It’s a message no business owner ever wants to hear: “Someone’s in our email.”
Whether it’s a single compromised mailbox or an organization-wide breach, a Business Email Compromise (BEC) demands immediate action. These attacks are among the most financially damaging cybercrimes affecting organizations today, but a clear response checklist can dramatically limit the damage.
What Is a Business Email Compromise?
A Business Email Compromise (BEC) happens when a cybercriminal gains unauthorized access to a business email account and uses it to defraud the organization, its customers, or its partners. Common entry points include phishing, credential theft, and password reuse across multiple services.
Once inside, an attacker may:
Impersonate executives, finance staff, or vendors to redirect payments or change banking details.
Intercept or alter invoices and purchase orders to route funds to attacker-controlled accounts.
Send phishing emails from a trusted account to compromise additional users and systems.
Quietly monitor email for weeks, learning approval workflows and financial habits before striking.
BEC is dangerous because it exploits trust and normal business processes rather than relying solely on malware or obvious “hack” activity.
What To Do When a Compromised Email Account Is Discovered
Treat every suspected email compromise as a security incident, even if you’re not yet sure of the full impact. Use this checklist as an immediate response guide.
Isolate and contain the affected account
Disable or suspend sign-in for the compromised account as quickly as possible, but do not delete it. You need it intact for investigation and evidence.
Force sign-out of all active sessions
Use your email or identity platform (e.g., Microsoft 365/Entra ID, Google Workspace, Okta) to revoke the user’s refresh tokens and sign out all active sessions.
This step cuts off an attacker who is still connected through existing browser sessions, mobile apps, or cached credentials. One caveat: access tokens that were already issued can remain valid until they expire (roughly an hour by default in Entra ID), so revoke sessions and block sign-in together rather than relying on either one alone.
Reset the account password (and related passwords)
Change the password on the compromised account immediately, following strong, unique password practices.
If the user reused this password on other systems, reset those too. Attackers often pivot using shared credentials.
Reset and re-enroll Multi-Factor Authentication (MFA)
Remove all existing MFA methods (authenticator apps, phone numbers, hardware tokens, email fallbacks) tied to the account; the directory audit log will show when each method was registered, which tells you whether the attacker added one.
Require the user to re-enroll MFA through a verified, secure process (for example, in person or over a known phone number, never via a link sent to the mailbox) to ensure the attacker hasn’t registered their own device.
Check for malicious mailbox rules and hidden forwarding
Review the mailbox for rules that auto-delete, auto-move (often to rarely viewed folders such as RSS Feeds, Archive, or Conversation History), mark as read, or auto-forward email, especially rules keyed on terms like “invoice,” “payment,” or “wire.” Attackers frequently create these rules so that they are hidden from the Outlook rule list, so inspect them with admin tooling rather than the user’s client.
Remove any external forwarding addresses, mailbox-level forwarding, or hidden redirect rules that send copies of email to attacker-controlled accounts, and export the rules before changing them so the evidence is preserved. While you are there, review third-party app consents granted by the user; an OAuth grant to an attacker’s app survives a password reset.
Review sign-in logs and account activity
Examine sign-in logs (successful and failed) for logins from unusual locations, IP addresses, devices, user agents, or times, including legacy-protocol (IMAP/POP/SMTP) authentications that can bypass MFA, and establish when the compromise began.
Use the mailbox audit log (message reads, sends, and rule changes) to identify which emails were read or sent by the attacker, which helps determine who else may be at risk.
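The containment and review steps above, carried out against a Microsoft 365 mailbox with the Microsoft Graph and Exchange Online PowerShell modules. This is an added example, not the article’s own or Argus’s tooling. The UPN, internal domains, evidence path, and the thirty-day audit window are placeholders; the operator needs rights to disable users, revoke sessions, manage authentication methods, read sign-in logs, and manage mailboxes. Password reset and MFA re-enrollment remain manual, verified steps and are deliberately not scripted.

```powershell
<#
  Added example: first-hour BEC containment for one Microsoft 365 mailbox.
  Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed
  and the operator has the rights listed in the lead-in. All names are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$Upn,                       # e.g. jane.doe@contoso.com (placeholder)
    [string[]]$InternalDomains = @('contoso.com'),            # your accepted domains (placeholder)
    [string]$EvidenceDir = "C:\IR\$($Upn -replace '[@.]','_')" # where evidence is written (placeholder)
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All','AuditLog.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Isolate: block sign-in. The account is kept, not deleted, for the investigation.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Revoke refresh tokens so browsers and mobile apps must re-authenticate (and now cannot).
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Reset MFA: snapshot the registered methods as evidence, then remove every non-password method.
$removers = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = { param($id) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $id }
    '#microsoft.graph.phoneAuthenticationMethod'                 = { param($id) Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $id }
    '#microsoft.graph.fido2AuthenticationMethod'                 = { param($id) Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $id }
    '#microsoft.graph.softwareOathAuthenticationMethod'          = { param($id) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $id }
    '#microsoft.graph.emailAuthenticationMethod'                 = { param($id) Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $id }
}
$methods = Get-MgUserAuthenticationMethod -UserId $Upn
$methods | ConvertTo-Json -Depth 5 | Set-Content "$EvidenceDir\auth-methods-before.json"
foreach ($m in $methods) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($removers.ContainsKey($type)) { & $removers[$type] $m.Id; Write-Host "Removed $type $($m.Id)" }
    elseif ($type -ne '#microsoft.graph.passwordAuthenticationMethod') { Write-Warning "Review manually: $type $($m.Id)" }
}

# 4. Inbox rules: export everything (hidden rules included) first, then disable rules that
#    forward or redirect outside the organization, delete mail, or key on payment terms.
#    Rules are disabled rather than deleted so the evidence survives.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$rules | ConvertTo-Json -Depth 5 | Set-Content "$EvidenceDir\inbox-rules-before.json"
$financeWords = 'invoice|payment|wire|remit|bank|ach|transfer'
$internalRx   = ($InternalDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($r in $rules) {
    # Recipient strings look like '"Bob" [SMTP:bob@example.net]'; internal recipients may appear
    # as EX: addresses and will then be flagged too, which errs on the side of review.
    $targets  = @(@($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ })
    $external = @($targets | Where-Object { $_ -notmatch "@($internalRx)\b" })
    $keywords = (@($r.SubjectContainsWords) + @($r.BodyContainsWords) + @($r.SubjectOrBodyContainsWords)) -join ' '
    $suspect  = ($external.Count -gt 0) -or $r.DeleteMessage -or ($keywords -match $financeWords)
    if ($suspect) {
        Write-Warning "Disabling rule '$($r.Name)' (external: $($external -join ','); delete: $($r.DeleteMessage); words: $keywords)"
        Disable-InboxRule -Identity $r.Identity -Mailbox $Upn -Confirm:$false
    }
}

# 5. Mailbox-level forwarding is set outside the rule list and is easy to miss; snapshot, then clear it.
$mbx = Get-Mailbox -Identity $Upn
$mbx | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    ConvertTo-Json | Set-Content "$EvidenceDir\mailbox-forwarding-before.json"
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Write-Warning "Clearing mailbox forwarding: $($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)"
    Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
}

# 6. Preserve the sign-in trail and mailbox audit trail for IR, insurer, and law enforcement.
#    MailItemsAccessed (which messages were read) requires the premium audit tier in some tenants.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 500 |
    Select-Object CreatedDateTime, IpAddress, @{n='Country';e={$_.Location.CountryOrRegion}},
        AppDisplayName, ClientAppUsed, @{n='ErrorCode';e={$_.Status.ErrorCode}} |
    Export-Csv "$EvidenceDir\signins.csv" -NoTypeInformation
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds $Upn `
    -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules,MailItemsAccessed,Send,SendAs -ResultSize 5000 |
    Export-Csv "$EvidenceDir\unified-audit.csv" -NoTypeInformation
Write-Host "Evidence written to $EvidenceDir"
```

Run it once per affected account, then walk the exported JSON and CSV files with whoever is leading the investigation: the sign-in CSV gives you the first suspicious timestamp, and the audit CSV shows which rule changes and sends the attacker made after it. Anything the script flagged for manual review (unfamiliar MFA method types, EX:-formatted forwarding targets) should be cleared by a human before the account is re-enabled.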
Contact your cyber insurance provider to trigger incident response
If you have cyber insurance, notify your carrier immediately; many policies include or require the use of approved incident response (IR) and digital forensics providers.
Early notification can speed access to legal guidance, forensics, and communication support, and may be required for coverage.
Preserve evidence for investigation
Retain audit logs, mailbox logs, suspicious emails, and security alerts; do not purge the mailbox.
Capture key details such as suspicious IPs, forwarding addresses, and timestamps to support IR, insurance, and potential law enforcement reporting.
Communicate internally using trusted channels
Notify leadership, IT, and relevant staff via a secure channel (such as phone, messaging, or a collaboration tool), not by email from the compromised account, and ideally not by email at all until you know the attacker can no longer read it.
Provide clear instructions, such as pausing approvals for certain payments until verification procedures are in place.
Check for additional compromised accounts and systems
Review other accounts for similar suspicious behavior, especially high-risk roles such as finance, HR, and executives.
Scan endpoints for malware or tools that may have been used to capture credentials or maintain persistence.
Notify affected third parties when appropriate
If attackers used your account to send fraudulent invoices or requests, contact impacted customers, vendors, and partners as soon as feasible.
Explain what happened, what they should watch for (e.g., bogus payment requests), and how you will securely verify future financial communications.
Report to law enforcement and regulators when required
Report the BEC to appropriate law enforcement, especially if funds were stolen; the sooner a fraudulent transfer is reported, the better the chance of having it frozen before it is moved on.
If regulated or personal data may have been exposed, consult legal counsel to determine any notification or compliance obligations under applicable laws.
Risks of Business Email Compromise to Your Business
A BEC is more than “just” a hacked inbox; it can trigger a wide range of business, financial, and legal consequences.
Direct financial loss
Attackers often redirect wire transfers, change vendor bank details, or send fraudulent invoices, leading to immediate monetary losses.
In many cases, funds are quickly moved through multiple accounts, making recovery difficult or impossible if action is delayed.
Reputational and relationship damage
Customers and partners who receive scams from your domain may lose trust in your security practices and controls.
Rebuilding that trust can require significant time, transparency, and investment in improved security.
Contractual obligations and breach notifications
Many vendor and customer contracts now include security and incident-notification clauses that require you to alert them to a potential breach within a defined time window, even if “only” an email account was compromised.
Missing those notification timelines can trigger contractual penalties, damage key relationships, or jeopardize renewals and future business.
Downstream compromise and legal liability
If a threat actor uses your compromised account to send malicious links or fraudulent payment instructions, and a customer or vendor is later compromised or suffers a financial loss because they trusted that email, you may face claims that your organization failed to protect their data or adequately secure your systems.
Even if you ultimately prevail, responding to regulatory inquiries, lawsuits, or demands from partners can be costly, time-consuming, and disruptive for your team.
Data exposure and regulatory impact
Email contains sensitive information: contracts, personal data, financial details, credentials, and internal strategy.
If regulated data is exposed, you may face investigation, fines, and increased compliance obligations under frameworks such as GDPR, HIPAA, or industry-specific regulations.
Operational disruption and recovery costs
Incident response, forensics, legal review, communication, and control improvements consume significant time and resources.
During investigation, normal operations, especially finance and approvals, may slow or stop, impacting cash flow and productivity.
Taken together, these financial, reputational, contractual, and legal risks are why Business Email Compromise must be treated with the same seriousness as any other data breach, not as “just” a hacked inbox.
Preparing Before an Email Compromise Happens
The best time to prepare for BEC is before an incident occurs. A few foundational measures can dramatically reduce both likelihood and impact:
Implement enforced MFA and conditional access for all business email accounts.
Run regular security awareness and phishing training for employees, focusing on payment and invoice scams.
Establish clear out-of-band verification steps for changes to banking details, large transfers, or urgent payment requests.
Maintain and test an incident response playbook for BEC, including who to contact, which systems to review, and how to communicate with stakeholders.
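The first preparedness item above, enforced MFA and conditional access, plus the tenant settings that close the forwarding and auditing gaps the checklist depends on, expressed for Microsoft 365. This is an added example and not the article’s own configuration. The policy name and the break-glass group ID are placeholders; the policy is created in report-only mode so you can review its impact before switching it to enabled.

```powershell
<#
  Added example: baseline Microsoft 365 hardening against BEC.
  Assumes the Microsoft.Graph and ExchangeOnlineManagement modules and rights to
  manage conditional access and Exchange Online settings. Names are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$BreakGlassGroupId   # object ID of your emergency-access group (placeholder)
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Require MFA for every user on every cloud app. Report-only first; switch
#    state to 'enabled' after reviewing the sign-in log for unintended blocks.
$policy = @{
    displayName = 'BEC-01 Require MFA for all users (report-only)'   # placeholder name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State

# 2. Stop mailbox rules and mailbox settings from auto-forwarding to external domains,
#    which removes the attacker's quietest way of watching an inbox.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Make sure mailbox auditing is on tenant-wide so the investigation steps have data to work with.
Set-OrganizationConfig -AuditDisabled $false
Get-OrganizationConfig | Select-Object AuditDisabled
```

The conditional access policy excludes a break-glass group so an MFA outage cannot lock administrators out; keep that group to one or two closely monitored accounts. The two forwarding settings overlap deliberately: the remote-domain setting governs rule-based forwarding, and the outbound spam policy governs forwarding more broadly, and an attacker only needs one of them left open.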
Argus can help your organization build that readiness, from BEC playbooks and Microsoft 365 hardening to real-time incident response when something goes wrong.