PRACTITIONER GUIDE | INCIDENT RESPONSE
Practitioner Guide10 min read

Business Email Compromise Incident Response: Stopping the Wire and Recovering the Account

$2.9B
BEC losses reported to FBI IC3 in 2023: highest of any cybercrime
72 hours
Wire recall window before funds are typically unrecoverable
30 min
Median time from account compromise to first fraudulent action
137,000
Average dollar loss per BEC incident

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

BEC is the highest-dollar cybercrime category the FBI tracks, but most security teams treat it as a finance problem rather than a security incident. The reality is that BEC has two simultaneous response tracks that must run in parallel: the financial track (wire recall) operates on a 72-hour window that starts the moment the fraudulent transfer is initiated, and the security track (account containment and forensics) must start immediately because the compromised account is typically still actively used while the financial response is happening.

Delaying either track costs money. This guide structures both tracks and provides the specific steps for each.

Detecting BEC: what makes it different from phishing

BEC does not typically involve malware, malicious links, or suspicious attachments. Standard phishing detection controls (sandbox, URL rewriting, attachment detonation) do not catch BEC. Detection requires different signals.

BEC attack patterns:

Account takeover BEC: The threat actor compromises a legitimate internal account (most commonly via phishing, credential stuffing, or AiTM phishing) and uses it to send fraudulent payment instructions to finance or accounts payable. The email comes from a real internal account, bypasses all email filtering, and appears fully legitimate. Detection requires behavioral anomalies: the account sending emails from a new IP or location, unusual email volume, new mailbox rules forwarding copies to external addresses, or emails sent at unusual hours.

Vendor impersonation BEC: The threat actor sends email from a domain that convincingly resembles a legitimate vendor (invoice@vendorname-invoices.com instead of invoice@vendorname.com) or spoofs the vendor's From header. Detection: DMARC enforcement on the receiving domain, look-alike domain detection in your email gateway, and verification callbacks to known good phone numbers for any payment change request.

CEO fraud: Attacker impersonates the CEO or CFO via spoofed email to pressure an employee to initiate a wire transfer quickly. Always targets urgency and confidentiality ("do not discuss this with anyone"). Detection: DMARC enforcement, executive impersonation detection, and a verified callback policy for any wire transfer request regardless of sender.

Detection triggers for this playbook: finance team reports a suspicious payment change request, IT detects new inbox rules forwarding external email, Entra ID Identity Protection flags anomalous sign-in for a mailbox, email gateway flags a look-alike domain, or a vendor calls to ask about an unpaid invoice after a duplicate was paid to a different account.

Financial track: wire recall within 72 hours

The wire recall process must begin immediately upon discovering a fraudulent transfer. Every hour of delay reduces recovery probability.

Step 1 (within the first hour of discovery): Contact your bank's fraud department directly, not through standard customer service channels. Request an immediate recall or reversal of the fraudulent wire. Provide the transfer amount, date, originating account, and destination account. Many banks have a dedicated fraud response line; find it before an incident.

Step 2: File a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov immediately. Include the transaction details, originating and destination bank account numbers, and the fraudulent email chain. The FBI Financial Fraud Kill Chain program can freeze destination accounts if initiated within 72 hours of the transfer. After 72 hours, funds are typically moved to overseas accounts and are unrecoverable.

Step 3: If the destination bank is a US institution, your bank can contact them directly to freeze the fraudulent account. International wires are significantly harder to recall; success rates drop to below 10 percent once funds leave US correspondent banks.

Step 4: Notify your cyber insurance carrier immediately. Most commercial crime policies and cyber policies cover BEC losses, but timely notification is required for coverage. Check your policy for the notification window; some require notification within 24 to 72 hours of discovery.

Step 5: Preserve all financial records, email chains, and communications related to the fraudulent transfer for law enforcement and insurance documentation. Do not delete anything.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Security track: account containment and mailbox forensics

While the financial track is running, the security team must contain the compromised account and determine the full scope of attacker access.

Account containment (do immediately in parallel with financial track):

  • Reset the compromised account password and invalidate all active sessions (in Microsoft 365: Entra ID admin center, revoke sessions under the user's sign-in activity).
  • Revoke all OAuth tokens and app consents for the compromised account. Attackers frequently grant OAuth consent to malicious apps during account access to maintain persistence after password reset.
  • Disable any new mailbox rules created in the compromised account. BEC actors commonly create rules to: forward all incoming email to an external attacker-controlled address, delete replies from the vendor or bank being impersonated (to prevent the victim from seeing legitimate replies), or move security alerts to obscure folders.
  • Enable mailbox auditing on the compromised account if not already enabled (verify in the Microsoft Purview compliance portal).

Mailbox forensics (determine full scope of attacker access):

  • Review the mailbox audit log for the compromised account covering the period before detection. Look for: emails read (did the attacker read sensitive threads?), emails sent on behalf of the account (all fraudulent communications sent from it), calendar access, and contact list access.
  • Review the account's sign-in log in Entra ID. Identify: the first unusual sign-in (determines the compromise start date), sign-in locations and IP addresses (identifies attacker infrastructure), and authentication method used (legacy auth bypasses MFA).
  • Review email forwarding rules and any new inbox rules created during the compromise window.
  • Identify all external recipients who received email from the compromised account during the attacker's access window. These recipients may have received fraudulent payment instructions or malicious content.

Preventing recurrence: tenant-level controls

After containment and forensics, close the entry points that allowed the compromise and add controls that detect future attempts.

