An email that appears to come from the principal, asking the assistant or the accountant to move funds urgently, is one of the oldest forms of attack and remains one of the most successful. The reason is operational, not technical. The request exploits the chain of authority that exists in every office of consequence. An instruction that comes from the top is acted on; the instruction is checked afterwards, not before.

The forgery itself is rarely sophisticated. The sender's address may be a near-perfect copy of the genuine one, off by one letter. The signature line may be reproduced exactly. The tone may be lifted from a previous genuine email. The request is plausible in scale and urgent in framing. None of it has to be convincing for long; it has to be convincing for the few minutes it takes to act.
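As an added illustration (not part of the original text), the "off by one letter" sender address described above can be flagged automatically by comparing the From address against addresses the office has already verified. The address list, function names and the one-edit threshold are assumptions made for this example.

```python
from email.utils import parseaddr

# Constructed sample data: addresses the office has verified out of band.
KNOWN_SENDERS = {"j.moreau@example-holdings.com", "accounts@example-holdings.com"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and swapping two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "exmaple" for "example".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, max_edits: int = 1):
    """Return (verdict, matched_known_address) for a From header.

    "known" only means the header text matches a verified address; headers
    can be forged, so it does not replace second-channel confirmation.
    """
    addr = parseaddr(from_header)[1].strip().lower()
    if addr in KNOWN_SENDERS:
        return ("known", addr)
    for known in sorted(KNOWN_SENDERS):
        if 1 <= edit_distance(addr, known) <= max_edits:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers: genuine, one letter dropped, unrelated.
    for header in ('"J. Moreau" <j.moreau@example-holdings.com>',
                   '"J. Moreau" <j.moreau@example-holdngs.com>',
                   "billing@vendor.example"):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is a strong signal to stop and verify; a "known" verdict is not a signal to skip verification.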

The defence is the second-channel confirmation: a call to the principal on a known number, a Signal message to a separately verified contact, an in-person check if both parties are in the same place. The mechanism is not difficult. The discipline of using it, even for trusted senders and routine requests, is what separates an office that loses to this attack from one that does not.

A careful reading is what this kind of record asks for. It does not get one from most readers.