Business email compromise and wire fraud emails: what to check
A wire or invoice request can be fraudulent even when SPF, DKIM, and DMARC pass. Message Loupe checks the original email for impersonation, unusual routing, risky links or attachments, and text-only BEC patterns, then tells you when to verify the request outside email.
What is business email compromise?
Business email compromise (BEC) is fraud that uses a trusted business identity to persuade someone to send money, change payment details, disclose sensitive information, or enter credentials. The identity may be spoofed, registered on a lookalike domain, or taken over through a real mailbox. Microsoft's BEC overview describes the same mix of impersonation and social engineering.
Can an email scanner detect BEC?
It can detect many warning signs, but no scanner can prove every request is legitimate. Message Loupe is strongest when the attacker spoofs a sender, uses a lookalike domain, changes the reply address, fails authentication, hides a destination behind misleading link text, or combines payment language with a risky delivery pattern.
A compromised real account is the hard case. Its messages can authenticate correctly because the real provider sent them. For that reason, Message Loupe caps money, credential, payroll, and account-change requests at Caution and tells the user to verify by phone.
Check a wire-transfer email in three steps
Pause the payment
Do not reply, open an attachment, or use contact details supplied by the message.
Analyze the original message
Save the .eml file or copy the full raw headers. Regular forwarding removes the evidence needed for sender and routing checks.
Verify and report
Call a known contact to confirm the request. If money moved, contact the bank immediately and file a report with IC3.
Warning signs Message Loupe checks
- From, return-path, reply-to, and DKIM domain disagreements
- SPF, DKIM, and DMARC failures or missing trusted results
- Lookalike, newly registered, unrelated, or raw-IP link hosts
- Wire, ACH, routing, remittance, invoice, and bank-change language
- Unexpected attachments paired with payment or document requests
- Routing and mail-provider inconsistencies
See the full email-analysis methodology for how those signals affect a verdict.
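The sender-domain, authentication-result, and payment-language checks from the list above, together with the Caution cap for payment requests, shown as an added example (not Message Loupe's code). The term list, the verdict labels other than Caution, the two-label organizational-domain shortcut, and the sample messages are assumptions made for illustration.

```javascript
// Added example, not Message Loupe's code. The term list, verdict labels other than
// "caution", and the sample messages are constructed for illustration.
const PAYMENT_TERMS = /\b(wire|ach|routing|remittance|invoice|bank)\b/i;
const AUTHED_WIRE = [ // constructed: fully authenticated payment request
  "From: Pat Vendor <pat@vendor.example>",
  "Reply-To: pat@vendor.example",
  "Return-Path: <bounce@mail.vendor.example>",
  "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=mail.vendor.example;",
  " dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example",
  "Subject: Updated bank details",
  "",
  "Please send the wire to our new account today.",
].join("\r\n");
const LOOKALIKE_REPLY = // constructed: same message, reply address on a lookalike domain
  AUTHED_WIRE.replace("Reply-To: pat@vendor", "Reply-To: pat@vend0r-payments");
// Unfold continuation lines, then split the header block from the body.
function parseMessage(raw) {
  const [head, ...rest] = raw.replace(/\r\n/g, "\n").split("\n\n");
  const headers = {};
  for (const line of head.replace(/\n[ \t]+/g, " ").split("\n")) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { headers, body: rest.join("\n\n") };
}
// Domain of the last address in a header value, so an address in the display name is ignored.
function domainOf(value = "") {
  const m = value.match(/@([a-z0-9.-]+)/gi);
  return m ? m[m.length - 1].slice(1).toLowerCase() : "";
}
// Simplification: the last two labels stand in for the organizational domain (no Public Suffix List).
const orgDomain = (d) => d.split(".").slice(-2).join(".");
function checkMessage(raw) {
  const { headers: h, body } = parseMessage(raw);
  const from = orgDomain(domainOf(h["from"]));
  const ar = h["authentication-results"] || ""; // assumed to be the one your own receiver added
  const findings = [];
  for (const name of ["reply-to", "return-path"]) {
    const d = orgDomain(domainOf(h[name]));
    if (d && d !== from) findings.push(`${name} domain ${d} differs from From domain ${from}`);
  }
  const dkim = ar.match(/dkim=pass[^;]*header\.d=([^\s;]+)/i);
  if (dkim && orgDomain(dkim[1].toLowerCase()) !== from) findings.push(`DKIM d=${dkim[1]} differs from From`);
  for (const mech of ["spf", "dkim", "dmarc"]) {
    const r = ar.match(new RegExp(`\\b${mech}=(\\w+)`, "i"));
    if (!r || r[1].toLowerCase() !== "pass") findings.push(`${mech}: ${r ? r[1] : "no result"}`);
  }
  // Clean authentication does not clear a payment request: it is capped at caution.
  const paymentRequest = PAYMENT_TERMS.test(`${h["subject"] || ""}\n${body}`);
  const verdict = findings.length ? "suspicious" : paymentRequest ? "caution" : "no-warning-signs";
  return { verdict, findings, verifyOutOfBand: paymentRequest };
}
```

checkMessage(AUTHED_WIRE) returns no findings yet still yields "caution" with verifyOutOfBand set, which is the compromised-mailbox case; checkMessage(LOOKALIKE_REPLY) reports the reply-to disagreement.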
Common BEC and wire-fraud patterns
- Invoice redirection: A vendor supposedly changed its bank or ACH instructions just before payment.
- Executive impersonation: A senior leader requests secrecy, urgency, a wire, gift cards, or sensitive records.
- Payroll diversion: An employee or executive supposedly asks to change direct-deposit details.
- Credential capture: A familiar sender shares a document or sign-in link that leads to an unrelated domain.
Frequently asked questions
Can SPF, DKIM, and DMARC pass on a fraudulent email?
Yes. Those checks can prove that a domain authorized and signed the message, but they cannot prove the request is honest. A criminal using a compromised real mailbox can send a fully authenticated BEC email.
Can Message Loupe prove that an email is safe?
No. It can identify technical and content warning signs and explain why a message needs caution. Money, credential, payroll, and account-change requests should be verified through a contact method you already trust.
Does Message Loupe upload the email?
No. The email is analyzed in the browser. Optional DNS and RDAP lookups may send only the visible sender domain to public lookup services, never the message, headers, links, or verdict.
What should I do if money was already wired?
Contact the sending bank immediately and ask it to recall or freeze the transfer. Then report the incident to the FBI Internet Crime Complaint Center and your local law enforcement or security team.
Check the original email
Message Loupe runs in the browser and does not upload the message. Use the original .eml file or full raw headers for the strongest analysis.