BEC attacks cost U.S. businesses $2.8 billion in 2024, according to the FBI's Internet Crime Complaint Center. In Q2 2025, the average wire transfer BEC attack requested $83,099, a 97% increase from the prior quarter. Financial institutions were the most-targeted sector, accounting for 18.3% of all phishing attacks. For mortgage companies processing six-figure wire transfers daily, these aren't abstract numbers.
Three weeks had passed since Chad clicked that link.
The suspicious invoice had been flagged. CYA Finance's IT team followed their standard incident response protocol. They revoked Chad's credentials. They reset passwords across key systems. They ran a security review and filed a report. The language was familiar: "phishing incident," "credential compromise," "recommend further employee training."
Everyone breathed a sigh of relief. Systems were running. Emails were flowing. Business carried on.
But the attacker had never left.
NullGhost knew the playbook. They were counting on it.
Before the first help desk ticket was opened, NullGhost had planted a custom script on a forgotten file server. It was disguised to look like part of the routine backup process. It ran quietly in the background. It blended in with scheduled jobs.
The script didn't collect data. Not yet. It just kept the door open.
After Chad's account was deactivated and the "immediate threat" was neutralized, NullGhost still had access. That single overlooked script acted as a beacon. It pinged out at regular intervals, waiting for the all-clear.
When everyone moved on, NullGhost resumed operations.
With access restored, NullGhost launched the second phase.
They didn't smash and grab. They exfiltrated data slowly. Client records. Financial spreadsheets. Email archives. Each batch was encrypted and sent off-site in small packets disguised as system telemetry or cloud sync activity. Every transfer flew under the radar. No alerts triggered. Nothing looked unusual.
Then came the kill shot.
NullGhost identified a routine vendor payment scheduled for the following week. Using their access to internal communications, they altered the payment instructions just enough to redirect funds to a lookalike bank account under their control.
Nobody noticed. Not until the money was gone.
By the time CYA Finance discovered the discrepancy, the six-figure wire transfer had cleared, moved through a cryptocurrency tumbler, and vanished across three jurisdictions.
Weeks later, a forensic audit uncovered a single strange DNS query originating from a machine with no known user login. The query matched a hostname tied to the original proxy phishing site NullGhost had used.
Whether it was a mistake or a deliberate taunt, nobody could say.
The message was clear: Chad's click was never the breach. It was just the invitation.
CYA Finance followed a standard incident response playbook. Reset credentials. Run a scan. File a report. Move on. That playbook works for commodity threats. It doesn't work for persistent attackers who plan their access in layers.
Here's what a proper response would have included:
CYA Finance paid over $15 million in direct financial costs, legal fees, and regulatory fines. They lost 75% of their customers. Every one of them said the same thing: "We can't trust you with our data."
The breach didn't end with the incident report. It ended only when CYA Finance brought in outside experts with the tools and talent to find the ghost hiding in the machine. By then, the damage was done.
Financial institutions are prime targets for exactly this type of attack. The APWG recorded over 1.1 million phishing attacks in Q2 2025 alone. Wire transfer BEC attacks increased 27% quarter over quarter. And 70% of BEC attacks launch from free webmail accounts, making sender verification critical.
Mortgage Workspace deploys Guardian MxDR, which pairs Microsoft Defender, Sentinel, and Secure Score with 24/7 human monitoring. Persistent threats get hunted, not just flagged. Wire fraud controls, identity monitoring, and forensic response capabilities come standard.
Serving 750+ financial institutions, Access Business Technologies configures these protections specifically for mortgage operations. No third-party MSP platforms. Pure Microsoft stack. Zero supply chain exposure from tools like ConnectWise or Kaseya that keep getting breached.
Standard incident response resets credentials and runs antivirus scans. Persistent attackers plant backdoors in scheduled tasks, startup scripts, and forgotten servers before the response begins. These persistence mechanisms survive password resets and basic scans. Detecting them requires forensic threat hunting, DNS log analysis, and behavioral monitoring through tools like Microsoft Defender for Identity and Sentinel.
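The DNS log analysis described above, as an added example (not code from the article or from any Microsoft product): it flags host and hostname pairs queried at near-constant intervals, the signature of a beacon, and puts machines with no user logon first. The log format, hostnames, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample DNS log ("timestamp host queried-name"); not incident data.
SAMPLE_DNS_LOG = """\
2025-06-01T00:00:00 FS-OLD01 sync.telemetry-check.example
2025-06-01T00:01:10 WS-ACCT07 portal.vendor.example
2025-06-01T00:03:45 WS-ACCT07 portal.vendor.example
2025-06-01T00:10:02 FS-OLD01 sync.telemetry-check.example
2025-06-01T00:19:59 FS-OLD01 sync.telemetry-check.example
2025-06-01T00:30:01 FS-OLD01 sync.telemetry-check.example
2025-06-01T00:40:00 FS-OLD01 sync.telemetry-check.example
2025-06-01T00:41:20 WS-ACCT07 portal.vendor.example
2025-06-01T01:15:05 WS-ACCT07 portal.vendor.example
2025-06-01T01:16:30 WS-ACCT07 portal.vendor.example
"""
# Hosts with an interactive user logon in the same window (constructed).
HOSTS_WITH_LOGON = {"WS-ACCT07"}

def group_queries(log):
    """Map (host, queried name) -> sorted query timestamps; skip malformed lines."""
    groups = defaultdict(list)
    for line in log.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, name = parts
        groups[(host.upper(), name.lower())].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in groups.items()}

def find_beacons(log, hosts_with_logon, min_events=5, max_cv=0.1):
    """Flag pairs queried at near-constant intervals; logon-less hosts sort first."""
    findings = []
    for (host, name), times in group_queries(log).items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg  # coefficient of variation: near 0 means clockwork
        if cv <= max_cv:
            findings.append({"host": host, "name": name, "interval_s": round(avg),
                             "no_user_logon": host not in hosts_with_logon})
    return sorted(findings, key=lambda f: not f["no_user_logon"])

if __name__ == "__main__":
    print(find_beacons(SAMPLE_DNS_LOG, HOSTS_WITH_LOGON))
```

A fixed jitter threshold misses beacons that randomize their sleep time, so treat a clean result as one signal among several rather than proof of eviction.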
Business Email Compromise wire fraud involves an attacker impersonating a trusted party to redirect payment instructions. Mortgage companies handle six-figure wire transfers daily, making them high-value targets. BEC attacks cost U.S. businesses $2.8 billion in 2024. The average wire transfer BEC request reached $83,099 in Q2 2025, and financial institutions were the most-targeted sector for phishing attacks.
Microsoft Sentinel correlates network telemetry, identity events, and endpoint behavior across your entire environment. It detects patterns like encrypted data flowing to unknown domains in small bursts, DNS queries to suspicious hostnames, and service accounts accessing resources outside normal hours. Custom detection rules specific to mortgage operations flag these anomalies for your security team in real time.
Out-of-band verification is the primary defense. When payment instructions change, confirm the change through a separate channel, such as a phone call to a known number, not the number in the email. Dual authorization for transfers above a threshold, callback verification for new payees, and real-time alerts for payment instruction modifications all reduce wire fraud exposure. These controls work alongside Microsoft Defender and Sentinel monitoring.
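The controls above expressed as a pre-release check, as an added example rather than the article's or any vendor's code. The threshold, class and field names, and the rule that the requester does not count as an approver are assumptions; vendor names, accounts and phone numbers are constructed.

```python
from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD = 50_000  # assumed policy value in USD, not from the article

@dataclass
class Vendor:
    account: str        # bank account verified at onboarding
    phone_on_file: str  # callback number verified at onboarding

@dataclass
class WireRequest:
    payee: str
    account: str
    amount: float
    requester: str
    approvers: set = field(default_factory=set)
    callback_dialed: str = ""  # number staff actually called to confirm

def review_wire(req, vendor_master):
    """Return the reasons to hold a wire; an empty list means release."""
    holds = []
    vendor = vendor_master.get(req.payee)
    if vendor is None:
        holds.append("new payee: verify by callback and onboard before paying")
    elif req.account != vendor.account:
        # Never pay an account that is not on record (assumed design): a
        # confirmed change updates the vendor record, then the wire is resubmitted.
        holds.append("alert: payment instructions differ from vendor record")
        # Only a call to the number already on file is out-of-band; a number
        # that arrived with the changed instructions proves nothing.
        if req.callback_dialed != vendor.phone_on_file:
            holds.append("change not confirmed via phone number on file")
    independent = req.approvers - {req.requester}
    if req.amount >= DUAL_AUTH_THRESHOLD and len(independent) < 2:
        holds.append("dual authorization: two approvers other than requester")
    return holds

# Constructed sample data; the amount reuses the article's average BEC request.
VENDORS = {"Acme Title": Vendor("ACCT-0001-4471", "+1-555-0100")}
TAMPERED = WireRequest("Acme Title", "ACCT-7777-9902", 83_099, "ana",
                       approvers={"ana"}, callback_dialed="+1-555-0199")
ROUTINE = WireRequest("Acme Title", "ACCT-0001-4471", 83_099, "ana",
                      approvers={"ben", "cruz"})

if __name__ == "__main__":
    print(review_wire(TAMPERED, VENDORS))
    print(review_wire(ROUTINE, VENDORS))
```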