Cybersecurity · May 6, 2026 · 6 min read

Why Email Scams Are Costing Wisconsin Small Businesses More Than Ransomware

What I'm seeing across our client base in 2026

Ransomware gets the headlines. But when I get a call from a Wisconsin business owner about real money being lost, it's almost never ransomware. It's an email.

The category is called Business Email Compromise, or BEC. The FBI has been calling it the most expensive cybercrime in the country for years now, and what I'm seeing across our clients here in Southeast Wisconsin tracks with that. The losses aren't always huge in any single incident. But they're frequent, they're quiet, and they're happening to businesses that never thought of themselves as targets.

A few years ago, the targets were predictable. Law firms. Medical offices. Anyone who moved big money around on a regular basis. Now I'm watching it hit coffee shops, landscaping companies, mortgage offices, nonprofits, contractors. I had a client recently, twenty employees, nothing flashy, who lost a wire to a fake vendor email. The money was gone in two hours.

Here are the four versions of this attack I keep running into.

1. Fake vendor invoice swaps

Someone gets into a vendor's email account, watches a thread for a few weeks, then jumps in at the right moment to ask for a banking change. The wire goes to the attacker. This is probably the most common one I see, and the hardest to spot, because the email thread is real. Your bookkeeper is replying to a conversation she's already been having for months. The attacker is just waiting for the right invoice to swap.

2. Owner impersonation

A bookkeeper or office manager gets an urgent email that looks like it's from the boss. Wire this. Buy gift cards. Pay this invoice before end of day. The whole attack is built around urgency. If somebody's rushing you, that's the moment to slow down, not speed up.

3. Account takeover

This is the one that scares me the most. The attacker doesn't spoof an employee. They actually get into the real inbox through a stolen password, usually from a credential phishing email weeks earlier. Every email they send after that is technically legitimate. Your spam filter has nothing to flag. The email is coming from your coworker, because it is.

4. Payroll diversion

HR gets a polite note that looks like it's from an employee, asking to update direct deposit info to a new account. The next paycheck lands in the attacker's account. The employee usually doesn't find out until they check their bank a week later.

The real problem isn't your tools

Here's what gets me about all of this: most of the businesses I work with already have decent security tools in place. Microsoft 365 with the right licensing. A spam filter. Maybe even multi-factor authentication. None of that is what's failing.

What's failing is process. If your bookkeeper can change a vendor's banking info off an email, you're one bad day away from a problem. Doesn't matter what firewall you have.

These attacks succeed because they exploit how normal business actually runs. Someone says they need money moved. Someone else moves it. The technical bar to pull this off is shockingly low. What makes it work is that the attacker is patient and the target is busy.

What actually helps

If you want to reduce your BEC risk, here's where I'd start. None of this is expensive. Most of it is free. But it takes someone actually sitting down with their team and having the conversation, and in my experience, most small businesses haven't.

  • Pick up the phone. Any change to banking, wire, or payroll information should require a voice confirmation to a phone number you already had on file. Not the number in the email. Not a number the requester gave you. A number from before this request existed.
  • Turn on MFA everywhere. Especially Microsoft 365 and Google Workspace. This is free, takes an afternoon to roll out, and stops most account takeovers cold.
  • Train your team to treat urgency as a red flag. The single biggest tell on a BEC email is that it's pushing you to move fast. End of day. Wire by 3pm. Boss is in a meeting and can't be interrupted. That pressure is the attack.
  • Check your email forwarding rules every few months. After attackers get into an inbox, they usually set up hidden forwarding rules to monitor what's happening and cover their tracks. Most people never look at this setting in their lifetime.
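
One way to run that forwarding check across a whole Microsoft 365 tenant, as an added example rather than anything from the original post. It assumes Exchange Online, the ExchangeOnlineManagement PowerShell module, and an admin sign-in; "external" here means any address whose domain is not one of the tenant's accepted domains.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and an Exchange admin sign-in. Read-only: it changes nothing.
Connect-ExchangeOnline -ShowBanner:$false

# Domains this tenant owns; any other SMTP domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Get-ExternalAddress {
    param([object[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule targets look like '"Name" [SMTP:user@example.com]';
        # mailbox-level forwarding looks like 'smtp:user@example.com'.
        if ("$r" -match 'smtp:([^\]\s]+@([^\]\s]+))') {
            if ($internalDomains -notcontains $Matches[2]) { $Matches[1] }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $who = $mbx.PrimarySmtpAddress

    # 1) Forwarding set on the mailbox itself, outside of any inbox rule.
    foreach ($addr in Get-ExternalAddress $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $who; Source = 'Mailbox forwarding'; Rule = '-'
                           Target = $addr; Enabled = $true; DeletesMail = $false }
    }

    # 2) Inbox rules that forward or redirect, including rules hidden from the mail client.
    foreach ($rule in Get-InboxRule -Mailbox $who -IncludeHidden) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($addr in Get-ExternalAddress $targets) {
            [pscustomobject]@{ Mailbox = $who; Source = 'Inbox rule'; Rule = $rule.Name
                               Target = $addr; Enabled = $rule.Enabled
                               DeletesMail = [bool]$rule.DeleteMessage }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
"{0} external forwarding path(s) found." -f @($findings).Count
```

Any row the mailbox owner does not recognize is worth a closer look, especially a rule that also deletes the forwarded mail.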

If this is keeping you up at night

If you're a Wisconsin small business owner reading this and recognizing yourself in any of these scenarios, we should talk. We do free assessments for businesses in the Milwaukee metro and Southeast Wisconsin to identify exactly where the gaps are, both on the technology side and the process side.

The companies I see hit hardest are the ones that thought they were too small to be a target. Nobody is too small anymore. The attackers don't care.

Schedule a free assessment or call us directly at (262) 912-6404. We'll take a look at what you have in place and tell you straight what's working and what isn't.

Nazar Loshniv is the founder of Powerful IT Systems, a managed IT and cybersecurity firm based in Sussex, Wisconsin, serving small and midsized businesses across the Milwaukee metro and Southeast Wisconsin.

Nazar Loshniv, Founder & CEO of Powerful IT Systems

Powerful IT Systems · Sussex, WI

Master's degree in Computer Science with 15+ years of hands-on IT experience serving Milwaukee-area businesses.

Worried About Email Scams Hitting Your Business?

We help Milwaukee-area small businesses lock down Microsoft 365, harden processes, and stop BEC attacks before they cost real money. Free assessments, no contracts.