The Swiss National Cyber Security Centre's Week 19 alert, published on 5 May 2026, identifies a coordinated Business Email Compromise campaign that has caused CHF 2.3 million in confirmed wire transfer losses across three Swiss SMEs. Unlike mass-phishing operations, this campaign is surgical: attackers gain access to a legitimate supplier's email account, monitor live payment conversations, and intervene at the precise moment a wire transfer is being processed — substituting the correct IBAN with one under their control. The scale of individual losses — ranging from CHF 670,000 to CHF 890,000 per incident — underscores that BEC is no longer a problem confined to large corporations. Swiss SMEs operating in manufacturing, logistics, and distribution are now primary targets.
The Attack Methodology
Supplier Account Compromise via Credential Phishing
The campaign begins upstream, outside the victim organisation. Attackers target the email infrastructure of a trusted supplier — a company with an established payment relationship with the intended victim. Initial access is typically achieved through credential phishing directed at the supplier's staff: a convincing email impersonating a courier notification, a software licence renewal, or a shared document link harvests Microsoft 365 or Google Workspace credentials. Once the supplier account is compromised, the attacker has a persistent, authenticated presence inside a legitimate business email environment. There are no malware signatures to detect, no anomalous login from an impossible geography if a VPN is used, and no indication to the victim organisation that anything is wrong — because nothing visible has changed on their side.
Payment Thread Monitoring and Interception
With access to the supplier's inbox established, the attacker does not act immediately. Instead, they configure mail rules to forward copies of incoming and outgoing messages to an external address, then monitor the account passively — sometimes for weeks. They are looking for a specific trigger: an active email thread discussing a pending or upcoming payment. In the manufacturing and logistics context, these threads are routine: purchase order confirmations, delivery notifications cross-referenced with invoices, and requests to confirm payment details before a wire is released. When a suitable thread is identified, the attacker waits for the moment the victim organisation requests confirmation of banking details, or sends a message indicating a payment is imminent, before intervening.
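The forwarding rules described above are something a supplier can audit for in its own mailboxes. The following is an added example, not part of the NCSC alert: it scans an inbox-rule export for rules that forward or redirect mail outside the organisation. The field names follow Exchange Online's Get-InboxRule output; the export shape, the domains and every rule value are constructed assumptions.

```python
import re

# Assumption: the domains the mailbox owner controls; anything else is external.
INTERNAL_DOMAINS = {"supplier.example"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
SMTP_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

# Constructed sample: field names follow Get-InboxRule, all values are invented.
RULES = [
    {"Mailbox": "accounts@supplier.example", "Name": "Invoices to folder",
     "Enabled": True, "MoveToFolder": "Invoices"},
    {"Mailbox": "accounts@supplier.example", "Name": "Copy to finance", "Enabled": True,
     "ForwardTo": ['"Finance" [SMTP:finance@mail.supplier.example]']},
    {"Mailbox": "accounts@supplier.example", "Name": "sync", "Enabled": True,
     "ForwardTo": ['"archive@mailbox-sync.example" [SMTP:archive@mailbox-sync.example]']},
    {"Mailbox": "sales@supplier.example", "Name": "old redirect", "Enabled": False,
     "RedirectTo": ['"Backup" [SMTP:Backup@Relay-Host.example]']},
]

def is_internal(domain, internal=INTERNAL_DOMAINS):
    """Exact or subdomain match; a plain substring test would be too loose."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in internal)

def external_targets(rule, internal=INTERNAL_DOMAINS):
    """External addresses that a single rule forwards or redirects mail to."""
    hits = set()
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            for m in SMTP_ADDR.finditer(entry):
                if not is_internal(m.group(1), internal):
                    hits.add(m.group(0).lower())
    return sorted(hits)

def audit(rules, internal=INTERNAL_DOMAINS):
    """Map (mailbox, rule name) to its external targets and enabled state."""
    report = {}
    for rule in rules:
        targets = external_targets(rule, internal)
        if targets:
            report[(rule["Mailbox"], rule["Name"])] = {
                "targets": targets, "enabled": bool(rule.get("Enabled", True))}
    return report

if __name__ == "__main__":
    for key, finding in audit(RULES).items():
        print(key, finding)
```

Disabled rules are reported as well, so a reviewer can ask when and by whom they were created.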
Wire Transfer Redirect with Convincing IBAN Substitution
Interception is executed by replying within the existing email thread from the compromised supplier account. The attacker's reply is indistinguishable from a genuine supplier message: it arrives from the correct address, references prior conversation history, uses the supplier's email signature, and may even mirror the supplier's writing style. The message explains — with a plausible reason such as a banking system migration, a new regional account, or an end-of-month reconciliation requirement — that payment must be directed to a new IBAN. The IBAN provided belongs to a mule account, typically in an EU jurisdiction, from which funds are rapidly moved onward. By the time the victim organisation identifies the fraud, the payment has cleared and the mule account has been emptied. Recovery through Swiss civil or criminal proceedings is possible in principle but rarely yields results within a timeframe that matters operationally.
Why Swiss Manufacturing and Logistics Are in the Crosshairs
The targeting of Swiss SMEs in manufacturing and logistics is not coincidental. Several structural characteristics of these sectors create the conditions BEC actors actively seek.
Supply chain payment volumes in Swiss manufacturing are substantial. Component procurement, tooling contracts, and logistics services involve regular wire transfers of five and six figures — large enough to make individual attacks highly profitable, yet small enough to fall below the enhanced scrutiny applied to seven-figure transactions. Attackers are calibrating their IBAN substitutions to amounts that will not automatically trigger a senior sign-off.
International supplier relationships are the norm. Swiss manufacturers routinely pay suppliers in Germany, Italy, Austria, and further afield. An IBAN for a Belgian or Dutch bank account does not raise an obvious flag when the supplier relationship is pan-European. The mule accounts used in this campaign are specifically registered in EU jurisdictions to avoid raising suspicion.
Invoice culture in the sector is email-heavy and largely unencrypted. Payment instructions are exchanged over standard SMTP, with no signing or encryption, making thread content fully accessible to anyone with mailbox access. There is no cryptographic mechanism in standard email that would allow a recipient to verify that a payment instruction was written by the person claiming to send it.
Out-of-band verification is not standard practice in most Swiss SMEs. Unlike the financial sector — where callback verification for large wire transfers has been institutionalised under FINMA guidance — many manufacturing and logistics finance teams operate without a mandatory secondary confirmation step for changed banking details. The attacker is exploiting a procedural gap, not a technical one.
Key Takeaway
Business Email Compromise succeeds because it exploits trust, not technology. The attacker sends a message from a real account, within a real conversation, to a real counterpart. No email security gateway or endpoint agent will flag it. The only reliable defence is a procedural control: verify every new or changed IBAN by telephone — using a number independently sourced, not one provided in the email — before releasing payment. This single control would have prevented all three confirmed cases in the NCSC's Week 19 alert.
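The telephone verification control can be backed by a payment-release check in the accounts-payable workflow. The following is an added example, not part of the NCSC alert: it extracts IBANs from a payment e-mail, validates them with the ISO 13616 mod-97 check, compares them with the vendor master record, and holds the payment for a callback whenever they differ. The vendor record, phone numbers and message are constructed; the IBANs are public documentation examples.

```python
import re

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")

# Constructed vendor master record; the IBAN is the public German documentation
# example and the phone number is a placeholder.
MASTER = {"V-1001": {"name": "Supplier GmbH", "iban": "DE89370400440532013000",
                     "callback_phone": "+49 30 5550 0100"}}

def normalise(iban):
    return re.sub(r"\s+", "", iban).upper()

def iban_valid(iban):
    """ISO 13616: move the first 4 chars to the end, map A-Z to 10-35, mod 97."""
    s = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def review_instruction(vendor_id, body, master=MASTER):
    """Decide whether a payment e-mail may be paid against the IBAN on file."""
    record = master[vendor_id]
    on_file = normalise(record["iban"])
    reasons = []
    for found in sorted({normalise(m) for m in IBAN_RE.findall(body)}):
        if found == on_file:
            continue
        if not iban_valid(found):
            reasons.append(f"invalid-checksum:{found}")
        else:
            reasons.append(f"changed-iban:{found}")
            if found[:2] != on_file[:2]:
                reasons.append(f"country-change:{on_file[:2]}->{found[:2]}")
    if not reasons:
        return {"action": "release", "pay_to": on_file, "reasons": []}
    # The callback number comes from the master record, never from the e-mail.
    return {"action": "hold-for-callback", "pay_to": None,
            "callback": record["callback_phone"], "reasons": reasons}

# Constructed message in the style the alert describes.
HIJACKED = """Re: Invoice 4471 - payment confirmation
Due to a banking system migration please use our new account:
IBAN: NL91 ABNA 0417 1643 00
Questions? Call our accounts desk on +31 20 555 0199.
"""
```

A match that runs on into a following uppercase token fails the checksum and therefore also lands in the hold path.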
The Three Confirmed Cases
The NCSC's Week 19 alert describes three confirmed incidents, all following the same attack pattern. Details have been anonymised.
Case 1 — Machine Tool Manufacturer, CHF 890,000. A mid-sized Swiss machine tool manufacturer was in the process of settling a large outstanding invoice with a German component supplier. During the payment confirmation thread, the attacker — operating from the compromised supplier account — requested that payment be redirected to a new IBAN, citing an internal banking restructuring. The finance team processed the wire transfer without telephone verification. The loss of CHF 890,000 was identified only when the genuine supplier followed up on the outstanding invoice several days later.
Case 2 — Freight Forwarder, CHF 740,000. A Swiss freight forwarding company regularly settled freight charges with an Eastern European logistics partner. An attacker who had compromised the logistics partner's email account monitored correspondence for approximately three weeks before intervening in a thread relating to a consolidated quarterly settlement. The substituted IBAN was for an account at a Dutch payment institution. CHF 740,000 was transferred before the substitution was discovered. The Dutch account had been emptied within hours of receipt.
Case 3 — Food Distributor, CHF 670,000. A Swiss food distribution company with an established supplier relationship in Northern Italy received what appeared to be a routine request from the Italian supplier to update banking details ahead of a large seasonal payment. The request arrived from the supplier's genuine email domain and referenced a prior invoice by number. CHF 670,000 was transferred to the substituted account. The Italian supplier's email account had been compromised via a credential phishing attack targeting their Microsoft 365 environment approximately six weeks earlier.
What Swiss Organisations Must Do Now
- Implement mandatory out-of-band IBAN verification by telephone for every first payment and every changed payment instruction. Call a contact number sourced independently — from a previous contract, the company's official website, or a prior verified communication — never a number provided in the same email requesting the change. This procedural control is the single most effective measure against BEC and would have prevented all three cases in this alert.
- Enforce DMARC at your own domain, and verify it for your key suppliers. Configure your domain with a DMARC policy of p=reject to prevent attackers from spoofing your domain in messages to others. Check whether your critical suppliers have equivalent protection using a DMARC lookup tool — a supplier without DMARC enforcement is a higher-risk counterpart.
- Enable external sender banners in your email client for all inbound messages. Configure Microsoft 365 or Google Workspace to display a visible warning on every email arriving from outside your organisation. Even when an attacker operates from a compromised supplier account, this banner reminds recipients that the message originated externally and warrants additional scrutiny for payment instructions.
- Conduct targeted awareness training for finance teams specifically on payment thread hijacking. General phishing awareness training does not cover BEC. Finance staff must understand that a fraudulent payment request can arrive from a genuine email address, within a genuine ongoing conversation, with no visible indicators of compromise. Training scenarios should simulate this exact pattern: a familiar supplier, an existing thread, a plausible reason for an IBAN change.
- Report incidents and suspicious activity to the NCSC immediately at report.ncsc.admin.ch. Early reporting allows the NCSC to coordinate with financial institutions to attempt recall of fraudulent transfers before funds are moved onward, and contributes to the intelligence picture that enables alerts like Week 19. Time is critical: wire recall success rates drop sharply after the first 24 hours.
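For the DMARC recommendation in the list above, the following added example (not part of the NCSC alert) shows what separates an enforced p=reject policy from a record that merely exists. It grades the TXT answers published at _dmarc.<domain> using the RFC 7489 tags v, p, sp and pct. The supplier domains and records are constructed, and the grade names are this example's own.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split one TXT string into DMARC tags; None if it is not a DMARC1 record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags.setdefault(key.strip().lower(), value.strip())
    return tags

def assess(txt_records):
    """Grade the TXT answers published at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not records:
        return "no-dmarc"
    if len(records) > 1:
        return "invalid:multiple-records"  # receivers apply no policy here
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return "invalid:policy"
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        return "invalid:pct"
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "none":
        return "monitor-only"
    if policy == "reject" and subdomain_policy == "reject" and int(pct) == 100:
        return "enforced"
    return "partial"

# Constructed TXT answers for hypothetical supplier domains.
SUPPLIERS = {
    "supplier-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@supplier-a.example"],
    "supplier-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@supplier-b.example"],
    "supplier-c.example": ["v=DMARC1; p=reject; pct=20"],
    "supplier-d.example": ["v=spf1 -all"],
    "supplier-e.example": ["v=DMARC1; p=reject; sp=none"],
}

def grade_all(suppliers=SUPPLIERS):
    return {domain: assess(txt) for domain, txt in suppliers.items()}
```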