You get a message from your CFO asking you to wire funds to a new vendor. The email looks legitimate. It comes from the right address, uses the right tone, and references a real project. You process the payment. Two days later, you discover that email was sent by an attacker who had compromised your CFO's account.
This scenario is not hypothetical. Business email compromise (BEC) cost organizations over $2.9 billion in reported losses in 2023 alone, according to the FBI's Internet Crime Complaint Center. For businesses in Maryland, the Baltimore metro, and the DMV area, where government contracting, legal, financial, and healthcare industries are concentrated, the risk is particularly acute.
What Is Business Email Compromise?
Business email compromise (BEC) is a type of attack in which a cybercriminal gains access to a legitimate business email account, or convincingly impersonates one, and uses it to deceive employees, partners, or clients into sending money or data. Unlike bulk phishing, which casts a wide net with obviously fake emails, BEC is targeted and usually operates from a real, compromised account (or from a lookalike domain that mimics one), so the message passes the checks people normally rely on.
BEC attacks typically fall into a few categories:
- CEO/executive impersonation — The attacker uses a compromised executive account to request wire transfers or sensitive data from finance or HR staff.
- Vendor invoice manipulation — The attacker intercepts email threads with vendors and substitutes their own bank account details on invoices.
- Account compromise for data theft — The attacker uses a compromised account to access confidential files, client data, or intellectual property stored in the mailbox or connected services.
- Attorney impersonation — The attacker poses as legal counsel to pressure employees into quick, confidential transactions.
Warning Signs Your Email May Be Compromised
The danger of BEC is that the attacker is often sitting inside the account for days or weeks before taking action, quietly reading emails and learning your processes. Here are the signs to watch for:
- Unexpected password reset notifications that you did not initiate, for your email or connected services like Microsoft 365 or Google Workspace.
- Sent messages you did not write. Check your Sent and Deleted Items folders regularly. Attackers sometimes send messages and then delete them to cover their tracks.
- Inbox rules you did not create. A classic BEC technique is to create an inbox rule that automatically forwards certain emails to an external address or moves messages from specific senders to a hidden folder.
- Login activity from unusual locations. Most email platforms show recent sign-in activity. If you see logins from IP addresses or geographic locations that do not match your team, that is a red flag.
- Contacts reporting suspicious messages from you. If clients, vendors, or colleagues say they received strange or unexpected emails from your address, treat it as a potential compromise.
- Multi-factor authentication prompts you did not trigger. Repeated MFA push notifications or code requests when you are not trying to log in could indicate an attacker who has your password and is attempting to get past MFA.
- Missing emails. If expected messages are not arriving, an attacker may have created forwarding or deletion rules.
Act immediately if you notice any of these signs. The longer an attacker has access, the more damage they can do. Minutes matter.
Immediate Steps If You Suspect a Compromise
Emergency Response Protocol
- Change the password immediately from a different, trusted device. Use a strong, unique password that has never been used before.
- Revoke all active sessions. Changing the password does not end sessions that are already signed in or invalidate tokens the attacker already holds. In Microsoft 365, open the user in the admin center and choose Sign out of all sessions. In Google Workspace, open the user in the Admin console and, under Security, sign the user out and revoke any app passwords and connected third-party apps. In either platform, also review and remove any OAuth applications the attacker may have granted access to the mailbox, a common way to keep access after a password change.
- Check and remove suspicious inbox rules and mailbox forwarding. Look for rules that forward, redirect, or delete messages, or that move mail to rarely opened folders such as RSS Feeds or Archive, and check the mailbox-level forwarding setting as well, since it is separate from inbox rules. Attackers set these up in the large majority of BEC cases.
- Review recent sent messages and file access. Determine what the attacker may have seen, sent, or downloaded.
- Enable or verify multi-factor authentication. If MFA was not enabled, enable it now. If it was enabled, verify the registered methods have not been changed.
- Notify your team and affected contacts. Anyone who received messages from the compromised account should be warned not to act on recent requests, especially those involving payments or sensitive data.
- Contact your bank immediately if any fraudulent wire transfers or payment changes were made. Speed is critical for recovering funds.
- Report the incident. File a report with the FBI's IC3 at ic3.gov; its Recovery Asset Team works with banks to freeze fraudulent transfers when a report arrives quickly. Notify your cyber insurance provider if applicable.
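The inbox-rule step above is the one most often done by eye, and the one where a hidden rule gets missed. The following is an added example, not part of the original post or of any vendor tool: a Python triage script for a rule set assumed to have been exported from Microsoft 365 (for instance with Get-InboxRule -IncludeHidden and Get-Mailbox, serialized to JSON with plain SMTP addresses) for a company assumed to own example.com and example.org. The sample rules and mailbox are constructed to show one clean rule, one legitimate invoice-filing rule, and the two patterns attackers leave behind: forwarding finance mail to an outside address while deleting it, and burying security alerts in a folder nobody opens.

```python
"""Triage an exported set of inbox rules (and the mailbox forwarding setting)
for the patterns attackers leave behind in a compromised mailbox."""
from __future__ import annotations

import re

# Assumption: the domains the organization owns (constructed for this example).
INTERNAL_DOMAINS = {"example.com", "example.org"}

# Folders users rarely open, a favorite destination for buried mail.
HIDEOUT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "archive", "deleted items"}

# Words marking the finance and credential mail an attacker wants to intercept.
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "ach", "bank", "remittance",
                    "w-2", "password", "verification"}

CONDITION_KEYS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords")
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def is_external(address: str) -> bool:
    """True when the address's domain is not one the organization owns."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def triage_rule(rule: dict) -> list[str]:
    """Reasons a single rule looks like attacker persistence (empty = clean).
    Keyword conditions only count alongside a hiding or forwarding action, so a
    legitimate 'file invoices in the Invoices folder' rule is not flagged."""
    reasons: list[str] = []
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 or not any(ch.isalpha() for ch in name):
        reasons.append("name is blank or non-descriptive")
    for key in FORWARD_KEYS:
        for addr in rule.get(key) or []:
            if is_external(addr):
                reasons.append(f"{key} sends mail to external address {addr}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").strip()
    if folder.lower() in HIDEOUT_FOLDERS:
        reasons.append(f"moves messages to rarely viewed folder '{folder}'")
    if rule.get("MarkAsRead") and (folder or rule.get("DeleteMessage")):
        reasons.append("marks messages as read so the user never notices them")
    if reasons:
        words = [w.lower() for key in CONDITION_KEYS for w in (rule.get(key) or [])]
        hits = sorted(kw for kw in FINANCE_KEYWORDS
                      if any(re.search(rf"\b{re.escape(kw)}\b", w) for w in words))
        if hits:
            reasons.append("filters on finance/credential keywords: " + ", ".join(hits))
    return reasons


def triage_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to its reasons; clean rules are omitted."""
    flagged: dict[str, list[str]] = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            flagged[rule.get("Name") or rule.get("RuleIdentity") or "<unnamed>"] = reasons
    return flagged


def check_mailbox_forwarding(mailbox: dict) -> list[str]:
    """Mailbox-level forwarding is separate from inbox rules and needs its own check."""
    reasons = []
    for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
        value = mailbox.get(key)
        if value:
            addr = value.split(":", 1)[-1]  # drop the 'smtp:' prefix Exchange adds
            if is_external(addr):
                reasons.append(f"{key} forwards all mail to external address {addr}")
    return reasons


# Constructed sample export in the shape of Get-InboxRule / Get-Mailbox output
# serialized to JSON with plain SMTP addresses; not data from a real tenant.
SAMPLE_RULES = [
    {"Name": "Newsletters", "FromAddressContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"Name": "Invoices", "SubjectContainsWords": ["invoice"], "MoveToFolder": "Invoices"},
    {"Name": ".", "SubjectOrBodyContainsWords": ["invoice", "wire", "payment"],
     "ForwardTo": ["ar.payments.4471@gmail.com"], "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Cleanup", "SubjectContainsWords": ["password reset", "security alert"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
]
SAMPLE_MAILBOX = {"Identity": "cfo@example.com", "DeliverToMailboxAndForward": True,
                  "ForwardingSmtpAddress": "smtp:ar.payments.4471@gmail.com"}
```

Running triage_rules(SAMPLE_RULES) flags only the "." and "Cleanup" rules and leaves the two legitimate ones alone; check_mailbox_forwarding(SAMPLE_MAILBOX) catches the mailbox-level forward that an inbox-rule review would never see. Anything flagged should be removed and the destination address recorded for the incident report.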
How to Prevent Business Email Compromise
Enable Multi-Factor Authentication (MFA)
This is the single most effective defense against email account takeover. With MFA enabled, even if an attacker steals a password through phishing or a data breach, they cannot access the account without the second factor. Use app-based authentication (like Microsoft Authenticator) rather than SMS, which is vulnerable to SIM-swapping attacks. Authenticator apps are not immune, though: attackers bombard a user with push prompts hoping one gets approved (the unexpected prompts listed in the warning signs above), and reverse-proxy phishing kits relay the one-time code in real time. Turn on number matching where it is offered, and for executive and finance accounts prefer phishing-resistant methods such as FIDO2 security keys or passkeys.
Implement DMARC, SPF, and DKIM
These three email authentication protocols work together to prevent attackers from sending emails that appear to come from your domain:
- SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain. It is a DNS TXT record that looks like this for Google Workspace (for Microsoft 365 the include is spf.protection.outlook.com):
v=spf1 include:_spf.google.com ~all
- DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails so recipients can verify that the message was sent by a server holding your domain's signing key and was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together: it requires the domain that passed SPF or DKIM to match the From address the recipient sees, and tells receiving mail servers what to do with messages that fail (monitor only, quarantine, or reject). It also provides aggregate reports so you can see who is sending email using your domain. It is published as a TXT record at _dmarc.yourdomain; start with p=none to collect reports, then move to p=quarantine and finally p=reject once every legitimate sender passes.
If you do not have DMARC configured, receiving servers have no instruction to reject mail that spoofs your domain, so anyone can send emails that appear to come from it. Many small businesses, in Maryland and the DMV area as elsewhere, have not configured DMARC, and it is one of the fastest security improvements you can make. Be clear about what it does not do: DMARC stops exact-domain spoofing only. Mail sent from a compromised account authenticates normally, and mail from a lookalike domain belongs to the attacker, which is why the verification procedures and monitoring below still matter.
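Reading these records by hand is error-prone, so here is an added example, not part of the original post or of any tool the post mentions: a small Python checker that parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable. It works on strings only, so it runs offline on records pulled from DNS or on a draft record before publishing. The weak and strong record pairs are constructed for an assumed domain (the report address dmarc-reports@example.com is invented); the weak pair is typical of a domain set up once and never revisited, the strong pair is the target state described above.

```python
"""Parse SPF and DMARC TXT records and report settings that leave a domain
open to exact-domain spoofing."""
from __future__ import annotations

# Terms that cost a DNS lookup; SPF allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Return the SPF terms as (qualifier, term) pairs plus the qualifier on 'all'."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier = "+"                      # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        terms.append((qualifier, term))
    return {"terms": terms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Return DMARC tags as a dict; 'v' must be DMARC1 and 'p' must be present."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def assess(spf: str | None, dmarc: str | None) -> list[str]:
    """Findings for a domain's records; an empty list means nothing to fix."""
    findings: list[str] = []
    if spf is None:
        findings.append("SPF: no record, receivers cannot tell which servers may send for the domain")
    else:
        parsed = parse_spf(spf)
        q = parsed["all"]
        if q is None:
            findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
        elif q in "+?":
            findings.append(f"SPF: '{q}all' lets any server send as the domain")
        lookups = sum(1 for _, t in parsed["terms"]
                      if t.split(":")[0].split("=")[0].lower() in LOOKUP_TERMS)
        if lookups > 10:   # a lower bound, since nested includes add more lookups
            findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10, so the record fails to evaluate")
    if dmarc is None:
        findings.append("DMARC: no record, receivers have no policy for mail that fails SPF/DKIM")
    else:
        tags = parse_dmarc(dmarc)
        if tags["p"].lower() == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so no aggregate reports on who sends as the domain")
    return findings


# Constructed records for an assumed domain; not pulled from any real zone.
WEAK_SPF = "v=spf1 a mx include:_spf.google.com ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.google.com ~all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
```

assess(WEAK_SPF, WEAK_DMARC) returns three findings (the ?all qualifier, p=none, and no report address); assess(STRONG_SPF, STRONG_DMARC) returns none. The strong SPF keeps ~all rather than -all on purpose: once DMARC is at p=reject it makes the delivery decision, and a softfail avoids breaking legitimately forwarded mail.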
Establish Verification Procedures for Financial Requests
No wire transfer, payment change, or sensitive data request should be executed based solely on an email. Establish a policy that requires verbal confirmation via a known phone number (not one provided in the email) for any financial transaction over a defined threshold. This single policy can prevent the majority of BEC losses.
Train Your Team to Recognize BEC Tactics
BEC attacks exploit trust and urgency. Train employees to be skeptical of emails that create artificial time pressure ("this needs to be done before end of day"), request secrecy ("don't discuss this with anyone else yet"), or involve changes to payment details. Regular security awareness training is essential.
Monitor Email Activity Continuously
Configure alerts for suspicious sign-in activity (sign-ins from new countries, two sign-ins too far apart to be the same person, repeated MFA denials), new or changed inbox rules, and mail forwarding changes. In Microsoft 365 these appear in the unified audit log as operations such as New-InboxRule, Set-InboxRule, UpdateInboxRules, and Set-Mailbox with forwarding parameters; Google Workspace exposes the equivalent in its audit and investigation logs. A managed security operations center can monitor these signals 24/7 and respond before an attacker can act. Learn about how PalisadeOne's platform provides this level of visibility across your entire environment.
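To make those alerts concrete, here is an added example, not part of the original post and not PalisadeOne's detection logic: a Python detector run over a constructed batch of sign-in and mailbox audit events normalized to one simple shape. The user accounts, IP addresses, country baselines, and thresholds (2 hours for impossible travel, 3 unanswered MFA prompts in 10 minutes) are assumptions for the example; the event sequence is invented to show an analyst with normal activity beside a CFO account that is worn down with MFA prompts, taken over from abroad, and then given a forwarding rule and mailbox-level forwarding.

```python
"""Alerting logic for the warning signs above, run over a constructed batch of
normalized sign-in and mailbox audit events."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: countries each user normally signs in from (constructed baseline).
BASELINE_COUNTRIES = {"cfo@example.com": {"US"}, "analyst@example.com": {"US"}}
MIN_TRAVEL = timedelta(hours=2)     # two successes from different countries closer than this
MFA_FATIGUE_WINDOW = timedelta(minutes=10)
MFA_FATIGUE_COUNT = 3
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}  # Exchange Online audit operations

# Constructed events, not real log data.
EVENTS = [
    {"time": "2024-03-04T13:02:00Z", "user": "analyst@example.com", "type": "signin",
     "ip": "198.51.100.7", "country": "US", "result": "success"},
    {"time": "2024-03-04T20:30:00Z", "user": "cfo@example.com", "type": "signin",
     "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"time": "2024-03-04T22:10:00Z", "user": "cfo@example.com", "type": "signin",
     "ip": "192.0.2.44", "country": "NL", "result": "mfa_denied"},
    {"time": "2024-03-04T22:12:00Z", "user": "cfo@example.com", "type": "signin",
     "ip": "192.0.2.44", "country": "NL", "result": "mfa_denied"},
    {"time": "2024-03-04T22:15:00Z", "user": "cfo@example.com", "type": "signin",
     "ip": "192.0.2.44", "country": "NL", "result": "mfa_timeout"},
    {"time": "2024-03-04T22:16:00Z", "user": "cfo@example.com", "type": "signin",
     "ip": "192.0.2.44", "country": "NL", "result": "success"},
    {"time": "2024-03-04T22:18:00Z", "user": "cfo@example.com", "type": "audit",
     "operation": "New-InboxRule", "parameters": {"Name": ".", "ForwardTo": "ar.payments.4471@gmail.com"}},
    {"time": "2024-03-04T22:19:00Z", "user": "cfo@example.com", "type": "audit",
     "operation": "Set-Mailbox", "parameters": {"ForwardingSmtpAddress": "smtp:ar.payments.4471@gmail.com"}},
    {"time": "2024-03-05T08:05:00Z", "user": "analyst@example.com", "type": "signin",
     "ip": "198.51.100.7", "country": "US", "result": "success"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per detected pattern: new_country, impossible_travel,
    mfa_fatigue, inbox_rule_change, mailbox_forwarding_change."""
    alerts: list[dict] = []
    last_success: dict[str, dict] = {}
    mfa_failures: dict[str, list[datetime]] = defaultdict(list)
    seen_countries: set[tuple[str, str]] = set()

    for e in sorted(events, key=_ts):
        user = e["user"]
        if e["type"] == "signin":
            if e["result"] == "success":
                if (e["country"] not in BASELINE_COUNTRIES.get(user, set())
                        and (user, e["country"]) not in seen_countries):
                    seen_countries.add((user, e["country"]))
                    alerts.append({"rule": "new_country", "user": user,
                                   "detail": f"success from {e['country']} ({e['ip']})"})
                prev = last_success.get(user)
                if prev and prev["country"] != e["country"] and _ts(e) - _ts(prev) < MIN_TRAVEL:
                    alerts.append({"rule": "impossible_travel", "user": user,
                                   "detail": f"{prev['country']} then {e['country']} within {_ts(e) - _ts(prev)}"})
                last_success[user] = e
            elif e["result"] in ("mfa_denied", "mfa_timeout"):
                mfa_failures[user].append(_ts(e))
        elif e["type"] == "audit":
            op, params = e["operation"], e.get("parameters", {})
            if op in RULE_OPS:
                alerts.append({"rule": "inbox_rule_change", "user": user, "detail": f"{op} {params}"})
            elif op == "Set-Mailbox" and any("forwarding" in k.lower() for k in params):
                alerts.append({"rule": "mailbox_forwarding_change", "user": user, "detail": f"{op} {params}"})

    # MFA fatigue: several rejected or expired prompts inside a short window
    # means someone who already has the password is pushing for an approval.
    for user, times in mfa_failures.items():
        for i in range(len(times) - MFA_FATIGUE_COUNT + 1):
            if times[i + MFA_FATIGUE_COUNT - 1] - times[i] <= MFA_FATIGUE_WINDOW:
                alerts.append({"rule": "mfa_fatigue", "user": user,
                               "detail": f"{MFA_FATIGUE_COUNT} unanswered prompts starting {times[i]:%H:%M}"})
                break
    return alerts
```

detect(EVENTS) produces five alerts, all for the CFO account and none for the analyst: a sign-in from a country outside the baseline, impossible travel (US to NL in under two hours), an MFA fatigue burst, a new inbox rule, and a mailbox forwarding change. In a real deployment the first three should page someone before the last two ever happen.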
The Bottom Line
Business email compromise is effective because it exploits the way people naturally communicate and trust each other at work. Technical defenses like MFA and DMARC raise the bar significantly, but they need to be paired with procedural safeguards and ongoing monitoring.
If your organization has not reviewed its email security posture recently, now is the time. The cost of a single successful BEC attack can dwarf the cost of proper prevention many times over. Review our pricing to see how managed email security fits into a comprehensive protection plan.