CRITICAL ALT-2026-121019m ago

BEC Attack: CFO Wire Request — Writing Style Deviation Detected

Email from CFO account requesting $285K wire to new vendor account shows 94% writing style deviation from baseline. Sent at 11:47 PM from unfamiliar device in Eastern Europe. Vendor banking details changed 2 hours prior.

Compound Score: 92/100
Confidence: 96/100
FP Likelihood: low
Subject: BEC-EXT-0041
Domains: 3/100
external_threat | CFO Email Compromise — Impersonation
Domains: bec, finance, security
Assigned To: Sarah Kim
Teachers Federal Credit Union

Summary

A Business Email Compromise attack targeting the CFO email account was detected via writing style analysis, device fingerprint mismatch, and vendor payment change correlation. Pattern matches FBI IC3 BEC typology — $3B+ in annual losses.

Evidence Chain (4 items)

#1 4/6/2026, 11:47:00 PM writing_style_deviation

CFO email requests urgent $285K wire transfer to "updated" vendor account. Writing style scores 94% deviation from learned CFO baseline.

Source: Microsoft 365 — Email Analytics | Ref: MSG-2026-EML-88421

Writing cadence, vocabulary, and formatting deviate significantly from 18-month CFO email baseline model.

#2 4/6/2026, 11:45:00 PM unfamiliar_device_auth

Email sent from IP 185.xx.xx.42 (Kyiv, Ukraine) — device not in CFO known device registry

Source: Azure AD | Ref: AUTH-2026-99812

CFO has never authenticated from this geography or device.

#3 4/6/2026, 9:30:00 PM vendor_payment_change

Vendor Acme Corp banking details updated to new account 2 hours before wire request

Source: Workday Financials | Ref: VND-CHG-4418

Vendor banking details change followed by urgent payment request — classic BEC sequence per FBI IC3.

#4 4/6/2026, 11:47:00 PM urgency_pressure

Wire request marked "URGENT — process before end of business" — pressure language detected

Source: RiskRadar NLP Engine | Ref: NLP-URGENCY-0092

Urgency language is a primary BEC social engineering tactic.
RisksRadarAI — Cross-Domain Risk Intelligence for Regulated Enterprises