The $55.5 Billion Problem No One Talks About
Business email compromise — or BEC — is the most financially devastating cybercrime in the world. According to the FBI's Internet Crime Complaint Center, BEC has caused $55.5 billion in cumulative global losses, with $2.77 billion stolen in 2024 alone. Yet most companies have never heard of it, and even fewer have defenses in place.
BEC works because it exploits trust, not technology. An attacker impersonates a CEO, a vendor, or a colleague and convinces someone to wire money, share credentials, or change payment details. The emails look real. The phone calls sound real. And now, with deepfake voice cloning and video, they can literally be real — at least to human perception.
The Arup Deepfake: $25 Million Gone in One Video Call
In February 2024, a finance worker at the engineering firm Arup in Hong Kong joined a video conference with what appeared to be the company's CFO and several colleagues. Every face on the call was a deepfake. The AI-generated participants gave instructions to transfer $25 million across five transactions. The employee complied. By the time the fraud was discovered, the money had vanished across multiple bank accounts.
This wasn't a sophisticated nation-state attack. It was a criminal gang using commercially available deepfake tools. The attack succeeded because the employee could see and hear people who looked and sounded exactly like his coworkers. Visual and auditory verification — the foundation of human trust — had been completely compromised.
"We are seeing deepfake video and voice increasingly used as part of BEC fraud. What used to require impersonating an email address now involves impersonating an entire person." — FBI Cyber Division, 2024
MGM Resorts: One Phone Call, $100 Million in Damage
In September 2023, the hacking group Scattered Spider called MGM Resorts' IT helpdesk and impersonated an employee. The call lasted about 10 minutes. Using information scraped from LinkedIn, the caller convinced the helpdesk technician to reset the employee's credentials. That single phone call gave the attackers access to MGM's entire network.
The result: slot machines went dark across Las Vegas, hotel key cards stopped working, and MGM's operations ground to a halt for 10 days. The estimated cost exceeded $100 million. All because an IT helpdesk worker couldn't verify who was really on the other end of a phone call.
Vishing attacks — voice phishing — surged 442% in the past year, according to security firm Hoxhunt. IT helpdesks are the #1 target because they have the keys to the kingdom: password resets, MFA enrollment, and account access.
Why Traditional Security Fails Here
Companies spend billions on firewalls, endpoint detection, and multi-factor authentication. But none of these protect against a trusted insider being socially engineered over the phone. MFA doesn't help when the attacker convinces IT to reset it. Email filters don't catch a phone call. Endpoint security doesn't stop a human from authorizing a wire transfer.
- Multi-factor authentication — attackers social-engineer IT into resetting it
- Email security filters — irrelevant when the attack comes via phone or video
- Caller ID — trivially spoofed to show any number
- Visual verification on video calls — defeated by real-time deepfakes
- Security awareness training — teaches employees to spot phishing emails, not live voice impersonation
The Missing Layer: Verbal Verification
A safeword is something a deepfake can't replicate because it isn't derived from any public information. It's a shared secret — a piece of knowledge that exists only in the minds of the people who agreed on it in person. No amount of LinkedIn scraping, voice cloning, or video deepfaking can produce it.
NIST Special Publication 800-63B — the US government's digital identity guidelines — explicitly approves voice-based out-of-band authentication via the public switched telephone network (PSTN). The principle is sound: verify identity through a separate channel using shared knowledge the attacker can't intercept.
How to Implement Workplace Safewords
- Establish a team safeword shared in person during an all-hands meeting — never over email or chat
- Create a policy: any financial transaction over a threshold (e.g., $5,000) requires verbal safeword confirmation
- IT helpdesk must verify the department safeword before resetting passwords or MFA
- Rotate the safeword quarterly — announce the new one at the next in-person meeting
- Vendor payments: establish safewords with key vendors for payment change requests
- Executive communications: if the CEO calls with an urgent request, the safeword must be provided before anyone acts
Vendor Impersonation: The Fastest-Growing BEC Vector
According to Abnormal AI, 60% of modern BEC attacks now involve vendor impersonation rather than executive impersonation. An attacker compromises a vendor's email, monitors invoicing patterns, and then sends a convincing message: "Our bank account has changed. Please update your records and send the next payment to this new account."
A safeword shared between your accounts payable team and each critical vendor would stop this cold. Before any payment detail change is processed, the vendor must provide the shared verification word — over the phone, to a known contact, at a known number.
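As an added example (not code from the original post), the implementation steps above and the vendor callback rule in this section encoded as a small Python policy check: request-type and threshold gating, a salted hash of the in-person safeword compared in constant time, a quarterly rotation date, and a callback that only counts if it was placed to the number on file. The threshold, request kinds, safeword, dates and phone number are constructed placeholders.

```python
import hashlib
import hmac
import os
from datetime import date

# Hypothetical policy values mirroring the article's guidance (constructed).
PAYMENT_THRESHOLD = 5_000       # verbal confirmation required above this amount
ALWAYS_VERIFY = {"password_reset", "mfa_reset", "vendor_bank_change"}
ROUNDS = 200_000                # PBKDF2 iterations

def _norm(word: str) -> bytes:
    # Spoken words arrive with arbitrary case/spacing; normalise before hashing.
    return " ".join(word.lower().split()).encode()

def enroll(safeword: str, expires: date) -> dict:
    """Keep only a salted hash of the word agreed in person, plus its rotation date."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _norm(safeword), salt, ROUNDS)
    return {"salt": salt, "digest": digest, "expires": expires}

def requires_safeword(request: dict) -> bool:
    """Requests the policy gates: credential resets, vendor bank changes, large payments."""
    if request["kind"] in ALWAYS_VERIFY:
        return True
    return request["kind"] == "payment" and request.get("amount", 0) > PAYMENT_THRESHOLD

def verify(record: dict, spoken: str, today: date,
           dialed_number: str, directory_number: str) -> bool:
    """True only if the word matches, is not past rotation, and was taken on a call
    placed to the number on file, never to one supplied in the request itself."""
    if today > record["expires"]:
        return False            # rotated out; re-enrol at the next in-person meeting
    if dialed_number != directory_number:
        return False            # a number quoted in the email is attacker-controlled
    digest = hashlib.pbkdf2_hmac("sha256", _norm(spoken), record["salt"], ROUNDS)
    return hmac.compare_digest(digest, record["digest"])

# Constructed sample: this quarter's AP/vendor safeword and the vendor's directory number.
Q3_RECORD = enroll("copper kettle", date(2025, 9, 30))
DIRECTORY_NUMBER = "+1-555-0100"

def bank_change_decision(spoken: str, dialed: str, today: date) -> bool:
    """Approve a vendor bank-change request only after a verified callback."""
    request = {"kind": "vendor_bank_change", "vendor": "Acme Supplies"}
    if not requires_safeword(request):
        return True
    return verify(Q3_RECORD, spoken, today, dialed, DIRECTORY_NUMBER)
```

The hash is stored so that a compromised mailbox or ticketing system never exposes the word itself; the word only ever travels by voice.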
Remote Work Made This Worse
When teams worked in the same office, you could walk over to someone's desk and confirm a request face-to-face. Remote and hybrid work eliminated that option. Now, all verification happens over digital channels — the very channels deepfakes can compromise. Safewords restore the in-person trust layer to remote interactions.
Start today: use the Safewords.io Protocol Builder to create a workplace verification protocol. Choose "Workplace" as your group type, add your team members, and establish when the safeword should be required. Print the security card and share it at your next team meeting.