Attackers Can Insert Themselves into Your Email Threads

In 2026, you should know how dangerous it is to click links or open attachments in emails from unknown senders.

But attacks are rapidly evolving to the point where bad actors can now compromise a Microsoft account, insert themselves into your email discussions and request a change to banking information without you even thinking twice about it.

This very real scenario recently happened to one of our clients’ customers. Luckily, we realized what was happening before money was sent to an attacker.

Let’s examine how this kind of attack works, how we found out it was fake and what you can do to protect yourself and your organization in similar incidents.

Attack Background

A client reached out to our CPA division for help with its business entity. It’s a common client request.

The parties go back and forth — over several weeks — as the CPA firm answers questions and the client provides necessary documentation. Eventually, the firm discovers the client is owed a refund for an extra payment.

The client emails its banking information, and that’s when the attacker strikes.

The “client” sends another email about 24 hours later, telling the firm to disregard the old banking information and instead send the payment to the new account.

However, it wasn’t the client who sent the email about the new banking information; it was an attacker who had compromised the client’s account.

But that simple request to change banking details was enough for us to question its legitimacy.

Request to Change Banking Information is a Red Flag

For years, attackers have compromised vendor accounts and requested changes to banking information to receive payments. If anyone asks for a change to banking information over email, it’s a red flag.

What’s different about this specific attack is they didn’t make this request out of the blue. It was during an ongoing discussion that had spanned several emails, and the attacker found an opportunity to subtly strike.

The account compromise likely occurred months ago, and the attacker set up a rule to send a banking change email whenever there was any mention of account numbers.

Additionally, there was no shift in tone from the other emails sent. Generally, phishing emails contain:

• A sense of urgency
• Bad grammar
• Uninitiated messages

This email had none of those major red flags you usually spot in a phishing attack.

When trying to determine if an email is legitimate, ask yourself these four questions:

1. Did the message arrive unexpectedly?
2. Is it the first time the sender has asked you to perform the requested action?
3. Does the request include a stressor, such as “you need to do this now?”
4. Can performing the request harm your interests?

If you answer “yes” to all these questions, you should go out of your way to confirm the request is legitimate. In this instance, we could only answer “yes” to No. 4.

Our CPA firm sometimes issues refunds to clients, so it’s not unusual to see this request.

Key Takeaway and How to Protect Yourself

Your organization shouldn’t rely on email alone for any banking or direct deposit changes.

Instead, you should:

• Verbally verify any change to ACH, refunds or direct deposit information
• Call the client or employee using a known phone number (not one provided in an email)

Emails can serve as documentation, but they cannot serve as verification.

It might seem silly to call someone you’ve been corresponding with over email to verify a request, but extra time to confirm could save your organization from a nightmare scenario.

Stay Alert, Stay Secure

We avoided a major catastrophe, but you might not.

Unfortunately, email compromises happen weekly. Even well-trained teams can miss it because there are sometimes no visible warning signs.

Not sure if your current processes would catch this attack? Contact us to request a security assessment, during which we’ll identify gaps in your company’s protection.

Stay updated! Get tips and insights delivered to your inbox weekly by subscribing to our newsletter.