In February 2024, a finance team at Pepco Group (a retailer with 4,800 stores across 21 countries) received what looked like a routine internal email. The sender appeared legitimate, the request was familiar, and the instruction was one that landed in their inbox every day: process a payment. They processed it, and then another, and by the time the fraud was identified, €15.5 million had been wired to accounts controlled by attackers. Pepco confirmed publicly that recovery was unlikely.