Business email compromise (BEC) hits fast, hides well, and often looks like normal business. One altered invoice, one redirected payroll change, or one convincing “urgent” wire request can move money and sensitive data out the door in minutes. A strong business email compromise response is about more than resetting a password. It is a coordinated series of actions that contain the breach, protect people, support financial recovery, and close every backdoor an attacker could use to come back.
BEC does not only affect large enterprises. Families with a shared inbox for a trust, an executive traveling with a personal phone, a boutique firm relying on a cloud suite—each faces the same attacker playbook. That means the response plan must be practical, human-centered, and ready to execute on whatever devices and accounts are in use, whether corporate-managed or personal.
The First 24 Hours: Detect, Contain, and Stabilize
The initial hours define outcomes. The priority is to confirm what happened, stop active abuse, and protect funds and relationships. Indicators of compromise include unexpected password resets, sign-ins from unfamiliar locations, rules automatically forwarding mail to external addresses, or clients receiving messages you didn’t send. When any of these appear, treat the situation as an active incident and move quickly.
Start with account control. From a clean device, change the compromised account’s password to a unique, long passphrase and immediately enable strong multi-factor authentication (preferably an app or hardware key over SMS). In Microsoft 365 and Google Workspace, revoke active sessions, reset refresh tokens, and sign out of all devices. Review and remove malicious inbox rules—especially those that forward mail externally, hide certain messages, or auto-delete replies—and document everything before deleting. Check delegated access and any admin role changes that could give the attacker ongoing control.
Preserve evidence while you contain. Before modifying too much, capture screenshots of mailbox rules, OAuth app grants, and suspicious messages. Export sign-in logs, audit trails, and message trace reports. Documentation supports fraud claims with financial institutions and helps analysts pinpoint the root cause. Avoid mass deletions that erase clues; methodical containment prevents both data loss and future reinfection.
Next, safeguard the money. Contact banks and payment providers to request holds, reversals, or recalls for suspicious transactions. Alert clients, vendors, and internal teams via an out-of-band channel—phone or secure messaging—not the compromised email thread. Provide clear guidance: do not act on any payment change requests until verified by a known phone number, and escalate anything unusual. If payroll redirection or vendor fraud is suspected, coordinate quickly with finance to pause changes and verify beneficiary details through a dual-confirm process.
Expand the blast radius assessment. Check other accounts for signs of reuse: executive assistants, finance shared mailboxes, personal email used for account recovery, and admin accounts often share risk. Disable legacy protocols (IMAP/POP) that bypass modern MFA, block automatic forwarding to external domains, and verify that conditional access baselines are enabled. If a mobile number is tied to authentication, contact the carrier to place a SIM-swap lock.
Finally, begin formal reporting and coordination. File a report with the appropriate cybercrime channels, notify cyber insurance within policy timelines, and engage legal counsel if sensitive data may be impacted. Timely reporting increases the chance of financial recovery and ensures actions align with regulatory expectations. In these first 24 hours, a disciplined, incident response mindset can mean the difference between a brief disruption and a cascading financial loss.
Root Cause and Eradication: Close Every Backdoor
Containment is not the end. To prevent a quiet return by the attacker, eradicate all footholds and understand precisely how they got in. Was the initial access a phishing credential harvest, password reuse from a breached site, OAuth consent to a malicious app, or SIM-swapped MFA? Each path leaves different artifacts and requires specific countermeasures.
Start with forensic triage in your email platform. In Microsoft 365, review sign-in events, risky sign-ins, and the unified audit log for new inbox rules, external forwarding, mailbox delegate additions, and admin role assignments. In Google Workspace, check the security investigation tool for login anomalies, OAuth app grants, and routing changes. Pay attention to “impossible travel,” suspicious IPs or ASNs, and repeated failures preceding a success—clues that suggest automated credential stuffing or targeted phishing.
Eliminate persistence. Remove malicious transport rules and connectors, revoke OAuth consents to unfamiliar third-party apps, and reset application passwords. Confirm the MFA methods registered on affected accounts; drop SMS where possible in favor of app-based prompts or hardware security keys. Disable legacy authentication protocols and enforce conditional access policies (e.g., block high-risk geographies if appropriate). In smaller environments or mixed personal/professional setups, these hardening steps often get overlooked, yet they are critical for a thorough BEC response.
