
The Email That Moved US$340,000 to a Criminal’s Account
The chief financial officer of a Caribbean financial institution received an email at 3:47 p.m. on a Thursday afternoon from what appeared to be the institution’s principal legal counsel. The email referenced an ongoing regulatory matter that the CFO was familiar with, used the attorney’s correct name and email signature format, and included language consistent with previous correspondence between the two parties. The email instructed the CFO to arrange an urgent wire transfer of US$340,000 to an account described as the escrow account for a regulatory settlement that required completion before the end of business on Friday.
The CFO had two concerns. First, the amount was significant but not unprecedented for regulatory settlement payments. Second, the urgency was unusual — but not inconsistent with the regulatory pressure the institution had been experiencing. The CFO forwarded the email to the head of treasury with instructions to process the wire. The head of treasury verified the payment against the CFO’s authorisation, confirmed the beneficiary account details matched those in the email, and submitted the wire. The payment was processed within ninety minutes of the email’s arrival.
On Friday morning, the CFO called the attorney to confirm receipt. The attorney had not sent the email. Had not requested any payment. Had no knowledge of an escrow account. The email was a business email compromise — a meticulously crafted fraud in which the attacker had researched the institution’s legal relationships, identified the ongoing regulatory matter through publicly available information, spoofed the attorney’s email address with a domain that differed by a single character from the legitimate domain, and crafted a request that exploited the CFO’s familiarity with the matter and the urgency of the regulatory context.
The US$340,000 was unrecoverable. The receiving account had been emptied within hours of the wire’s arrival. The institution’s insurance did not cover social engineering fraud. And the incident exposed a cascade of email security failures that the institution had not recognised until US$340,000 revealed them.
The institution’s email system had no domain authentication protocols. The spoofed email — sent from a domain one character different from the attorney’s legitimate domain — was not flagged because the institution had not implemented the email authentication standards (SPF, DKIM, and DMARC) that would have identified the sender as illegitimate. The email system had no advanced threat detection that analysed email content for the behavioural indicators of business email compromise: urgency language, financial requests, unusual sender patterns, and domain similarity analysis. And the institution had no policy requiring out-of-band verification for wire transfers initiated by email — a procedural control that would have prompted the CFO to call the attorney before processing the payment rather than after.
This fictional scenario, while not attributable to any specific Caribbean financial institution, reflects the single most financially damaging category of cyberattack facing Caribbean enterprises: email-based fraud. Business email compromise alone has generated billions of dollars in global losses, and Caribbean enterprises — where business is conducted through personal relationships and email instructions carry the authority of the sender’s reputation — are particularly vulnerable.
Why Email Is the Attacker’s Favourite Weapon
Email is the primary attack vector for cyberattacks worldwide. Approximately eighty per cent of successful breaches begin with a compromised email. The professional services firm in Article 1 was breached through a phishing email. The financial institution in this article lost US$340,000 through a spoofed email. The pattern is consistent: email is how attackers get in, and email is where Caribbean enterprises are most exposed.
Phishing: Mass emails designed to trick recipients into clicking malicious links, opening infected attachments, or entering credentials on spoofed login pages. Phishing emails impersonate trusted brands, service providers, and institutions: banks, courier services, government agencies, and cloud platforms. The volume of phishing targeting Caribbean enterprises has increased dramatically, with attackers tailoring campaigns to regional contexts — referencing Caribbean banks, government agencies, and service providers by name.
Spear Phishing: Targeted phishing directed at specific individuals within the enterprise. The attacker researches the target’s role, responsibilities, relationships, and current activities — often using information available on LinkedIn, company websites, and social media — and crafts an email that is personalised, contextually relevant, and convincing. The professional services firm’s senior associate received a spear phishing email referencing a court filing service the firm actually used.
Business Email Compromise: The most financially damaging email-based attack. The attacker impersonates a trusted party — a CEO, a CFO, an attorney, a supplier, a client — and instructs the target to make a payment, redirect a transfer, or share sensitive information. BEC attacks are sophisticated: they exploit trust, authority, and urgency, and they frequently bypass technical controls because the email itself contains no malware, no malicious links, and no attachments — just a convincing instruction from what appears to be a trusted sender.
Malware Delivery: Emails that deliver ransomware, trojans, keyloggers, and other malicious software through infected attachments or links to compromised websites. The ransomware that encrypted the professional services firm’s systems in Article 1 was delivered through an email link. The malware may execute immediately or establish a persistent presence that the attacker activates days or weeks later.
Credential Harvesting: Emails that direct the recipient to a spoofed login page — a replica of the enterprise’s email login, its cloud platform, or its banking portal — that captures the user’s credentials when they attempt to log in. Harvested credentials provide the attacker with legitimate access to the enterprise’s systems, bypassing perimeter defences entirely.
The Five Layers of Email Defence
Effective email security is not a single product or a single technology. It is a multi-layered defence that addresses different threats at different points in the attack chain.
Layer 1 — Gateway Filtering and Threat Detection: The first layer intercepts threats before they reach the user’s inbox. Gateway filtering analyses every inbound email for known malicious signatures, suspicious attachments, malicious URLs, and the behavioural indicators that distinguish phishing and BEC from legitimate email. Advanced threat detection uses machine learning and sandboxing to analyse attachments and links in a controlled environment, identifying threats that signature-based detection would miss. Dawgen Global’s Email Threat Defence service deploys gateway filtering and advanced threat detection that intercepts the vast majority of malicious emails before any user sees them.
Layer 2 — Domain Authentication and Anti-Spoofing: The second layer verifies that emails claiming to be from a specific domain are actually sent from that domain. SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are the three protocols that, when properly configured, prevent attackers from spoofing the enterprise’s email domain and detect incoming emails from spoofed domains. The financial institution’s failure to implement these protocols allowed the spoofed attorney email to pass unchallenged. Dawgen Global’s Email Threat Defence includes the configuration and monitoring of SPF, DKIM, and DMARC for the enterprise’s email domains.
Layer 3 — Business Email Compromise Detection: The third layer specifically targets BEC attacks. Because BEC emails typically contain no malware and no malicious links — they are pure social engineering — they bypass traditional security filters. BEC detection analyses email content for the behavioural patterns that characterise BEC: impersonation of known contacts, urgency language, financial requests, unusual sender behaviour, and domain similarity (the single-character domain difference that the attacker used against the financial institution). Dawgen Global’s Email Threat Defence includes AI-powered BEC detection that identifies impersonation attempts based on behavioural analysis, not just technical signatures.
Layer 4 — DNS-Level Protection: The fourth layer blocks threats at the DNS level — preventing users from reaching malicious websites even if they click a phishing link. When a user clicks a link in an email, the DNS request (the lookup that translates the website name into an address) is intercepted and checked against threat intelligence databases. If the destination is known to be malicious, the connection is blocked before the user’s browser loads the page. DNS-level protection provides a safety net for the phishing emails that bypass gateway filtering and the links that users click despite training. Dawgen Global’s Email Threat Defence includes DNS-level protection across the enterprise’s network and devices.
Layer 5 — Email Backup and Recovery: The fifth layer ensures that the enterprise’s email data is protected against loss, whether from attack, accidental deletion, or system failure. Cloud email platforms like Microsoft 365 provide limited native retention and recovery. Comprehensive email backup provides independent, searchable archives of all email data with point-in-time recovery capability. This layer protects against the data loss scenario where an attacker deletes mailbox contents after exfiltrating the data, and satisfies the record retention requirements that regulated Caribbean enterprises must meet. Dawgen Global’s Email Threat Defence includes automated email backup for Microsoft 365 environments.
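The difference between a weak and an enforcing Layer 2 configuration, as an added example that is not part of the original article or of Dawgen Global's service. The records and the example.com / example.net names are constructed, and the check reads record strings supplied by the caller rather than querying DNS.

```python
# Added example, not the article's code. All records are constructed samples.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the 'all' qualifier, 'redirect' if policy is delegated, or None."""
    redirected = False
    for term in txt.lower().split()[1:]:
        if term in ("all", "+all", "-all", "~all", "?all"):
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means +all
        redirected = redirected or term.startswith("redirect=")
    return "redirect" if redirected else None

def audit_domain(txt_records, dmarc_records):
    """Return findings for one domain's TXT records and its _dmarc TXT records."""
    findings = []
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("SPF: no record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple records, receivers return permerror")
    elif spf_all_qualifier(spf[0]) not in ("-", "~", "redirect"):
        findings.append("SPF: no restrictive 'all' (-all or ~all)")
    dmarc = [d for d in map(parse_dmarc, dmarc_records) if d is not None]
    if not dmarc:
        findings.append("DMARC: no record published")
        return findings
    policy = dmarc[0].get("p", "").lower() or "missing"
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s does not block spoofed mail" % policy)
    if dmarc[0].get("pct", "100") != "100":
        findings.append("DMARC: pct below 100 leaves some mail unenforced")
    if "rua" not in dmarc[0]:
        findings.append("DMARC: no rua address, so no aggregate reports")
    return findings

# Constructed records: a weak configuration beside a hardened one.
WEAK = {"txt": ["v=spf1 include:_spf.example.net +all"], "dmarc": ["v=DMARC1; p=none"]}
HARDENED = {"txt": ["v=spf1 include:_spf.example.net -all"],
            "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]}

if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_domain(rec["txt"], rec["dmarc"]))
```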
Business Email Compromise: The Caribbean Vulnerability
BEC is particularly dangerous in the Caribbean for reasons that are rooted in the region’s business culture.
Relationship-Based Authority: Caribbean business operates on relationships. An instruction from a trusted partner, attorney, or senior executive carries weight because of who sent it, not because of the technical verification behind it. The CFO processed the wire because it came from the attorney — a person the CFO trusted. BEC attackers exploit this relational authority by impersonating the specific individuals whose instructions the target would naturally follow.
Small Community Visibility: In Caribbean markets, the identities, roles, and relationships of senior business professionals are widely known. An attacker researching a Caribbean financial institution can identify the CFO, the external counsel, the key suppliers, and the regulatory relationships through LinkedIn, company websites, regulatory filings, and news coverage. This information enables the personalised, contextually accurate BEC emails that Caribbean enterprises find difficult to distinguish from legitimate communication.
Limited Verification Culture: Many Caribbean enterprises have not implemented out-of-band verification procedures for financial instructions received by email. The assumption is that email from a known contact is authentic. BEC defence requires a cultural shift: every email requesting a financial transaction, a change in payment details, or the transfer of sensitive information must be verified through a separate channel (phone call to a known number, in-person confirmation) before the instruction is executed.
Dawgen Global’s Email Threat Defence Service
Dawgen Global’s Email Threat Defence is a comprehensive, multi-layered email security service designed for Caribbean enterprises.
What It Includes: Gateway filtering and advanced threat detection that blocks phishing, malware, and spam before it reaches the inbox. AI-powered business email compromise detection that identifies impersonation, urgency patterns, and domain spoofing. Domain authentication configuration and monitoring (SPF, DKIM, DMARC) that prevents the enterprise’s domain from being spoofed and detects incoming spoofed emails. DNS-level threat protection that blocks access to malicious websites even when users click phishing links. Automated email backup for Microsoft 365 that provides independent, searchable email archives with point-in-time recovery.
How It Is Delivered: Dawgen Global deploys the Email Threat Defence service through cloud-based infrastructure that integrates with the enterprise’s existing email platform (Microsoft 365, Google Workspace, or on-premises email). Deployment does not require changes to the enterprise’s email infrastructure and is typically completed within five to ten business days. The service includes ongoing monitoring, threat intelligence updates, and quarterly reporting on threats blocked, trends identified, and recommendations for improvement.
What It Costs: Email Threat Defence is priced on a per-user, per-month basis that scales with the enterprise’s size. For Caribbean mid-market enterprises with fifty to two hundred users, the service represents a fraction of the cost of a single successful email-based attack — and a fraction of the US$340,000 the financial institution lost to a single BEC email.
The Procedural Layer: Email Cannot Be Solved by Technology Alone
Dawgen Global’s Email Threat Defence addresses the technical dimensions of email security. But the financial institution’s US$340,000 loss was not solely a technology failure — it was also a procedural failure. The institution had no policy requiring out-of-band verification for email-initiated wire transfers. This procedural gap meant that even if the technical controls had flagged the email as suspicious, the absence of a verification requirement would have left the enterprise exposed to any sufficiently convincing email.
Payment Verification Procedures: Every wire transfer, every change in supplier payment details, and every financial instruction received by email should be verified through a separate communication channel before execution. This verification should be mandatory, documented, and enforced regardless of who the apparent sender is.
Domain Awareness Training: Employees who handle financial transactions should be trained to examine email domains carefully. The single-character domain difference that the BEC attacker used is the most common spoofing technique — and the most preventable, if the recipient knows to look for it.
Authority Limits for Email Instructions: The enterprise should define limits on the financial actions that can be authorised by email alone. Transactions above a defined threshold should require verbal confirmation, dual authorisation, or in-person approval — controls that eliminate the attacker’s ability to move funds through email instruction alone.
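The domain similarity check described under Layer 3 and in the domain awareness item above can be automated against a list of known correspondents; the following is an added example, not part of the original article or of Dawgen Global's service, and every domain name in it is constructed. Authentication results do not cover this case, because a look-alike domain registered by the sender can publish its own valid SPF, DKIM and DMARC records.

```python
# Added example (not from the original article): flag sender domains that
# closely resemble a trusted correspondent's domain. All names are constructed.

# Illustrative subset of visually confusable sequences, not an exhaustive table.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def skeleton(domain):
    """Collapse confusable sequences so visually similar names compare equal."""
    d = domain.lower().rstrip(".")
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d

def classify_sender(address, trusted_domains, max_distance=1):
    """Return (verdict, matched trusted domain or None) for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted_domains:
        return ("trusted", domain)
    for trusted in sorted(trusted_domains):
        if skeleton(domain) == skeleton(trusted):
            return ("lookalike-confusable", trusted)
        if edit_distance(domain, trusted) <= max_distance:
            return ("lookalike-typo", trusted)
    # Punycode labels can render as look-alike Unicode; route to manual review.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return ("idn-review", None)
    return ("unknown", None)

TRUSTED = {"harbourlegal.example", "summitbank.example"}  # constructed allow-list

if __name__ == "__main__":
    for sender in ("counsel@harbourlegal.example", "counsel@harbourlegel.example",
                   "ops@sumrnitbank.example", "billing@unrelated.example"):
        print(sender, classify_sender(sender, TRUSTED))
```

The "rn" for "m" case has an edit distance of 2, so it is caught only by the confusable comparison; a distance threshold of 1 alone would miss it.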
Article 4 of this series will examine the human risk management dimension in detail — the training, awareness, and behavioural change programmes that address the human vulnerabilities that technology alone cannot close.
The Front Door Is Open
The fictional financial institution’s US$340,000 loss was the cost of an open front door. The email that moved the money was not sophisticated malware, was not a zero-day exploit, and was not a state-sponsored attack. It was a carefully crafted email that exploited the absence of domain authentication, the absence of BEC detection, and the absence of a verification procedure. The front door was open because nobody had installed the locks.
Every Caribbean enterprise whose email system lacks multi-layered threat detection, domain authentication, BEC-specific defence, DNS-level protection, and verified email backup is operating with its front door open. The attackers are already probing it. The question is whether the enterprise will install the locks before or after the attacker walks through.
Dawgen Global’s Email Threat Defence closes the front door. Five layers of protection. Deployed in days. Monitored continuously. And priced at a fraction of the cost of a single successful attack.
Secure Your Email Environment
Dawgen Global invites Caribbean enterprises to assess the security of their email environment and close the gaps that attackers exploit every day.
Request a Dawgen Global Email Security Assessment or deploy Email Threat Defence for your enterprise. Email [email protected] or visit www.dawgen.global to begin the conversation.
DAWGEN GLOBAL | Big Firm Capabilities. Caribbean Understanding.

