Business Email Compromise: How Attackers Exploit Trusted Email Identities
Business Email Compromise is consistently one of the highest-value attack categories in terms of financial loss, and it is one of the least technically sophisticated. There is no ransomware payload, no encrypted file server, no dramatic system outage. In most BEC incidents, the attacker spends weeks reading a victim's email, learning the organisation's language, understanding payment processes, and identifying the right moment to redirect a transaction. By the time the fraud is discovered, the money is gone and the evidence is in an email inbox that looked completely legitimate.
The defining characteristic of BEC is that it exploits trusted identity rather than technical vulnerability. An attacker using a genuine, compromised email account to request a payment change is vastly more convincing than one using a spoofed address. The recipient has email history with that address. The writing style matches. The context references real transactions. There is nothing in the email itself that signals fraud. This is what makes BEC so effective and so difficult to detect through standard security controls that focus on malicious attachments and links.
How BEC Attacks Are Executed
BEC attacks typically begin with an account compromise: a phishing email, a credential stuffing attack against a reused password, or exploitation of a weak or absent multi-factor authentication configuration. Once the attacker has access to a legitimate account, they spend time in reconnaissance mode, reading email threads, learning organisational structure, identifying financial processes, and understanding the language and tone used in internal and external communications. This dwell time can last weeks. The attacker is learning, not acting.
The attack itself is then timed to coincide with a credible trigger: an invoice due date, a property settlement, a supplier payment run, a new employee who does not yet know all the right procedures for verifying payment changes. The attacker, using either the compromised account directly or an impersonation of it, requests an account change or initiates a new transaction. In some cases, the attacker engages in multi-email exchanges with the target, building false urgency and using social engineering techniques to overcome hesitation. Financial institutions report that BEC transfers are among the most difficult to recover once initiated.
The DFIR Investigation of a BEC Incident
When a BEC incident is identified, the forensic investigation must establish several things: when the account was first compromised, what the attacker accessed during their dwell time, whether other accounts in the organisation were also compromised, what rules or forwarding configurations the attacker set up to maintain access or hide their activity, and the full scope of communications conducted using the compromised identity. This is not a quick investigation. Attackers frequently set up inbox rules that delete or redirect incoming emails to prevent the legitimate account holder from seeing replies, which means the compromise can persist long after the initial access.
Cloud email platform logs are the primary forensic artefact in a BEC investigation. These logs record authentication events, including source IP addresses, geographic locations, device identifiers, and session activity. Comparing these logs against the legitimate user's known access patterns frequently identifies the attacker's access sessions clearly. However, log retention in cloud email platforms is often limited to 30 or 90 days by default, and in some configurations even less. If the compromise began more than 90 days before the investigation, critical authentication logs may no longer exist.
Controls That Actually Reduce BEC Risk
Multi-factor authentication on all email accounts is the single most effective control for preventing initial account compromise. An attacker with a stolen username and password cannot authenticate if MFA is properly configured and enforced. Many BEC incidents we investigate involve accounts where MFA was available but not enforced, or where legacy authentication protocols were left enabled and allowed the attacker to bypass MFA entirely. Blocking legacy authentication protocols is as important as enabling MFA in the first place.
Process controls are equally important and address the cases where account compromise has already occurred. Payment verification procedures that require confirmation through a second channel for any change in payment details significantly reduce BEC success rates. The second channel must be genuinely independent: a phone call to a known number, not a reply to the same email thread. Organisations that implement a verified callback procedure for account change requests, even when they seem to come from known and trusted senders, remove the primary vector through which BEC fraud completes.
What to Do When BEC Is Suspected
When BEC is suspected, the first priority is determining whether an account compromise is active. If the account holder's credentials are still in use by the attacker, changing the password alone may not be sufficient if the attacker has established persistent access through OAuth tokens or application passwords. All active sessions must be terminated, legacy authentication must be blocked for that account, and the account should be reviewed for inbox rules, forwarding configurations, and consent grants to third-party applications.
Contact your financial institution immediately if a fraudulent transfer has been initiated. The window for recovery is narrow, typically hours, and some institutions have BEC-specific rapid response processes. Do not assume the transfer cannot be recovered without asking. Concurrently, notify your insurer and preserve all email evidence before any accounts are cleaned up. The evidence in the inbox, including headers showing source IP addresses, is critical for both the investigation and any subsequent legal action.
We investigate BEC incidents and help organisations understand the scope of an account compromise and what the attacker accessed during their dwell time. Contact us at info@cyberlinx.com.au if you are dealing with a suspected BEC incident or want to assess your exposure.
Related Articles







