Business Email Compromise Response

Compromised inbox? Fraudulent wire? Fast, fixed-scope incident response that finds what happened, evicts the attacker, and gets you back to business.

Active incident right now?

Email us with INCIDENT in the subject line for priority response — and if money has moved, call your bank first to request a wire recall.

🚨 Get Priority Response

The Most Common Breach You'll Actually Have

Business Email Compromise is the largest source of cybercrime losses in the United States — bigger than ransomware. An attacker gets into (or convincingly impersonates) a mailbox, watches payment conversations, and reroutes money. Most organizations discover it when a vendor calls asking where their payment went.

The good news: BEC response doesn't require an enterprise incident response machine. It requires someone who knows exactly where to look in Microsoft 365 and Google Workspace, what evidence to preserve, how to evict the attacker completely, and what your notification obligations are.

That's this engagement. Fast, fixed-scope, and focused on the questions that matter: how did they get in, what did they see, are they gone, and how do we make sure this doesn't happen again.

Signs You're Dealing With BEC

  • A vendor says they never received a payment you sent
  • A "banking change" request that turned out to be fake
  • Customers or vendors receiving strange emails from your staff
  • Mailbox rules you don't remember creating
  • Staff locked out of email, or sign-ins from unexpected locations
  • An invoice paid to the wrong account — discovered weeks later

What the Engagement Covers

Four questions, answered with evidence — not guesswork.

🔎
How Did They Get In?

Mailbox audit log and sign-in activity review to identify the initial access method — credential phishing, password spray, MFA fatigue, or session token theft — plus a review of OAuth application grants and third-party app authorizations.

📖
What Did They See and Touch?

Attacker activity timeline with estimated dwell time, inbox rule and mail forwarding audit, and a scope check for lateral movement into additional mailboxes, SharePoint, or OneDrive — the foundation for any notification decision.

🚪
Are They Fully Evicted?

Removal of malicious inbox rules, forwarding rules, and unauthorized OAuth grants, with credential reset and session revocation done in the right order — and verification the attacker is actually gone.

🛡️
Will It Happen Again?

Review of how the fraud was executed, then a working session with your finance team to harden outbound wire transfer and vendor banking-change verification procedures — closing the specific gaps that let this incident happen.

If Money Has Moved: The First 48 Hours

Recovery of fraudulent wires is a race. The steps below matter more than anything an investigator does later — start them before you even call us.

  1. 1
    Call your bank immediately

    Ask for the fraud department and request a wire recall. Every hour reduces the odds the funds are still reachable.

  2. 2
    File with the FBI's IC3

    Report at ic3.gov. Rapid reporting lets the FBI work with financial institutions to attempt to freeze funds before they disappear.

  3. 3
    Preserve everything

    Don't delete the fraudulent emails, don't wipe accounts, don't "clean up." The evidence determines what the attacker accessed — and your legal obligations.

  4. 4
    Get the attacker out — properly

    A password reset alone often isn't enough. Sessions, mailbox rules, app grants, and MFA methods all need review — that's where we come in.

What You'll Have When We're Done

  • Attacker activity timeline with estimated dwell time
  • Scope determination — mailboxes, SharePoint, and OneDrive
  • Verified attacker eviction across the email environment
  • Hardened wire transfer and banking-change verification procedure, built with your finance team
  • Written BEC investigation report for insurance and legal processes
  • Prioritized hardening plan to prevent recurrence

Haven't been hit yet?

The controls that stop BEC are well understood — training, payment verification procedures, and email hardening.

Payment Fraud Prevention →

After the Incident

Turn the Incident Into Readiness

A BEC incident is a stress test you didn't ask for — and it always reveals more than one gap. Organizations that treat the incident as a wake-up call come out stronger than they went in.

Cyber CPR is our structured readiness program: assess your fundamental controls, build a real incident response plan, and stress-test it with a tabletop exercise. It's the natural next step after any incident — and it means the next one gets handled from a playbook, not from panic.

Cyber CPR — Coaching, Preparation, Response

The readiness program that makes sure your next incident is a controlled event, not a crisis.

Learn About Cyber CPR

Frequently Asked Questions

We just discovered a fraudulent wire transfer. What should we do right now?

Call your bank immediately and ask them to attempt a recall of the wire — speed matters more than anything else in the first hours. Then file a complaint with the FBI's Internet Crime Complaint Center (IC3), which can engage financial institutions to attempt to freeze funds. Preserve everything: don't delete emails, don't reset accounts yet. Then get an investigator involved to determine how the attacker got in and whether they still have access.

How fast can you engage?

BEC engagements are deliberately scoped to move fast. Email us with INCIDENT in the subject line for priority response. Most investigations begin within one business day, and because BEC response doesn't require the infrastructure of a full ransomware engagement, initial findings typically come quickly.

Do we need a 24/7 incident response retainer for this?

No. Business email compromise is a different animal from ransomware — it rarely requires around-the-clock war rooms or six-figure retainers. It requires a focused investigation of your email environment, decisive attacker eviction, and hardening so it doesn't recur. That's a fixed-scope engagement, priced accordingly.

Can the stolen money be recovered?

Sometimes — and the odds depend almost entirely on speed. Wires reported to the bank and the FBI within the first 24–72 hours have meaningfully better recovery odds. After funds have been moved through mule accounts or converted, recovery becomes unlikely. This is why the first phone call matters more than the forensics.

We use Microsoft 365 / Google Workspace. Can you investigate that?

Yes — cloud email platforms are where nearly all BEC happens. We investigate sign-in logs, mailbox rules, OAuth app grants, forwarding configurations, and message traces in both Microsoft 365 and Google Workspace to establish how the attacker got in, what they accessed, and whether they're still there.

Ready to Get Started?

Let's discuss how Business Email Compromise Response can protect your organization.

Schedule a Free Consultation