By Jordan Polasek · July 17, 2026

A few months back, a small Houston professional services firm came to us after a scare that nearly cost them $47,000. Their office manager — sharp, detail-oriented, the kind of person who catches typos in contracts — almost wired that money to a criminal. She didn't fall for anything sloppy. She fell for something that looked exactly like her boss asking a normal favor. That's the part business owners underestimate, and it's why we're telling this story.

How the attack actually unfolded

The email arrived on a Thursday afternoon, timed for when people are tired and clearing their inbox before the weekend. It appeared to come from the firm's managing partner. The tone was right. It referenced a real vendor the firm used. It asked her to process a wire for an "urgent closing" and to keep it quiet because the deal was sensitive.

Nothing about it screamed fraud. The sender name matched. The signature matched. The only tell — and it was tiny — was that the reply-to address was a lookalike domain, one letter off from the real one. She'd started filling out the wire form when something felt off about the "keep this quiet" line. She picked up the phone and called the partner directly. He had no idea what she was talking about.

That phone call saved the firm $47,000. It shouldn't have come down to a gut feeling on a busy afternoon.

Why smart people get fooled

The attackers had done homework. They'd likely scraped the firm's website, LinkedIn, and public records to learn who the partners were, who handled money, and which vendors the firm worked with. This is called business email compromise, and it's one of the most expensive types of cybersecurity threat facing small businesses today — precisely because it doesn't rely on malware or hacking. It relies on trust.

There's no antivirus that stops an email asking a human to do their job. The defense is the human knowing what to look for and having permission to slow down. In our experience, that only happens when a company has trained its people and built simple verification habits into the workflow.

What we changed for this Houston firm

After the near-miss, we worked with them to put practical guardrails in place. None of it was expensive or complicated. Most of it was about habits and a few technical settings.

That last point matters more than the technology. The office manager did the right thing because she felt safe questioning her boss. If your team is afraid to ask "is this really you?", you've already lost your best defense.

Training is a program, not an event

One thing we tell every client: a single annual security video does almost nothing. Attackers change their tactics every few months, and people forget what they learned by lunch. Effective employee security training is ongoing, short, and tied to the real threats your industry sees. It's woven into how the business operates, not bolted on once a year to check a compliance box.

This is where working with a managed IT services partner pays off. We handle the phishing simulations, track who needs a refresher, keep the technical protections current, and turn near-misses like this one into teachable lessons for the whole team.

Your quick self-check

  1. Does everyone who touches money know to verify payment requests by phone?
  2. Is multi-factor authentication turned on for email and banking?
  3. Are external emails visibly flagged in your inbox?
  4. Has your team seen a phishing test in the last three months?
  5. Would an employee feel safe questioning a request from the boss?

If you answered "no" or "not sure" to any of these, you have a gap a criminal can walk through. The good news is these fixes are affordable and fast to deploy — far cheaper than a wire you'll never get back.

At BVTech, we help Houston-area small businesses build security training and protections that actually hold up in the real world. If this story hit close to home, reach out to our team and let's close the gaps before someone tests them for you.