It looked like a routine payment—until it nearly cost $50,000.
Savoy Equity co-founding principal Barrett Linburg said his firm recently received an invoice from a trusted vendor that checked every box: correct logo, project name and invoice number. There was only one difference—a new bank account for payment. "
"If we had paid it, $50K is gone. No recovery. No insurance. Just gone," Linburg wrote on X. Days later, the vendor confirmed their email system had been hacked.
The close call underscores a rising form of business email compromise (BEC) that's increasingly targeting commercial real estate firms.
"If it's a truly convincing attempt, then what you're describing is the monetization phase of a Business Email Compromise cycle," says Travis Simcox, lead cyber threat hunter at The Baldwin Group.
"This is going on all day, every day in all industries, but real estate agents and title companies are the most coveted targets because they tend to use a lot of wire transfers, which are hard or impossible to reverse in the case of fraud."
Attackers often mimic authentic invoice templates to blend seamlessly into legitimate communication.
"They reuse exact official invoice templates, mirror legitimate formats and payment language, and host malicious content on trusted platforms such as DocuSign, Dropbox, or Google Drive," offensive security engineer Kwangyun Keum tells GlobeSt.com.
According to Simcox, the process behind these scams runs deeper than most realize. Some fraudsters pay monthly fees—around $200—to subscribe to phishing-as-a-service platforms. These services distribute deceptive emails designed to compromise vendor accounts. Once inside, attackers search inboxes for keywords such as "invoice," download real documents, alter the payment information and then reinsert the doctored versions back into active correspondence.
"Often, companies don't even realize what's going on until the last step," Simcox explains. "Once the invoice fraud is complete, the fraudster uses the compromised email account to blast out phishing links to everyone in their contact list, starting the next cycle."
At Savoy Equity, internal safeguards helped halt the attempted theft. Linburg said the firm freezes any payment when new banking details appear and confirms changes only through previously stored vendor contact information.
Keum recommends that companies go further by implementing email authentication protocols such as DMARC, DKIM and SPF. These tools verify sender identity and reduce the risk of email spoofing.
Bring in someone who understands the fluctuations in security needs, Keum advises, and make sure you're as set as possible.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.