Before phishing and ransomware, a quiet scam was draining bank accounts across North America. It didn’t hack systems. It used routine.
Accounting teams would receive a simple fax:
“Please note our banking details have changed. Effective immediately, route all payments to the account below.”
No urgency. No errors. Just familiar letterhead and a believable signature.
So they processed it.
The scam exploited hierarchy and trust. The request appeared to come from a long-time supplier or a senior executive. Questioning it felt unnecessary, even inappropriate. The transfer was approved. The books balanced.
Weeks later, the real supplier would call. They hadn’t been paid.
By then, the money was gone. Funds were quickly moved across accounts and countries. There was no malware, no breached server, no digital trail to analyse. The transfer had been authorised.
Nothing was hacked. Only trust.
By the late 1990s, fax became email. Letterhead became digital signatures. Sometimes urgency was added: “I’m in a meeting,” “Need this done before close.” But the psychology stayed the same:
Authority.
Familiarity.
Routine.
Today we call it Business Email Compromise. It causes billions in losses each year. But the technology isn’t the real threat.
The damage happens when people operate inside systems that reward speed over verification.
Security tools can block malicious links and scan attachments. They cannot stop someone from approving a payment that looks legitimate.
That’s why these scams endure. They don’t ask you to do something unusual. They ask you to do your job.
The fax machine was just the delivery method. The real exploit was behavioural.
The most vulnerable systems are not the ones connected to the internet. They are the ones built on trust, habit, and the assumption that tomorrow looks like yesterday.
The scam didn’t need malware.
It didn’t need hacking tools.
It didn’t even need the internet.
It only needed someone to think, “This looks normal,” and press approve.
The most dangerous frauds rarely feel dangerous.
They feel like work.
If your payment approvals, vendor changes, or executive requests rely on trust alone, it may be time for a second look. Put simple verification controls in place, train your team to pause before processing financial changes, and test your processes before someone else does.
The scams that hurt the most are the ones that look routine. Make sure your routine includes protection.
Find the Weak Points Before Someone Else Does
The reality is, most organisations don’t realise how exposed they are until something goes wrong.
These scams don’t break systems. They move through them quietly, using the same processes your team relies on every day.
That’s why prevention isn’t about more tools. It’s about visibility, verification, and understanding where trust can be exploited.
If you’re not sure how your current processes would hold up, it’s worth taking a closer look.
Book a cybersecurity readiness assessment with Conor and the Expera team. We’ll review how payments, approvals, and vendor changes are handled in your environment, identify where risk exists, and give you clear, practical steps to reduce it.
Because the goal isn’t to slow your business down.
It’s to make sure the things that feel routine are actually secure.
