Business Email Compromise
Business email compromise, or BEC, is a practical fraud problem more than a technical spectacle. Attackers gain access to a mailbox or impersonate a trusted sender, then use normal business conversations to redirect payments, request gift cards, change banking details, or harvest confidential information.
Small businesses are attractive because payment approval is often relationship-based. A law clerk, clinic administrator, bookkeeper, or consultant may know the requester personally and want to keep work moving. The best defence combines Microsoft 365 controls with simple finance procedures that make unusual requests easier to verify.
What it means
BEC can involve full mailbox compromise, lookalike domains, display-name spoofing, or a changed reply-to address. In many cases, the message does not contain malware. It works because it fits into a real business process.
After mailbox access, attackers often search for words like invoice, payment, wire, closing, retainer, payroll, or tax. They may create forwarding rules, hide replies, and wait until the right conversation appears.
How it affects small businesses
A professional office may have a small finance team, a managing partner who approves payments by email, and vendors that send invoices as PDFs. That is normal, but it creates predictable workflows attackers can study.
The impact can include misdirected funds, delayed closings, vendor disputes, client notification work, mailbox cleanup, and staff confidence issues. Even when money is recovered, the business loses time proving what happened and tightening the process.
Invoice redirection
Attackers change banking details during an active vendor or client conversation.
Hidden mailbox rules
Rules can forward messages externally or move replies to folders users rarely check.
Trusted account abuse
Messages from a real staff mailbox can bypass the healthy skepticism people apply to unknown senders.
How the attack usually starts
Business email compromise usually starts with mailbox access, lookalike domains, display-name impersonation, or a compromised vendor or client account. The message often contains no malware. It works because it fits into a real business workflow.
Once attackers have a mailbox or convincing impersonation path, they study invoices, retainers, payroll, wire instructions, closing dates, or vendor conversations. The attack becomes a process problem as much as a security problem.
Mailbox compromise
A real user account is used to send or monitor payment-related conversations.
Impersonation
A display name, reply-to address, or lookalike domain makes an outside message appear familiar.
Vendor thread hijack
Attackers enter an existing conversation and wait for the right payment moment.
What attackers are trying to achieve
Change payment details
The common goal is redirecting an invoice, retainer, payroll, or vendor payment.
Hide replies
Inbox rules may move replies away from the user so the fraud can continue.
Use trust inside the business
Messages from a real mailbox are more believable than outside spam.
What it looks like in a real small business
A 28-person law office receives updated payment instructions during an active closing. The message appears in the same thread and uses familiar wording. The attacker has access to one mailbox and has created a rule that hides replies containing words like bank, wire, and invoice.
The office catches the issue because its payment process requires phone verification using a known number, not the number in the email. The technical cleanup still matters: revoke sessions, check rules, review sign-ins, and inspect other mailboxes that may have received internal phishing.
Common warning signs
New inbox or forwarding rules
Rules that delete, archive, forward, or hide messages are a common compromise indicator.
Changed reply-to or unusual sender domain
A message may look familiar while replies go somewhere else.
Strange sent mail or missing sent items
Attackers may send messages, then delete the traces or use rules to hide the responses.
Urgent vendor payment changes
Banking detail changes should be verified through a known phone number or established out-of-band process.
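Added example, not code from the original page or from CtrlShift IT: a Python check that scores exported mailbox audit records for the rule patterns listed above (external forwarding, delete or move actions, payment-word conditions, and blank rule names). The record layout, the sample records, and the tenant domain example.com are constructed assumptions, so it runs offline on the embedded sample.

```python
import json
# Payment words the page says attackers search for, plus "bank" from the law-office example.
PAYMENT_WORDS = {"invoice", "payment", "wire", "closing", "retainer", "payroll", "tax", "bank"}
# New-InboxRule / Set-InboxRule parameters that send mail out of the tenant or keep it from the user.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
# Constructed sample export, one JSON record per line, in the shape of Exchange mailbox audit records.
SAMPLE_AUDIT_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "clerk@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "BodyContainsWords", "Value": "bank;wire;invoice"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "partner@example.com",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bookkeeper@example.com",
                "Parameters": [{"Name": "ForwardAsAttachmentTo", "Value": "archive@lookalike.example"}]}),
]

def score_rule_event(record, internal_domain):
    """Return (score, reasons) for one parsed record; score 0 means it is not a rule change."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return 0, []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    score, reasons = 0, []
    for name in FORWARD_PARAMS & params.keys():
        if not params[name].lower().endswith("@" + internal_domain):  # external forward: strongest signal
            score += 3
            reasons.append(f"{name} sends mail to external address {params[name]}")
    for name in HIDE_PARAMS & params.keys():
        score += 1
        reasons.append(f"{name}={params[name]} keeps matching mail out of sight")
    for name in KEYWORD_PARAMS & params.keys():
        hits = sorted({w.strip().lower() for w in params[name].split(";")} & PAYMENT_WORDS)
        if hits:
            score += 2
            reasons.append(f"{name} matches payment words {hits}")
    if not params.get("Name", "x").strip(" .,-_"):
        score += 1  # rules named "." or "," are chosen so the mailbox owner never notices them
        reasons.append("rule name is blank or punctuation only")
    return score, reasons

def find_suspicious_rules(lines, internal_domain, threshold=2):
    """Parse exported audit lines; return rule changes scoring at or above threshold, worst first."""
    findings = []
    for record in map(json.loads, lines):
        score, reasons = score_rule_event(record, internal_domain)
        if score >= threshold:
            findings.append({"user": record.get("UserId"), "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

On the sample the clerk's hidden payment rule and the bookkeeper's external forward are reported; the benign newsletter rule stays below the threshold.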
Signals to check
Inbox and forwarding rules
Look for rules that delete, archive, move, or forward messages externally.
Mailbox audit logs
Review rule creation, message access, sent items, delegate changes, and suspicious logins.
Reply-to and domain details
Check whether replies go to an unexpected address or a lookalike domain.
Payment-change history
Trace when banking details changed, who approved it, and what verification occurred.
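Added example, not part of the original page: a Python header check for the reply-to and domain signal above. It flags a Reply-To address that sends replies away from the From domain, and a sender domain that imitates a known business domain through character swaps or small spelling changes. The message, the trusted-domain list, and the confusable-character table are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the office actually does business with (constructed for this example).
TRUSTED_DOMAINS = {"example.com", "vendor.example"}
# Character swaps that make a registered lookalike domain read like the real one.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
# Constructed headers of a payment-change request that appears inside an existing thread.
SAMPLE_MESSAGE = """From: "Dana Chen" <dana.chen@vend0r.example>
Reply-To: "Dana Chen" <dana.chen@mail-relay.invalid>
To: clerk@example.com
Subject: RE: Closing on Friday - updated wire instructions
"""

def edit_distance(a, b):
    """Levenshtein distance, so single swapped, dropped or added characters are caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if not domain or domain in trusted:
        return None
    folded = domain
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    for t in trusted:
        if folded == t or edit_distance(domain, t) <= 2:
            return t
    return None

def check_headers(raw_message):
    """Return readable findings for a Reply-To mismatch and for lookalike sender domains."""
    msg = message_from_string(raw_message)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_domain, reply_domain = from_addr.rpartition("@")[2], reply_addr.rpartition("@")[2]
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_addr} sends replies away from the From domain {from_domain}")
    for label, domain in (("From", from_domain), ("Reply-To", reply_domain)):
        target = lookalike_of(domain)
        if target:
            findings.append(f"{label} domain {domain} looks like trusted domain {target}")
    return findings
```

The edit-distance threshold of 2 will also flag short legitimate domains that happen to be near a trusted one, so treat hits as prompts for the out-of-band phone check rather than as proof.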
What to do first
Pause payment changes
Stop related transfers until the request is verified through a known out-of-band method.
Secure suspected mailboxes
Reset credentials, revoke sessions, review MFA methods, and remove suspicious rules.
Preserve evidence
Keep headers, messages, audit logs, and approval notes for investigation and insurance conversations.
Notify affected internal stakeholders
Finance, leadership, and the account owner should understand what was seen and what to watch for.
How to reduce the risk
Require MFA and monitor MFA changes
MFA reduces password-only compromise, while alerts for new MFA methods help catch account takeover attempts.
Enable mailbox auditing and alerting
Audit logs, inbox rule alerts, forwarding alerts, and suspicious sending alerts make response faster.
Use payment verification procedures
Verify new banking details or urgent payment changes through a known phone number, not by replying to the email thread.
Train staff on workflow checks
Training should focus on practical moments: invoice changes, executive requests, new vendors, and unexpected secrecy.
Review external forwarding
Disable or tightly control automatic forwarding to external addresses unless there is a documented business need.
Common mistakes
Treating BEC as only a phishing issue
BEC is often a mix of mailbox security, payment process, and user verification.
Not reviewing mailbox rules
Rules are one of the most common ways attackers hide their activity.
Verifying by replying to the thread
If the thread is compromised, replies may go back to the attacker.
Ignoring vendor compromise
The suspicious message may come from a real vendor account, not your own tenant.
CtrlShift IT review checklist
In a security risk review, we focus on the operational checks that show whether the control is actually working for a small business, not just whether a setting exists.
Mailbox rule and forwarding audit
We review forwarding, hidden rules, mailbox permissions, delegates, and unusual sent mail.
MFA and session review
We confirm MFA coverage, revoke suspicious sessions, and check security info changes.
Email authentication posture
We review SPF, DKIM, DMARC, anti-phishing policies, and external sender handling.
Finance workflow review
We identify where email-only approval creates avoidable payment risk.
Alerting and logging readiness
We check whether mailbox auditing, forwarding alerts, and suspicious sign-in alerts are usable.
FAQ
What is business email compromise?
Business email compromise is fraud that abuses trusted email relationships, often through mailbox compromise, impersonation, or hijacked vendor conversations.
Does BEC always involve malware?
No. Many BEC attempts contain no malware and rely on trust, timing, and normal payment workflows.
What should we check first after a suspected BEC incident?
Check mailbox rules, forwarding, sign-in logs, sent mail, MFA methods, and the payment approval trail. Preserve evidence before deleting anything.
How can a small office reduce BEC risk quickly?
Require MFA, enable mailbox auditing and alerts, restrict external forwarding, and verify payment changes through a known phone number or established process.