For account takeover BEC (credential-based initial access):

  • Enforce phishing-resistant MFA for all mailbox accounts. Standard TOTP MFA is vulnerable to real-time phishing and AiTM (adversary-in-the-middle) attacks using tools like Evilginx and Modlishka. Phishing-resistant MFA (FIDO2 hardware keys or Microsoft Authenticator with number matching and location verification) is not.
  • Block legacy authentication protocols via Conditional Access. Legacy auth (Basic auth, IMAP, POP3) bypasses MFA and is the most common BEC initial access vector.
  • Deploy Entra ID Identity Protection sign-in risk policies to automatically block or require step-up MFA for risky sign-ins (impossible travel, anonymous IP, leaked credentials).

For vendor impersonation and CEO fraud BEC:

  • Enforce DMARC (p=reject or p=quarantine) on your sending domain. This prevents external actors from spoofing your domain to target your vendors and partners.
  • Implement look-alike domain detection in your email gateway (Defender for Office 365 impersonation protection, or third-party tool). This catches domains like vendorname-invoices.com targeting your users.
  • Implement a verified callback policy for all payment change requests: any request to change banking details for a vendor or to initiate a wire transfer must be verified via a callback to a pre-established phone number, regardless of how convincing the email is. This single procedural control defeats the majority of BEC attempts.

The bottom line

BEC response requires simultaneous action on the financial and security tracks from the moment of discovery. The 72-hour wire recall window is non-negotiable; start the IC3 filing and bank contact within the first hour while the security team contains the compromised account in parallel. After the incident, close the technical entry points (legacy auth, missing MFA, no DMARC) and implement the procedural control that beats almost all BEC attempts: a verified phone callback for any payment change request.

Frequently asked questions

What is business email compromise?

Business Email Compromise (BEC) is a social engineering attack where threat actors use a legitimate compromised email account or a convincing impersonation of one to fraudulently redirect financial transactions or steal sensitive data. Unlike phishing, BEC does not rely on malicious links or attachments and bypasses most technical email security controls. The FBI IC3 reported $2.9 billion in BEC losses in 2023, making it the highest-dollar-volume cybercrime category. Common BEC scenarios: vendor impersonation with fake invoice payment instructions, CEO fraud requesting urgent wire transfers, and payroll diversion changing direct deposit accounts.

Can you recover money lost to BEC?

Recovery is possible if you act within 72 hours. The FBI Financial Fraud Kill Chain program can freeze destination accounts when a complaint is filed at ic3.gov within 72 hours of the fraudulent transfer. Your bank can also contact the destination bank to freeze the account if both are US institutions. After 72 hours, funds are typically moved to overseas accounts through a series of money mule accounts, making recovery rare. Contact your bank's fraud department and file an IC3 complaint simultaneously within the first hour of discovering the fraudulent transfer. Cyber insurance (commercial crime or cyber policy) may cover losses that cannot be recovered.

How do BEC attackers get access to email accounts?

The three most common BEC initial access methods are: (1) phishing emails with credential-harvesting fake login pages that capture username and password, (2) adversary-in-the-middle (AiTM) phishing using tools like Evilginx that intercept MFA tokens in real time, defeating standard TOTP-based MFA, and (3) credential stuffing using username and password combinations leaked from other breaches and reused for work email accounts. Once access is established, attackers often spend days monitoring email threads to understand ongoing financial transactions before inserting fraudulent payment instructions at the right moment.

What mailbox rules do BEC attackers create?

BEC attackers commonly create three types of malicious inbox rules: (1) forwarding rules that copy all incoming email (or email from specific senders like the victim's bank or the impersonated vendor) to an external attacker-controlled email address, giving the attacker continuous access even after password reset; (2) deletion rules that automatically delete replies from the impersonated vendor or bank, preventing the victim from seeing legitimate communications that would expose the fraud; and (3) folder-move rules that hide security alerts and account notification emails in obscure folders. Audit all inbox rules for a compromised account immediately upon containment and remove any created during the attacker's access window.

Does MFA prevent business email compromise?

Standard MFA (TOTP codes from an authenticator app) reduces BEC risk significantly but does not fully prevent it. AiTM phishing attacks using transparent reverse proxies capture both the credential and the MFA token in real time, allowing the attacker to establish a session that bypasses MFA. Phishing-resistant MFA methods (FIDO2 hardware security keys like YubiKey, or Microsoft Authenticator with number matching plus location verification) are not vulnerable to AiTM attacks and effectively prevent credential-based BEC initial access. Microsoft Entra ID Conditional Access can enforce phishing-resistant MFA for all sign-ins on a per-user or global basis.

How do I prevent BEC attacks?

The highest-impact BEC prevention controls are: (1) phishing-resistant MFA for all mailboxes (FIDO2 or Microsoft Authenticator with number matching), which prevents the credential theft initial access vector; (2) blocking legacy authentication protocols via Conditional Access, which eliminates the MFA bypass vector; (3) DMARC enforcement on your domain at p=reject or p=quarantine, preventing external parties from spoofing your domain to target your vendors; (4) a verified phone callback policy for any payment change request or wire transfer instruction, regardless of the apparent sender, which defeats impersonation-based BEC even when the technical controls are bypassed; and (5) Entra ID Identity Protection risk policies that automatically flag or block anomalous sign-ins.

Sources & references

  1. FBI IC3 BEC Complaint Submission
  2. CISA BEC Guidance
  3. Microsoft BEC Detection and Response

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.