Business Email Compromise Response Playbook: Complete Guide

Introduction

Business Email Compromise requires no malware, no exploits, and no technical skill to execute. Just a convincing email, a gap in process, and someone with wire transfer authority who didn't verify a banking change.

The financial damage is staggering. According to the 2025 FBI IC3 Annual Report, BEC/EAC losses totaled over $3 billion across 24,768 complaints — making it consistently the highest-loss cybercrime category the FBI tracks.

What separates a BEC response playbook from a generic incident response plan is scope. BEC attacks decision-makers, financial workflows, and organizational trust — not systems. Legal, finance, and the board aren't supporting cast here. They're central participants from minute one.

This guide covers:

  • The attack chain leaders need to understand
  • A six-phase response framework
  • First-24-hour priorities
  • Board communication strategy
  • Prevention controls that hold under real incident conditions

TLDR

  • BEC generates over $3 billion in annual losses with no malware involved — it exploits process gaps and human trust
  • The response requires legal, finance, and board involvement immediately — not after technical containment
  • Fund recovery is possible but the window closes fast — hours matter, not days
  • DMARC set to "reject" plus phishing-resistant MFA eliminate the most common attack vectors
  • Without a seated CISO, organizations face specific governance gaps in escalation authority and board communication once an incident goes live

What Makes BEC Uniquely Dangerous

No Payload, No Alert

BEC bypasses most technical defenses because there's nothing to detect. No malicious attachment, no suspicious link, no obfuscated script. A well-crafted BEC message is indistinguishable from normal business correspondence — because it mirrors exactly how your executives communicate.

Antivirus, endpoint detection, and email filters are built to catch anomalies. BEC contains none. Attackers study your organization long enough to write like your CFO, reference real vendor relationships, and time their message for maximum credibility.

The Financial and Regulatory Stack

A single BEC event can trigger legal, regulatory, and financial exposure at the same time:

  • Wire fraud losses — the 2025 IC3 data puts average losses at roughly $123,000 per complaint
  • HIPAA breach notification — compromised inboxes containing PHI can trigger 60-day notification requirements; HHS OCR's 2025 settlement after a phishing attack compromised 45 employee email accounts illustrates how regulators respond
  • GDPR obligations — EDPB guidelines require supervisory authority notification within 72 hours of becoming aware of a qualifying breach
  • Cyber insurance complications — insurers scrutinize whether required controls (MFA, DMARC) were actually enforced
  • Vendor and partner trust damage — particularly when a compromised account was used to contact your customers

The AI Acceleration Problem

The FBI warned in 2024 that attackers are using AI to craft highly convincing voice messages, video, and emails that enable fraud at scale. Modern BEC campaigns use AI to mimic executive writing styles, pull real transaction details from public disclosures, and splice fabricated payment instructions into live email threads.

This eliminates employee skepticism as a reliable defense. When a message reads exactly like your CEO writes, references a real deal in progress, and arrives during a known travel window, even well-trained staff will act on it.


How a BEC Attack Unfolds: The Attack Chain

Reconnaissance

Before sending a single email, attackers map the target. LinkedIn reveals org structure and reporting lines. Press releases identify key executives, active deals, and vendor relationships. Regulatory filings expose transaction volumes and recurring payment workflows. Executive travel schedules, often announced publicly, tell attackers exactly when a CFO will be unreachable by phone.

Organizations with high public visibility — publicly traded, active in M&A, or prominent in their industry — are more attractive targets because the reconnaissance requires less effort.

Initial Access

Attackers gain entry through several routes:

  • Credential phishing — fake login pages that harvest real passwords
  • Password reuse — credentials from unrelated breaches tested against corporate accounts
  • MFA fatigue attacks — repeated push notification requests designed to exhaust users into approving access
  • Domain spoofing — mimicking a legitimate address without actual inbox access

The distinction between account takeover (attacker controls a real inbox) and display-name spoofing (attacker mimics an address) matters for response. Account takeover is harder to detect and gives attackers access to real email history.

Silent Surveillance

Once inside, skilled attackers don't act immediately. They read email threads, learn the cadence of payment approvals, and identify the exact language used for wire requests. Inbox forwarding rules get configured to shadow responses in real time — often routing copies to free email services that don't raise alerts.

This surveillance phase can run for days or weeks before any fraudulent request is sent. The attacker's goal is to absorb enough context that their eventual message raises no flags at all.

The Fraudulent Request

When attackers move, they engineer the message with precision:

  • Authority — the sender appears to be a CEO, CFO, outside legal counsel, or known vendor
  • Urgency — quarter-end closing, executive travel, time-sensitive deal language
  • Timing — sent when verification is hardest (Friday afternoon, holiday week, mid-travel)
  • Specificity — references real transaction names, real vendor relationships, correct dollar ranges

The request is almost always one of three things: a wire transfer to updated banking details, an invoice payment redirect, or a payroll direct deposit change.

Execution and Exit

Once funds move, they move fast. Transfers are typically routed through layered intermediary accounts and converted or distributed internationally within hours. That window — often measured in hours, not days — is why contacting your financial institution is the first call to make, not the second.


Building Your BEC Response Playbook: The Six-Phase Framework

Phase 1: Preparation — Before the Incident Happens

Preparation is the only phase that occurs before an attack. Most organizations underinvest in it until after their first incident.

A solid preparation framework includes:

  • CSIRT formation — named roles with defined responsibilities, not just job titles
  • Decision rights documentation — who can authorize account suspension, engage outside counsel, approve emergency spend, or notify regulators without waiting for a board vote
  • Escalation thresholds — dollar amounts, data sensitivity levels, and downtime impacts that automatically trigger higher-level response
  • Email log retention — at minimum 90 days of logs stored in a secure secondary location (SIEM or equivalent), not only in the email platform itself
  • Call tree — a tested, after-hours contact list that actually works under pressure

Organizations without a seated CISO face the sharpest preparation gap. When no one has defined decision rights before an incident, critical hours during the real event get consumed by process debates rather than containment actions.

Closing that gap is the first priority in Tyson Martin's interim CISO engagements. Within 30 days, organizations have an updated incident response plan with named roles, escalation rules, and current contact lists — plus minimum viable playbooks for BEC, ransomware, and suspected data exposure. Each playbook specifies first-hour actions, evidence to preserve, and who can authorize major steps.

Phase 2: Identification — Detecting the Compromise

Most BEC incidents are not discovered by security tools. They surface through employee reports ("something feels off about this wire request") or financial reconciliation ("this payment doesn't match any invoice").

Behavioral signals worth monitoring actively:

  • Login activity from unusual geographies or unrecognized devices
  • Inbox forwarding rules created to external addresses (especially free email services)
  • Sudden volume spikes in finance-related messages from low-activity accounts
  • Display name/domain mismatches in message headers
  • Emails where the reply-to address differs from the visible sender

Identification process steps:

  1. Interview the affected user — establish the timeline and what they observed
  2. Review authentication logs for anomalies (unusual location, device, or login time)
  3. Search for inbox rules created without the user's knowledge
  4. Assess what data was accessible in the compromised mailbox (financial, legal, HR)
  5. Check whether other accounts show similar compromise patterns
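The behavioral signals and process steps above can be run as detection logic over mailbox audit data. The script below is an added example, not code from the original article: it scans constructed audit events for the signals the article lists (forwarding rules to external or free-mail addresses, rules that hide incoming mail, sign-ins from outside the normal countries, and a low-activity account suddenly sending finance-themed mail). The event schema, domain names, baseline figures and keyword list are all assumptions made for the example rather than any vendor's log format.

```python
"""Scan constructed mailbox audit events for BEC identification signals.

Added example, not from the original article. Events use a simplified
schema of our own (not a vendor's audit-log format) and are constructed.
"""
from collections import Counter
from dataclasses import dataclass

ORG_DOMAIN = "example.com"                      # assumption: the defended domain
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
BASELINE_COUNTRIES = {"US"}                      # assumption: normal sign-in countries
FINANCE_KEYWORDS = ("wire", "invoice", "payment", "banking", "remit")

# Constructed: typical finance-themed sends per day for each account.
SEND_BASELINE = {"cfo@example.com": 6, "intern@example.com": 0}

# Constructed audit events for one day.
EVENTS = [
    {"user": "intern@example.com", "action": "SignIn", "country": "NG", "client": "IMAP"},
    {"user": "intern@example.com", "action": "NewInboxRule", "rule_name": "Sync",
     "forward_to": ["acct.review77@gmail.com"], "delete_message": True},
    {"user": "cfo@example.com", "action": "SignIn", "country": "US", "client": "Outlook"},
    {"user": "cfo@example.com", "action": "NewInboxRule", "rule_name": "Vendors",
     "forward_to": ["ap@example.com"]},
] + [{"user": "intern@example.com", "action": "Send",
      "subject": f"Updated wire details for invoice {n}"} for n in range(4)]


@dataclass(frozen=True)
class Finding:
    user: str
    signal: str
    detail: str


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_inbox_rule(event: dict) -> list:
    """Flag rules that forward/redirect outside the org or hide incoming mail."""
    findings = []
    for addr in event.get("forward_to", []) + event.get("redirect_to", []):
        dom = _domain(addr)
        if dom != ORG_DOMAIN:
            kind = "free-mail" if dom in FREEMAIL_DOMAINS else "external"
            findings.append(Finding(event["user"], "external_forwarding_rule",
                                    f"rule {event['rule_name']!r} forwards to {kind} address {addr}"))
    if event.get("delete_message") or event.get("mark_as_read"):
        findings.append(Finding(event["user"], "hiding_rule",
                                f"rule {event['rule_name']!r} deletes or marks read incoming mail"))
    return findings


def check_sign_in(event: dict) -> list:
    """Flag sign-ins from countries outside the organization's baseline."""
    if event.get("country") not in BASELINE_COUNTRIES:
        return [Finding(event["user"], "unusual_geography",
                        f"sign-in from {event['country']} via {event.get('client')}")]
    return []


def check_finance_volume(events: list, ratio: float = 3.0, minimum: int = 3) -> list:
    """Flag accounts whose finance-themed sends exceed an absolute floor and a
    multiple of their own baseline (a quiet account suddenly sending 'wire' mail)."""
    counts = Counter(e["user"] for e in events if e["action"] == "Send"
                     and any(k in e.get("subject", "").lower() for k in FINANCE_KEYWORDS))
    findings = []
    for user, n in counts.items():
        base = SEND_BASELINE.get(user, 0)
        if n >= minimum and n > base * ratio:
            findings.append(Finding(user, "finance_send_spike",
                                    f"{n} finance-themed sends vs baseline {base}/day"))
    return findings


def scan(events: list) -> list:
    """Run the per-event and aggregate checks; return findings sorted by user and signal."""
    findings = []
    for e in events:
        if e["action"] == "NewInboxRule":
            findings += check_inbox_rule(e)
        elif e["action"] == "SignIn":
            findings += check_sign_in(e)
    findings += check_finance_volume(events)
    return sorted(findings, key=lambda f: (f.user, f.signal))


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f.signal}] {f.user}: {f.detail}")
```

On the constructed data the CFO's internal forwarding rule and US sign-in produce nothing, while the intern account trips all four signals, which is the pattern step 5 of the process (checking other accounts for similar patterns) is meant to surface across the tenant rather than one mailbox at a time.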

Phase 3: Containment — Limiting the Damage Window

Critical: preserve forensic evidence before taking any containment action. Inbox rules, forwarding configurations, deleted items, and sign-in logs must be captured and archived before you reset or modify anything. Evidence destroyed during containment cannot be recovered for legal proceedings.

Containment sequence (after forensic preservation):

  1. Force sign-out of all active sessions on the compromised account
  2. Revoke OAuth tokens and API access grants connected to that account
  3. Reset credentials through an out-of-band channel — not the compromised email
  4. Block malicious sender domains and associated indicators at the email gateway
  5. Alert relevant staff to disregard any instructions received from the compromised account

Phase 4: Eradication — Removing All Footholds

A single compromised account rarely tells the full story. A thorough eradication sweep covers:

  • Audit all mailboxes for unauthorized forwarding or auto-delete rules
  • Review sign-in logs for secondary accounts that may have been accessed from the same session
  • Check linked cloud services (document storage, calendar, billing platforms) that shared the same credentials
  • Validate that no attacker-controlled redirects remain in financial or procurement systems

Phase 5: Recovery — Restoring Operations Safely

Recovery priorities in order:

  • Validate all financial transactions during the suspected compromise window — not just the flagged one
  • Confirm account integrity before re-enabling user access
  • Engage cyber insurance carrier if financial loss occurred
  • Reinstate heightened monitoring on the affected account for an extended period

Phase 6: Lessons Learned — Turning the Incident Into Improvement

The post-incident review should produce two distinct outputs: a detailed technical report for the response team and a plain-language executive summary for the board.

The debrief covers four questions:

  • What happened?
  • What controls failed?
  • What did the attacker access?
  • How did the response perform against the playbook?

Specific areas to audit for gaps:

  • MFA enforcement gaps (which accounts had SMS-based or no MFA)
  • Payment verification procedures (whether verbal callbacks were actually required)
  • DMARC/SPF/DKIM configuration on all sending domains
  • CSIRT readiness against the playbook — what worked, what was improvised

Immediate Actions: The First 24 Hours After BEC Discovery

Speed and sequence both matter. The first 24 hours after BEC discovery determine whether funds are recoverable, whether evidence survives, and whether regulatory exposure compounds.

Hour 1: Simultaneous actions

  • Revoke the compromised account's active sessions
  • Notify legal and compliance leadership immediately — not after technical investigation concludes

Legal must be in the loop from the start to assess breach notification obligations under HIPAA, GDPR, or applicable state laws, and to establish attorney-client privilege over the investigation. Waiting until technical facts are confirmed before calling legal is a common mistake that complicates both regulatory response and insurance claims.

If a fraudulent wire transfer has occurred:

Contact your bank's fraud department immediately and file an FBI IC3 complaint. The FBI's Recovery Asset Team (RAT) can initiate a Financial Fraud Kill Chain (FFKC) to freeze and recall funds.

According to 2025 IC3 data, RAT initiated 3,900 FFKC incidents and froze $679 million of $1.16 billion in attempted theft — a 58% success rate. That recovery rate depends entirely on early reporting. Every hour of delay narrows the window.

Internal communications:

Identify every employee, vendor, and partner who received messages from the compromised account during the exposure window. Notify them directly, before they act on potentially fraudulent instructions.

Give recipients specific, verified guidance: a known-good phone number, alternative email contact, and explicit direction on what to do with any payment, data, or access requests they received.

Evidence preservation (active priority, not afterthought):

Assign one specific team member to lock and archive the compromised mailbox state immediately. Capture:

  • All inbox rules (active and recently deleted)
  • Sent items and forwarding configurations
  • Authentication logs and sign-in history
  • Full thread history of any suspicious communications

External communications:

With legal counsel in the lead, move quickly on three fronts:

  • Determine which parties require formal notification and on what timeline
  • Establish a single communications lead to manage all outbound messaging
  • Document every notification sent, including recipient, timestamp, and content

Board Communication and Governance During a BEC Incident

What Boards Actually Need

During an active BEC incident, boards don't need a technical briefing. They need five things:

  1. A clear timeline — what happened and when
  2. Estimated financial exposure
  3. What containment steps have been authorized
  4. What decisions require board-level sign-off
  5. Who is leading the response

The first communication to the board chair — ideally within hours of confirmation, not days — should be short: current impact, actions underway, and when the next update arrives. Steady cadence matters more than comprehensive detail in the early hours.

Decision Rights: The Pre-Incident Work That Pays Off

The most expensive governance failure in a BEC incident is discovering that no one was pre-authorized to make critical decisions. Common gaps include:

  • Who can suspend employee accounts without a board vote
  • Who can engage outside counsel and at what spend threshold
  • Who can notify regulators, and on what timeline
  • Who owns external communications to vendors and customers

When decision rights aren't documented before the incident, response teams spend the critical early hours in process debates. The answer is to establish and document escalation thresholds — keyed to dollar impact, data sensitivity, and operational exposure — before an incident occurs, not during one.

The CISO Translation Problem

Organizations navigating BEC without a CISO in-seat face a specific gap: no one can translate the technical incident into defensible governance language in real time. Boards receive either overly technical updates that don't support decisions or vague reassurances that don't establish accountability.

Filling that gap — connecting technical incident status to financial exposure, legal obligations, and board-level decision points — is what an interim CISO engagement directly addresses. When Tyson Martin works with boards during incidents, the structure centers on a single source of truth: what is known, what is suspected, what is still unknown, and what decision is needed from the board right now.

Post-incident, the board receives a complete package:

  • Full incident timeline with key decision points noted
  • Decisions made and the authority under which they were made
  • Evidence preserved and chain-of-custody documentation
  • Customer and vendor impact assessment
  • Remediation plan with owners, costs, and completion dates

Prevention Controls That Meaningfully Reduce BEC Risk

Identity Layer Controls

  • Phishing-resistant MFA — CISA identifies FIDO/WebAuthn as the only widely available phishing-resistant standard. Hardware-backed FIDO2 keys or Windows Hello for Business provide protection that SMS and email-based codes do not
  • Conditional access policies — flag or block logins from unusual geographies, unrecognized devices, or outside normal hours
  • Inbox forwarding restrictions — block the creation of forwarding rules to external addresses via administrative policy; this eliminates one of the most common attacker persistence mechanisms

Process Controls

These interrupt the attacker's most powerful tool: timing pressure.

  • Callback verification — any change to vendor banking details or wire instructions requires verbal confirmation via a phone number stored independently of the email thread
  • Dual-approval for disbursements — all financial transfers above a defined threshold require two authorized approvers
  • Email-only payment prohibition — final authorization for any payment cannot be based solely on email instruction, regardless of apparent sender authority

These controls sound obvious until you see how routinely they're bypassed under urgency pressure. The process discipline has to exist before the attack — test it in a tabletop exercise before an attacker tests it for you.
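The three process controls only hold under urgency if a payment system enforces them rather than relying on a person to remember them. The following is an added example, not code from the original article, showing how a disbursement workflow could encode them as a release gate: callback verification on an independently stored number for any banking-detail change, two distinct approvers above a threshold, and no release on email instruction alone. The threshold amount, field names and sample requests are constructed for the example.

```python
"""Release gate encoding the article's three payment process controls.

Added example, not from the original article. Threshold, field names and
sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

DUAL_APPROVAL_THRESHOLD = 10_000   # assumption: illustrative USD threshold set by finance policy


@dataclass
class PaymentRequest:
    amount: float
    payee: str
    instruction_channel: str                      # constructed values: "email", "erp", "portal"
    banking_details_changed: bool = False
    approvers: list = field(default_factory=list)
    callback_confirmed: bool = False
    # Where the callback number came from: "vendor_master" (held independently of
    # the request) or "email_thread" (supplied by the very message being verified).
    callback_number_source: Optional[str] = None


def authorization_gaps(req: PaymentRequest) -> list:
    """Return every control the request fails; an empty list means it may be released."""
    gaps = []
    independent_callback = (req.callback_confirmed
                            and req.callback_number_source == "vendor_master")
    # Control 1: callback verification for any banking-detail change, on a
    # number stored independently of the message that asked for the change.
    if req.banking_details_changed and not independent_callback:
        gaps.append("banking change requires verbal confirmation on an independently stored number")
    # Control 2: dual approval above threshold; the same person twice counts once.
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        gaps.append("amount above threshold requires two distinct approvers")
    # Control 3: an email instruction alone is never final authorization.
    if req.instruction_channel == "email" and not independent_callback:
        gaps.append("email instruction alone cannot be the final authorization")
    return gaps


def release_allowed(req: PaymentRequest) -> bool:
    return not authorization_gaps(req)


# Constructed sample requests exercising the edge cases.
SAMPLE_REQUESTS = {
    # Callback was made, but to the number supplied in the email; approver double-counted.
    "rushed_wire": PaymentRequest(50_000, "Acme Supply", "email", banking_details_changed=True,
                                  approvers=["alice", "alice"], callback_confirmed=True,
                                  callback_number_source="email_thread"),
    "routine_erp": PaymentRequest(2_000, "Acme Supply", "erp", approvers=["alice"]),
    "verified_wire": PaymentRequest(50_000, "Acme Supply", "email", banking_details_changed=True,
                                    approvers=["alice", "bob"], callback_confirmed=True,
                                    callback_number_source="vendor_master"),
    "small_email_only": PaymentRequest(500, "Acme Supply", "email"),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, "RELEASE" if release_allowed(req) else authorization_gaps(req))
```

The "rushed_wire" case is the one that matters: a callback did happen and two approvals were recorded, yet the gate still refuses it because the number came from the email thread and both approvals were the same person. Those are exactly the shortcuts people take under timing pressure.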

Email Authentication Enforcement

DMARC is the most direct technical control against domain spoofing, but only when properly enforced. Currently, only 42% of domains use quarantine or reject settings, meaning the majority leave spoofing windows wide open.

The key distinctions:

DMARC Policy    Effect
p=none          Monitoring only — spoofed messages still deliver
p=quarantine    Suspected spoofs routed to spam — partial protection
p=reject        Unauthenticated messages blocked — full enforcement

CISA recommends p=reject as the standard that provides actual protection against domain spoofing. Monitoring mode (p=none) is a valid starting point during deployment, but leaving it there permanently provides no protection against spoofing.
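A DMARC record is a small enough piece of configuration that its policy level can be audited automatically across every sending domain, which is what the Phase 6 review calls for. The script below is an added example, not code from the original article: it parses DMARC TXT records, grades them against the three policy levels in the table, and rewrites a weak record into the enforcement form the article recommends. The tag names (v, p, sp, pct, rua, ruf) are the standard DMARC tags from RFC 7489; the record strings and domain are constructed, and the grading rules are an assumption based on the article's advice rather than a published standard.

```python
"""Parse and grade DMARC TXT records against the policy levels in the table.

Added example, not from the original article. Records are constructed; tag
names are the standard DMARC tags (RFC 7489); grading rules are our own.
"""

ENFORCEMENT = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed records: monitoring only, partial rollout, and full enforcement.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag/value dict; raise on malformed input."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def grade_dmarc(record: str) -> dict:
    """Return the effective protection level ('none', 'partial', 'full') and weaknesses."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in ENFORCEMENT:
        raise ValueError(f"unknown policy {policy!r}")
    issues = []
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    if policy == "none":
        issues.append("p=none is monitoring only; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine only routes suspected spoofs to spam; move to p=reject")
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only {pct}% of failing messages")
    # Subdomain policy defaults to the main policy; a weaker sp= leaves subdomains spoofable.
    sub = tags.get("sp", policy).lower()
    if ENFORCEMENT.get(sub, -1) < ENFORCEMENT[policy]:
        issues.append(f"subdomain policy sp={sub} is weaker than p={policy}")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports arrive to monitor alignment")
    if policy == "reject" and pct == 100:
        protection = "full"
    elif policy != "none" and pct > 0:
        protection = "partial"
    else:
        protection = "none"
    return {"policy": policy, "pct": pct, "protection": protection, "issues": issues}


def hardened_record(record: str) -> str:
    """Rewrite a record to full enforcement while keeping its reporting addresses."""
    tags = parse_dmarc(record)
    out = {"v": "DMARC1", "p": "reject", "sp": "reject", "pct": "100"}
    for key in ("rua", "ruf"):
        if key in tags:
            out[key] = tags[key]
    return "; ".join(f"{k}={v}" for k, v in out.items())


if __name__ == "__main__":
    for rec in (WEAK_RECORD, PARTIAL_RECORD, STRONG_RECORD):
        print(rec, "->", grade_dmarc(rec))
    print("hardened:", hardened_record(WEAK_RECORD))
```

The rewrite keeps the rua address on purpose: the aggregate reports are how you confirm, while still at p=none during deployment, that every legitimate third-party sender aligns before the switch to p=reject starts blocking their mail.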

One additional control worth implementing: reply-to address divergence detection. This catches spoofed messages where the visible "From" address passes DMARC alignment but replies route to an attacker-controlled address — something DMARC alone won't catch.
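Reply-To divergence and the display name/domain mismatches listed among the Phase 2 signals are both checks on message headers that DMARC does not make, so they belong in the same detector. The script below is an added example, not code from the original article, serving both passages: it parses raw headers with Python's standard email module, records the DMARC verdict from Authentication-Results, and flags a Reply-To whose domain differs from the From domain or a display name that borrows a known executive's name or carries an address at another domain. The sample messages, the organization domain and the executive directory are constructed; the header names are the standard ones.

```python
"""Header-level BEC checks: Reply-To divergence and display name/domain mismatch.

Added example, not from the original article. Messages and the executive
directory are constructed; From, Reply-To and Authentication-Results are
standard header names.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumption: the defended domain
# Constructed directory of people whose names are most likely to be borrowed.
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed: a lookalike domain that passes DMARC for itself, with replies
# routed elsewhere and the CEO's display name on the From header.
MSG_LOOKALIKE = """\
From: Jane Doe <jane.doe@example-corp.net>
Reply-To: jane.doe.ceo@gmail.com
Authentication-Results: mx.example.com; dmarc=pass header.from=example-corp.net
Subject: Updated wire instructions

Please process before close of business.
"""

# Constructed: the display name is itself an address at our domain, while the
# real sending address is somewhere else entirely.
MSG_NAME_SPOOF = """\
From: "jane.doe@example.com" <notify@mailer-svc.net>
Authentication-Results: mx.example.com; dmarc=pass header.from=mailer-svc.net
Subject: Invoice approval needed

Attached invoice requires sign-off today.
"""

# Constructed: legitimate internal mail, Reply-To matching the sender.
MSG_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Q3 planning

See you at 3pm.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_result(msg):
    """Pull the dmarc= verdict out of Authentication-Results, or None if absent."""
    match = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return match.group(1).lower() if match else None


def analyze_headers(raw: str) -> dict:
    """Return From/Reply-To, the DMARC verdict, and the list of signals raised."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    signals = []

    # Signal 1: replies go to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        signals.append("reply_to_divergence")

    # Signal 2a: the display name contains an address at some other domain.
    embedded = re.findall(r"[\w.+-]+@[\w.-]+", name)
    if any(_domain(e) != from_dom for e in embedded):
        signals.append("display_name_mismatch")
    # Signal 2b: the display name is a known executive but the address is not theirs.
    elif name.strip().lower() in KNOWN_EXECUTIVES \
            and addr.lower() != KNOWN_EXECUTIVES[name.strip().lower()]:
        signals.append("display_name_mismatch")

    return {"from": addr, "reply_to": reply_addr or None,
            "dmarc": dmarc_result(msg), "signals": signals}


def needs_review(raw: str) -> bool:
    return bool(analyze_headers(raw)["signals"])


if __name__ == "__main__":
    for label, raw in (("lookalike", MSG_LOOKALIKE), ("name spoof", MSG_NAME_SPOOF), ("legit", MSG_LEGIT)):
        print(label, analyze_headers(raw))
```

Both suspicious samples carry dmarc=pass, which is the point of the article's caveat: DMARC attests that the sending domain authorized the message, not that the domain, the display name or the reply path belong to the person the reader thinks sent it.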


Frequently Asked Questions

What is the single most important first step when a BEC attack is suspected?

Simultaneously revoke active sessions on the suspected compromised account and notify legal and compliance leadership before any other remediation steps, capturing the mailbox state (rules, forwarding settings, sign-in logs) before anything is reset or modified. Evidence lost during premature containment cannot be recovered, and legal needs to assess breach notification obligations from the start.

How quickly should the board be notified after a BEC incident is confirmed?

The board chair, or at minimum the audit/risk committee chair, should receive an initial notification within hours of confirmation. That first communication should cover financial exposure, containment status, and which decisions require board-level authorization.

Is it possible to recover funds lost in a BEC wire fraud?

Recovery is possible but time-sensitive. Contact your bank's fraud department immediately and file an FBI IC3 complaint. The FBI's Financial Fraud Kill Chain process achieved a 58% fund-freeze rate in 2025 — act within the first few hours for the best chance of recovery.

How is BEC different from phishing?

Phishing is mass-distributed, relies on malicious links or attachments, and targets credential theft broadly. BEC is targeted, contains no payload, and exploits trusted authority relationships and established financial workflows to redirect funds or sensitive data.

Does a BEC incident trigger regulatory reporting obligations?

Yes — BEC can trigger HIPAA, GDPR, and state breach notification requirements even without traditional data exfiltration. If the compromised inbox contained PHI, PII, or financial data, breach notification may apply. Legal counsel should assess obligations immediately upon confirmation.

What email authentication controls are most effective against BEC spoofing?

DMARC set to p=reject, with enforced SPF and DKIM, provides the foundational layer against domain spoofing. Pair this with reply-to address mismatch detection, which catches spoofed messages that pass DMARC alignment but route replies to attacker-controlled accounts.