May 5, 2026

Business email compromise (BEC) continues to thrive even in organizations that have deployed multi-factor authentication (MFA). As security professionals, we often assume that MFA is the silver bullet for email security, but real-world incidents suggest otherwise. Attackers exploit human behaviors, process gaps and operational blind spots that MFA alone cannot address. In many modern BEC cases no account is technically compromised at all, which places these attacks outside the security boundary of MFA controls.

In 2019, Toyota Boshoku Corporation fell to a BEC attack in which an employee transferred over $30m to scammers following a cloned email from a third-party company that urged the transaction be completed quickly so as not to slow down Toyota's production line. There was no indication that the Toyota employee's email had been compromised. Take also the 2024 case of Arup, where attackers impersonated a senior manager using deepfake voice and video and convinced a member of the finance team to make payments totaling $25m. The compromise did not depend on stolen credentials but on carefully orchestrated social engineering, timing and the finance team's procedural shortcuts. The technical safeguards may have been strong, but human oversight proved to be the weakest link. In both cases the failure occurred at the decision point, not at the authentication layer, exploiting trust, timing and established, convenient approval habits.

Where security controls end and business risk begins

From experience, this situation is all too common. Organizations often focus on deploying security technology without addressing human workflows and culture. This frequently includes shiny new EDR technology that is used to tick boxes for audit and compliance purposes, and which CIOs are quick to sign off on to show stakeholders they are cyber resilient. This is not a failure of EDR itself, but of how security investments are scoped. Endpoint and identity controls protect systems, but they do not govern how financial approvals, vendor changes or executive requests are validated in practice.

MFA reduces risk but cannot replace the need for process controls, verification routines and continuous awareness training, especially now that adversary-in-the-middle (AiTM) phishing kits that bypass MFA are in the wild. The operational blind spots being exploited sit in business workflows where speed, trust and authority override verification, particularly in finance and procurement processes.

These blind spots exist because business processes are optimized for speed and continuity, not verification. Finance teams are trained to keep operational lines moving, and attackers who are aware of this turn it to their own advantage by introducing urgency or invoking authority. When a request appears legitimate, time-sensitive and from someone with perceived authority, staff often follow familiar patterns rather than pause to question intent. This is not a failure of technology, but a failure of process design.

Practical steps for IT leaders include redesigning approval workflows so that high-value transactions require multi-step verification, including an out-of-band call to confirm; simulating BEC scenarios in realistic exercises to identify gaps in response and decision-making; embedding security awareness into daily routines using micro-learning and real incident reviews; and empowering teams to challenge unusual requests without fear of reprisal. Cases of successful attacks can also be shared with staff who distribute invoices or financial documents or who oversee decisions about transfers.

Designing approval workflows that thwart BEC attacks

Redesigning approval workflows means explicitly defining what constitutes a high-risk request, such as first-time payments, changes to vendor banking details, unexpected payment requests from an executive or requests that bypass standard procedures. These requests should require independent verification using known contact details, not information provided in the email itself.

When reviewing and redesigning approval workflows, organizations should start by asking pointed, hard, operational questions at the decision-making point. Does this request align with how payments are normally initiated and approved? Is the requester using their usual communication channel and tone? Has this vendor or account been paid before, and under similar circumstances? Does the email address match the one on the sender's company website without alteration? Is a different reply-to address visible? Can a quick call be made to confirm? Teams should also ask what assumptions are being made under time pressure, whether authority is being inferred rather than verified, and who is accountable if the decision turns out to be wrong. These questions force staff to slow down, recognize deviations from normal behavior and treat unusual requests as potential security events rather than routine business tasks.

Simulating BEC goes beyond phishing tests and should mirror real business scenarios, including urgent executive requests or supplier payment changes, allowing organizations to observe how staff respond to pressure and ambiguity. Effective simulations introduce urgency, impersonate authority figures with typosquatted email addresses and exploit realistic business contexts such as end-of-quarter payments, supplier changes and the times of year when attackers like to strike, such as festive periods and the run-up to holidays. Participants are observed on how they verify requests, whether they escalate concerns and how quickly they move to execution without confirmation. The outcome is not a pass or fail score but insight into where processes encourage compliance over caution. These simulations allow organizations to refine approval rules, reinforce escalation paths and normalize verification as part of everyday operations.

Empowerment must be formalized through policy, making it clear that pausing or escalating a suspicious request is expected behavior, not an obstacle to productivity. Staff who report suspicious requests should also be encouraged and held up as good examples in internal communications where possible.

Using friction and alerts in workflows

Insight from cross-border operations is that attackers exploit time pressure and executive assumptions, often seen in CEO/CFO-themed fraud. Teams often follow cues from perceived authority, which attackers scope from email flows, and urgency is often attached to large payments by tying them to critical business needs. By introducing friction into critical workflows, such as mandatory pauses for large transfers or automated anomaly alerts, organizations can reduce risk without hampering productivity.

Effective friction does not mean indiscriminately grinding the business or its processes to a halt. Mandatory pauses for large or unusual transfers create space for verification and reduce impulsive decisions and actions. During these pauses, specific actions should take place, such as email address and signature checks, wording checks, secondary approval, independent confirmation or automated checks against historical payment behavior, as noted above.

Automated anomaly alerts are only useful when they focus on deviations that matter and are tied to clear response expectations. Alerts should prioritize scenarios such as out-of-hours payment requests, changes to established vendor details or transfers that fall outside normal patterns. Ownership of BEC-related alerts should sit with teams that control financial decisions, such as finance operations, fraud risk units or cross-functional payment risk groups that combine security and business authority, rather than being routed solely to noisy SOC queues.

To reduce false positives, enhanced monitoring for priority accounts should also be introduced. This can be improved further by routing emails containing specific payment keywords to these risk groups for evaluation before they land in the intended inboxes.
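As an added example (not the author's tooling), here is a small Python triage routine that checks an inbound payment request against the signals this article lists: a reply-to that differs from the sender, a lookalike vendor domain, a first-time payee, changed bank details, out-of-hours timing, and payment keywords aimed at priority mailboxes, and holds the message for the payment risk group rather than a SOC queue. The addresses, domains and sample message are constructed; the business-hours window and the two-edit typosquat threshold are assumptions.

```python
from datetime import datetime

# Added illustration, not the author's tooling; all names and sample data are constructed.
PAYMENT_KEYWORDS = ("wire", "transfer", "invoice", "bank details", "urgent payment")
PRIORITY_MAILBOXES = {"ap@example-corp.test", "cfo@example-corp.test"}  # constructed

def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(msg, known_vendors, payee_history):
    """Return the BEC risk flags for one payment request (msg is a dict; see SAMPLE)."""
    flags = []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    # A reply-to that differs from the visible sender is a classic BEC tell.
    if msg.get("reply_to") and msg["reply_to"].lower() != msg["from_addr"].lower():
        flags.append("reply_to_mismatch")
    # A domain within two edits of a real vendor domain is probably typosquatted (assumed threshold).
    if sender_domain not in known_vendors and any(
            edit_distance(sender_domain, v) <= 2 for v in known_vendors):
        flags.append("lookalike_domain")
    if msg["payee_account"] not in payee_history:
        flags.append("first_time_payee")
    if msg.get("bank_change"):
        flags.append("vendor_bank_details_changed")
    # Business hours assumed as 08:00-18:00 on weekdays.
    if msg["sent"].weekday() >= 5 or not 8 <= msg["sent"].hour < 18:
        flags.append("out_of_hours")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if msg["to_addr"] in PRIORITY_MAILBOXES and any(k in text for k in PAYMENT_KEYWORDS):
        flags.append("payment_keyword_priority_mailbox")
    return flags

def route(flags):
    """Any flag holds the mail for the payment risk group instead of the inbox."""
    return "hold_for_payment_risk_group" if flags else "deliver"

SAMPLE = {  # constructed lookalike-domain request sent on a Saturday evening
    "from_addr": "billing@acme-supplles.test", "reply_to": None, "to_addr": "ap@example-corp.test",
    "subject": "URGENT: updated bank details for invoice 4471",
    "body": "Please wire payment to our new account before end of day.",
    "sent": datetime(2026, 5, 2, 21, 15), "payee_account": "GB00-NEW-ACCT", "bank_change": True}

if __name__ == "__main__":
    print(route(triage(SAMPLE, {"acme-supplies.test"}, {"GB00-OLD-ACCT"})))
```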

What security leaders should change now

BEC continues to succeed because human decision points are rarely treated as security-critical systems. MFA, email filtering and endpoint protections remain necessary, but they do not control how people make decisions under pressure. Until financial and executive workflows are designed with the same rigor applied to technical systems, attackers will continue to exploit the influence of human behavior on cybersecurity, with social engineering and human weaknesses at the top of the pile.

Added to this, there should also be clear ownership of BEC risk at the leadership level. If no single role is accountable for payment verification failures, accountability defaults to frontline staff under pressure, who often bear the brunt of being dismissed or prosecuted following successful BEC attacks. Assigning ownership to finance leadership, risk committees or cross-functional governance groups ensures that process failures are treated as systemic issues rather than individual errors.

Equally important, leaders should not measure success solely by the number of blocked phishing emails, but by how often verification steps are followed, how many payment requests are challenged and how quickly suspicious transactions are paused and reviewed.

In conclusion, security leaders who reduce BEC risk align people, processes and technology so that verification becomes routine, hesitation is acceptable and authority is never assumed without confirmation. In 2026 and beyond, business workflows should continue to be treated as a core part of the security architecture and not a peripheral component.

This article is published as part of the Foundry Expert Contributor Network.