Treasury Operations

All payment flows across PNC, JPMorgan, BMO, and Oracle Fusion AP — monitored continuously.

Wires Queued Today

23

across 4 banks

Total Value

$4.2M

USD + CAD equiv.

Cleared by Agent

22

avg review time: 1.4s

Flagged for Review

1

$1.25M held

Wire queue · pending release

Dual-control · Treasury approves, Wire Sentinel watches

Brightworks IndustrialHARDWARE SUPPLIER · NEW BANK ACCOUNT 22h AGO

$1,247,800 req: D. Park 🚨 HELD

Concord Asphalt LLCCONSTRUCTION · monthly

$487,200 req: M. Suarez ✓ CLEARED scheduled 14:00 ET

Quantum Networks (CA)SaaS · monthly

$312,400 CAD req: D. Park ✓ CLEARED scheduled 14:00 ET

PWC LLPADVISORY · invoice 88421

$268,000 req: A. Patel ✓ CLEARED scheduled 14:00 ET

Toronto Port AuthorityLEASE · quarterly

$184,500 CAD req: M. Suarez ✓ CLEARED scheduled 14:00 ET

EY US LLPAUDIT · Q2 milestone

$162,000 req: A. Patel ✓ CLEARED scheduled 14:00 ET

Tempe Property MgmtRENT · monthly

$89,400 req: D. Park ✓ CLEARED scheduled 14:00 ET

… and 16 more wires, all cleared by Wire Sentinel

IB

Isabela's wire brief updated 14 sec ago

22 of 23 wires today cleared all my checks — vendor identity, banking history, payment patterns, SoD on approvers, and amount reasonableness.

One wire I am holding: $1,247,800 to Brightworks Industrial. Three signals concern me. Worth a 60-second look before release.

Recommend investigating before today's 14:00 release window.

Continuous monitoring · 4 banks · 412 active vendors

Treasury Ops › Wire Queue › PNC Outgoing Wire

Brightworks Industrial — Hardware Supply Wire

$1,247,800.00 USD via PNC · scheduled 14:00 ET today

Vendor

Brightworks Industrial
vendor #VND-44312 · Houston, TX

Reason

Hardware purchase order PO-89244
edge lighting controllers × 84 units

Requested by

Devon Park
AP Specialist · 13:42 ET today

Approved by

Aaron Patel
CISO/Treasury · 13:48 ET today

!

Wire Sentinel held this wire 3 RED FLAGS

Detected during pre-release scan · all flags fired within 800ms

1

Bank account changed 22 hours ago. Brightworks's PNC account on file was updated yesterday at 16:08 ET. The ACH instructions you're about to wire to are different from any prior payment to this vendor. Source: PNC vendor master · change event #PNC-VC-20260508-44

2

No callback verification on file. Halcomb's Vendor Bank Verification SOP requires a phone callback to a known vendor contact whenever banking details change. I cannot find a callback ticket in ServiceNow for this change. Policy: SOP-AP-014 · ServiceNow queue VendorBankChange searched 13:53 ET

3

This would be the first payment to the new account — and it's $1.25M. Brightworks has been a vendor for 4 years with 31 prior wires averaging $42K. A 30× larger first payment to a brand-new account on Day 1 fits the textbook business-email-compromise pattern. Pattern matches: BEC vendor takeover · 2024 FBI IC3 typology

Old account · used 31× over 4 years

Routing043000096

Account****8842

BankPNC Pittsburgh, PA

Last payment: $38,400 on Apr 21, 2026

→

New account · 0 prior payments

Routing021000089

Account****1170

BankJPMorgan Chase, NY

⚠ Changed 22h ago · no callback verified

IB

Isabela Blanco Maitrium Operations Agent

Reasoning complete

Any one of these flags would warrant a pause. The combination is consistent with a vendor email compromise attempting to redirect payment. The threat actor likely intercepted the bank-change request, slipped past the callback control, and timed the diversion to the next large invoice.

I have not released the wire. Devon's request and Aaron's approval are both valid — neither would have known about the missing callback without me surfacing it. That's exactly the gap Wire Sentinel exists to close.

Recommendation: Let me assemble the full evidence chain across Fusion, PNC, ServiceNow, email, and the vendor onboarding folder so you can decide in 30 seconds.

Evidence chain · Brightworks wire $1.25M

Pulled from 5 systems. Auditor-ready timeline. Generated in 11 seconds.

📁 Vendor Onboarding Folder 2022-08-14 09:14 ET

Original W-9 + bank verification on file

Brightworks Industrial onboarded 2022. Original PNC account ****8842 verified by callback to Brightworks CFO Sarah Whitfield at +1-713-555-0188 (vendor's published main number).

