How Invoice Fraud Starts in Your Inbox

Business email compromise drains real money from small Canadian firms, and it usually begins with a single hidden mailbox rule. How the attack works and how to shut it down.

The most expensive cyberattack on a small firm rarely involves malware. There are no locked screens and no ransom note, nothing that looks like an incident at all. A supplier sends an invoice, someone in accounts pays it, and weeks later the real supplier calls asking where their money is. By then the funds have moved through three banks and are gone. The firm did everything it normally does, and that is exactly why it worked.

This is business email compromise, and it is the quiet giant of cybercrime losses. The Canadian Anti-Fraud Centre consistently ranks it among the costliest fraud types it tracks, with reported losses running into the tens of millions of dollars a year, and the centre is open about the fact that most victims never report at all. South of the border, the FBI's Internet Crime Complaint Center has tied more than $55 billion in losses to this single pattern over the past decade. The reason it dwarfs ransomware in dollar terms is simple: there is nothing to clean up and nothing to restore. The money just leaves.

The attack hides inside a normal conversation

Here is how it usually plays out for a 30-person firm on Microsoft 365 or Google Workspace. Someone clicks a convincing login page, maybe a fake "your mailbox is full" notice or a shared-document prompt, and types their email password. If the account has no multi-factor authentication, or only text-message MFA, whose one-time code the attacker can phish on the same fake page, that login now belongs to a stranger. Nothing visible changes. No new program appears on the laptop. The inbox looks exactly as it always did.

What the attacker does next is the part most founders have never heard of. They create an inbox rule. In Outlook and in Gmail you can set
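One way a defender spots the hidden rule described above is to review mailbox-rule creation events in the tenant's audit log. The script below is an added example, not code from the article: it scores constructed records shaped like Microsoft 365 unified audit log entries for New-InboxRule and Set-InboxRule (the parameter names are real Exchange rule settings, but the record layout and values here are simplified assumptions) and flags rules that forward externally, delete or bury messages, or filter on finance keywords.

```python
# Constructed sample records, shaped like unified audit log exports
# (simplified: parameter values are plain strings, not Exchange's JSON arrays).
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ceo@example.com",
     "Parameters": [{"Name": "Name", "Value": "fwd"},
                    {"Name": "ForwardTo", "Value": "archive.mail@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ops@example.com",     # benign filing rule
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "bank", "transfer"}
# Folders nobody reads, commonly used to hide the real supplier's replies.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

def params(record):
    """Flatten the Name/Value parameter list of one audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def assess_rule(record, internal_domains):
    """Return the list of suspicious traits found in one rule-creation record."""
    p, reasons = params(record), []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        target = p.get(key, "")
        if target and target.rsplit("@", 1)[-1].lower() not in internal_domains:
            reasons.append(f"{key} to external address {target}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to '{p['MoveToFolder']}'")
    words = (p.get("SubjectContainsWords", "") + ";"
             + p.get("SubjectOrBodyContainsWords", "")).lower()
    if any(w in words for w in FINANCE_WORDS):
        reasons.append("filters on finance keywords")
    if len(p.get("Name", "").strip()) <= 2:
        reasons.append("near-empty rule name")
    return reasons

def find_suspicious_rules(records, internal_domains):
    """Yield (mailbox, reasons) for rules with two or more suspicious traits."""
    findings = []
    for r in records:
        if r.get("Operation") in ("New-InboxRule", "Set-InboxRule"):
            reasons = assess_rule(r, internal_domains)
            if len(reasons) >= 2:   # two signals keeps ordinary filing rules quiet
                findings.append((r["UserId"], reasons))
    return findings
```

Requiring two signals is a tuning choice; a single external ForwardTo is often worth an alert on its own in a small tenant.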