BEC and corporate carding 2026: A silent theft of millions, where the victim supplies the details.

Professor


Business email compromise (BEC) attacks and corporate carding: how legal entities are hacked and cashed out through company accounts.

Business email compromise (BEC) attacks and corporate carding are no longer "hacking" in the classic sense. They are highly precise social engineering and controlled fraud operations aimed at companies' financial flows. In 2026, this is one of the most financially successful cybercriminal "businesses," with the average loss per incident amounting to hundreds of thousands of dollars, and the risk to the perpetrator significantly lower than with retail carding.

The Bottom Line: Why is business a lucrative target?

  1. Volumes: Transfers between legal entities are tens and hundreds of thousands of dollars, not $500 from an individual's card.
  2. Procedures: Despite regulations, in reality decisions are often made by real people, subject to influence, authority, and haste.
  3. Trust infrastructure: Within a company there is a hierarchy and delegation of authority that can be manipulated.
  4. Difficulty of cancellation: Bank transfers between legal entity accounts, especially in different countries, are almost impossible to cancel once executed.

Phase 1: Reconnaissance and Preparation (Not Hacking, But Research)

The goal is not to break the firewall, but to obtain a comprehensive picture of the company from open sources (OSINT).
  • Studying the structure: Through LinkedIn, the company website, and press releases, the financial hierarchy is revealed: CFO, financial director, head of procurement, accountant.
  • Communications analysis: The writing style of emails, signature templates, and internal jargon are studied (for example, what the accounting department is called internally: "finance," "accounting," or "FO").
  • Finding vulnerable chains: Who initiates payments? Who approves them? Who executes them? Where in the chain is the least resistance (e.g., an overloaded accountant, a new intern)?
  • Registration of look-alike domains: rnicrosoft.com instead of microsoft.com, mycompany-payments.com instead of mycompany.com.
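The look-alike domains listed above are exactly what an inbound-mail filter should catch before the message reaches the accountant. The following detector is an added example (not code from the original post); the homoglyph table and the domain names it is tested on are constructed for illustration.

```python
# Added example: flag sender domains that imitate a company's real domain,
# the way rnicrosoft.com imitates microsoft.com. Domain names are constructed.
from typing import Optional

# Characters and digraphs commonly swapped for visually similar ones (assumed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e"}


def normalize(label: str) -> str:
    """Collapse look-alike digraphs/characters so 'rnicrosoft' -> 'microsoft'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'mycompany-payments.com' -> 'mycompany-payments'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(sender_domain: str, legit_domains: list) -> Optional[str]:
    """Return why sender_domain resembles one of our domains, or None if it does not."""
    cand = registrable_label(sender_domain)
    for legit in legit_domains:
        if sender_domain.lower() == legit.lower():
            return None  # genuinely our own domain
        real = registrable_label(legit)
        if normalize(cand) == normalize(real):
            return f"homoglyph of {legit}"
        if edit_distance(cand, real) <= 1:
            return f"typosquat of {legit}"
        # mycompany-payments, mycompany-world: our name with an added token
        if cand.startswith(real + "-") or cand.endswith("-" + real):
            return f"extended form of {legit}"
    return None
```

Run it over the From: and Reply-To: domains of inbound mail and route any hit to a quarantine queue rather than the finance team's inbox.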

Phase 2: Infiltration and Compromise (Key Stage)

Scenario A: The Long Game of Email Compromise.
  • Method: The target employee (not a top manager, but a regular employee in the finance department) receives a phishing email (see Phishing 2.0) — supposedly a software update or satisfaction survey. They enter their corporate login and password.
  • Action inside: The attacker gains access to the mailbox. They don't change the password or send spam. They sit quietly and read for weeks or months.
  • Goal: Learn the processes, the language used, the invoice templates, and the schedule of manager absences (for example, "I'm on vacation" auto-replies). Wait for the right moment.

Scenario B: CEO Fraud.
  • Method: Create an email account whose address is as similar as possible to that of the real boss (for example, ceo@mycompany-world.com instead of ceo@mycompany.com).
  • Trigger: A time is chosen when the real CEO is on vacation or at a conference (checked via social media or an out-of-office auto-reply).
  • Message: The accountant receives an urgent email: "I'm in a meeting with investors and can't make calls. I need to make a transfer URGENTLY to close the deal. Our lawyer/partner has all the details. Report back when it's done." The "lawyer" (another fake account) then joins the chain and sends the bank details.

Scenario C: Compromise of correspondence with a counterparty (Vendor Fraud).
  • Method: It is not the victim company's email that is hacked, but its supplier's (for example, a construction company's).
  • Action: The attacker sees that the companies are exchanging messages about a real invoice for $150,000. At the right moment, they substitute their own bank details, mimicking an email from the supplier's accountant: "Please pay using the new details, as the invoice has been reissued."

Phase 3: Execution and Cashing Out (Operation at the Junction of Digital and Legal)

  • Transfer details: These are not personal cards, but accounts of controlled LLCs (shell companies), opened in the names of front men in the same country, or accounts of crypto exchangers/payment systems registered as legal entities.
  • Social engineering in a bank: If a payment raises questions, the "company CFO" calls and authoritatively confirms the transaction, citing a "secret deal."
  • Instant cash-out:
    1. Method 1 (within the country): As soon as the money arrives in the account of the shell LLC, it is immediately transferred to the accounts of other companies or withdrawn in cash from the bank's cash desk "for salary."
    2. Method 2 (international): Money is transferred through a chain of shell companies to jurisdictions with weak controls (Seychelles, Dominica) and cashed out or converted into cryptocurrency.
    3. Method 3 (crypto): Direct transfer of part of the funds to crypto exchange addresses with subsequent mixing.

Why is this so hard to stop? Differences from retail carding

  • Legitimacy at the first stage: From the bank's perspective, everything appears to be a standard intercompany payment under a contract. AML systems target individuals and money laundering schemes, not one-time transfers.
  • Human factor as a vulnerability: You can't enforce 2FA on every employee's decision. Authority pressure ("the CEO himself is asking for it") is stronger than any instructions.
  • Slow response: The company may only discover the loss days or weeks later, when the real supplier asks for payment. By this time, the money has already disappeared.
  • Problems with legal prosecution: The investigation requires cooperation between police forces in several countries and inquiries from banks, which takes months. By this time, the shell companies have already been dismantled.

Business Security in 2026: Processes Over Technology

  1. Multi-level payment verification: Mandatory verbal confirmation via a known phone number (not an email!) for any changes to bank details or large transfers. Use of hardware tokens to authorize payments in the bank client.
  2. Training not only rank-and-file employees but also top managers: The CEO must know that his name is the main tool of attack and never demand violations of financial procedures.
  3. Technical measures: DMARC/DKIM/SPF for email protection, dedicated communication channels with key partners, systems for monitoring unusual email activity (logins from new IPs, forwarding rules).
  4. A "carrot and stick" procedure: Clear regulations that set out personal financial liability for violations, while at the same time rewarding vigilance, even when a "deal breakdown" turns out to be a false alarm.
  5. Cyber insurance: the last line of defense, but it should not replace security.
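Point 3 above names two signals worth monitoring together: a login from a new IP and a newly created forwarding rule, which is the footprint of the "sit quietly and read" stage in Scenario A. The correlation below is an added example (not code from the original post); the audit-event format, the 24-hour window and the addresses are constructed, not a real mail platform's log schema.

```python
# Added example: raise a forwarding rule created shortly after a mailbox login
# from an IP that was not in that user's baseline. Events are constructed.
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed audit events: (ISO timestamp, user, action, detail)
EVENTS = [
    ("2026-03-02T08:01:00", "alice@mycompany.example", "login", "203.0.113.7"),
    ("2026-03-03T22:14:00", "alice@mycompany.example", "login", "198.51.100.22"),
    ("2026-03-03T22:20:00", "alice@mycompany.example", "rule_created", "forward:invoices@mail.example"),
    ("2026-03-04T09:00:00", "bob@mycompany.example", "login", "203.0.113.9"),
    ("2026-03-04T09:05:00", "bob@mycompany.example", "rule_created", "move:Newsletters"),
    ("2026-03-01T10:00:00", "carol@mycompany.example", "login", "192.0.2.44"),
    ("2026-03-05T10:00:00", "carol@mycompany.example", "rule_created", "forward:me@mail.example"),
]

# Constructed baseline: IPs each user has historically logged in from.
BASELINE = {
    "alice@mycompany.example": {"203.0.113.7"},
    "bob@mycompany.example": {"203.0.113.9"},
    "carol@mycompany.example": {"192.0.2.10"},
}


def parse(events):
    """Turn ISO timestamps into datetimes so events can be ordered and compared."""
    return [(datetime.fromisoformat(ts), u, a, d) for ts, u, a, d in events]


def suspicious_rules(events, baseline):
    """Return (user, rule, ip) for each forwarding rule created within WINDOW
    of that user's first login from an IP outside their baseline."""
    known = {u: set(ips) for u, ips in baseline.items()}
    new_ip_logins = {}  # user -> [(time, ip)] first sightings of unknown IPs
    hits = []
    for ts, user, action, detail in sorted(parse(events)):
        if action == "login":
            seen = known.setdefault(user, set())
            if detail not in seen:
                seen.add(detail)
                new_ip_logins.setdefault(user, []).append((ts, detail))
        elif action == "rule_created" and detail.startswith("forward:"):
            for t, ip in new_ip_logins.get(user, []):
                if timedelta(0) <= ts - t <= WINDOW:
                    hits.append((user, detail, ip))
                    break
    return hits
```

Alice is flagged (forward rule six minutes after a first-seen IP), Bob is not (his rule only moves newsletters), and Carol is not (her new-IP login is four days before the rule, outside the window); tune WINDOW and the baseline to your own login patterns.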

Conclusion: Business compromise is the pinnacle of carding evolution.

This is no longer an attack on technology, but an attack on trust, procedures, and the social dynamics within an organization. In 2026, successful BEC groups are highly organized cybercriminal syndicates with a clear division of roles: intelligence (OSINT), hackers (phishing), social engineers (correspondence handlers), logisticians (opening companies and accounts), and cash-out operators.

Antivirus software is not enough to combat this. A corporate culture of paranoid verification is required, where any exception to financial regulations, even signed by "the boss himself," is considered a hostile act until proven otherwise by an independent and predetermined method. In this game, the winner is not the one with the best software, but the one with the strongest discipline and the least blind trust in digital emails and signatures.