Business email compromise rarely announces itself with anything dramatic or obvious at first glance. One mailbox gets quietly accessed, usually through a convincing phishing email or a reused password picked up cheaply from an old data breach somewhere online, and from there an attacker simply settles in and watches patiently. They read invoices carefully, study the tone and rhythm of genuine correspondence over time, and wait for exactly the right moment to intervene decisively and profitably.
Patience is the attacker’s real weapon
Unlike ransomware, which announces itself dramatically the moment it detonates across a network, business email compromise thrives instead on staying quiet for as long as it possibly can. An attacker sitting inside a compromised mailbox might wait for several weeks, studying exactly how the finance team phrases its requests and precisely when large invoices typically go out each month, before sending a single fraudulent message timed carefully to land at exactly the right moment in that established cycle.
That single compromised mailbox is frequently the direct result of a weakness that a proper external network pen testing would have flagged well in advance of any incident occurring. Weak password policies, no multi-factor authentication enabled on email accounts, and login pages with no meaningful protection against automated guessing attempts are the recurring, rather unglamorous themes behind the vast majority of these incidents once the root cause finally gets traced back properly by an investigator.

The fraudulent invoice itself
Once inside the mailbox, the attacker typically waits for a genuine invoice to go out as normal, then sends a near-identical follow-up message from that same compromised account, requesting payment to a different bank account entirely with a plausible-sounding excuse attached, such as a recent banking change or a routine audit query. Because it comes from the real mailbox, with the real signature and the real established tone, it slips straight past scrutiny that would have caught an obviously spoofed external sender immediately and without hesitation.
William Fieldhouse has walked several clients through the aftermath of exactly this kind of scenario.
“One client lost a genuinely significant sum of money because an attacker sat quietly inside their finance director’s mailbox for nearly three weeks, carefully watching invoice patterns, before sending a bank detail change that looked entirely legitimate on every level. It read exactly like every other email that mailbox had ever sent, because in every practical sense it was.”
— William Fieldhouse, Director of Aardwolf Security Ltd
That authenticity is precisely what makes the fraud so effective in practice, and so genuinely hard to catch through the usual employee awareness training alone. The email itself is not some clumsy forgery riddled with obvious tells for staff to spot. It comes from the genuine account, written in the genuine voice, after weeks of careful and patient observation that nobody on the inside ever noticed happening in real time.
Close the door before the watching starts
Multi-factor authentication on every single email account, strong unique passwords enforced properly, and regular external testing to catch weak points before they get exploited all reduce this particular risk substantially and fairly cheaply. Pairing that with a thorough web application pen testing review of any customer-facing portals tied to invoicing closes the loop firmly on one of the most financially damaging attacks a small business is ever genuinely likely to face.
