Business Email Compromise

Business Email Compromise (BEC) is a sophisticated cyber fraud where attackers impersonate trusted individuals or partners via email to defraud companies. It is one of the most financially damaging online crimes, with businesses reporting billions in losses annually. Beyond immediate financial theft, a successful BEC attack can have wide-ranging impacts on an organisation’s finances, data security, operations, reputation, and legal standing. This advisory article outlines the key consequences of BEC incidents, supported by real-world examples, and provides guidance on steps organisations can take to mitigate future risks.

Financial Losses Due to Fraudulent Transactions

The most direct impact of a BEC attack is often significant financial loss. Attackers usually trick employees into making unauthorised bank transfers to accounts under the attackers' control. In many cases the stolen amounts are substantial and can affect cash flow and budgets. Such losses can be devastating, especially for small or mid-sized businesses, and recovery is difficult because the funds are typically moved overseas or withdrawn by the criminals within hours of the transfer.

Theft of Sensitive Customer or Company Data

Not all BEC attacks are limited to stealing money; some are designed to steal confidential data. Attackers may target finance or HR personnel with convincing emails to obtain sensitive information such as customer details, employee records, or proprietary business data. For instance, payroll or HR staff might receive a spoofed email from a CEO or CFO requesting copies of employee tax forms or client databases. A real-world case involved an employee at a major technology company who was duped by an email purportedly from the CEO and inadvertently sent out all current and former employees’ tax forms to cybercriminals. The theft of such data can lead to multiple consequences: affected individuals may become victims of identity theft, the company may have to notify customers or employees of the breach, and regulatory penalties may follow if the breach violates data protection laws. Moreover, stolen information can be leveraged in further fraud—criminals might use it to impersonate those individuals or to craft even more credible future scams.

Disruption of Business Operations

A BEC incident can disrupt normal business operations in several ways. First, the immediate response to the fraud—investigating the incident, securing email systems, and coordinating with banks or law enforcement—consumes valuable time and resources. Key staff may be pulled away from their regular duties to manage the crisis. This diversion of attention can delay important projects or day-to-day transactions. For example, if an accounts payable team is dealing with a fraudulent payment diversion, legitimate vendor payments might be delayed, potentially straining supplier relationships or halting critical supplies. In some cases, companies freeze financial accounts or halt outgoing payments while assessing the damage, which can put operations on hold. Even after the immediate incident, there can be ongoing disruption: employees may need to adopt new verification steps for payments, and enhanced security checks might slightly slow down previously routine processes. Overall, the productivity loss and internal upheaval caused by a BEC breach can be significant, as the company’s focus shifts from growth to damage control.

Damage to Company Reputation and Loss of Client Trust

Falling victim to a BEC scam can severely damage an organisation’s reputation. Customers and business partners trust companies to safeguard finances and sensitive information; a successful fraud suggests a lapse in security or oversight. News of a BEC-related loss or data breach can spread quickly, eroding confidence among clients, investors, and the public. Clients may question whether the company’s internal controls are sufficient and worry about their own data or transactions. Many organisations report that beyond monetary loss, the loss of trust is one of the most painful impacts of cyber incidents. If customers find out that their information was compromised or that funds intended for the company were misdirected to criminals, they may hesitate to continue doing business with the firm. Similarly, partners might impose stricter requirements or even reconsider partnerships if they perceive the company as a security risk. Rebuilding trust after such an event is challenging and often time-consuming. Companies may need to invest in public relations efforts and improved customer communications to reassure stakeholders that they have addressed the vulnerabilities. In essence, the reputational harm from a BEC attack can result in lost business and a tarnished brand image that lingers long after technical issues are resolved.

Legal and Regulatory Consequences

A BEC compromise can put the victimised organisation in legal jeopardy or subject it to regulatory scrutiny. If customer data or personal information was exposed due to the scam, privacy laws may require the company to report the breach and could hold it accountable for failing to protect that data. Regulations such as the NZ Privacy Act or industry-specific laws mandate strict data security practices; non-compliance (revealed by a breach) can lead to fines. Additionally, companies that are publicly traded might have to disclose significant cyber incidents (like a major fraud loss) to shareholders and regulators, potentially affecting stock price and inviting regulatory inquiries. Legal consequences are also a risk: the organisation may face lawsuits from affected parties. In other instances, business partners who suffer losses because of a BEC scam might pursue legal action to recover damages. Internally, if negligence is found, executives or employees could face consequences, and insurance companies might dispute cyber insurance claims if proper protocols were not followed. In summary, the fallout from a BEC attack can extend into costly legal battles and regulatory penalties, adding another layer of financial and operational strain on the organisation.

Increased Cybersecurity Costs for Recovery and Prevention

In the wake of a BEC incident, organisations often incur additional costs to recover from the attack and to bolster their defences. Beyond recovery, companies typically must invest in improved security measures to prevent future incidents. This can include upgrading email security solutions, deploying advanced threat detection systems, and implementing email authentication protocols (SPF, DKIM and DMARC). We have listed some basic guidance below:

Configure

Many New Zealand organisations are either planning a migration to, or have recently migrated to, a cloud-based email system. On deployment, the email system should be configured to protect against security risks. This guidance is targeted at small to medium sized organisations on a Microsoft business plan. Further references will be published in future for other email vendors such as Google. Microsoft recommends that you complete the tasks listed below that apply to your service plan.

  • Set up multi-factor authentication
  • Train your users
  • Use dedicated admin accounts
  • Raise the level of protection against malware in mail
  • Protect against ransomware
  • Stop auto-forwarding for email
  • Use Office Message Encryption
  • Protect your email from phishing attacks
  • Protect against malicious attachments and files with ATP Safe Attachments (now part of Microsoft Defender for Office 365)
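Several of the tasks above (stopping auto-forwarding, turning on auditing, and flagging mail from outside the organisation) can be applied from Exchange Online PowerShell rather than clicked through the portal. The script below is an added example and is not from the original advisory or from Microsoft's own documentation; it assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange administrator role, and the administrator address admin@example.co.nz is a placeholder. Multi-factor authentication and sign-in policies live in Entra ID (Conditional Access) and are not covered here.

```powershell
# Added example (not from the original advisory): tenant-level hardening against
# the BEC techniques listed above, using only Exchange Online cmdlets.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.co.nz   # placeholder admin UPN

# 1. Stop automatic forwarding to external addresses. After a mailbox compromise the
#    attacker's first move is usually a forward or rule so they keep receiving mail
#    even after the password changes; closing this at tenant level removes the option.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Turn on auditing for the organisation and for every user and shared mailbox,
#    and keep mailbox audit records long enough for a forensic examination
#    (the Exchange Online default is 90 days). In tenants where "auditing on by
#    default" is already active the per-mailbox flag is redundant but harmless.
Set-OrganizationConfig -AuditDisabled $false
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365.00:00:00

# 3. Tag messages that originate outside the tenant so a spoofed "CEO" request
#    arriving from an external address is visibly marked in Outlook.
Set-ExternalInOutlook -Enabled $true

# 4. Verify the settings actually took effect before recording the task as done.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default | Select-Object DomainName, AutoForwardEnabled
Get-OrganizationConfig | Select-Object AuditDisabled
Get-ExternalInOutlook | Select-Object Enabled
```

Run the verification cmdlets again after any later change to spam or remote-domain policy: a new outbound spam policy with a higher priority than Default can silently re-enable forwarding.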

Review

Once you have completed configuring the security in your email environment, review how secure you are by checking your Office 365 Secure Score (now branded Microsoft Secure Score). This tool scores your tenant on the security settings you have enabled and the activity it observes. You may not reach the maximum score, but Secure Score helps you keep abreast of the changing threat landscape by recommending the controls that matter most for your environment. See "Introducing the Office 365 Secure Score".

Another important area to review is Audit Log settings. If you suffer a business email compromise, audit logs are a critical source of evidence during a forensic examination. In Microsoft environments, mailbox audit logging must be turned on for each user before activity will be recorded, see Enable mailbox auditing. Newer Exchange Online tenants have mailbox auditing enabled by default, but verify this rather than assume it, and check that the retention period is long enough to cover the weeks or months an attacker may sit in a mailbox before acting.
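A review of the tenant should also look for the two artefacts that a mailbox compromise almost always leaves behind: mail forwarded out of the organisation and inbox rules that redirect or quietly delete messages. The script below is an added example, not part of the original advisory or Microsoft's documentation; it assumes the ExchangeOnlineManagement module, an account holding the Exchange administrator and Audit Logs roles, and uses admin@example.co.nz as a placeholder. Search-UnifiedAuditLog returns at most 5,000 records per call; page with -SessionId and -SessionCommand for larger tenants.

```powershell
# Added example (not from the original advisory): reviewing an Exchange Online
# tenant for signs of an existing compromise and confirming auditing is on.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.co.nz   # placeholder admin UPN

# Auditing must be on before any of the evidence below exists. List the gaps.
Get-OrganizationConfig | Select-Object AuditDisabled
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

# Mailbox-level forwarding set by an administrator or the user.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# Inbox rules that forward, redirect, delete or file mail away. Attackers name
# these innocuously (a single full stop is common), so filter on actions, not names.
$ruleReport = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                       $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}
$ruleReport | Format-Table -AutoSize

# Unified audit log: who created or changed rules and forwarding in the last 30
# days, and from which IP. An unfamiliar ClientIP on a rule creation is the
# classic first indicator of BEC.
$end   = Get-Date
$start = $end.AddDays(-30)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $_.CreationDate
            Who      = $_.UserIds
            Op       = $_.Operations
            ClientIP = $data.ClientIP
            Target   = $data.ObjectId
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

Schedule the rule and forwarding checks to run regularly; a review done once at deployment will not catch a rule the attacker creates six months later.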

Respond

If you suspect that an email account has been compromised, act quickly, as a live cyber-attack may be underway. Common examples include a compromised account being used to send phishing emails or spam to the organisation's contacts. Payment diversion, often described in this context as a "man in the middle" attack, is another common pattern: the fraudster sits in the compromised mailbox, watches an invoice or payment thread, and at the right moment sends altered bank account details so the payment lands in an account they control.

Microsoft recommends the following response procedure.

  • Step 1 Reset the user’s password
  • Step 2 Remove suspicious email forwarding addresses
  • Step 3 Disable any suspicious inbox rules
  • Step 4 Unblock the user from sending mail
  • Step 5 Optional: Block the user account from signing-in
  • Step 6 Optional: Remove the suspected compromised account from all
    administrative role groups

A forensic examination will rely heavily on mailbox audit data to determine the extent of any compromise. This data records which emails were accessed by the attacker, which enables you to inform affected parties that their information may have been breached. Export this data as soon as the account is contained, before it ages out of the retention window.
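The six Microsoft response steps above, plus the forensic export this paragraph calls for, can be carried out as a single scripted containment so nothing is missed under pressure. The function below is an added example and is not from the original advisory or from Microsoft; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules, an operator holding Exchange administrator, Audit Logs and user-administration rights, and uses admin@example.co.nz and jane.doe@example.co.nz as placeholder accounts. Revoking sign-in sessions is an addition to the listed steps: a password reset alone does not invalidate tokens the attacker already holds. Whether MailItemsAccessed events are recorded depends on the tenant's licence, so confirm they appear in the export rather than assuming.

```powershell
# Added example (not from the original advisory): containment of a suspected
# compromised mailbox following the step order above, then the forensic export.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Connect-ExchangeOnline -UserPrincipalName admin@example.co.nz        # placeholder
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

function Invoke-BecContainment {
    param(
        [Parameter(Mandatory)][string]$Upn,   # e.g. jane.doe@example.co.nz (placeholder)
        [switch]$BlockSignIn                  # Step 5 is optional in the Microsoft sequence
    )

    # Step 1: reset the password (random, force change at next sign-in) and revoke
    # existing sessions so tokens the attacker already holds stop working.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = [Convert]::ToBase64String($bytes)
    Update-MgUser -UserId $Upn -PasswordProfile @{
        Password = $newPassword; ForceChangePasswordNextSignIn = $true
    }
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null

    # Step 2: remove mailbox-level forwarding.
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false

    # Step 3: disable (do not delete) rules that forward, redirect, delete or file
    # mail; the disabled rules remain as evidence for the forensic examiner.
    Get-InboxRule -Mailbox $Upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                       $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder } |
        Disable-InboxRule -Confirm:$false

    # Step 4: if the account was restricted for sending spam, clear the block.
    if (Get-BlockedSenderAddress -SenderAddress $Upn) {
        Remove-BlockedSenderAddress -SenderAddress $Upn
    }

    # Step 5 (optional): block sign-in while the investigation runs.
    if ($BlockSignIn) { Update-MgUser -UserId $Upn -AccountEnabled:$false }

    # Step 6 (optional): remove the account from Exchange admin role groups.
    # Entra ID directory roles (e.g. Global Administrator) must be reviewed separately.
    foreach ($group in Get-RoleGroup) {
        $members = Get-RoleGroupMember -Identity $group.Identity
        if ($members.PrimarySmtpAddress -contains $Upn) {
            Remove-RoleGroupMember -Identity $group.Identity -Member $Upn -Confirm:$false
        }
    }

    # Forensic export: everything the account did in the audit window, including
    # MailItemsAccessed records where the tenant logs them. Export now, before
    # the retention window expires.
    $end    = Get-Date
    $start  = $end.AddDays(-90)
    $export = Join-Path (Get-Location) "$Upn-audit.csv"
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn -ResultSize 5000 |
        Select-Object CreationDate, RecordType, Operations, AuditData |
        Export-Csv -Path $export -NoTypeInformation

    # Hand the temporary password to the user out of band, never by email to
    # the mailbox that was just compromised.
    [pscustomobject]@{ Account = $Upn; TemporaryPassword = $newPassword; AuditExport = $export }
}

Invoke-BecContainment -Upn 'jane.doe@example.co.nz' -BlockSignIn
```

Preserve the CSV export with a hash and a record of who ran the containment and when; the audit data is the evidence base for breach notifications and any later legal or insurance process.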