Harden your domain and mail flow. Publish and align SPF and DKIM, and set a DMARC policy that moves from monitor (p=none) to enforcement (p=quarantine or reject) with proper reporting. Ban automatic external forwarding at the org level, and monitor for sudden spikes in forwarding bounces—a common sign of attacker testing. Educate staff and family members about “reply chain” hijacking, where attackers insert themselves into existing threads to appear legitimate and accelerate payment changes.
Don’t neglect the device and identity layer. Ensure endpoint protection is up to date, browsers are cleaned of malicious extensions, and credential stores are checked for saved enterprise and personal accounts. If a phone number is part of authentication, request a carrier account lock to reduce SIM-swap risk. Encourage use of a reputable password manager and rotate passwords anywhere account reuse was possible. Where feasible, move high-risk roles (finance, executives, personal assistants) to phishing-resistant MFA like FIDO2 security keys.
When the stakes are high or the environment spans personal and business systems, professional escalation is prudent. Specialized teams can coordinate technical containment, evidence preservation, financial recovery efforts, and stakeholder communications under one plan. For tailored support in these scenarios, see Business email compromise response.
Recovery, Notification, and Long-Term Prevention
With access restored and persistence removed, recovery focuses on trust: financial trust with banks and vendors, communication trust with clients, and structural trust inside the organization or household. Begin by establishing a verified communications channel to all impacted parties. Send a clear notice that explains the nature of the email compromise and outlines safe next steps: a verified callback number for payment approvals, confirmation that no changes will be processed without dual verification, and instructions for reporting suspicious messages.
Coordinate with financial institutions on ongoing protections—enhanced verification for wire changes, positive pay services, and dual-approval workflows. Document the fraud timeline, including dates, messages, bank interactions, and any recovered funds. Notify cyber insurance promptly and follow counsel’s guidance on regulatory or contractual notifications, which can vary based on the data involved and jurisdictions. Maintain a central evidence log to support potential claims or law enforcement requests.
Transform the incident into durable controls. Implement a standing “payment change protocol” that requires two known-person verifications, conducted via a phone number independently verified from the supplier master file—not from the email thread. Add a mandatory waiting period for first-time or high-value disbursements. Segment duties so no single person can both approve and execute a payment. In small firms and families, practical guardrails beat complex policies: a shared, printed call sheet of verified numbers; a simple rule that any urgency increases the need for voice verification; and a hard stop on acting from mobile email alone.
Strengthen identity hygiene. Move critical roles to phishing-resistant MFA, enforce unique passwords with a password manager, and disable legacy authentication. Address the personal-business boundary head-on: secure personal inboxes that may receive business documents, ensure executive and family accounts have strong MFA, and verify that recovery emails and phone numbers are accurate and not shared. Encourage passkeys where supported, and restrict the number of devices that can access sensitive mailboxes.
Provide targeted, scenario-based training. Simulate real invoice-change attacks, payroll redirection attempts, and “urgent CEO” requests that use existing threads. Teach teams—and family members who help manage finances—how to spot forwarding rules, recognize OAuth consent prompts, and use out-of-band verification. Keep the curriculum short, frequent, and specific to the tools actually in use, whether that’s Microsoft 365, Google Workspace, or a mix of personal providers.
Consider a brief case example to anchor the approach. A boutique professional services firm noticed a client questioning an overdue invoice that had already been “paid.” Within two hours, the firm reset access from a clean device, revoked sessions, removed forwarding rules, and alerted the bank to initiate a recall. They implemented dual-call verification for payment changes, pushed phishing-resistant MFA to finance and executive assistants, and moved DMARC to enforcement. Because action was swift and evidence preserved, the bank recovered most funds, clients trusted the transparent communication, and the organization emerged with stronger controls than before.
Resilience after BEC is not just technical; it is operational and human. Clear verification rituals, right-sized controls, and prompt, transparent communication protect relationships as much as they protect balances. With a well-practiced plan, even a sophisticated attack can be contained and converted into a lasting upgrade to security and trust.
Lagos architect drafted into Dubai’s 3-D-printed-villa scene. Gabriel covers parametric design, desert gardening, and Afrobeat production tips. He hosts rooftop chess tournaments and records field notes on an analog tape deck for nostalgia.