When a company loses six figures to wire fraud, the instinct is to ask what technical control failed. Usually, the honest answer is: none did. The email got through because SPF, DKIM, and DMARC were misconfigured or the domain was a convincing lookalike — but the money moved because a human approved a payment change with no second check. That's a process gap, not a technology gap, and it's the one most companies never test.
Two separate failure points, one loss
Business Email Compromise (BEC) and Vendor Email Compromise (VEC) losses almost always require both a technical opening and a process failure to succeed:
- The technical opening: a spoofed domain, a compromised mailbox, or missing email authentication that lets a convincing fraudulent message land in an inbox.
- The process failure: a wire or vendor banking change gets approved without out-of-band verification — nobody calls the vendor's known phone number to confirm before the funds move.
Fix only the first and you've addressed half the risk. Most companies stop there because SPF/DKIM/DMARC is the part IT already understands how to test.
What a real assessment has to cover
A technical assessment alone — checking email authentication gaps, domain spoofing exposure, phishing susceptibility — tells you how easy it is for a fraudulent email to arrive convincingly. It says nothing about whether your finance team would actually catch it before wiring money. That requires a controls audit: segregation of duties on wire approval, whether out-of-band verification is actually required (not just written in a policy nobody follows) for vendor banking changes, and whether the audit trail would hold up after the fact.
The question that exposes the real gap
Ask your finance or AP team this: "If a vendor emailed tomorrow saying their bank account changed, what happens next?" If the honest answer involves anyone updating payment details based on an email alone — without calling a known, pre-verified number to confirm — that's the gap. No amount of email filtering fixes a process that trusts the inbox by default.
Not sure where your actual gap is?
BEC/VEC engagements pair a technical assessment with a CISA-aligned audit of your approval and verification controls.
View engagement tiers