-factor authentication for all users who handle wire transfers or payment instructions.

What should a bank do if a fraudulent wire transfer is sent?

If a fraudulent wire transfer is sent, immediately contact your wire department and correspondent bank to request a recall. File a complaint with the FBI IC3 at ic3.gov and a SAR with FinCEN within 24 hours. The FBI's Financial Fraud Kill Chain achieved a 66% success rate in freezing domestic fraudulent transfers in 2024, but only when reported promptly. Simultaneously, disable the compromised email account, revoke all sessions, check for inbox forwarding rules, and notify all parties in the affected transaction. Contact your cyber insurance carrier and your primary federal regulator within the required notification window.

Are banks required to implement DMARC?

PCI DSS v4.0.1 requires anti-spoofing controls including DMARC, SPF, and DKIM for organizations that process payment card data, effective March 31, 2025. While no banking-specific regulation explicitly mandates DMARC by name, FFIEC examination procedures and federal banking agency guidance increasingly expect demonstrable email security controls as part of information security programs. FDIC, OCC, and NCUA examiners routinely ask about email authentication during IT examinations. DMARC enforcement is rapidly becoming a baseline expectation.

Justin Kirsch

Justin Kirsch has spent over two decades protecting financial institutions from email-based attacks. As CEO of Access Business Technologies, his team has implemented email security configurations for hundreds of banks and credit unions, directly preventing wire fraud attempts and business email compromise attacks that target treasury operations and wire rooms.