
Business Email Compromise Incident Response and Containment: An Essential Guide

Incident Response / October 30, 2024

How to Prevent Business Email Compromise and How to Respond if It Happens

Quickly responding to and containing a cybersecurity incident is critical for business continuity, lower remediation costs, reputation protection, and minimizing other damages. This may be especially true of business email compromise (BEC) scams, which have risen sharply over the past few years. IBM’s Cost of a Data Breach report found the following alarming business email compromise statistics in 2024: a BEC attack on average costs $4.88 million, and social engineering attacks take longer to identify and contain than zero-day vulnerabilities, which in turn makes them costlier.

In this essential guide*, part of a series that includes Cybersecurity Beginner’s Guide: Three Best Practices to Prevent Cyber Incidents and Quick Guide to Preventing Third-Party Cyber Incidents, we’re taking a deeper look at how to prevent business email compromise attacks and how to mobilize when your organization is hit, so you can stanch data loss as quickly as possible.

(*The content below offers a preview of the Business Email Compromise Playbook inside Breach Plan Connect®, powered by NetDiligence®. To explore the full playbook and other incident response playbooks on common types of cybersecurity incidents, start your 30-day free trial of Breach Plan Connect today.)

What Is Cyber Incident Containment?

Cyber incident containment is the set of steps taken to limit the impact of a cyber incident after it has been detected. The primary goal is to prevent further damage, protect sensitive data, and maintain business operations.

What Is a BEC Scam?

A BEC scam is a type of cyber attack in which bad actors compromise a company’s email account to deceive employees or partners into making unauthorized transactions, such as fraudulent fund transfers, or into sharing sensitive information.

How Do BEC Scams Usually Occur?

BEC scams typically occur through a combination of social engineering and technical exploits, which can include phishing, spear phishing, exploiting weak passwords, using stolen credentials, or credential stuffing to gain access to email accounts and take actions to compromise a business.

Containing BEC Incidents

As soon as your organization becomes aware of a potential business email compromise and/or fraudulent fund transfer, you should take the following steps to secure your systems and contain the incident fallout.

Immediate Steps

  1. Isolate the affected account and reset passwords immediately.
  2. Revoke authentication tokens to drop active email sessions, and/or sign out of all active sessions or force logouts on all devices.
  3. Confirm multifactor authentication (MFA) is enabled.
  4. Review login activity for malicious IP addresses or unauthorized devices.
  5. Remove malicious email rules the attacker might have installed, such as forwarding rules.
  6. Ensure that no other accounts were affected.
  7. Implement blocks for any identified indicators of compromise (IOCs).
  8. Address external notification requirements with business partners and vendors who might be impacted by the breach.
  9. Immediately contact any financial institutions to halt fraudulent fund transfers or transactions that might be in progress.
  10. Notify law enforcement about the attack.
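
As an added example for step 5 (not part of the Breach Plan Connect playbook), the Python sketch below triages an exported list of mailbox rules for review. It goes slightly beyond the forwarding rules named above by also flagging rules that hide or delete finance-related mail; the field names, internal domain, keyword list, and sample rules are assumptions constructed for illustration.

```python
import json

# Assumptions (not from the article): the organisation's own mail domains, and a
# rule export with these hypothetical field names. Map them to your platform's export.
INTERNAL_DOMAINS = {"example.com"}
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remit")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}

# Constructed sample data for illustration only.
SAMPLE_RULES = json.loads("""[
  {"mailbox": "ap@example.com", "name": "sync", "forward_to": ["copy@mail.invalid"],
   "move_to": null, "delete": false, "mark_read": false, "keywords": []},
  {"mailbox": "cfo@example.com", "name": "..", "forward_to": [],
   "move_to": "RSS Feeds", "delete": false, "mark_read": true, "keywords": ["Invoice", "wire transfer"]},
  {"mailbox": "hr@example.com", "name": "Newsletters", "forward_to": [],
   "move_to": "Reading", "delete": false, "mark_read": false, "keywords": ["newsletter"]},
  {"mailbox": "it@example.com", "name": "To ticketing", "forward_to": ["helpdesk@example.com"],
   "move_to": null, "delete": false, "mark_read": false, "keywords": []}
]""")


def is_external(address):
    """True when the address's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def flag_rule(rule):
    """Return the reasons a rule needs analyst review; an empty list means none."""
    reasons = []
    external = [a for a in rule.get("forward_to") or [] if is_external(a)]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    hides = bool(rule.get("delete")) or (rule.get("move_to") or "").lower() in HIDING_FOLDERS
    keywords = [k.lower() for k in rule.get("keywords") or []]
    if hides and any(term in k for k in keywords for term in FINANCE_TERMS):
        reasons.append("hides or deletes finance-related mail")
    elif hides and rule.get("mark_read"):
        reasons.append("silently files mail as read")
    return reasons


def audit(rules):
    """Map (mailbox, rule name) to review reasons for every flagged rule."""
    return {(r["mailbox"], r["name"]): why for r in rules if (why := flag_rule(r))}


if __name__ == "__main__":
    for (mailbox, name), why in audit(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: {'; '.join(why)}")
```

Run it across every mailbox in the tenant, not only the known-compromised one, so the output also supports step 6.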

Next Steps

  1. Strengthen email security with email filtering, encryption, and improved email monitoring systems.
  2. Educate employees about social engineering and the risks of BEC attacks, how to identify suspicious communications, and how to avoid cybersecurity lapses.
  3. Continue to monitor impacted accounts and stay in communication with any affected parties.
  4. Strengthen security controls for financial transactions, such as authorization requirements.

BEC scams will continue to impact small to midsize companies, but identifying the incident and responding in a timely manner can save your company money and lessen the damage.


© 2024 NetDiligence All Rights Reserved.