Cyber Grant Blog

#8 Cold case: How Pepco Lost $16.7M to a Single Email

Written by CyberGrant Team | May 19, 2026 4:33:22 PM

Inside the BEC Attack and the Defense Most Enterprises Still Don't Have


Budapest, February 2024. The email looks like it came from someone who belongs in the thread. A finance employee at Pepco Hungary opens it, reads the wire instructions, executes. Fifteen and a half million euros leave the company's accounts within hours.

This wasn't ransomware. It wasn't a network intrusion. It was an email, treated as trusted by default, with no out-of-band verification and no audit trail proving who actually sent it.

$16.7 Million Out, One Email In

Pepco Group operates more than 4,800 discount retail stores across 21 countries under the Pepco, Poundland, and Dealz brands, with €1.9 billion in revenue in Q1 of fiscal 2024. Its Hungarian subsidiary runs 248 of those stores.

In a public disclosure on February 27, 2024, the company reported a cash loss of approximately €15.5 million (roughly $16.7 million at the time) before any potential recovery. Recovery prospects remain unclear. Pepco is working with its banking partners and law enforcement. No customer, supplier, or employee data was compromised.

Specialized security press converged on the same diagnosis. SecurityWeek and Help Net Security both identified the attack as a Business Email Compromise (BEC): a fraud in which an attacker manipulates an employee with payment authority into wiring funds to attacker-controlled accounts. The exact technical vector wasn't disclosed, but the playbook is well-documented. Social engineering through email. Manufactured urgency. A payment instruction that looks routine.

Pepco isn't an outlier. It's confirmation that the email channel remains the most profitable entry point for attackers targeting enterprises. According to the FBI's IC3 Annual Report 2025, global BEC losses reached $3.046 billion across 24,768 formal complaints in 2025, making BEC the second-largest category of cybercrime losses behind only investment fraud. Total cybercrime losses crossed $20 billion for the first time, with over one million complaints filed, the highest figure since IC3 began publishing.

Three Gaps No Firewall Could Close

A successful BEC isn't a technical incident. It's a process failure.

Email was trusted by default. No independent sender verification. No out-of-band confirmation for material payment instructions. For most enterprises, corporate email is still the only formal channel where wire instructions actually travel. NIS2, in force across the EU since October 2024, requires security measures proportionate to risk for operational communications. A €15.5 million wire executed on the strength of a single unclassified email doesn't meet any reasonable reading of "proportionate." The US equivalent, internal controls under SOX Section 404, sets the same bar in different language: the control failed.

The payment document traveled with no protection of its own. In a BEC attack, the artifact that closes the deal is almost always an attachment: a modified invoice, a change-of-bank-details memo, a wire authorization with altered routing numbers. If that document isn't encrypted, classified, and tagged at creation, there's no way to distinguish an authentic file from one tampered with downstream.

Dual approval on wires didn't catch it. Segregation of duties for payments above threshold is foundational under the NIST Cybersecurity Framework's "Protect" function and a baseline expectation in any SOC 2 audit. Public reporting doesn't clarify what approval policies were in force at the Hungarian subsidiary, but the outcome speaks for itself.

The market data sets the scale. According to the IBM Cost of a Data Breach Report 2025, the global average cost of a phishing-originated breach is $4.80 million. Phishing was the most common initial attack vector in 2025 (16% of all breaches) and one of the most expensive. Pepco's immediate loss was more than three times that average. The funds are almost certainly gone.


What Is Business Email Compromise (BEC)?

BEC is a financial fraud category in which an attacker uses email to impersonate a trusted counterparty (a CEO, a supplier, a banking contact, a finance colleague) and convinces an employee with payment authority to send funds, change banking details, or release sensitive data. Unlike ransomware, BEC leaves no malware on the network. The exploit is the trust the organization places in its inbox.

The FBI tracks five common variants:

  1. CEO fraud: the attacker impersonates an executive and pressures finance into an urgent wire
  2. Vendor fraud: the attacker impersonates a supplier and requests a change of payment account
  3. Account compromise: the attacker takes over a real internal mailbox and operates from inside
  4. Attorney impersonation: the attacker poses as outside counsel in a confidential matter
  5. Data theft: the attacker requests W-2s or payroll files instead of cash

The Pepco case fits the vendor or executive variant. The shared structure of all five: a legitimate-looking email, an authority cue, a payment action that bypasses normal verification.


The Email That Shouldn't Have Mattered

The Pepco attack is exactly the scenario EmailGrant and FileGrant are built for. Neither product would block the phishing attempt itself. A motivated attacker will always find a way to send an email. What changes is the operational value of that email. With financial communications governed and documents encrypted at the source, the attacker ends up operating in an environment where every message is verifiable, every file is tracked, and every payment instruction leaves a chain of custody that can't be forged from outside.

EmailGrant: The Email Channel Becomes a Governed Perimeter

EmailGrant is the secure messaging layer built into FileGrant. Messages stay encrypted on the platform. They never traverse external mail servers. Every access is logged by user, IP, and timestamp. Recipients without a FileGrant account authenticate through an OTP delivered by email. Programmable expiration closes a message at the set date even if it is open at that moment. Post-delivery revocation pulls a message back with one click.

For Pepco, the application is specific. The company can establish by policy that sensitive financial communications (payment requests, bank detail confirmations, wire instructions) travel exclusively through this channel. A request landing in a standard corporate inbox doesn't get processed, no matter what it says. The perimeter doesn't depend on an individual employee's vigilance. It depends on the rule.

An external attacker who sends fraudulent instructions through ordinary email runs into a process where that type of communication produces no operational effect. Sender verification, open-event logging, and full IP and timestamp traceability make every exchange auditable. If something looks wrong, revocation can be applied even after delivery.

Concrete result: payment instructions leave the open email channel and enter a system where the sender is verified, every open is logged, and the content can be pulled back at any moment.

FileGrant: Invoices Are Born Encrypted, Not Inspected After the Fact

FileGrant encrypts files at the source with quantum-proof CRYSTALS-Kyber cryptography (the NIST post-quantum standard). Corporate tags override manual permissions: a document classified as "financial invoice" or "payment request" inherits the restrictions automatically. No download outside authorized devices. No opening outside permitted roles. Audit log on every interaction.

For Pepco, the leverage is twofold. Invoices and wire requests generated internally or received through verified flows carry the system's authenticity signature: encrypted, tagged, tracked from creation. An invoice arriving through ordinary email without that pedigree looks structurally different from a legitimate document. No analyst review required. The absence of tags and chain of custody is itself the anomaly signal, and the process catches it before execution.

Any financial document created inside FileGrant stays under control throughout its lifecycle. A file shared with a vendor or external advisor through Quick Share keeps the encryption active even after download. If the document is intercepted or ends up in the wrong hands, the contents are unreadable outside the authorized context.

Concrete result: the distinction between an authentic document and a tampered one doesn't depend on human eyes. It's structural. Every file born inside the system carries a verifiable chain of custody, and the ones that don't never enter the approval flow.
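The three gaps listed above (email trusted by default, a payment document with no protection of its own, dual approval that cannot tell a genuine attachment from a swapped one) and the "absence of tags and chain of custody is itself the anomaly signal" idea from the FileGrant section can be reduced to a small approval gate. The following is an added example written for this post; it is not FileGrant or EmailGrant code, and the channel name, tagging key, vendor master record, IBANs and invoice text are all constructed assumptions. The gate rejects any request that did not arrive over the governed channel, rejects any document whose provenance tag is missing or no longer matches its contents, and holds for out-of-band confirmation any request whose beneficiary differs from the vendor master, which is the vendor-fraud pattern.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Assumed tagging key held only by the document system that mints provenance
# tags at creation (constructed for this example, not a real secret).
TAGGING_KEY = b"example-tagging-key-not-for-production"

# Assumed vendor master record: beneficiary accounts that were confirmed
# out of band before being entered (constructed sample data).
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "ACME-LOGISTICS": {"iban": "HU00-EXAMPLE-0001"},
}

# Only requests arriving through the governed financial channel are eligible.
APPROVED_CHANNELS = {"governed-financial-channel"}


def tag_document(content: bytes, classification: str, key: bytes = TAGGING_KEY) -> str:
    """Mint a provenance tag: HMAC-SHA256 over the classification label and the
    document bytes, so neither can change without invalidating the tag."""
    msg = classification.encode("utf-8") + b"\x00" + content
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class PaymentRequest:
    channel: str                  # where the request arrived
    vendor_id: str                # counterparty in the vendor master
    beneficiary_iban: str         # account the requester wants paid
    amount_eur: float
    document: bytes               # supporting invoice / wire authorization
    classification: Optional[str] = None  # corporate tag, e.g. "payment-request"
    tag: Optional[str] = None             # provenance tag minted at creation


def evaluate(req: PaymentRequest, key: bytes = TAGGING_KEY) -> Tuple[str, List[str]]:
    """Gate a payment request. Returns (decision, reasons) where decision is
    EXECUTE, HOLD (needs out-of-band confirmation) or REJECT."""
    reasons: List[str] = []

    # Gap 1: email trusted by default. Anything from an open inbox has no
    # operational effect, whatever it says.
    if req.channel not in APPROVED_CHANNELS:
        reasons.append(f"arrived via '{req.channel}', not a governed financial channel")
        return "REJECT", reasons

    # Gap 2: the document must carry its own protection. A missing tag or
    # classification is itself the anomaly signal.
    if not req.classification or not req.tag:
        reasons.append("document has no classification tag / chain of custody")
        return "REJECT", reasons
    expected = tag_document(req.document, req.classification, key)
    if not hmac.compare_digest(expected, req.tag):
        reasons.append("provenance tag does not match document contents (altered or forged)")
        return "REJECT", reasons

    # Gap 3: dual approval alone is not enough. A change of beneficiary is the
    # vendor-fraud pattern and is held for out-of-band confirmation.
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        reasons.append(f"vendor '{req.vendor_id}' not in vendor master")
        return "HOLD", reasons
    if vendor["iban"] != req.beneficiary_iban:
        reasons.append("beneficiary differs from vendor master; confirm out of band")
        return "HOLD", reasons

    return "EXECUTE", reasons


def demo() -> Dict[str, str]:
    """Run four constructed scenarios and return the decision for each."""
    invoice = b"Invoice 4711 / ACME Logistics / EUR 15,500,000 / pay to HU00-EXAMPLE-0001"
    governed = PaymentRequest(
        channel="governed-financial-channel",
        vendor_id="ACME-LOGISTICS",
        beneficiary_iban=VENDOR_MASTER["ACME-LOGISTICS"]["iban"],
        amount_eur=15_500_000.0,
        document=invoice,
        classification="payment-request",
        tag=tag_document(invoice, "payment-request"),
    )
    # Same invoice, but it arrived in the ordinary corporate inbox with no tag.
    open_inbox = replace(governed, channel="corporate-inbox", classification=None, tag=None)
    # Tagged invoice whose account line was edited after the tag was minted.
    tampered = replace(governed, document=invoice.replace(b"HU00-EXAMPLE-0001", b"LT00-CHANGED-0001"))
    # Valid document, but the request asks to pay a new account (vendor-fraud variant).
    new_beneficiary = replace(governed, beneficiary_iban="LT00-CHANGED-0001")

    scenarios = {
        "governed": governed,
        "open-inbox": open_inbox,
        "tampered-attachment": tampered,
        "new-beneficiary": new_beneficiary,
    }
    return {name: evaluate(r)[0] for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

The design point is that none of the three checks asks a human to judge whether an email "looks right": the channel, the tag and the vendor master are all facts the system already holds, so a forged instruction fails structurally. In a real deployment the tagging key would live in the document platform or an HSM rather than in the approval code, and a HOLD would open a ticket for a phone call to a number taken from the vendor master, never from the request itself.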


Takeaways for CISOs, CIOs, and CFOs

1. What do you do if corporate payments still move over open email? Move financial instructions to an authenticated, tracked channel. A standard inbox isn't payment infrastructure. Treating it as such exposes the organization to structural risk that employee training alone can't close.

2. How do you tell an authentic invoice from a tampered one before executing it? Require every financial document to be born encrypted and classified by the system. A file without a corporate tag and a verifiable chain of custody doesn't enter the approval flow.

3. What do you need to defend yourself in an audit after an incident? Logs by file, user, IP, and action, with post-delivery revocation in place. Without structured evidence, an incident becomes indefensible in front of NIS2 regulators, cyber insurers, the SEC, and the courts.

4. Dual signature on payments doesn't protect you if the supporting document is in the clear. Segregation of duties is necessary but not sufficient. If the attachment justifying a wire can be swapped for a forged version without the system noticing, multi-signature protects the process but not the data.