Brightworks_W9_2022.pdf · CallbackVerified_2022-08-14.pdf · IDverified_SWhitfield.pdf

⚙ Oracle Fusion AP 2022–2026 · 31 payments

Payment history to old account

31 wires totaling $1,302,400 over 4 years to ****8842. Average payment: $42,013. Largest single payment: $87,200 (2024). All cleared without dispute.

✉ Email · Brightworks → AP 2026-05-08 13:42 ET

"Updated banking — please use new account for upcoming PO"

Email from finance@brightworks-industrial.com requesting bank update to JPMorgan ****1170. Reply-to differs from sender (finance@brightworks-industrial.co — note .co not .com). Email language matches several known BEC templates.

From: finance@brightworks-industrial.com · Reply-To: finance@brightworks-industrial.co · Sent via SendGrid (not Brightworks's normal Microsoft 365)

🏦 PNC Vendor Master 2026-05-08 16:08 ET

Bank account changed in PNC

Vendor record updated by AP user (Devon Park) at request of email above. Change committed at 16:08 ET. No supporting ServiceNow ticket attached.

PNC vendor change event #VC-20260508-44 · changed_by: dpark · supporting_doc: (none)

🎫 ServiceNow · VendorBankChange queue 2026-05-09 13:53 ET

Searched for callback ticket — none found

Wire Sentinel queried the VendorBankChange queue for any ticket referencing Brightworks Industrial in the last 14 days. Zero matches. Halcomb's SOP-AP-014 requires a callback ticket before bank-change-related wires.

Query: vendor_id=VND-44312 OR vendor_name LIKE 'Brightworks%' AND created > 2026-04-25 · Results: 0

⚙ Oracle Fusion AP 2026-05-09 13:42 ET

Wire requested · $1,247,800

Devon Park requested wire against PO-89244 (84 hardware terminals). Approval granted by Aaron Patel at 13:48 ET. Wire scheduled for 14:00 ET PNC release.

📄

WireEvidencePack_Brightworks_2026-05-09.pdf · 14 pages

Auto-assembled · all 5 source systems · timestamped · ready for SOX testing or external audit

✓

Wire held · BEC fraud confirmed · funds preserved

Callback to Brightworks CFO at known number confirmed banking change was fraudulent. Original ****8842 account remains in use. Halcomb avoided $1.25M loss.

What happened next

Resolution timeline · all auto-logged

14:01 ET

Wire Sentinel held PNC releasescheduled 14:00 release prevented · queue position: blocked

14:02 ET

ServiceNow ticket auto-openedVBC-2026-0508-09 · assigned to Aaron Patel · Brightworks bank verification

14:11 ET

Aaron called Sarah Whitfield (CFO Brightworks) at +1-713-555-0188known number from 2022 onboarding · NOT the number in the change email

14:14 ET

Sarah confirmed: Brightworks did NOT request a bank changetheir finance email had been compromised 5 days prior · they were unaware

14:18 ET

Bank change reverted in PNC · wire re-released to ****8842vendor record restored to verified state · audit log captures full chain

14:22 ET

Brightworks notified internally + reset their email securityHalcomb Security ops shared the BEC indicators with their CISO

14:28 ET

SOX evidence package archived to /audit/2026Q2/wires/WireEvidencePack_Brightworks_2026-05-09.pdf · 14 pages · auditor-ready

Resolution Summary

From flagged wire to confirmed fraud + auditor-ready evidence: 28 minutes.

Three signals fired simultaneously. Wire Sentinel paused the release, assembled evidence across 5 systems, surfaced the BEC pattern in plain English, and guided Aaron to the right callback number — the one from the original 2022 onboarding, not the one in the fraudulent email.

Without Wire Sentinel

$1.25M loss

Wire releases at 14:00. Funds land in fraudster's JPMorgan account. By the time Brightworks asks "where's our payment?" 5 days later, the money is gone. FBI IC3 average recovery on BEC wires: 14% within 72 hours, near-zero after.

With Wire Sentinel

$0 loss · 28 min

Wire held automatically. Evidence chain assembled in 11 seconds. Callback to known number confirmed fraud. Original account restored. Audit pack archived. Brightworks alerted to their own breach.

$1.25M

Single-wire fraud avoided

11 sec

Evidence chain built

5

Source systems unified

100%

SOX evidence captured

⚡ Always watching

One wire. Five systems. One auditor-ready chain.

Wire Sentinel watches every payment across Oracle Fusion, PNC, JPMorgan, BMO, ServiceNow, email, and your vendor onboarding folder. It catches what dual-control humans cannot — patterns across systems that no single approver ever sees alone.

Book a paid strategy session — $1,499 Free 30-min walkthrough →

Want to see this with your wire data? Bring one suspicious payment to the walkthrough — we'll trace its evidence chain live.