Business Email Compromise (BEC): Preventing Wire Fraud
Note: This is general information and not legal advice.
Executive Summary
- BEC bypasses many "security tools" because it looks like normal business communication.
- Once funds move, recovery is difficult. Prevention and fast response are key.
- Regulated teams also face privacy and reporting risk when BEC targets payroll or HR data.
- Your organization processes wire transfers, ACH payments, or vendor payments.
- You have executives or finance staff who are visible targets for impersonation.
- You're answering customer security questionnaires that ask about fraud prevention.
- Process controls: out-of-band verification and dual approval for risky changes and payments.
- Identity controls: MFA + admin hygiene + sign-in risk monitoring.
- Email and domain controls: DMARC, DKIM, and SPF to reduce spoofing and brand impersonation.
- Detection: alerting for suspicious sign-ins and mailbox forwarding or rules changes.
- We help implement email and domain protections and strengthen identity controls.
- We design verification procedures that fit how your team actually works, not how a consultant thinks they should work.
Common BEC scenarios (what teams actually see)
BEC attacks are effective because they exploit normal business processes. The email looks like a routine request from a trusted party, and the timing is often aligned with real business events like invoice cycles, quarter-end payments, or vendor onboarding.
- Vendor payment change: "We updated our bank details, please use this routing and account number." The email comes from what looks like a vendor you already work with, and the request seems routine.
- CEO or executive urgency: "I need this wired in the next 30 minutes, I'm in a meeting." The email appears to come from a senior leader, and the pressure of the deadline discourages the recipient from following normal verification procedures.
- Payroll or W-2 request: a request for employee tax info or direct deposit updates, often sent to HR or payroll staff. This variant targets sensitive personal data rather than direct payments.
- Compromised vendor mailbox: the email is truly from your vendor, but an attacker has access to their mailbox and has altered the invoice details. This variant is the hardest to detect because the email is genuinely from the vendor's domain.
The attacker's advantage is timing and context. They often wait until they see an invoice thread, a project kickoff, or a quarter-end payment rush before striking.
How BEC connects to the detection and response cluster
BEC prevention sits at the intersection of email security, identity controls, and process design. No single tool stops all BEC variants. The defense comes from layering controls that address different parts of the attack chain.
- Email authentication (DMARC, DKIM, SPF) reduces domain spoofing by making it harder for attackers to send email that looks like it comes from your domain or your vendors' domains. This stops some BEC variants but not compromised-account attacks.
- MFA and conditional access reduce the risk of account compromise that enables BEC from legitimate but hijacked mailboxes. If the attacker can't get into the email account, they can't send requests from it.
- SIEM and SOC provide the detection layer that catches suspicious sign-ins, mailbox rule changes, and forwarding rule creation. These are indicators of account compromise that precede BEC attacks.
- Tabletop exercises are how you test whether your team will follow the verification procedures when a real BEC attempt arrives. An exercise that simulates a CEO-impersonation email during a busy period reveals whether the process controls actually work under realistic conditions.
Non-negotiable process controls (the layer that stops fraud)
Process controls are the most important layer of BEC defense. Technology can reduce risk, but a well-designed payment verification process catches attacks that no tool can detect. The reason is simple: BEC exploits human judgment under pressure, and process controls remove the pressure by requiring verification before action.
Out-of-band verification for payment changes
If banking instructions change, verify using a known-good phone number from your vendor master record. Don't reply to the email thread and don't use a number contained in the email. The verification call is the single most effective control against vendor payment change fraud. It takes two minutes and stops the most expensive BEC variant.
Dual approval for high-risk payments
Require two independent approvals for wires or ACH above a threshold, and for any "first payment" to a new payee. The second approver should be someone who wasn't involved in the original request. This catches both external BEC attempts and internal fraud.
A written exception process
Fraud often succeeds because "this one time" bypasses the controls. Decide what exceptions are allowed, who can approve them, and how they're documented. Every exception should have a business justification and an owner who accepts the risk.
Technical controls that reduce BEC risk
Technical controls reduce the attack surface and improve detection. They don't replace process controls, but they make BEC attacks harder to execute and faster to detect.
- Email authentication: implement DMARC, DKIM, and SPF to reduce spoofing. Start with DMARC in "report-only" mode to see what's being blocked before enforcing.
- MFA everywhere: start with MFA for email, finance apps, and admin roles. Phishing-resistant MFA (hardware keys, passkeys) provides the strongest protection against credential theft.
- Conditional access: use conditional access to reduce risk from unknown devices, unusual locations, and impossible travel scenarios.
- Least privilege: reduce admin sprawl with RBAC and access reviews. If a compromised account has limited permissions, the attacker can do less damage.
- Logging and alerting: centralize critical events (sign-ins, mailbox rules, forwarding changes) in a SIEM. These indicators often appear before the BEC attempt, giving you a window to contain the compromised account.
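As an added example (not code from the original page), the detection logic below scans mailbox audit events for the two precursors named above, forwarding to an outside domain and inbox rules that hide finance-related mail, and flags users showing both as containment candidates. The log lines, the domain example.com and the simplified JSON event shape are constructed for the example; the operation names mirror Exchange cmdlets but the schema is not a real vendor format.

```python
import json
ORG_DOMAIN = "example.com"  # assumption: your own mail domain
FINANCE_WORDS = ("invoice", "wire", "payment", "bank", "remit", "ach")
HIDE_FOLDERS = ("deleted", "rss", "archive", "junk", "conversation history")
# Constructed sample audit events (simplified JSON lines, not a real vendor
# schema); operation names mirror Exchange cmdlets.
SAMPLE_LOG = """
{"time":"2024-05-02T08:01:10Z","user":"ap@example.com","op":"New-InboxRule","params":{"Name":"Invoices","SubjectContainsWords":["invoice","wire"],"MoveToFolder":"RSS Feeds","MarkAsRead":true}}
{"time":"2024-05-02T08:02:45Z","user":"ap@example.com","op":"Set-Mailbox","params":{"ForwardingSmtpAddress":"smtp:ap.backup@mail-example.net","DeliverToMailboxAndForward":true}}
{"time":"2024-05-02T09:15:00Z","user":"hr@example.com","op":"New-InboxRule","params":{"Name":"Team news","FromAddressContainsWords":["team-updates"],"MoveToFolder":"Updates"}}
{"time":"2024-05-02T10:20:00Z","user":"cfo@example.com","op":"New-InboxRule","params":{"Name":"fwd","ForwardTo":["assistant@example.com"]}}
"""

def is_external(address):
    # Forwarding targets may carry an "smtp:" prefix; compare the domain part only.
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] != ORG_DOMAIN

def classify(event):
    """Return the BEC-precursor indicators present in one audit event."""
    p = event.get("params", {})
    findings = []
    # Indicator 1: mail forwarded or redirected outside the organization.
    targets = [t for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo") for t in p.get(key, [])]
    if p.get("ForwardingSmtpAddress"):
        targets.append(p["ForwardingSmtpAddress"])
    if any(is_external(t) for t in targets):
        findings.append("external-forwarding")
    # Indicator 2: a rule that hides finance-related mail from the real user.
    words = [w.lower() for w in p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])]
    folder = p.get("MoveToFolder", "").lower()
    hides = bool(p.get("DeleteMessage")) or any(h in folder for h in HIDE_FOLDERS)
    if hides and any(k in w for w in words for k in FINANCE_WORDS):
        findings.append("finance-mail-hidden")
    return findings

def scan(log_text):
    """Return (user, operation, indicator) alerts for every JSON line."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        for indicator in classify(event):
            alerts.append((event["user"], event["op"], indicator))
    return alerts

def users_to_contain(alerts):
    """Users with two or more distinct indicators: contain that mailbox first."""
    seen = {}
    for user, _op, indicator in alerts:
        seen.setdefault(user, set()).add(indicator)
    return sorted(u for u, inds in seen.items() if len(inds) >= 2)
```

In the sample, the accounts-payable mailbox trips both indicators within two minutes, which is the pattern that should trigger the containment steps in the first-hour checklist.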
If you suspect BEC: the first hour
Speed matters when BEC is suspected. If funds have already moved, the window for recovery is measured in hours, not days. The first actions should focus on stopping further damage and preserving evidence.
- Freeze the payment: contact your bank immediately (recall or hold). If money moved, speed matters more than certainty.
- Contain the account: reset credentials, revoke sessions, review MFA methods, and check for mailbox forwarding or rules. The compromised account may have been used to set up persistence mechanisms.
- Preserve evidence: keep the email headers, messages, and any related ticketing notes. This evidence supports the bank recall request, insurance claim, and any law enforcement report.
- Notify the right owners: finance leadership, IT or security, and the vendor relationship owner. Coordinate before communicating externally.
- Report: file a complaint with IC3 and follow your organization's reporting requirements. Law enforcement involvement can support recovery efforts and may prevent others from being targeted by the same attacker.
We recommend practicing this response path as part of an incident response tabletop exercise. A BEC scenario is one of the highest-value tabletop exercises because it tests process controls, coordination, and decision-making under realistic pressure.
Common Questions
What is Business Email Compromise (BEC)?
BEC is email-based fraud where attackers impersonate executives, vendors, or partners to trick someone into sending money, changing payment instructions, or sharing sensitive information.
Is BEC just phishing?
BEC often uses phishing techniques, but the goal is usually financial fraud or data theft (not installing malware). Many BEC emails have no links or attachments at all.
What's the most effective way to prevent wire fraud?
Strong payment procedures: out-of-band verification of changes to payment instructions, dual approval for high-risk payments, and clear exceptions handling. Technology helps, but process is the critical layer.
Do DMARC, DKIM, and SPF stop BEC?
They reduce domain spoofing and impersonation risk, but they do not stop attacks from compromised accounts or free email domains. Pair email authentication with payment verification procedures.
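As an added example (not part of the original page), a small Python checker that reads a DMARC TXT record and reports whether the domain is still in report-only mode (p=none), partially enforcing, or fully enforcing, plus the next rollout step; the records it is fed and the address dmarc@example.com are constructed sample values.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dictionary with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Report what protection a DMARC record actually gives against spoofing."""
    t = parse_dmarc(record)
    notes = []
    if t.get("v", "").upper() != "DMARC1":
        return {"stage": "missing", "notes": ["no valid DMARC record; receivers cannot reject spoofed mail from this domain"]}
    policy = t.get("p", "none").lower()
    pct = int(t.get("pct", "100"))          # share of failing mail the policy applies to
    sub_policy = t.get("sp", policy).lower()  # subdomains inherit p= unless sp= is set
    if policy == "none":
        stage = "report-only"
        if "rua" not in t:
            notes.append("p=none without rua: monitoring mode, but nobody receives the aggregate reports")
    elif policy in ("quarantine", "reject"):
        stage = "enforcing" if pct == 100 else "partial (%d%% of failing mail)" % pct
    else:
        return {"stage": "invalid", "notes": ["unknown p= value: %s" % policy]}
    if sub_policy == "none" and policy != "none":
        notes.append("sp=none: unauthenticated mail from subdomains is still delivered")
    return {"stage": stage, "policy": policy, "pct": pct, "subdomain_policy": sub_policy, "notes": notes}

def next_step(assessment):
    """The next move in a report-only-first rollout, as the page recommends."""
    stage = assessment["stage"]
    if stage == "missing":
        return "publish v=DMARC1; p=none with a rua= address and start reviewing reports"
    if stage == "invalid":
        return "fix the p= value"
    if stage == "report-only":
        return "fix SPF/DKIM for every legitimate sender seen in reports, then move to p=quarantine"
    if stage.startswith("partial"):
        return "raise pct= until 100, then move to p=reject"
    if assessment["policy"] == "quarantine":
        return "move to p=reject"
    return "enforcing: keep reviewing reports for new legitimate senders"
```

Remember the FAQ answer above: a record at p=reject only blocks spoofing of your own domain, not a hijacked vendor mailbox or a lookalike domain the attacker registered.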
What should we do if we think we sent money to an attacker?
Treat it as urgent. Contact your bank immediately to attempt a recall, preserve email evidence, and file a report (IC3). Time matters. The faster you act, the better the chance of recovery.
How does N2CON help with BEC prevention?
We help implement email and domain protections (DMARC, DKIM, SPF), strengthen identity controls (MFA and conditional access), improve logging and alerting, and help design verification procedures that fit how your team actually works.
Want to pressure-test your wire fraud controls?
We can review your payment workflows, harden identity and email controls, and set up the monitoring you need to catch account compromise early.