How to Detect and Prevent Business Email Compromise
Business Email Compromise (BEC) is the highest-dollar-loss cybercrime category tracked by the FBI, consistently outpacing ransomware in total financial impact. It is also the hardest category to defend against with traditional email security controls because the attack does not rely on malware, malicious links, or malicious attachments.
BEC attacks exploit trust: an attacker either compromises a legitimate email account and uses it to conduct fraud, or impersonates a trusted contact from a lookalike domain. The email passes gateway scanning because there is nothing technically malicious to detect. The loss happens when a human follows fraudulent instructions.
Effective BEC defense requires controls across three layers: preventing account takeover (so attackers cannot compromise legitimate accounts to use in BEC), detecting BEC-specific email patterns (so attacks that carry no malware can still be detected behaviorally), and implementing process controls that require out-of-band verification for high-risk financial transactions.
Preventing Account Takeover: The Root Cause of Most BEC
The most impactful BEC attacks involve a compromised legitimate account. When an attacker controls the CFO's email account, there is no impersonation to detect — the emails come from the real account, are signed with the real signing key, and pass all authentication checks. Preventing account takeover is therefore the highest-priority BEC control.
Phishing-resistant MFA is the single most impactful account takeover prevention control. FIDO2/passkeys and hardware security keys are resistant to AiTM (adversary-in-the-middle) phishing kits that can steal session tokens from standard MFA methods. AiTM phishing is the dominant account takeover technique in current BEC campaigns — it presents a real-time proxy of the legitimate login page, capturing the authentication session after the victim completes MFA. FIDO2 keys are cryptographically bound to the origin domain, making them immune to AiTM because the key refuses to authenticate to a proxy domain.
Conditional access policies that detect impossible travel, unfamiliar device registration, and session anomalies catch AiTM-compromised sessions even when MFA was bypassed. Configure conditional access to require re-authentication from persistent high-risk signals and to block token replay from unexpected locations.
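The impossible-travel signal mentioned above, written out as a small defender-side check. This is an added example, not code from the article or from any identity provider: the sign-in records are constructed sample data and their field names are an assumption for this example, not a vendor's sign-in log schema. The check orders each user's sign-ins by time and flags consecutive pairs whose implied ground speed exceeds what an airliner could cover.

```python
"""Impossible-travel check over sign-in events (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime      # timezone-aware, UTC
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_distance_km=50.0):
    """Return (user, earlier, later, kmh) for each pair of consecutive sign-ins by
    one user that would require moving faster than max_kmh (about airline speed).
    Pairs closer than min_distance_km are ignored to absorb geo-IP jitter inside
    one metro area."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if distance < min_distance_km:
                continue
            # Floor the interval at one second so two sign-ins with the same
            # timestamp do not divide by zero; they are simply flagged as fast.
            hours = max((cur.when - prev.when).total_seconds(), 1.0) / 3600.0
            speed = distance / hours
            if speed > max_kmh:
                findings.append((user, prev, cur, round(speed)))
    return findings


def _ts(hour, minute):
    return datetime(2024, 5, 6, hour, minute, tzinfo=timezone.utc)


# Constructed sample: the CFO account authenticates from Chicago and twenty
# minutes later from Lagos; a second user moves New York -> Boston over four hours.
SAMPLE_SIGNINS = [
    SignIn("cfo@example.com", _ts(9, 0), "198.51.100.10", 41.8781, -87.6298),
    SignIn("cfo@example.com", _ts(9, 20), "203.0.113.77", 6.5244, 3.3792),
    SignIn("ap@example.com", _ts(12, 0), "198.51.100.22", 40.7128, -74.0060),
    SignIn("ap@example.com", _ts(16, 0), "198.51.100.23", 42.3601, -71.0589),
]

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SAMPLE_SIGNINS):
        print(f"{user}: {a.ip} -> {b.ip} implies {kmh} km/h; require re-authentication")
```

In a conditional access deployment the finding would feed a policy that forces re-authentication with the phishing-resistant factor and revokes the existing session token, rather than only raising an alert.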
Audit email forwarding rules monthly. A common BEC technique is to create inbox rules on a compromised account that forward incoming emails matching specific keywords (invoice, payment, wire) to an attacker-controlled address. This allows the attacker to monitor financial email correspondence for weeks before initiating the fraud attempt. Alert on new forwarding rule creation in your email platform (Microsoft 365 Unified Audit Log, Google Workspace Admin SDK) and review all existing forwarding rules quarterly.
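A review pass over inbox-rule audit events, as an added example (not the article's or Microsoft's code). The JSON records are constructed sample data that imitate the general shape of Exchange admin entries in the Microsoft 365 Unified Audit Log, an Operation name plus a Parameters list of Name/Value pairs, simplified for this example; the layout of a real export differs and the field handling should be checked against your own data. The check flags rules that forward or redirect to an external address, rules that filter on finance keywords, and rules that delete the matched mail.

```python
"""Flag inbox-rule and mailbox-forwarding audit events that look like BEC persistence."""
import json

INTERNAL_DOMAINS = {"example.com"}          # assumption: the organisation's own domains
FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "ach", "bank"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _params(record):
    """Flatten the Parameters array into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_external(address):
    addr = address.strip().lower().split(":")[-1]      # drop an 'smtp:' prefix
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def review_rule_event(record):
    """Return the reasons a rule-change record looks like BEC persistence ([] if none)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    for name in sorted(set(p) & FORWARD_PARAMS):
        if any(_is_external(t) for t in _as_list(p[name])):
            reasons.append(f"{name} targets an external address")
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words |= {w.lower() for w in _as_list(p.get(key, []))}
    matched = words & FINANCE_WORDS
    if matched:
        reasons.append("filters on finance keywords: " + ", ".join(sorted(matched)))
    if str(p.get("DeleteMessage", "")).lower() == "true":
        reasons.append("deletes matching messages, hiding the correspondence from the owner")
    return reasons


def review_log(lines):
    """Run each JSON audit line through review_rule_event; return (user, operation, reasons)."""
    findings = []
    for line in lines:
        record = json.loads(line)
        reasons = review_rule_event(record)
        if reasons:
            findings.append((record["UserId"], record["Operation"], reasons))
    return findings


# Constructed sample records: one keyword-filtered external forward on the CFO's
# mailbox, one benign filing rule, and one mailbox-level SMTP forward.
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com",
                "Parameters": [{"Name": "Name", "Value": "Sync"},
                               {"Name": "SubjectOrBodyContainsWords", "Value": ["invoice", "wire"]},
                               {"Name": "ForwardTo", "Value": ["billing@mail-relay.example.net"]},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "ap@example.com",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": ["news@vendor.example.org"]},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "admin@example.com",
                "Parameters": [{"Name": "Identity", "Value": "cfo"},
                               {"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:cfo.backup@outlook-mail.example.net"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
]

if __name__ == "__main__":
    for user, op, reasons in review_log(SAMPLE_LOG):
        print(f"{user} {op}: " + "; ".join(reasons))
```

The same function can be run over a quarterly export to review rules that already exist, which is the second half of the control described above.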
BEC Detection: Behavioral Analytics for Email Fraud Patterns
Because BEC emails typically contain no malware, link, or attachment to scan, detection must rely on behavioral analytics that identify anomalous email patterns.
Domain impersonation detection catches lookalike domains that attackers register to impersonate vendors, executives, or partners. Configure your email gateway to detect: lookalike domains using homoglyph characters (rn versus m, 0 versus O), typosquatting domains (company-name.net when the real domain is company-name.com), and cousin domains (companyname-invoices.com). Abnormal Security, Agari (Fortra), and Proofpoint all provide domain impersonation detection that generates alerts on emails from domains registered within the past 30 days that closely resemble your supplier domains.
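A self-contained lookalike-domain classifier covering the three domain categories listed above (homoglyph, typosquat, cousin) plus a top-level-domain swap. This is an added example, not code from the article or from any of the products named; the trusted supplier list and the sample sender domains are constructed. The "registered within the past 30 days" signal needs a WHOIS/RDAP lookup and is deliberately left out so the check runs offline; the base-label split is a naive last-dot split and does not consult the public suffix list.

```python
"""Classify a sender domain against trusted supplier domains (added example)."""

# Multi-character substitutions come first so "rn" collapses to "m" before any
# single-character rule could touch the "n". The last three are Cyrillic a, e, o.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
              ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o")]


def normalize(label):
    """Collapse common confusable sequences so visually similar labels compare equal."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def split_domain(domain):
    """Return (base label, tld) using a naive last-dot split (assumption: no public suffix list)."""
    base, _, tld = domain.lower().strip().rpartition(".")
    return base, tld


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain, trusted_domains):
    """Return (kind, trusted_domain) when sender_domain resembles a trusted one, else None.

    kind is one of "tld-swap", "homoglyph", "typosquat" or "cousin"; the checks run
    in that order so the most specific explanation wins."""
    sender_domain = sender_domain.lower().strip()
    if sender_domain in trusted_domains:
        return None
    base, tld = split_domain(sender_domain)
    for trusted in trusted_domains:
        tbase, ttld = split_domain(trusted)
        if base == tbase and tld != ttld:
            return ("tld-swap", trusted)
        if base != tbase and normalize(base) == normalize(tbase):
            return ("homoglyph", trusted)
        # Short labels produce too many near-misses; require a few characters.
        if len(tbase) >= 5 and levenshtein(base, tbase) <= 2:
            return ("typosquat", trusted)
        tokens = set(base.replace("_", "-").split("-"))
        if tbase in tokens or base.startswith(tbase) or base.endswith(tbase):
            return ("cousin", trusted)
    return None


# Constructed trusted list and sample senders, one per category.
TRUSTED = ["acme-supply.com", "example.com"]
SAMPLE_SENDERS = ["acme-supply.com", "acrne-supply.com", "acme-supply.net",
                  "acme-suply.com", "acme-supply-invoices.com", "exarnple.com", "unrelated.org"]

if __name__ == "__main__":
    for d in SAMPLE_SENDERS:
        print(f"{d:28} -> {classify_sender_domain(d, TRUSTED)}")
```

A gateway integration would run this on the envelope sender and the header From domain for every inbound message and raise the alert when the classifier returns anything other than None; the cousin rule is the noisiest and benefits most from a per-supplier allowlist.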
Urgency and payment keyword detection flags emails with language patterns characteristic of BEC: requests for wire transfers or gift card purchases with urgency framing, requests to change payment account information, and requests to override normal approval processes. This detection produces significant false positives in organizations with legitimate urgent payment workflows — tune it with exceptions for known senders and domains before enabling alerting.
Abnormal communication detection identifies emails from known contacts that display atypical patterns: an email sent from a supplier's domain at an unusual time, from an unusual IP geolocation, or with unusual grammar patterns. Abnormal Security is the commercial leader in AI-based behavioral BEC detection — its models baseline communication patterns per sender and flag deviations that signature-based controls miss.
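The two behavioral checks above, keyword scoring with tuned exceptions and a per-sender baseline, combined in one added example. This is illustrative code, not the article's and not Abnormal Security's model; the pattern lists, weights, thresholds, allowlist and sample messages are all assumptions constructed for the example. The scorer raises the alert threshold for allowlisted senders so a legitimately urgent invoice from a known supplier does not fire, while the baseline flags a known sender writing at an unusual hour or from an unseen country.

```python
"""Keyword scoring with allowlist tuning, plus a per-sender communication baseline."""
import re
from collections import defaultdict

# Hypothetical pattern lists; a real deployment maintains these per language and unit.
URGENCY = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\basap\b",
    r"\b(before|by) (end of (the )?day|eod|close of business)\b",
]
PAYMENT = [
    r"\bwire( transfer)?\b", r"\bgift cards?\b", r"\brouting number\b",
    r"\b(new|updated?) (bank|banking|account|payment|direct deposit) (details|information|info)\b",
]
OVERRIDE = [
    r"\b(skip|bypass) (the )?(normal|usual|standard) (approval|process|procedure)\b",
    r"\bdo(n'?t| not) (tell|involve|cc|copy)\b",
    r"\bcan'?t (talk|be reached|take calls?)( right)? now\b",
]
WEIGHTS = {"urgency": 1, "payment": 2, "override": 3}
ALERT_THRESHOLD = 4        # unknown senders
TRUSTED_THRESHOLD = 7      # allowlisted senders need a much stronger combined signal


def keyword_score(subject, body):
    """Return (score, hits-by-category) for the message text."""
    text = f"{subject}\n{body}".lower()
    hits = {
        "urgency": [p for p in URGENCY if re.search(p, text)],
        "payment": [p for p in PAYMENT if re.search(p, text)],
        "override": [p for p in OVERRIDE if re.search(p, text)],
    }
    score = sum(WEIGHTS[c] * len(v) for c, v in hits.items())
    return score, hits


def should_alert(sender, subject, body, allowlist):
    """Apply the raised threshold for known senders or domains; return (alert, score, hits)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    trusted = sender.lower() in allowlist or domain in allowlist
    score, hits = keyword_score(subject, body)
    threshold = TRUSTED_THRESHOLD if trusted else ALERT_THRESHOLD
    return score >= threshold, score, hits


class SenderBaseline:
    """Per-sender profile of observed send hours (UTC) and source countries."""

    def __init__(self):
        self.hours = defaultdict(set)
        self.countries = defaultdict(set)

    def observe(self, sender, hour_utc, country):
        self.hours[sender].add(hour_utc)
        self.countries[sender].add(country)

    def deviations(self, sender, hour_utc, country):
        """Flags for a new message from a sender we have a history for; [] if unknown or normal."""
        flags = []
        seen = self.hours.get(sender)
        if seen and not (min(seen) - 1 <= hour_utc <= max(seen) + 1):
            flags.append(f"sent at {hour_utc:02d}:00 UTC, baseline {min(seen):02d}-{max(seen):02d}")
        if sender in self.countries and country not in self.countries[sender]:
            flags.append(f"source country {country} not previously seen")
        return flags


# Constructed samples: an allowlist of one supplier domain, a BEC-style request from
# an unknown domain, and a genuinely urgent invoice from the known supplier.
ALLOWLIST = {"acme-supply.com"}
BEC_MSG = ("ceo@ceo-acme-corp.example", "Urgent",
           "I need you to process a wire transfer immediately. I can't talk right now, just get it done.")
LEGIT_MSG = ("ap@acme-supply.com", "Urgent: invoice 4471 due", "Payment is due; please wire by end of day.")


def build_sample_baseline():
    b = SenderBaseline()
    for hour in (9, 10, 14, 16):
        b.observe("ap@acme-supply.com", hour, "US")
    return b

if __name__ == "__main__":
    for sender, subject, body in (BEC_MSG, LEGIT_MSG):
        print(sender, should_alert(sender, subject, body, ALLOWLIST)[:2])
    print(build_sample_baseline().deviations("ap@acme-supply.com", 3, "NG"))
```

The same invoice text scores 4 either way; it is the sender's allowlist status, not the words, that decides whether it alerts, which is the tuning step the text recommends before enabling alerting.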
Process Controls: Out-of-Band Verification for High-Risk Transactions
Technical controls reduce BEC exposure but cannot eliminate it entirely. Process controls that require out-of-band verification for high-risk transactions are the backstop when email-based controls are insufficient or bypassed.
For wire transfer requests: require phone verification using a known, pre-registered number (not a number provided in the request email) for any wire transfer above a defined threshold. The verification call must occur before the transfer is initiated, not as a callback after. Document the call in the transaction record. This single control prevents the majority of successful BEC wire fraud attempts because attackers cannot control the voice call.
For payment information changes: require a formal change request form, multi-person approval, and verification call before updating any banking information for an existing vendor or employee. Payroll diversion BEC specifically targets HR and payroll teams with fraudulent requests to update direct deposit information — the request appears to come from the employee but originates from a compromised account or impersonation. Require that all direct deposit changes be submitted through a self-service portal with MFA authentication rather than via email request to HR.
For vendor email compromise: verify payment information changes from vendors through a previously established contact channel before processing. If a vendor emails to notify you that their banking details have changed, call the vendor using a phone number you independently verified (from their website, a previous invoice, your existing vendor file) rather than any number provided in the change notification email. Vendor email compromise (VEC) attacks target organizations' accounts payable processes specifically and frequently involve compromised vendor accounts rather than impersonation.
BEC Incident Response: What to Do When Fraud Occurs
BEC fraud moves faster than most financial institution fraud recovery processes. The first two hours after discovery are the only window in which fund recovery is possible.
If an employee suspects they have processed a fraudulent payment: immediately contact your bank and request a recall of the wire transfer. US-based organizations should also contact the FBI's Internet Crime Complaint Center (IC3.gov) and request activation of the Financial Fraud Kill Chain (FFKC) — a program that coordinates with receiving financial institutions to freeze funds in transit. The FFKC has a high success rate for recoveries initiated within 24 hours of the transfer.
Preserve all email evidence: full email headers, the complete email chain, and any email forwarding rules or inbox rules created during the incident period. Do not delete the compromised email account — preserve it for forensic analysis by your incident response team or external IR provider.
Reset all credentials for the compromised account and any accounts with shared credentials or access to the same systems. Review inbox rules, email forwarding, and OAuth application permissions for the compromised account — attackers frequently create persistence mechanisms that survive a password reset. Revoke and re-issue email signing keys and review mail flow rules for any backdoors the attacker may have inserted at the organizational level.
The bottom line
BEC is a hybrid attack: it succeeds through a combination of technical account compromise or impersonation and social engineering that exploits organizational payment workflows. Defending against it requires both technical controls (phishing-resistant MFA, behavioral email analytics, impersonation detection) and process controls (out-of-band verification for high-risk financial transactions). Either layer alone is insufficient. Organizations that have only one layer will continue to lose money to BEC until they have both.
Frequently asked questions
What is the difference between BEC and phishing?
Phishing is a broad attack category that uses deceptive emails to trick recipients into clicking malicious links, opening malicious attachments, or providing credentials. BEC is a specific fraud scheme that impersonates or compromises trusted parties to authorize fraudulent financial transactions. Most phishing attacks aim to compromise credentials for later use; BEC attacks use compromised or impersonated credentials directly for financial fraud. BEC emails typically contain no malicious technical content — they rely entirely on social engineering and the victim's willingness to follow what appears to be a legitimate internal instruction.
What is vendor email compromise (VEC)?
Vendor Email Compromise is a BEC variant in which attackers compromise a vendor's or supplier's actual email account rather than impersonating them from a lookalike domain. When an attack comes from the real vendor account with authentic email signatures, traditional impersonation detection fails. VEC attacks typically involve monitoring the victim's financial email correspondence for weeks before sending a fraudulent payment redirection request. Defense requires behavioral analytics that detect anomalous communication patterns from known vendors, and process controls that verify payment changes through independently verified contact channels.
Does DMARC prevent BEC?
DMARC prevents domain spoofing — emails that forge the exact From domain your organization or your vendors own. It does not prevent lookalike domain impersonation (a domain that closely resembles but is not identical to the legitimate domain), cousin domain attacks, or attacks from compromised legitimate accounts. DMARC is a necessary baseline control but should not be positioned as a BEC defense. Organizations with DMARC enforcement still experience significant BEC losses because the attacks that cause most losses do not involve domain spoofing.
What is the FBI Financial Fraud Kill Chain?
The Financial Fraud Kill Chain (FFKC) is a program administered by the FBI in coordination with the US Treasury Department and financial institutions that attempts to recover funds lost to wire fraud. Organizations that report BEC wire fraud to IC3.gov and request FFKC activation within 24 to 48 hours of the fraudulent transfer have a roughly 72% chance of full or partial fund recovery. Beyond 72 hours, recovery probability drops sharply as funds are moved through additional accounts or converted. Report BEC fraud to IC3.gov immediately — do not wait for internal investigation to complete before reporting.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
