Business Email Compromise on Slack
Attackers who breach a workspace account use Slack direct messages to impersonate leaders or finance staff and authorise fraudulent transfers under the guise of internal chat.
Part of: Business Email Compromise (BEC)
Last reviewed: 1 June 2026
Slack workspaces feel like trusted internal spaces, which is exactly why they have become a target for business email compromise tactics. A direct message from a recognised name carries an assumption of legitimacy that attackers exploit to push urgent financial requests past normal scrutiny.
The casual rhythm of Slack — quick replies, emoji acknowledgements, informal tone — works against careful verification. A compromised account or a convincingly named impostor can deliver instructions that staff act on without the checks they would apply to a formal email or document.
How this scam works on Slack
An attacker gains entry to the workspace through stolen credentials or by joining as an external connection, then reviews channels and profiles to map the organisation. They send a direct message to a finance or operations employee, posing as a senior leader or a familiar supplier contact.
The message asks for an urgent wire transfer, an updated vendor payment account, or sensitive information, often citing a confidential deal or a tight deadline. The direct-message format isolates the target from colleagues who might raise doubts, and the impersonated profile reinforces the illusion of authority.
When the employee acts, the funds reach an account controlled by the criminal. Because the request arrived inside a trusted workspace, it may go unquestioned until later reconciliation reveals the fraud.
Common red flags
- A direct message requesting an urgent payment or transfer
- A senior leader contacting finance through Slack instead of formal channels
- An unfamiliar external account using a recognisable display name
- Insistence on secrecy or bypassing standard approval workflows
- Pressure to act before a colleague can be consulted
- A request to move banking details based solely on a chat message
How to protect yourself
- Verify all payment requests through a known phone number, never via Slack alone
- Limit and clearly identify external connections within the workspace
- Require multi-factor authentication for every workspace member
- Keep payment approvals in an auditable system, not informal chat
- Encourage staff to question urgent financial direct messages openly
- Review admin and integration permissions regularly for unexpected access
How to report it
- Report the suspicious or compromised account to your workspace administrator
- File a report with your national fraud or cybercrime authority
- Alert your bank without delay if a payment was made
Frequently asked questions
Why would a scammer use Slack instead of email for a BEC attack?
Slack feels like a closed, internal space, so staff often trust messages there more than email and verify them less. A direct message also isolates the target from colleagues who might spot the fraud. The same verification rules should apply on every channel.