Workplace & Gig Economy Threats
Workplace fraud does not require breaking into systems. It requires one person to believe an email is legitimate and act on it before verifying.
The Invoice That Wasn't
The finance team at a mid-size logistics company processed supplier payments every Friday. One Wednesday, an email arrived from a long-standing vendor. Bank details had changed. Please update before the next payment run.
The email looked right. The name was right. The logo matched. The writing style matched.
One field was different: the email domain. The real vendor used .com. This email came from .net, a lookalike domain registered two weeks earlier.
The finance coordinator processed the update. The Friday payment of £87,000 went to an account the vendor had never heard of.
The vendor called on Monday. By then, the money had moved through three accounts and was largely unrecoverable.
What Is Actually Happening
$2.77B lost to Business Email Compromise in the US in 2024, the highest-loss cybercrime category for the sixth consecutive year.
Every one of these attacks impersonated a trusted person or organisation. No malware or technical breach was required in the majority of cases.
Source: FBI IC3 Annual Report, 2025
Average BEC Loss Exceeds $125,000
The median loss per BEC incident is $125,000. The top incidents exceed $5M. Vendor payment fraud and CEO impersonation account for the majority of cases. Recovery rates drop sharply after 24 hours.
Platform Account Takeover Surging
Gig platform accounts (Uber, Fiverr, Upwork, Deliveroo) represent income streams that are immediately exploitable after takeover. Attackers redirect earnings, run fraudulent orders, or sell accounts. Many workers have no recourse path when locked out.
Five Workplace Threat Vectors
Business Email Compromise and CEO Fraud
BEC attacks impersonate executives or trusted contacts to redirect payments or request credential resets. The attacker researches the target organisation via LinkedIn, company websites, and previous invoices before sending a message calibrated to look completely routine. The one verification step that defeats every BEC attack: call the person on a number already saved in your contacts, not any number in the email.
Vendor Payment Scams and Invoice Fraud
The vendor bank detail change is the most common BEC variant. A lookalike domain sends a plausible request at a plausible moment (typically just before a scheduled payment run). Domain lookalikes are registered weeks in advance. The writing style is copied from previous legitimate correspondence.
Gig Worker Account Takeover
Gig platform accounts are targeted because they represent immediate, liquid income. Attackers use phishing, credential stuffing, and SIM swap attacks. Once inside, they redirect payment destinations and, in some cases, run fraudulent transactions that get the legitimate worker banned from the platform.
Content Creator Impersonation and Hijacking
Verified social media accounts and YouTube channels with large audiences sell for significant sums. Creators are targeted with phishing disguised as brand partnerships, sponsorship offers, and platform notifications. Once an account is taken over, revenue, identity, and years of work disappear simultaneously.
Remote Worker and Home Office Vulnerabilities
Home routers are less frequently patched than corporate networks. Video call backgrounds accidentally reveal home addresses. Personal and work devices sharing a network create cross-contamination risk. Remote workers are also targeted by fake IT support requests that would be immediately identified as suspicious in an office environment.
Try It: The Vendor Invoice
You are a finance team member. A familiar supplier has emailed about updated bank details. What do you do?
What That Just Showed You
The email was designed to pass a quick look.
The domain was registered weeks in advance. The writing style was copied from previous legitimate correspondence. The request arrived at a predictable moment in the payment cycle. This is research-driven fraud, not opportunistic spam.
Visual checks fail at this level.
The human brain processes familiar brand names and writing styles before it reads character-by-character. Seeing ".net" instead of ".com" requires active, deliberate inspection. Under normal workload, that inspection rarely happens.
One phone call defeats the whole attack.
Calling the vendor on a number already saved in your system takes 60 seconds and breaks every variant of this fraud. The attack relies entirely on the payment being processed without that call being made.
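The lookalike-domain check and the "hold for a call" rule described above, as an added example that is not part of the original page: a small triage function that compares the sender's domain with a finance-maintained vendor allowlist, names the kind of mismatch (TLD swap, near-miss spelling, unknown), and holds any bank detail change request for out-of-band verification regardless of who it appears to come from. The vendor domains, keyword list and messages are constructed for the example, and the domain split assumes plain registrable domains without subdomains.

```python
# Added example (not from the page): flag lookalike sender domains and hold any
# payment-destination change for a callback on a number already on file.
from difflib import SequenceMatcher

# Constructed allowlist: the domains the real vendors send from.
KNOWN_VENDOR_DOMAINS = {"northhaul-logistics.com", "acme-pallets.co.uk"}

# Phrases that mark a payment destination change request.
BANK_CHANGE_TERMS = ("bank details", "new account", "updated account", "remittance")


def split_domain(domain):
    """Return (label, tld) for a plain registrable domain; assumes no subdomains."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def classify_sender(sender_domain):
    """Compare the sender's domain with the allowlist and name the mismatch."""
    sender_domain = sender_domain.lower()
    if sender_domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    s_label, s_tld = split_domain(sender_domain)
    for known in KNOWN_VENDOR_DOMAINS:
        k_label, k_tld = split_domain(known)
        if s_label == k_label and s_tld != k_tld:
            return "lookalike-tld"      # e.g. northhaul-logistics.net vs .com
        if SequenceMatcher(None, s_label, k_label).ratio() >= 0.85:
            return "lookalike-label"    # dropped/added/swapped characters in the name
    return "unknown"


def triage(sender_domain, subject, body):
    """Decide whether a message can be routed normally or must wait for a callback."""
    verdict = classify_sender(sender_domain)
    text = (subject + " " + body).lower()
    asks_bank_change = any(term in text for term in BANK_CHANGE_TERMS)
    if asks_bank_change:
        # Page's rule: no email, however legitimate, authorises a destination change.
        action = "hold: call vendor on the number already on file"
    elif verdict == "known":
        action = "route normally"
    else:
        action = "hold: sender not on vendor allowlist"
    return {"sender": verdict, "bank_change_request": asks_bank_change, "action": action}


if __name__ == "__main__":
    # Constructed message modelled on the story: right name and style, wrong TLD.
    print(triage("northhaul-logistics.net", "Updated bank details",
                 "Please update our bank details before Friday's payment run."))
```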
Three Things Worth Doing
1. Call to confirm any bank detail change, on a number you already have. No email, however legitimate it looks, is sufficient authorisation for a payment destination change. One call to the vendor on a number already in your records catches this attack every time.
2. Enable 2FA on all gig platform and creator accounts. Account hijacking is significantly harder with a hardware key or authenticator app. SMS-based 2FA is better than nothing but is vulnerable to SIM swap attacks.
3. Implement a payment change verification policy. For businesses: require dual authorisation for any payment destination change, with at least one confirmation via a pre-existing contact channel. This is the organisational version of the "call to verify" rule.
One Question Before You Continue
The BEC email the finance coordinator received came from a lookalike domain, .net instead of .com. Why did this still succeed, and what would have caught it?