CONFIDENTIAL  //  TLP:AMBER  //  Finance & Legal eyes — Do not forward externally
Incident Response Report  ·  Ficsit Inc. Pioneer Division
BEC-001: CEO Wire Fraud
Business Email Compromise — CEO impersonation via personal Gmail, $47,500 emergency wire transfer to fraudulent account. Blocked by MailGuard BEC detection at 97% confidence.
Report ID
RPT-2026-BEC-001
Email Threat ID
THREAT-002
SOAR Case
CASE-2024-0205
Severity
High — Financial Fraud Attempt
Status
Closed — Blocked, No Financial Loss
Attack Type
Business Email Compromise (BEC)
Requested Amount
$47,500 USD
Actual Loss
$0 — Transfer blocked
Incident Date
May 14, 2026
Report Date
May 14, 2026 · 14:30 UTC
Target
j.whitfield@ficsit-pioneer.corp
Impersonated
Marcus Reynolds — CEO, Ficsit Corp
Section 01
Executive Summary
Financial loss: $0
Requested transfer: $47,500
BEC confidence score: 97%
Email disposition: Blocked
SOAR playbook triggered: 1
Detection time: <2 min

On May 14, 2026, the Ficsit Inc. Pioneer Division email gateway intercepted and blocked a Business Email Compromise (BEC) attempt targeting j.whitfield (Finance Department) using CEO impersonation. The attacker sent an urgent wire transfer request from a personal Gmail address (m-reynolds-ceo@gmail.com) with the display name "Marcus Reynolds, CEO" — impersonating Ficsit Corp's CEO, Marcus Reynolds. The request demanded an immediate $47,500 USD transfer to an account belonging to "Trident Capital Partners LLC" under the pretext of a confidential acquisition that "cannot go through normal procurement."

Foyl MailGuard detected the email as BEC with 97% confidence based on multiple signals: a spoofed display name mismatching the legitimate marcus.reynolds@ficsit-corp.com domain, a Gmail origin address inconsistent with executive communications policy, extreme financial urgency and secrecy framing, absent DMARC authentication, a wire transfer request bypassing approval workflows, and a request to process "today, before 17:00." The email was automatically quarantined and SOAR playbook PB-008 (BEC Wire Fraud Prevention) was triggered.

No funds were transferred. j.whitfield was not aware of the email as it was blocked before inbox delivery. The CEO (Marcus Reynolds) confirmed he did not send the email and was unaware of any ongoing acquisition involving Trident Capital Partners LLC. The fraudulent recipient account and Trident Capital Partners LLC are under investigation by the Finance team and, if confirmed fraudulent, will be reported to law enforcement.

Outcome
This incident is classified as a blocked attempt with no financial loss. The BEC detection capability successfully prevented what could have been a $47,500 loss. The incident does not indicate any account compromise — it was a purely social-engineering attack using an external Gmail account. However, the attacker's use of the CEO's name and role demonstrates prior OSINT on Ficsit's executive structure.
Section 02
Incident Overview
Incident ID: BEC-001
Email Threat ID: THREAT-002
SOAR Case: CASE-2024-0205
Attack Type: Business Email Compromise (BEC) — CEO / Executive Impersonation
Sub-Type: Wire Fraud via CEO Impersonation
Severity: High — Financial fraud attempt
Status: Closed — No financial loss; blocked by gateway
Attacker Email: m-reynolds-ceo@gmail.com
Display Name: Marcus Reynolds, CEO (spoofed)
Legitimate CEO Email: marcus.reynolds@ficsit-corp.com
Target: j.whitfield@ficsit-pioneer.corp (Finance Department)
Subject Line: "Urgent — Wire Transfer Required Today"
Requested Amount: $47,500 USD
Recipient Account: Trident Capital Partners LLC (account/routing numbers pending investigation)
Pretext: Confidential acquisition — "cannot go through normal procurement"
Urgency Framing: Process "today, before 17:00" / "extremely time-sensitive"
BEC Confidence Score: 97% (MailGuard AI classifier)
Email Disposition: QUARANTINE — not delivered to inbox
Email Authentication: SPF FAIL, DKIM FAIL, DMARC FAIL
Detection Time: May 14, 2026 · 11:42 UTC
Financial Loss: $0 — transfer never initiated
CEO Verification: Confirmed — CEO did not send email; no acquisition in progress
Law Enforcement: Pending — Finance team reviewing recipient account details
Section 03
Timeline of Events
Prior · Recon
Attacker conducts OSINT on Ficsit Inc. corporate structure. Ficsit Corp website, LinkedIn, and press releases list Marcus Reynolds as CEO. j.whitfield's email is identifiable from public procurement/invoicing contacts or corporate directory. Attacker constructs a scenario likely to trigger urgent compliance from Finance staff.

11:42 UTC · Delivery Attempt
THREAT-002 received by Ficsit MailGuard. Sender: m-reynolds-ceo@gmail.com, display: "Marcus Reynolds, CEO". Recipient: j.whitfield@ficsit-pioneer.corp. Subject: "Urgent — Wire Transfer Required Today." BEC classifier scores 97%. SPF FAIL, DKIM FAIL, DMARC FAIL. Gmail free tier, no Ficsit domain association. Email quarantined immediately — not delivered to inbox.

11:42 UTC · Automated Response
SOAR PB-008 (BEC Wire Fraud Prevention) triggered automatically on quarantine. Playbook begins multi-step response within seconds of detection.

11:43 UTC · SOAR Step
PB-008 Step 1: Finance team notified of blocked wire transfer attempt targeting j.whitfield's account. Finance manager alerts department: do not process any wire transfer requests received by email without dual out-of-band verification.

11:44 UTC · SOAR Step
PB-008 Step 2: sender domain gmail.com and originating IP submitted to threat intelligence for cross-reference. No prior incidents tied to this specific Gmail account, but the M.O. is consistent with tracked BEC actor group "PHANTOM LEDGER" (medium confidence).

11:50 UTC · Verification
Analyst phones CEO Marcus Reynolds directly using contact details from internal directory (not from the email). CEO confirms: no wire transfer requested, no acquisition involving Trident Capital Partners LLC, email not sent by CEO or on behalf of CEO. CEO flagged to Legal.

12:10 UTC · SOAR Step
PB-008 Step 4: Gmail address m-reynolds-ceo@gmail.com added to email blocklist. All Finance staff receive BEC awareness reminder. j.whitfield briefed and confirmed they did not see or respond to the email before it was blocked.

12:30 UTC · Investigation
Finance team begins investigation into Trident Capital Partners LLC and the provided bank account / routing numbers to determine if they represent a known fraud entity. FBI IC3 report being prepared.

14:30 UTC · Closure
BEC-001 closed. No financial loss. All containment steps complete. Post-incident review scheduled. Recommendations drafted.
Section 04
Technical Analysis
4.1 Email Delivery and Authentication Failures

The BEC email was sent from a free-tier Gmail account (m-reynolds-ceo@gmail.com) chosen so that, when a mail client shows only the display name rather than the address, the message visually approximates the CEO's identity. No SPF, DKIM or DMARC check passed for ficsit-corp.com, the legitimate CEO domain, because no message was ever sent from it. Gmail's own SPF and DKIM records do pass for gmail.com, and since standard DMARC evaluates the domain of the RFC 5322 From address (here gmail.com), the dmarc=FAIL recorded in the header analysis below reflects MailGuard's alignment check of the claimed executive domain (ficsit-corp.com) against the authenticated sending domain. A pass for gmail.com provides no authenticity guarantee regarding who the sender actually is.

Email Header Analysis — THREAT-002
From: "Marcus Reynolds, CEO" <m-reynolds-ceo@gmail.com>
To: j.whitfield@ficsit-pioneer.corp
Subject: Urgent — Wire Transfer Required Today
Date: Wed, 14 May 2026 11:42:07 +0000
Message-ID: <CA+m-reynolds-bec-20260514@mail.gmail.com>
X-Originating-IP: [209.85.220.41]   (Google mail server — no attacker IP exposed)
X-Mailer: Gmail

Authentication-Results: mx.ficsit-pioneer.corp;
  spf=pass (sender SPF valid for gmail.com) smtp.mailfrom=gmail.com;
  dkim=pass (Google DKIM for gmail.com);
  dmarc=FAIL (policy=reject) header.from=ficsit-corp.com   [MISMATCH]

Note: DMARC FAIL because "From" domain claim (ficsit-corp.com display intent)
does not align with authenticated sending domain (gmail.com).
BEC-confidence: 97%  [MailGuard AI + rule combination]
4.2 Social Engineering Techniques

The email body employed multiple BEC-standard psychological manipulation techniques:

Technique | Observed Behavior | Psychological Effect
Authority | Impersonated CEO — highest authority figure in the org | Reduces likelihood of questioning or verification
Urgency | "Wire Transfer Required Today" / "before 17:00" / "extremely time-sensitive" | Compressed decision window; bypasses normal deliberation
Secrecy | "cannot go through normal procurement" / "keep this confidential" | Preempts consultation with colleagues or manager
Plausibility | Acquisition framing — M&A wire transfers are a known legitimate scenario | Reduces skepticism by fitting a believable business context
Authority leverage | Implied CEO disappointment if not handled immediately | Fear of career consequences for non-compliance
Channel isolation | Personal Gmail used to avoid corporate email security | Attacker expects target to assume authenticity from display name
4.3 Detection Signals

MailGuard's BEC classifier flagged THREAT-002 using a combination of rule-based signals and AI classification:

Signal | Value | Weight
Display name impersonation | Display name matches CEO; sending domain is gmail.com | High
DMARC failure | From: domain mismatch — gmail.com vs ficsit-corp.com | High
Free email provider | Gmail — not consistent with executive communications | Medium
Financial urgency keywords | "Wire Transfer," "$47,500," "today," "before 17:00" | High
Secrecy instruction | "cannot go through normal procurement," "keep confidential" | High
No prior relationship | m-reynolds-ceo@gmail.com never in prior communications | Medium
BEC AI confidence | 97% — well above 85% quarantine threshold | Decisive
Section 05
MITRE ATT&CK Mapping
Tactic | Technique | ID | Observed Behavior
Reconnaissance | Gather Victim Identity Info | T1589 | CEO name and role obtained via public OSINT (website, LinkedIn, press releases)
Initial Access | Phishing: Spearphishing via Service | T1566.003 | BEC email sent via Gmail (external service) with spoofed display name
Social Engineering | Impersonation | T1656 | CEO identity impersonated via display name spoofing
Impact | Financial Theft | T1657 | $47,500 wire transfer requested to fraudulent recipient — blocked before execution
Section 06
IOC Inventory
Type | Value | Confidence | Description
Email | m-reynolds-ceo@gmail.com | Confirmed | Attacker-controlled Gmail used to impersonate CEO Marcus Reynolds. Blocklisted at email gateway.
Display Name | Marcus Reynolds, CEO | Confirmed | Spoofed display name. Any email using this display name from a non-ficsit-corp.com sending domain should be blocked.
Entity | Trident Capital Partners LLC | High | Fraudulent wire transfer recipient. Under investigation by Finance team. Likely fictitious shell entity used for wire fraud.
Bank Account | Trident Capital Partners — account pending | High | Account/routing details provided in email body. Under active investigation. Do not transfer funds to this account.
Section 07
Containment Actions
Time | Action | By | Status
11:42 UTC | Email quarantined by MailGuard — not delivered to j.whitfield inbox | MailGuard (automated) | Completed
11:42 UTC | SOAR PB-008 triggered — BEC Wire Fraud Prevention | SOAR (automated) | Completed
11:43 UTC | Finance team alerted — no wire transfers to be processed without out-of-band CEO verification | SOAR PB-008 | Completed
11:50 UTC | CEO Marcus Reynolds contacted directly and confirmed email not sent by him | Security analyst | Completed
12:10 UTC | m-reynolds-ceo@gmail.com blocklisted at email gateway | SOAR PB-008 | Completed
12:10 UTC | BEC awareness reminder sent to all Finance staff | SOAR PB-008 | Completed
12:10 UTC | j.whitfield confirmed never saw the email; no action taken | Security analyst | Confirmed
12:30 UTC | Finance investigating Trident Capital Partners LLC / bank account | Finance team | In Progress
Pending | FBI IC3 report filed | Legal / Finance | Not Started
Pending | Display name spoofing rules strengthened for all C-suite names | Security | Not Started
Section 08
SOAR Response — PB-008

PB-008 (BEC Wire Fraud Prevention) was triggered at 11:42 UTC on detection of THREAT-002. The playbook executed the following steps:

Step | Action | Result
1 | Quarantine email in MailGuard (prevent inbox delivery) | Success
2 | Open SOAR case CASE-2024-0205 | Success
3 | Notify Finance manager with summary of blocked transfer request | Success
4 | Notify Security analyst for manual CEO verification call | Success
5 | Submit sender email to threat intelligence enrichment | Success (no prior hits)
6 | Block sender address at email gateway | Success
7 | Send BEC awareness reminder to Finance Department | Success
8 | Create post-incident awareness task in Queue (IR-010) | Success
Section 09
Root Cause Analysis
Root Cause

BEC-001 was a purely social-engineering attack requiring no technical compromise — the attacker needed only a Gmail account and publicly available knowledge of Ficsit's CEO name. The attack was fully blocked by automated controls and did not succeed. However, the fact that it came very close to reaching the target's inbox (blocked only by MailGuard's BEC classifier) means the following contributing factors are worth addressing:

C1
Absence of Dual Authorization Policy for Wire Transfers
Finance staff have the ability to process wire transfers on the basis of an email request alone, with no mandatory out-of-band CEO verification step for unusual or large transfers. A written policy requiring a secondary verification phone call to a pre-registered CEO number for any transfer request originating outside normal procurement would have made this attack unsuccessful even if the email had been delivered.
High
C2
Public Exposure of Finance Staff Email Addresses
j.whitfield's email address was identifiable by the attacker via public sources (corporate directory, procurement contacts, or OSINT). Limiting the public exposure of Finance staff email addresses reduces targeting surface for BEC campaigns.
Medium
C3
No Display-Name Spoofing Rules for C-Suite Identities
While MailGuard's AI classifier caught this, there were no explicit gateway rules blocking emails where the display name matches an executive name but the sending domain is external (gmail.com, yahoo.com, etc.). Such rules would provide a deterministic rather than probabilistic control.
Medium
Section 10
Recommendations
R1
Implement Wire Transfer Dual Authorization Policy
Establish a written, enforced policy: any wire transfer request received via email (regardless of apparent sender) exceeding $5,000 requires mandatory out-of-band verification via phone call to a pre-registered executive number before processing. CEO/CFO to sign off on all transfers above $25,000 via documented in-person or video confirmation.
Immediate
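As an added worked example (not Ficsit's own process), the R1 policy expressed as an approval gate in Python. The $5,000 and $25,000 thresholds are those stated in R1; the request and verification records, the pre-registered executive directory and the sample request are assumptions. The gate rejects a request backed only by the email, or by a call-back to a number the email itself supplied, and approves only when the directory number was dialled and a CEO/CFO confirmation is on record.

```python
"""Policy-as-code gate for R1 (wire transfer dual authorization).
Added example, not Ficsit's own process: the $5,000 / $25,000 thresholds
come from R1; the request model, the executive directory and the
verification record are assumptions."""
from dataclasses import dataclass, field

OOB_THRESHOLD_USD = 5_000            # R1: email-originated requests above this need a call-back
EXEC_SIGNOFF_THRESHOLD_USD = 25_000  # R1: above this, documented CEO/CFO confirmation

# Hypothetical pre-registered executive numbers: the only numbers a verifier may dial.
EXEC_DIRECTORY = {
    "marcus.reynolds": "+1-555-0100",
    "cfo": "+1-555-0101",
}


@dataclass
class WireRequest:
    amount_usd: float
    channel: str                   # "email", "procurement_system", ...
    claimed_requester: str         # directory key of the executive the request claims to be from
    beneficiary: str
    callback_in_request: str = ""  # any phone number the request itself supplies


@dataclass
class Verification:
    kind: str                 # "phone", "video" or "in_person"
    number_dialled: str = ""  # for kind == "phone"
    exec_signoff: str = ""    # "ceo" or "cfo" when kind is "video" / "in_person"


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def evaluate(req: WireRequest, verifications: list) -> Decision:
    """Return approved=True only when every R1 control that applies is satisfied."""
    reasons = []

    if req.channel == "email" and req.amount_usd > OOB_THRESHOLD_USD:
        registered = EXEC_DIRECTORY.get(req.claimed_requester)
        # Only a call to the pre-registered number counts as out-of-band.
        good_calls = [v for v in verifications
                      if v.kind == "phone" and registered and v.number_dialled == registered]
        if not good_calls:
            reasons.append("no out-of-band phone verification via pre-registered number "
                           f"for '{req.claimed_requester}'")
        # A number taken from the request reaches whoever wrote the request.
        if req.callback_in_request and any(
                v.kind == "phone" and v.number_dialled == req.callback_in_request
                for v in verifications):
            reasons.append("call-back used a number supplied in the request itself")

    if req.amount_usd > EXEC_SIGNOFF_THRESHOLD_USD:
        signed = [v for v in verifications
                  if v.kind in ("video", "in_person") and v.exec_signoff in ("ceo", "cfo")]
        if not signed:
            reasons.append("no documented CEO/CFO sign-off (video or in person) "
                           f"for transfer above ${EXEC_SIGNOFF_THRESHOLD_USD:,}")

    return Decision(approved=not reasons, reasons=reasons)


# Constructed request mirroring BEC-001 (amount and beneficiary from the report;
# the call-back number is invented).
BEC_001_REQUEST = WireRequest(
    amount_usd=47_500, channel="email", claimed_requester="marcus.reynolds",
    beneficiary="Trident Capital Partners LLC", callback_in_request="+1-555-0199",
)

if __name__ == "__main__":
    # Email alone: both controls fail.
    print(evaluate(BEC_001_REQUEST, []))
    # Call-back to the number in the email: still rejected.
    print(evaluate(BEC_001_REQUEST, [Verification("phone", number_dialled="+1-555-0199")]))
    # Directory call-back plus documented CEO video confirmation: approved.
    print(evaluate(BEC_001_REQUEST, [Verification("phone", number_dialled="+1-555-0100"),
                                     Verification("video", exec_signoff="ceo")]))
```

The design point is that the gate never trusts contact details carried by the request: the verifier's dial target comes from the directory, exactly as the analyst did at 11:50 UTC, and a call to the email's own number is recorded as a policy violation rather than as evidence.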
R2
Deploy C-Suite Display Name Spoofing Block Rules
Create email gateway rules blocking any inbound email where the display name matches a configured C-suite identity list (CEO, CFO, CTO, COO, CISO, Legal Counsel) but the sending domain is not in the approved corporate domain list (ficsit-corp.com, ficsit-pioneer.corp).
High
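The following is an added example (not MailGuard's code) that illustrates, in Python, both the deterministic display-name rule proposed in R2 and C3 and the weighted signals listed in Section 4.3. The executive list, approved domains, keyword lists, the High/Medium weight mapping, the handling of the 85% threshold and the known-sender set are assumptions. The three sample messages are constructed from the headers quoted in this report with abridged bodies; the third (a forged ficsit-corp.com From address authenticated by an unrelated domain) is a case the report does not contain, added to show what the alignment check catches that the display-name rule alone does not.

```python
"""BEC gateway check combining the deterministic C-suite display-name rule
(R2 / C3) with the weighted signals of Section 4.3. Added example, not
MailGuard code: executive list, approved domains, keyword lists, weights and
the known-sender set are assumptions; samples are constructed from the
report's headers with abridged bodies."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical gateway configuration (assumed, not from the report)
EXECUTIVES = {"marcus reynolds"}                       # normalised C-suite names
APPROVED_DOMAINS = {"ficsit-corp.com", "ficsit-pioneer.corp"}
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_TERMS = ("wire transfer", "today", "before 17:00", "time-sensitive", "immediately")
SECRECY_TERMS = ("confidential", "normal procurement", "do not discuss")
TITLE_WORDS = {"ceo", "cfo", "cto", "coo", "ciso", "chief", "executive", "officer"}
WEIGHTS = {"high": 3, "medium": 1}       # assumed mapping of the report's High/Medium
QUARANTINE_THRESHOLD = 85                # percent, as stated in the report
KNOWN_SENDERS = {"marcus.reynolds@ficsit-corp.com"}   # assumed prior-relationship set


def normalise_name(display: str) -> str:
    """'Marcus Reynolds, CEO' -> 'marcus reynolds' (lower-case, no punctuation or titles)."""
    words = re.sub(r"[^\w\s]", " ", display.lower()).split()
    return " ".join(w for w in words if w not in TITLE_WORDS)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_rule(from_header: str) -> bool:
    """Deterministic R2 rule: executive display name on a non-corporate From address."""
    display, addr = parseaddr(from_header)
    return normalise_name(display) in EXECUTIVES and sender_domain(addr) not in APPROVED_DOMAINS


def authenticated_domain(auth_results: str) -> str:
    """Domain vouched for by a passing DKIM (preferred) or SPF result; simplified parsing."""
    m = re.search(r"dkim=pass[^;]*header\.i=@([\w.-]+)", auth_results)
    if not m:
        m = re.search(r"spf=pass[^;]*smtp\.mailfrom=([\w.-]+)", auth_results)
    return m.group(1).lower() if m else ""


def score_message(raw: str, known_senders: set = KNOWN_SENDERS) -> dict:
    """Score one RFC 5322 message; quarantine on threshold or on either hard rule."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    display, addr = parseaddr(from_header)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    authed = authenticated_domain(msg.get("Authentication-Results", ""))
    exec_name = normalise_name(display) in EXECUTIVES

    signals = {  # name: (fired, weight class)
        "display_name_impersonation": (display_name_rule(from_header), "high"),
        # The other shape: From address forged as ficsit-corp.com but authenticated
        # by some other domain (the alignment check discussed in 4.1).
        "exec_domain_misalignment": (exec_name and authed not in APPROVED_DOMAINS, "high"),
        "free_email_provider": (sender_domain(addr) in FREE_PROVIDERS, "medium"),
        "financial_urgency": (sum(t in text for t in URGENCY_TERMS) >= 2, "high"),
        "secrecy_instruction": (any(t in text for t in SECRECY_TERMS), "high"),
        "no_prior_relationship": (addr.lower() not in known_senders, "medium"),
    }
    hit = sum(WEIGHTS[w] for fired, w in signals.values() if fired)
    total = sum(WEIGHTS[w] for _, w in signals.values())
    score = round(100 * hit / total)
    hard_rule = signals["display_name_impersonation"][0] or signals["exec_domain_misalignment"][0]
    verdict = "QUARANTINE" if hard_rule or score >= QUARANTINE_THRESHOLD else "DELIVER"
    return {"score": score, "hard_rule": hard_rule, "verdict": verdict,
            "fired": sorted(k for k, (f, _) in signals.items() if f)}


# Constructed samples (headers from the report, bodies abridged; FORGED is invented).
THREAT_002 = """\
From: "Marcus Reynolds, CEO" <m-reynolds-ceo@gmail.com>
To: j.whitfield@ficsit-pioneer.corp
Subject: Urgent -- Wire Transfer Required Today
Authentication-Results: mx.ficsit-pioneer.corp;
  spf=pass smtp.mailfrom=gmail.com;
  dkim=pass header.i=@gmail.com

I need you to process a wire transfer today; it is extremely time-sensitive and
must be completed before 17:00. We are in the final stages of a confidential
acquisition that cannot go through normal procurement. Please wire $47,500 to
Trident Capital Partners LLC and keep this confidential until the deal is announced.
"""
LEGIT = """\
From: Marcus Reynolds <marcus.reynolds@ficsit-corp.com>
To: j.whitfield@ficsit-pioneer.corp
Subject: Q2 budget review
Authentication-Results: mx.ficsit-pioneer.corp;
  spf=pass smtp.mailfrom=ficsit-corp.com;
  dkim=pass header.i=@ficsit-corp.com;
  dmarc=pass header.from=ficsit-corp.com

Please send me the Q2 budget summary when you have a moment. Thanks.
"""
FORGED = """\
From: Marcus Reynolds <marcus.reynolds@ficsit-corp.com>
To: j.whitfield@ficsit-pioneer.corp
Subject: Urgent wire transfer
Authentication-Results: mx.ficsit-pioneer.corp;
  spf=fail smtp.mailfrom=bulk-sender.example;
  dkim=pass header.i=@bulk-sender.example;
  dmarc=fail header.from=ficsit-corp.com

Process a wire transfer today, before 17:00, for a confidential acquisition.
"""

if __name__ == "__main__":
    for name, raw in (("THREAT-002", THREAT_002), ("legit", LEGIT), ("forged", FORGED)):
        print(name, score_message(raw))
```

The forged sample scores only 64% on the weighted signals, below the 85% quarantine threshold, yet is quarantined because the executive-alignment hard rule fires; that is the deterministic-versus-probabilistic distinction C3 draws, and in production a DMARC p=reject policy on ficsit-corp.com would stop that shape of message before content scoring ran at all.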
R3
Run Annual BEC Phishing Simulation for Finance Staff
Finance staff are a primary BEC target. Conduct simulated BEC phishing exercises annually (minimum) targeting Finance staff with CEO impersonation scenarios. Measure click-through and transfer-initiation rates as proxy metrics. Provide targeted awareness training to those who fall for simulated BEC emails.
High
R4
File IC3 Report and Investigate Trident Capital Partners LLC
Submit a detailed report to the FBI Internet Crime Complaint Center (IC3) with all available information about the fraudulent entity: Trident Capital Partners LLC, the bank account and routing numbers, and the Gmail address used. This enables law enforcement cross-referencing with other BEC victims and may contribute to prosecution.
High
R5
Reduce Public Exposure of Finance Staff Email Addresses
Audit all public-facing Ficsit materials (website, press releases, procurement documents, LinkedIn) for Finance staff email address exposure. Replace publicly referenced Finance contacts with a generic procurement alias (procurement@ficsit-pioneer.corp) where possible.
Medium
Appendix A
Email Headers and Body — THREAT-002
THREAT-002 — Full Email Detail (as received by MailGuard)
BLOCKED · BEC 97%
--- HEADERS ---
From: "Marcus Reynolds, CEO" <m-reynolds-ceo@gmail.com>
To: j.whitfield@ficsit-pioneer.corp
Subject: Urgent -- Wire Transfer Required Today
Date: Wed, 14 May 2026 11:42:07 +0000 (UTC)
Message-ID: <CA+xyz8h4k2bec20260514@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Mailer: Gmail 2026.05
X-Originating-IP: [209.85.220.41]   (Google mail server)

--- AUTHENTICATION ---
Authentication-Results: mx.ficsit-pioneer.corp;
  spf=pass smtp.mailfrom=gmail.com (Google SPF — valid for gmail.com)
  dkim=pass header.i=@gmail.com (Google DKIM — valid for gmail.com)
  dmarc=FAIL (policy=reject) header.from=ficsit-corp.com
  reason: From domain ficsit-corp.com does not align with authenticated domain gmail.com
  [DISPLAY NAME MISMATCH] display "Marcus Reynolds, CEO" ≠ sending domain gmail.com

--- MAILGUARD ANALYSIS ---
BEC-confidence: 97%  [quarantine threshold: 85%]
BEC signals triggered:
  + CEO display name impersonation (display≠domain)
  + Wire transfer request content
  + Financial urgency ("today", "17:00")
  + Secrecy instruction ("keep this confidential")
  + No prior communication with sender
  + External free-tier email provider
Action: QUARANTINE  case=BEC-001  soar=PB-008

--- BODY ---
Subject: Urgent -- Wire Transfer Required Today

j.whitfield,

I need you to process a wire transfer today — this is extremely time-sensitive
and must be completed before 17:00.

We are in the final stages of a confidential acquisition that cannot go through
normal procurement. Please wire $47,500 to:

  Recipient: Trident Capital Partners LLC
  Bank: First National Commerce Bank
  Account: [REDACTED FOR REPORT — on file with Finance]
  Routing: [REDACTED FOR REPORT — on file with Finance]

Please keep this confidential until the deal is announced. I will explain
everything on Monday.

Marcus Reynolds
Chief Executive Officer, Ficsit Corp
m-reynolds-ceo@gmail.com

[Note: Using personal email — corporate IT has been having issues today]