Resource · 9 min read · Wade Stromer
Business email compromise: how it happens and how to stop it
How BEC attacks work, what to do in the first hour, and controls that actually reduce wire-fraud risk—without security theater.
What business email compromise actually is
BEC is fraud that uses email (and sometimes phone follow-ups) to trick people into sending money or data. Attackers impersonate executives, vendors, or trusted partners. The message is boring on purpose—an invoice resend, a payroll update, a rush wire before close.
Losses happen because every step looked normal to the person executing it: a familiar vendor name, a plausible invoice, a thread that already existed. That is why generic “don’t click links” training alone fails finance teams working under deadline pressure.
Common patterns
- Vendor invoice redirect: “Our bank changed—here is the new ACH info.”
- CEO fraud: “I am traveling—wire this today, keep it confidential.”
- Payroll diversion: “Please update my direct deposit.”
- Account takeover: the attacker reads mail for weeks, then inserts wire instructions into an existing thread.
Look-alike domains and mailbox rules that auto-forward mail or hide replies extend the attack window, often for weeks. Treat a forwarding rule that nobody remembers creating as evidence of compromise, not a curiosity.
Controls that earn their place
- Out-of-band verification for any wire or bank-detail change: call a number already on file, never one taken from the email or its signature block.
- Dual control on payments over a threshold, with the second approver checking the destination account, not just the amount.
- MFA on all mail and admin accounts; disable legacy authentication protocols that bypass it.
- Monitor for newly created inbox rules (especially ones that forward externally, delete, or move mail to rarely read folders) and for impossible-travel sign-ins.
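As an added example (not code from this page or from the author's practice), the Python below triages constructed sample data for the indicators called out above: inbox rules that forward, delete or bury mail, sender domains that are look-alikes of known vendors, and a Reply-To that diverges from the From domain (the thread-hijack variant). The JSON field names, folder names, the internal domain and the vendor list are assumptions for illustration; map them to your mail platform's audit export and your vendor master data.

```python
"""Added example: triage of three BEC indicators on constructed sample data.
Field names, folder names, domains and addresses are assumptions, not any product's schema."""
import unicodedata

INTERNAL_DOMAINS = {"example.com"}                                   # assumed own domain
KNOWN_VENDOR_DOMAINS = {"trusted-vendor.com", "acme-supplies.com"}  # assumed vendor master data
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "deleted items"}
FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "ach", "remit", "payroll", "direct deposit"}
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

# Constructed sample: inbox-rule creation events as an admin audit export might list them.
SAMPLE_RULE_EVENTS = [
    {"user": "ap@example.com", "rule": "Invoices", "actions": {"forward_to": "ap.example@gmail.com"},
     "conditions": {"subject_contains": ["invoice", "wire"]}},
    {"user": "ap@example.com", "rule": "Cleanup", "actions": {"move_to": "RSS Feeds", "mark_read": True},
     "conditions": {"from_contains": ["@trusted-vendor.com"]}},
    {"user": "cfo@example.com", "rule": "Newsletters", "actions": {"move_to": "Newsletters"},
     "conditions": {"subject_contains": ["digest"]}},
    {"user": "ceo@example.com", "rule": ".", "actions": {"delete": True},
     "conditions": {"body_contains": ["payment", "bank"]}},
]


def score_rule(event):
    """Return (severity, reasons) for one inbox rule; severity 0 means it looks benign."""
    actions, conds = event.get("actions", {}), event.get("conditions", {})
    reasons, severity = [], 0

    def hit(reason, weight):
        nonlocal severity
        reasons.append(reason)
        severity += weight

    fwd = actions.get("forward_to")
    if fwd and fwd.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
        hit(f"forwards to external address {fwd}", 3)
    if actions.get("delete"):
        hit("deletes matching mail", 3)
    if (actions.get("move_to") or "").lower() in HIDE_FOLDERS:
        hit(f"buries mail in '{actions['move_to']}'", 2)
    # Finance keywords and a blank name only matter once a hide/exfil action exists;
    # on their own they describe plenty of legitimate rules.
    if severity:
        terms = {t.lower() for k in ("subject_contains", "body_contains") for t in conds.get(k, [])}
        if terms & FINANCE_TERMS:
            hit(f"keyed on finance terms {sorted(terms & FINANCE_TERMS)}", 2)
        if len(event.get("rule", "").strip()) <= 1:
            hit("rule name is blank or a single character", 1)
    return severity, reasons


def triage_rules(events):
    """Flag every rule with a non-zero score, highest severity first."""
    flagged = []
    for ev in events:
        severity, reasons = score_rule(ev)
        if severity:
            flagged.append({"user": ev["user"], "rule": ev["rule"], "severity": severity, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["severity"], reverse=True)


def fold(domain):
    """Lower-case, drop non-ASCII (so Cyrillic or accented homoglyphs collapse), rewrite ASCII look-alikes."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance, used as a cheap typo-squat detector after folding."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_addr, reply_to=None):
    """Return reasons a sender looks like vendor impersonation or a hijacked thread."""
    reasons = []
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain not in INTERNAL_DOMAINS | KNOWN_VENDOR_DOMAINS:
        for known in sorted(KNOWN_VENDOR_DOMAINS):
            fd, fk = fold(domain), fold(known)
            if fd == fk or levenshtein(fd, fk) <= (1 if len(fk) < 12 else 2):
                reasons.append(f"{domain} looks like known vendor {known}")
    if reply_to:  # a genuine vendor From with a foreign Reply-To is the thread-hijack pattern
        rdomain = reply_to.rsplit("@", 1)[-1].lower()
        if rdomain != domain:
            reasons.append(f"Reply-To domain {rdomain} differs from From domain {domain}")
    return reasons


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULE_EVENTS):
        print(f"[{f['severity']}] {f['user']} rule '{f['rule']}': " + "; ".join(f["reasons"]))
    for sender in ("billing@trusted-vendor.com", "billing@trusted-vend0r.com", "ap@trusted-vendor.co"):
        print(sender, check_sender(sender) or "ok")
```

The rule scoring deliberately ignores finance keywords until a forwarding, delete or hide action is present, because keyword-only rules are common and benign; the look-alike check is a heuristic, so pair it with registering the obvious confusable variants of your own and key vendors' domains, which is cheaper than catching them in mail flow.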
Train finance and AP on thread hijacks, not cartoon phishing examples. Run a tabletop: “It is 4 p.m. Friday and AP got this message—what do we do?”
If you are responding now
Contain the affected accounts: revoke active sessions and tokens, reset credentials, and re-enroll MFA in case the attacker registered a factor of their own. Review mail flow and inbox rules, and preserve full message headers and audit logs before anything is cleaned up. Notify your bank and insurer per your policy; a bank told within hours may still be able to recall a wire. Communicate internally from a single source of truth so rumors do not spread.
After containment, harden: payment verification playbooks, vendor master data ownership, and periodic access reviews—not just password resets.
Next step
Want a tailored read on your situation? Start with the cybersecurity diagnostic—free, under five minutes.
Related: BEC response work · Security consulting
FAQ
- Is BEC the same as phishing?
- Phishing is often the entry point, but BEC is the outcome: fraudulent wire instructions, invoice redirects, or payroll changes executed because someone trusted a message that looked normal.
- Will MFA stop BEC?
- MFA stops many account takeover paths and is essential, though SMS and push factors can still be relayed through a phishing proxy, so use phishing-resistant factors for finance and admin accounts where you can. It does not stop look-alike domains, thread hijacks after a compromise, or finance processes that change wire details on the strength of an email alone.
- What is the first call after suspected BEC?
- Contain: disable compromised accounts, revoke active sessions, and alert finance to halt outbound wires. Then preserve logs and engage incident response—speed beats perfection in the first hour.