The 'Urgent' Transfer That Wasn't

This week, someone we know well called about a scam unfolding at their company. There was no hacked server and no stolen password. An employee had been messaging on Microsoft Teams with a "company executive" who first asked about the balance on a couple of bank accounts and then asked them to make an urgent transfer to a new third-party account. Every message pressed the same point: this is urgent, do it now.

The executive was a stranger.

This is one of the most expensive scams in business, and it has a name: business email compromise, sometimes called "CEO fraud." It doesn't break in, it asks. And it works often enough that the FBI counted close to $2.8 billion in reported losses in 2024 alone, with nearly $8.5 billion lost over three years — and those are only the cases anyone reported.

How it works

The attacker uses the name of someone an employee won't want to second-guess: the CEO, the owner, the CFO — or sometimes a familiar supplier or the company's lawyer. The message arrives carrying authority and urgency, often with a note of secrecy: "I'm going into a meeting, can't talk, please handle this discreetly." It turns out Teams often lets external contacts message your staff unless an admin restricts it, and attackers use the display name of some executive found in public records. In the case we helped to address, the attacker added a "." before the CEO's name and hid the contact details, so Teams wouldn't display the attacker's domain.

The request tends to follow a pattern. A little reconnaissance first — what's our balance, which account do we use for this? — and then the ask: wire a payment to a new account, or change the bank details for a supplier you already pay. The pressure is relentless and time-boxed, because the urgency is the technique. It's engineered to push a helpful person past the moment where they'd normally stop and check.

Traditionally this arrived by email. Increasingly it comes through chat — Microsoft recently documented impersonation attacks moving into Teams, which is exactly how this week's incident played out. The channel changes; the manipulation doesn't.

Why your other defenses didn't catch it

We've written about multi-factor authentication, password managers, and locking down your email and website settings. Each one is worth doing — and not one of them stops this.

Notice what this scam never needs: no password, no malware, nothing to install, no security warning to click past. There's nothing for a technical control to detect, because nothing is technically broken. Even email authentication — the SPF, DKIM, and DMARC setup we wrote about recently — only stops someone forging your exact domain. It does nothing about a message from a lookalike address, a free email account, or a Teams chat from outside your company. This scam lives precisely in that gap.

The layer under attack is a person who wants to be responsive to their boss. That can't be patched. But it can be defended with a process.

What actually stops it

The fix here isn't a security tool. It's a payment habit that urgency can't override.

Verify every payment change out of band. Any new payee, any changed bank details, any unexpected urgent transfer gets confirmed by a phone call — to the person, on a number you already have, never the contact in the message. Make it a standing rule, not a judgment call, so no employee has to find the nerve to doubt the "CEO" in the moment.

Require two people for payments over a threshold. Dual authorization means one pressured person can't move money alone. Urgency stops being a weapon when the answer is always, "two of us have to approve and that's the process."

Name the red flags out loud to the team. Urgency, secrecy, and a change to where money goes are the signature of this scam. Leadership should say it plainly: I will never ask you to make an urgent, secret transfer over chat or email. If a message from me does, it isn't me.

Keep the External label on in Teams, and teach people to check the real identity behind a display name as anyone can set their name to your CEO's.

If it happens, move fast. Call your bank immediately to try to halt the transfer, then report it to the authorities. Speed matters enormously: the FBI's recovery team manages to freeze a majority of fraudulent transfers when they're reported quickly. Hours count, so the team needs to know it's safe to raise the alarm the instant something feels off — even if they already sent the money.

And rehearse. You can't write a policy that creates a reflex. People hold their nerve against this pressure only if they've met a safe version of it before — which is what phishing simulation is for. The aim isn't to catch anyone out; it's to make the fake familiar so the real attack feels wrong.

The layers, complete

Across these articles we've raised the technical walls — authentication, passwords, the settings that keep your name and your site from being abused. This scam is the reminder that walls have a gate, and the gate is held by people. Defend on purpose — a verification habit, a two-person rule, named red flags, rehearsals — and your team becomes the layer that lets the "urgent" message wait the five minutes it takes to fall apart.

---

Would your team pause on the "urgent" request from the boss? Confidanti runs a free phishing test for growing businesses — a safe rehearsal of exactly this kind of pressure, with no platform to install and no commitment.