Incident Response | Intermediate | 30 min read

BEC Investigation Runbook

Business email compromise investigation methodology with email forensics, fund recovery procedures, and preventive control implementation.

SBK Security Team
Incident Response Practice
Updated December 2024

Understanding Business Email Compromise

Business Email Compromise (BEC) represents one of the most financially damaging cyber threats facing organizations today. Unlike traditional malware attacks, BEC relies on social engineering and email fraud to manipulate employees into transferring funds or disclosing sensitive information.

Threat Landscape

  • $2.7B+ in reported losses annually (FBI IC3)
  • 300% increase in attacks since 2019
  • Average loss per incident: $120,000
  • 98% of attacks use email as primary vector
  • Only 14% of transferred funds recovered

Attack Characteristics

  • Highly targeted and researched
  • Exploits organizational hierarchy
  • Creates artificial urgency
  • Minimal technical sophistication required
  • Difficult to detect with traditional tools

⚠️ Time-Sensitive Response

The first 24-48 hours after a BEC attack are critical for fund recovery. Financial institutions can only recall wire transfers before they clear, typically within 24 hours for domestic transfers and 48-72 hours for international transfers. Immediate action dramatically increases recovery success rates.

Primary Attack Vectors

Account Compromise

Attackers gain unauthorized access to legitimate email accounts through phishing, password spraying, or credential stuffing to send fraudulent requests from trusted addresses.

Email Spoofing

Creating emails that appear to originate from trusted sources using look-alike domains, display name spoofing, or exploiting missing email authentication controls.

Domain Impersonation

Registering domains visually similar to legitimate organizations (typosquatting) to deceive recipients into believing communications are authentic.

Common BEC Attack Scenarios

Understanding the most prevalent BEC attack patterns helps organizations recognize threats early and implement targeted defenses. Each scenario follows distinct social engineering tactics and organizational vulnerabilities.

1. CEO Fraud / Executive Impersonation

Typical Characteristics:

  • Request sent outside normal business hours
  • Urgent language creating time pressure
  • Request for confidentiality or secrecy
  • Unusual payment destination or beneficiary
  • Communication pattern breaks from normal behavior

Example Scenario:

From: CEO@company-secure.com (spoofed domain)
Subject: URGENT - Confidential Wire Transfer

I'm in a meeting and need you to process an urgent wire transfer for an acquisition. Can you handle this discreetly? I'll send account details separately. This is time-sensitive and confidential.

2. Vendor Email Compromise

Attackers compromise legitimate vendor email accounts or create look-alike domains to redirect payments to fraudulent bank accounts. Often involves detailed invoice forgery.

Common Indicators:

  • Sudden request to update payment account information
  • Slight variations in vendor email domain
  • Changes in communication patterns or tone
  • Requests to bypass normal change approval processes
  • Bank accounts in unexpected jurisdictions

Vendor Communication Compromise

In 2023, 37% of BEC attacks involved compromised vendor relationships. Always verify banking changes through secondary communication channels (phone call to known contact).

3. Payroll Diversion

Attackers impersonate employees to request direct deposit changes, redirecting salaries to attacker-controlled accounts. Targets HR and payroll departments.

Attack Pattern:

  • Email from compromised or spoofed employee account
  • Request to update direct deposit information
  • Often includes forged supporting documentation
  • May cite personal emergency or life changes
  • Detected only when employee reports missing paycheck

4. Attorney/Legal Impersonation

Attackers impersonate legal counsel or external attorneys to request confidential information or urgent payments related to litigation, M&A, or regulatory matters.

Red Flags:

  • Unsolicited legal representation claims
  • Requests for confidential financial information
  • Pressure to act before legal team review
  • Email domain doesn't match known law firm
  • Attorney not registered with state bar association

5. Data Theft BEC

Rather than immediate financial fraud, attackers target HR and finance departments to steal sensitive employee data (W-2s, PII) for tax fraud or identity theft.

Target Information:

  • W-2 forms and tax documents
  • Employee personal information (SSN, DOB, addresses)
  • Customer databases and contact lists
  • Intellectual property and trade secrets
  • M&A due diligence materials

⚠️ Regulatory Impact

Data theft BEC attacks may trigger breach notification requirements under GDPR, CCPA, or state laws. Document the incident thoroughly and consult legal counsel regarding disclosure obligations.

Detection Indicators and Warning Signs

Early detection of BEC attempts requires a combination of technical monitoring, user awareness, and behavioral analysis. Understanding these indicators helps security teams and employees identify threats before financial damage occurs.

Essential Detection Indicators

1. Email Header Anomalies

  • Display Name Spoofing: Name matches executive but email address is external
  • Look-alike Domains: company-inc.com vs company.inc.com
  • Unusual Sender Domains: Free email providers (Gmail, Yahoo) for business communications
  • Missing or Failed Authentication: SPF, DKIM, DMARC failures
  • Reply-To Mismatch: Reply-To address differs from sender address

2. Content and Language Red Flags

  • Artificial Urgency: "URGENT", "Time-sensitive", "Immediate action required"
  • Confidentiality Requests: "Don't discuss with anyone", "Keep this confidential"
  • Unusual Language: Grammar errors, unexpected formality or informality
  • Authority Invocation: "CEO approved", "Board directive", "Legal requirement"
  • Process Circumvention: "Bypass normal procedures", "Exception this time"

3. Financial Transaction Anomalies

  • Unusual Amounts: Transfers just under approval thresholds
  • New Beneficiaries: Payments to previously unknown vendors or accounts
  • Destination Changes: Established vendor requests new bank account
  • Geographic Anomalies: Domestic vendor suddenly has offshore account
  • Timing Irregularities: Requests outside business hours or during executive travel

User Reporting is Critical

82% of successful BEC attacks are stopped by vigilant employees who report suspicious emails. Establish clear, easy-to-use reporting channels and celebrate employees who report potential threats.

Initial Response and Containment

The first actions taken when BEC is suspected directly impact the success of fund recovery and scope limitation. This phase requires rapid, coordinated execution across IT, finance, and leadership teams.

CRITICAL: Time-Sensitive Actions

Wire Transfer Timeline:

  • 0-2 hours: Maximum recall window for same-bank domestic transfers
  • 2-24 hours: Recall possible but success rate drops to 40%
  • 24-48 hours: International transfers may still be intercepted
  • 48+ hours: Recovery requires legal action and international cooperation

Every minute counts. Activate response immediately upon suspicion.

1. Activate Incident Response Team (0-15 minutes)

Immediately assemble core response team with authority to take containment actions:

Required Personnel

  • IT Security / SOC Lead
  • Email Administrator
  • CFO or Finance Director
  • Legal Counsel
  • Treasury / Banking Contact
  • HR (if payroll diversion suspected)

Initial Communication

  • Use out-of-band communication (phone, SMS)
  • Avoid email for sensitive incident details
  • Establish secure collaboration channel
  • Document all actions with timestamps
  • Assign Incident Commander role

Incident Declaration Template

INCIDENT: BEC-2024-[number]

SEVERITY: [Critical/High/Medium]

TYPE: [CEO Fraud/Vendor Compromise/Payroll Diversion/Data Theft]

FINANCIAL IMPACT: $[amount if known]

COMMANDER: [name]

DECLARED: [timestamp]

2. Financial Containment (0-30 minutes)

PRIORITY ONE: Stop Fund Transfer

If wire transfer has been initiated, contact your financial institution immediately by phone. Request wire recall before any other investigation steps.

Immediate Banking Actions

  1. Contact Sending Bank (Your Institution)
    • Call treasury contact or fraud hotline immediately
    • Reference specific wire transfer details (amount, date, reference number)
    • Request immediate recall and account freeze
    • Provide incident report number
    • Request confirmation of recall attempt
  2. Contact Receiving Bank (if known)
    • Report fraudulent transfer to receiving institution
    • Request beneficiary account freeze
    • Provide law enforcement case number (if available)
  3. Freeze Additional Accounts (if compromise suspected)
    • Temporarily suspend online banking access for compromised users
    • Place alerts on all corporate accounts
    • Require dual approval for all outgoing wires

Wire Recall Communication Template

To: [Bank Treasury Fraud Department]

Subject: URGENT - Fraudulent Wire Transfer Recall Request

This is an urgent request to recall a fraudulent wire transfer resulting from business email compromise:

  • Company Name: [Your Company]
  • Account Number: [Account]
  • Wire Amount: $[Amount]
  • Wire Date/Time: [Date Time]
  • Reference Number: [Ref #]
  • Beneficiary Bank: [Bank Name]
  • Beneficiary Account: [Account if known]

We have filed a law enforcement report (IC3 #[number]). Please freeze all associated accounts and contact me immediately at [phone].

3. Account Containment (15-45 minutes)

Isolate compromised accounts to prevent further unauthorized access while preserving forensic evidence:

Compromised Account Actions

  1. Immediately Reset Password
    • Force password change for compromised account
    • Revoke all active sessions and tokens
    • Disable account temporarily if investigation requires
    • Document original password hash for forensics
  2. Remove Suspicious Email Rules and Forwarding
    • Check for auto-forwarding rules to external addresses
    • Remove inbox rules that delete or move emails
    • Document all rules before deletion (screenshot)
    • Check for calendar sharing with external accounts
  3. Preserve Mailbox for Forensics
    • Create complete mailbox export/backup before changes
    • Enable litigation hold to prevent auto-deletion
    • Capture audit logs for last 90 days
    • Document compromised account activities

⚠️ Preserve Evidence

Do not delete suspicious emails, rules, or forwarding configurations until forensic copies are created. Evidence preservation is critical for law enforcement investigation and insurance claims.

4. Communication Lockdown (30-60 minutes)

Prevent additional fraudulent communications while investigation proceeds:

Internal Notifications

  • Finance Department Alert

    Immediately notify all finance staff to halt processing of any pending wire transfers or payment changes. Implement verbal verification for all payment requests until further notice.

  • Executive Team Notification

    Inform C-suite that impersonation attack is in progress. Request they verify legitimacy of recent payment or data requests they may have made.

  • IT Help Desk Brief

    Update help desk on incident details to field potential related reports. Provide guidance on identifying similar attempts.

External Communications

  • Vendor/Customer Notification (if applicable)

    If attacker impersonated your organization to external parties, notify affected vendors/customers of potential fraudulent communications. Provide verification procedures.

  • Payment Processor Alert

    Notify payment processors (payroll, AP systems) of potential compromise. Request enhanced verification on account changes.

⚠️ Communication Best Practices During Incident

  • Use phone calls for sensitive incident discussions
  • Do not send incident details via potentially compromised email
  • Verify recipient identity before sharing investigation updates
  • Assume attacker may still have access to compromised account
  • Use code words or incident numbers to verify legitimate communications

5. Initial Evidence Collection (30-90 minutes)

Gather critical evidence while systems are still in a known state:

Email Evidence

  • Original fraudulent email (with full headers)
  • Complete email thread/conversation
  • Related emails to/from same sender
  • User's sent items folder
  • Deleted items (if available)

System Logs

  • Email gateway logs (send/receive)
  • Authentication logs (successful/failed)
  • VPN connection logs
  • Admin action audit logs
  • Firewall/proxy logs

Financial Documentation

  • Wire transfer authorizations
  • Banking portal screenshots
  • Payment approval workflows
  • Account change requests
  • Invoice copies (if applicable)

User Information

  • Witness statements (who processed request)
  • Timeline of user actions
  • Verification attempts made
  • Communication with "sender"
  • Suspicion points that arose

Evidence Collection Checklist

□ Full email headers captured (not just visible content)

□ Screenshots of fraudulent requests with timestamps

□ Mailbox export created before account modifications

□ Authentication logs exported (30-90 day retention)

□ Email gateway logs captured

□ Banking documentation collected

□ Witness statements documented with timestamps

□ Chain of custody form initiated for all evidence

Email Forensics and Analysis

Detailed email analysis reveals critical information about attacker techniques, infrastructure, and potential scope. Understanding email forensics enables accurate attribution, scope assessment, and evidence preservation for law enforcement.

Email Header Analysis Fundamentals

Accessing Email Headers

Microsoft Outlook / 365

  1. Open the suspicious email
  2. Click File → Properties
  3. Find "Internet headers" section
  4. Copy all header text

Gmail

  1. Open the email
  2. Click the three dots (⋮) menu
  3. Select "Show original"
  4. Copy "Original message" text

Critical Header Fields to Examine

From / Return-Path

What to check: Compare displayed "From" address with actual sending address in headers. Look for domain mismatches, typosquatting, or free email providers.

From: CEO <ceo@company-secure.com>
Return-Path: <attacker@gmail.com>

⚠️ Red flag: Display name is "CEO" but actual sending domain is gmail.com

Reply-To

What to check: If Reply-To differs from From address, replies will go to attacker-controlled account.

From: cfo@company.com
Reply-To: cfo.company@gmail.com

⚠️ Red flag: Replies redirected to external Gmail account

Received Headers (Mail Path)

What to check: Trace email path from origin to destination. Look for suspicious mail servers, geographic anomalies, or missing hops.

Received: from mail.suspicious-server.ru
  by company-mail.com with ESMTP
  for <cfo@company.com>
  Fri, 20 Dec 2024 03:22:15 -0800

⚠️ Red flag: Originated from Russian mail server at 3 AM local time

Authentication-Results

What to check: SPF, DKIM, and DMARC authentication status. Failed checks indicate spoofing or unauthorized sending.

Authentication-Results: company.com;
  spf=fail smtp.mailfrom=attacker.com;
  dkim=fail header.d=company.com;
  dmarc=fail (p=reject)

🚨 Critical: All authentication checks failed - strong spoofing evidence. Forwarding or a misconfigured relay can break SPF or DKIM on legitimate mail, but all three failing together on a message that claims to come from your own domain is rarely benign.
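The header checks described above (display name versus real address, Return-Path and Reply-To mismatches, the Received chain, Authentication-Results) and the header indicators listed under Essential Detection Indicators can be applied mechanically to a raw message. The Python script below is an added example for this runbook, not code from the original page or from any of the header tools it names; the raw message, the internal domain company.com, the executive name list and the free-mail domain set are constructed assumptions.

```python
import re
import email
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not evidence from a real case). It carries the anomalies the
# runbook describes: executive display name on a look-alike domain, external Return-Path,
# Reply-To pointing at a free-mail account, failed SPF/DKIM/DMARC and an off-hours origin.
SAMPLE_RAW = """\
Return-Path: <attacker@gmail.com>
Received: from mail.suspicious-server.ru (mail.suspicious-server.ru [203.0.113.7])
  by company-mail.com with ESMTP id a1b2c3
  for <cfo@company.com>; Fri, 20 Dec 2024 03:22:15 -0800
Received: from [192.0.2.10] (unknown [192.0.2.10])
  by mail.suspicious-server.ru with SMTP; Fri, 20 Dec 2024 03:22:11 -0800
Authentication-Results: company.com;
  spf=fail smtp.mailfrom=attacker.com;
  dkim=fail header.d=company.com;
  dmarc=fail (p=reject)
From: CEO <ceo@company-secure.com>
Reply-To: cfo.company@gmail.com
To: cfo@company.com
Subject: URGENT - Confidential Wire Transfer
Date: Fri, 20 Dec 2024 03:22:10 -0800

I'm in a meeting and need you to process an urgent wire transfer.
"""

# Assumed set of consumer mail providers that should not carry executive or vendor mail
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

def _unfold(value):
    """Collapse folded continuation lines of a header into one line."""
    return " ".join(value.split()) if value else ""

def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def levenshtein(a, b):
    """Edit distance, used to spot typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_domain, internal_domain):
    """Typosquat (edit distance <= 2) or the real label embedded in a longer one."""
    if not sender_domain or sender_domain == internal_domain:
        return False
    s_label, i_label = sender_domain.split(".")[0], internal_domain.split(".")[0]
    return levenshtein(sender_domain, internal_domain) <= 2 or (i_label in s_label and s_label != i_label)

def parse_auth_results(value):
    """Return {'spf': 'fail', 'dkim': ..., 'dmarc': ...} from an Authentication-Results header."""
    results = {}
    for clause in _unfold(value).split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            results[m.group(1)] = m.group(2).lower()
    return results

def mail_path(raw):
    """Received hops as (from_host, by_host) pairs, oldest first (bottom header = origin)."""
    msg = email.message_from_string(raw)
    path = []
    for hop in reversed(msg.get_all("Received") or []):
        text = _unfold(hop)
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        path.append((frm.group(1) if frm else "?", by.group(1) if by else "?"))
    return path

def analyze_headers(raw, internal_domain, executive_names, business_hours=(7, 19)):
    """Return (indicator, detail) tuples for the header red flags listed in the runbook."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(_unfold(msg.get("From", "")))
    from_dom = _domain(from_addr)
    _, return_path = parseaddr(_unfold(msg.get("Return-Path", "")))
    _, reply_to = parseaddr(_unfold(msg.get("Reply-To", "")))
    # Display name spoofing: an executive's name, but the address is not on our domain
    if from_name.strip().lower() in {n.lower() for n in executive_names} and from_dom != internal_domain:
        findings.append(("DISPLAY_NAME_SPOOFING", f"'{from_name}' sent from {from_dom}"))
    if is_lookalike(from_dom, internal_domain):
        findings.append(("LOOKALIKE_DOMAIN", f"{from_dom} resembles {internal_domain}"))
    # Envelope sender (Return-Path) on a different domain than the visible From
    if return_path and _domain(return_path) != from_dom:
        findings.append(("RETURN_PATH_MISMATCH", f"From {from_dom} but Return-Path {_domain(return_path)}"))
    # Replies silently diverted to another mailbox
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply_to}"))
    for label, addr in (("From", from_addr), ("Return-Path", return_path), ("Reply-To", reply_to)):
        if _domain(addr) in FREE_MAIL_DOMAINS:
            findings.append(("FREE_MAIL_PROVIDER", f"{label} uses {_domain(addr)}"))
    # Missing results count as failures, as the runbook's indicator list does
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "missing") != "pass":
            findings.append(("AUTH_FAILURE", f"{method}={auth.get(method, 'missing')}"))
    if msg.get("Date"):
        hour = parsedate_to_datetime(_unfold(msg.get("Date"))).hour
        if not business_hours[0] <= hour < business_hours[1]:
            findings.append(("OFF_HOURS", f"sent at {hour:02d}:00 sender-local time"))
    return findings

if __name__ == "__main__":
    for hop in mail_path(SAMPLE_RAW):
        print("hop:", hop)
    for code, detail in analyze_headers(SAMPLE_RAW, "company.com", ["CEO"]):
        print(f"{code:24} {detail}")
```

Paste the text obtained via "Show original" or "Internet headers" in place of SAMPLE_RAW. The Received chain is read bottom-up because each relay prepends its own header, so the lowest one is closest to the true origin; only the hop added by your own gateway is trustworthy, since anything below it can be forged.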

Email Header Analysis Tools

Free online tools for header analysis:

  • MXToolbox Email Header Analyzer: Visualizes email path and flags issues
  • Google Admin Toolbox Messageheader: Parses headers with delay analysis
  • Microsoft Message Header Analyzer: Integrated Office 365 analysis

Scope Assessment and Impact Analysis

Determining the full scope of a BEC incident is critical for effective response, appropriate notifications, and complete remediation. Scope assessment answers: What was accessed? What was compromised? How far did the attack spread?

Account Compromise Scope

  • Which accounts were accessed?
  • What privileges did they have?
  • How long was access maintained?
  • Were credentials shared/reused?

Data Access Scope

  • What data was viewed/exfiltrated?
  • Was PII/PHI/PCI accessed?
  • Customer vs employee data?
  • Intellectual property exposure?

Financial Impact Scope

  • Total fraudulent transfers?
  • Payroll diversions amount?
  • Vendor payment redirections?
  • Secondary fraud risks?

1. Identify All Compromised Accounts

BEC attacks may involve multiple compromised accounts or lateral movement. Comprehensive account review is essential:

Primary Account Investigation

PowerShell: Analyze Login Patterns

# Get all login events for the user in the last 90 days. ClientIP, ResultStatus and
# ClientInfoString live inside the AuditData JSON, so parse it once per record
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) `
  -EndDate (Get-Date) `
  -UserIds compromised.user@company.com `
  -Operations UserLoggedIn `
  -ResultSize 5000 | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
      CreationDate = $_.CreationDate
      UserId       = $_.UserIds
      ClientIP     = $data.ClientIP
      Status       = $data.ResultStatus
      ClientInfo   = $data.ClientInfoString   # user agent / client application, not a location
    }
  } | Sort-Object CreationDate

Anomaly Indicators:

  • Logins from unusual geographic locations (use IP geolocation)
  • Multiple failed logins followed by success (credential stuffing)
  • Logins outside user's normal working hours
  • Simultaneous logins from different countries (impossible travel)
  • Logins from TOR exit nodes or VPN services
  • User agent strings for unfamiliar devices/applications
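The anomaly indicators above can be checked automatically once the audit records are flattened as in the PowerShell query. The Python below is an added example for this runbook, not code from the original page or from Microsoft tooling; the sign-in records, the IP-to-location table and the 900 km/h travel threshold are constructed assumptions (a real run would feed exported audit data and a geolocation database into the same function).

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed geolocation table standing in for a real IP geolocation database:
# ip -> (country, latitude, longitude). Addresses are documentation ranges, not real hosts.
GEO = {
    "198.51.100.23": ("US", 40.71, -74.01),   # head-office egress, New York
    "203.0.113.45": ("NG", 6.45, 3.39),       # unknown host, Lagos
}

# Constructed sign-in records, shaped like the fields flattened out of the unified audit
# log (CreationDate, UserId, ClientIP, Status). Times are in the user's local time zone.
U = "compromised.user@company.com"
SAMPLE_LOGINS = [
    {"time": "2024-12-18T09:02:00", "user": U, "ip": "198.51.100.23", "status": "Success"},
    {"time": "2024-12-19T02:11:00", "user": U, "ip": "203.0.113.45", "status": "Failed"},
    {"time": "2024-12-19T02:11:30", "user": U, "ip": "203.0.113.45", "status": "Failed"},
    {"time": "2024-12-19T02:12:00", "user": U, "ip": "203.0.113.45", "status": "Failed"},
    {"time": "2024-12-19T02:12:30", "user": U, "ip": "203.0.113.45", "status": "Failed"},
    {"time": "2024-12-19T02:13:00", "user": U, "ip": "203.0.113.45", "status": "Failed"},
    {"time": "2024-12-19T02:14:00", "user": U, "ip": "203.0.113.45", "status": "Success"},
    {"time": "2024-12-19T08:30:00", "user": U, "ip": "198.51.100.23", "status": "Success"},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def find_anomalies(records, geo, business_hours=(7, 19), max_speed_kmh=900.0,
                   fail_burst=3, burst_window=timedelta(minutes=15)):
    """Return (user, indicator, time, detail) tuples for the login anomalies the runbook lists."""
    findings = []
    by_user = {}
    for r in records:
        by_user.setdefault(r["user"], []).append(r)
    for user, recs in by_user.items():
        last_success = None      # (time, country, lat, lon) of the previous successful login
        recent_failures = []     # failure timestamps since the last success
        for r in sorted(recs, key=lambda x: x["time"]):
            t = datetime.fromisoformat(r["time"])
            country, lat, lon = geo.get(r["ip"], ("??", None, None))
            if r["status"] != "Success":
                recent_failures.append(t)
                continue
            # Successful login outside the user's normal working hours
            if not business_hours[0] <= t.hour < business_hours[1]:
                findings.append((user, "OFF_HOURS", r["time"], r["ip"]))
            # Burst of failures immediately followed by success: stuffing / spraying signature
            burst = [f for f in recent_failures if t - f <= burst_window]
            if len(burst) >= fail_burst:
                findings.append((user, "FAILURES_THEN_SUCCESS", r["time"],
                                 f"{len(burst)} failures within {burst_window}"))
            recent_failures = []
            # Impossible travel: consecutive successes too far apart for the elapsed time
            if last_success and lat is not None and last_success[2] is not None:
                hours = (t - last_success[0]).total_seconds() / 3600
                km = haversine_km(last_success[2], last_success[3], lat, lon)
                if hours > 0 and km / hours > max_speed_kmh:
                    findings.append((user, "IMPOSSIBLE_TRAVEL", r["time"],
                                     f"{last_success[1]}->{country}: {km:.0f} km in {hours:.1f} h"))
            last_success = (t, country, lat, lon)
    return findings

if __name__ == "__main__":
    for user, code, when, detail in find_anomalies(SAMPLE_LOGINS, GEO):
        print(f"{when} {user} {code:22} {detail}")
```

The sample deliberately includes a benign-looking long gap (New York at 09:02, Lagos 17 hours later) that is not flagged, and a six-hour hop back that is; tune max_speed_kmh and business_hours to the user's real travel and working pattern before treating a hit as confirmed compromise.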

Lateral Movement Detection

Check if attacker accessed other accounts after initial compromise:

PowerShell: Check for Admin Activity from Compromised Account

# Search for admin operations performed by the compromised user. Set the window start to
# the earliest suspected compromise time established from the login analysis above
$CompromiseStartDate = (Get-Date).AddDays(-30)   # adjust to the confirmed compromise start

Search-UnifiedAuditLog -StartDate $CompromiseStartDate `
  -EndDate (Get-Date) `
  -UserIds compromised.user@company.com `
  -Operations Add-MailboxPermission,Add-RoleGroupMember,Set-User,Reset-Password,New-InboxRule `
  -ResultSize 5000 | `
  Select-Object CreationDate, Operations, UserIds

⚠️ Privilege Escalation Risk

If compromised account had admin privileges, assume attacker could access any mailbox, create accounts, or modify security settings. Expand investigation to all admin-accessible resources.

Shared Credential Analysis

  • Check for password reuse across services:

    If compromised password was reused for other corporate services (VPN, cloud apps, etc.), those accounts may also be compromised.

  • Review password manager access:

    If user's password manager was accessed, all stored credentials are potentially exposed.

  • Check MFA bypass methods:

    Review if attacker registered new MFA devices or used legacy authentication protocols that bypass MFA.

2. Assess Data Access and Exfiltration

Determine what sensitive information attacker accessed or exfiltrated. This drives regulatory notification requirements:

Mailbox Content Analysis

PowerShell: Search for Sensitive Data Access

# Search the mailbox for emails containing PII / sensitive data. Multi-word keywords are
# quoted so KQL treats "social security" as a phrase rather than two separate terms
$SensitiveKeywords = "SSN","social security","credit card", `
  "bank account","routing number","employee data","W-2","1099"
$Query = "(" + (($SensitiveKeywords | ForEach-Object { '"' + $_ + '"' }) -join ' OR ') + ")"

New-ComplianceSearch -Name "BEC-SensitiveData-Access" `
  -ExchangeLocation compromised.user@company.com `
  -ContentMatchQuery $Query `
  -AllowNotFoundExchangeLocationsEnabled $true

Start-ComplianceSearch -Identity "BEC-SensitiveData-Access"

# Review results (re-run until Status shows Completed)
Get-ComplianceSearch "BEC-SensitiveData-Access" | `
  Select-Object Name, Status, Items, Size

Email Forwarding and Export Detection

Automatic Forwarding Analysis

  • Check all forwarding rules (inbox rules, mailbox forwarding)
  • Review forwarding destinations (external domains)
  • Estimate volume of emails forwarded
  • Determine timeframe of forwarding activity
  • Assess content of forwarded emails

Manual Exfiltration Detection

  • Search for bulk email exports to external addresses
  • Check for unusual attachment downloads
  • Review mailbox exports (PST creation)
  • Analyze search queries in compromised mailbox
  • Check for mass deletion after viewing
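One way to triage exported inbox rules against the forwarding, deletion and hiding patterns described above, and to produce the "document all rules before deletion" snapshot the containment phase calls for. This is an added example for this runbook, not code from the original page or from Exchange; the rule records, the internal domain company.com and the keyword and folder lists are constructed assumptions, shaped like the properties Get-InboxRule returns.

```python
import json

# Constructed rule records shaped like the properties Get-InboxRule exposes
# (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage,
# MoveToFolder, SubjectContainsWords). Not data from any real investigation.
SAMPLE_RULES = [
    {"Name": "Invoices to AP", "Enabled": True, "ForwardTo": ["ap@company.com"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False,
     "MoveToFolder": None, "SubjectContainsWords": ["invoice"]},
    {"Name": ".", "Enabled": True, "ForwardTo": [],
     "RedirectTo": ["archive.backup99@gmail.com"], "ForwardAsAttachmentTo": [],
     "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["wire", "payment", "invoice"]},
    {"Name": "Tidy up", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False,
     "MoveToFolder": "RSS Feeds", "SubjectContainsWords": ["password", "security alert"]},
]

# Assumed watch-lists: subjects attackers filter on, and folders users rarely open
FINANCIAL_OR_SECURITY_TERMS = {"wire", "payment", "invoice", "bank", "password",
                               "security alert", "mfa", "verification"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

def _external(addresses, internal_domain):
    """Addresses that are not on the organisation's own domain."""
    return [a for a in addresses if not a.lower().endswith("@" + internal_domain)]

def triage_rules(rules, internal_domain):
    """Return (rule name, indicator, detail) tuples for rules matching BEC persistence patterns."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        name = r["Name"]
        targets = r.get("ForwardTo", []) + r.get("RedirectTo", []) + r.get("ForwardAsAttachmentTo", [])
        ext = _external(targets, internal_domain)
        if ext:
            findings.append((name, "EXTERNAL_FORWARD", ", ".join(ext)))
        if r.get("DeleteMessage"):
            findings.append((name, "DELETES_MAIL", "matching messages are deleted"))
        folder = (r.get("MoveToFolder") or "").lower()
        hides = folder in HIDING_FOLDERS
        if hides:
            findings.append((name, "HIDES_MAIL", f"moved to '{r['MoveToFolder']}'"))
        # Keyword filters only matter when the rule also diverts, deletes or hides mail
        hits = {w.lower() for w in r.get("SubjectContainsWords", [])} & FINANCIAL_OR_SECURITY_TERMS
        if hits and (ext or r.get("DeleteMessage") or hides):
            findings.append((name, "TARGETED_KEYWORDS", ", ".join(sorted(hits))))
        # Attackers often name rules with a single dot or space so they go unnoticed
        if not name.strip(" .,-_"):
            findings.append((name, "SUSPICIOUS_NAME", "rule name is blank or punctuation only"))
    return findings

def preservation_record(rules, mailbox, collected_by, collected_at):
    """JSON snapshot of every rule, stored with the evidence before any rule is removed."""
    return json.dumps({"mailbox": mailbox, "collected_by": collected_by,
                       "collected_at": collected_at, "rules": rules}, indent=2, sort_keys=True)

if __name__ == "__main__":
    for name, code, detail in triage_rules(SAMPLE_RULES, "company.com"):
        print(f"{name!r:18} {code:18} {detail}")
    print(preservation_record(SAMPLE_RULES, "cfo@company.com", "analyst", "2024-12-20T10:00:00Z"))
```

Feed it the output of Get-InboxRule converted to JSON (for example with ConvertTo-Json) rather than hand-typed records; the preservation record should be written to the evidence store, with its hash noted on the chain-of-custody form, before Remove-InboxRule is run.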

Regulatory Notification Triggers

If PII accessed/exfiltrated:

  • GDPR: Notify supervisory authority within 72 hours
  • CCPA: Notify California AG + affected individuals
  • State breach laws: Varies by state (check requirements)
  • HIPAA: If PHI involved, notify HHS within 60 days

If financial data accessed:

  • PCI DSS: Notify payment brands and acquirer immediately
  • GLBA: Financial institution notification requirements

Consult legal counsel immediately to determine notification obligations.

3. Map Attack Timeline and Persistence Mechanisms

Understanding complete attack timeline helps identify all compromise vectors and persistence mechanisms:

Initial Access Vector Identification

Phishing Investigation

  • Search for credential phishing emails
  • Check user's email for password reset requests
  • Review link clicks in email gateway logs
  • Check web proxy for phishing site visits

Credential Stuffing Analysis

  • Review failed login attempts (volume, timing)
  • Check breach databases for exposed credentials
  • Analyze authentication source IPs
  • Check for legacy auth protocol usage

Persistence Mechanism Review

Attackers establish persistence to maintain access even after password changes:

PowerShell: Check for Persistence Mechanisms

# Check for OAuth app consents: delegated permission grants the user has consented to.
# Sign-in logs do not list consents; Get-AzureADUserOAuth2PermissionGrant does, and the
# ClientId it returns is the service principal of the consented app
Get-AzureADUserOAuth2PermissionGrant -ObjectId user@company.com | ForEach-Object {
  $app = Get-AzureADServicePrincipal -ObjectId $_.ClientId
  [PSCustomObject]@{ App = $app.DisplayName; Scope = $_.Scope; ConsentType = $_.ConsentType }
}

# Check for mailbox delegates (anyone other than the owner holding explicit rights)
Get-MailboxPermission -Identity user@company.com | `
  Where-Object {$_.User -ne "NT AUTHORITY\SELF" -and -not $_.IsInherited}

# Check for application impersonation rights
Get-ManagementRoleAssignment -RoleAssignee user@company.com | `
  Where-Object {$_.Role -like "*Impersonation*"}

Common Persistence Methods:

  • Inbox Rules: Forward copies of all emails to attacker
  • OAuth Tokens: Malicious apps with mailbox access permissions
  • Mailbox Delegates: Additional users with full mailbox access
  • MFA Bypass: Registered attacker-controlled MFA devices
  • App Passwords: Legacy authentication tokens
  • Hidden Accounts: Service accounts or shared mailboxes

⚠️ Remove All Persistence Before Enabling Account

Do not re-enable compromised account until ALL persistence mechanisms are identified and removed. Attackers commonly maintain multiple backdoors.

4. Assess Third-Party and Supply Chain Impact

BEC attacks often involve vendor impersonation or extend into business partner networks:

External Communication Review

  • Identify external recipients of fraudulent emails:

    Search sent items for emails to external domains during compromise window. These organizations may have been targeted as secondary victims.

  • Vendor relationship impact:

    If attacker impersonated your organization to vendors, they may have provided fraudulent payment instructions or requested sensitive data.

  • Customer communication compromise:

    Review if customer-facing accounts were compromised. May result in customer data exposure or reputational damage.

Notification Template: Business Partners

Subject: Security Notice - Email Account Compromise

Dear [Partner Name],

We are writing to inform you that [Company Name] recently experienced a business email compromise incident affecting [affected account]. Our investigation determined that unauthorized parties may have sent emails from this account between [date range].

Please take the following actions:

  • Review any payment or account change requests received from our organization during this period
  • Verify legitimacy of recent wire transfers or banking changes through secondary communication channels
  • Contact us immediately at [verified contact] if you processed any suspicious requests
  • Do not trust email addresses alone - verify through phone calls to known contacts

We have secured our systems and implemented additional verification procedures. For any questions, please contact our security team at [contact information].

Financial Recovery and Fund Tracing

Time is the enemy in BEC fund recovery. Success rates drop dramatically after the first 24-48 hours. This section covers immediate financial recovery actions, fund tracing procedures, and insurance claim processes.

CRITICAL: Fund Recovery Timeline

0-24 Hours

70% recovery rate with immediate bank contact and law enforcement involvement

24-48 Hours

40% recovery rate - funds may have cleared but still traceable

48+ Hours

14% recovery rate - requires legal action and international cooperation

Act immediately - every hour counts in fund recovery.

1. Immediate Banking Notifications (0-2 hours)

Contact all financial institutions involved as soon as fraud is discovered:

Sending Bank (Your Institution)

  1. Call treasury management or fraud department immediately

    Do not rely on email alone. Use phone for immediate action. Have your account manager and fraud hotline numbers readily available.

  2. Provide complete wire transfer details
    • Account number funds were sent from
    • Wire transfer amount
    • Date and time of transfer
    • Wire reference/confirmation number
    • Beneficiary bank name and location
    • Beneficiary account number (if known)
    • Beneficiary name
  3. Request immediate wire recall

    Ask bank to initiate recall through SWIFT network or ACH reversal. Get confirmation that recall request was sent and reference number for tracking.

  4. Request account freeze if compromise suspected

    If you suspect attacker has online banking access, request temporary freeze on additional outgoing wires and ACH transfers.

Receiving Bank (Beneficiary Institution)

  1. Contact fraud department directly

    Search for receiving bank's fraud hotline. Identify yourself as victim of wire fraud and request immediate account freeze.

  2. Provide fraud documentation
    • Your company's wire transfer authorization
    • Fraudulent email with headers
    • Law enforcement case number (if available)
    • Proof of your authority to request freeze
  3. Request beneficiary account freeze

    Ask receiving bank to place hold on beneficiary account to prevent withdrawal or transfer of fraudulent funds.

⚠️ International Transfers

For international wire transfers, receiving banks may be less cooperative without local law enforcement involvement. Contact FBI immediately for international BEC cases to leverage their international partnerships.

Bank Communication Script

"This is [Your Name] from [Company Name], account number [Account #]. We are victims of business email compromise fraud and need immediate assistance with wire recall."

Wire Details:

  • Amount: $[Amount]
  • Date: [Date and Time]
  • Reference: [Wire Reference Number]
  • Beneficiary Bank: [Bank Name and Location]
  • Beneficiary Account: [Account Number if known]

"We have filed an FBI IC3 report and local law enforcement is involved. Can you initiate immediate wire recall and provide me with recall confirmation number? We also request account freeze on additional outgoing transfers."

Follow-up: "Can you provide direct contact for your fraud team for status updates? What additional documentation do you need from us?"

2. Law Enforcement Coordination (0-4 hours)

Law enforcement involvement is critical for fund recovery. Banks are more cooperative with official case numbers:

FBI IC3 (Internet Crime Complaint Center)

File FBI IC3 Report Immediately

  1. Go to ic3.gov and file online complaint

    IC3 accepts reports 24/7. File immediately even if details are incomplete. You can supplement with additional information later.

  2. Select "File a Complaint"

    Choose appropriate complaint type - select "Business Email Compromise" category explicitly.

  3. Complete all required fields

    Provide as much detail as possible. Incomplete reports delay processing.

  4. Save IC3 complaint number immediately

    You will receive IC3 complaint number upon submission. This is critical for all future correspondence.

  5. Request FBI RAT (Recovery Asset Team) involvement

    For transfers over $50,000, explicitly request RAT intervention in your complaint. RAT can contact beneficiary banks within hours to freeze accounts.

FBI IC3: ic3.gov

File report under "Business Email Compromise" category. Include keyword "BEC" for proper routing to specialized units.

Local Law Enforcement Report

File report with local police or sheriff's department in addition to FBI:

  • Provides additional case number for documentation
  • Required by some insurance policies
  • Creates official police record for legal proceedings
  • May be required for international cooperation

Note: Local police may have limited BEC investigation capabilities but report is still valuable for documentation and insurance purposes.

International Law Enforcement (if applicable)

For international wire transfers, additional agencies may assist:

Interpol

Can coordinate with law enforcement in beneficiary country. Contact through FBI or local police.

Secret Service

Investigates financial crimes. May become involved in cases over $250,000.

FinCEN

Financial Crimes Enforcement Network. Can issue alerts to financial institutions.

Local FBI Field Office

Contact cyber crimes division for direct case management and RAT coordination.

3. Fund Tracing and Investigation (4-72 hours)

Work with financial institutions and law enforcement to trace fund movement:

SWIFT Tracking (International Wires)

SWIFT MT103 Message Flow

Your Bank: Originates MT103 SWIFT message with wire details

↓ SWIFT Network

Intermediary Banks: May route through correspondent banks

↓ SWIFT Network

Beneficiary Bank: Receives and processes wire to account

Request complete SWIFT message trail from your bank. This shows all intermediary banks and can reveal fund destination.

  • SWIFT messages can be recalled if not yet credited to beneficiary account
  • Intermediary banks can place holds if notified promptly
  • Each bank in chain can be contacted to freeze funds
  • FBI RAT has direct SWIFT contacts for expedited freezes

Domestic Wire Tracking (ACH/Fedwire)

Domestic wires move faster but have some recovery mechanisms:

  • Fedwire (same-day settlement):

    Real-time gross settlement system. Recall must happen within hours before beneficiary withdraws funds. Contact receiving bank fraud department immediately.

  • ACH (2-3 day settlement):

    Longer settlement window provides more time for recall. Your bank can submit ACH reversal request if fraud detected before settlement.

Secondary Beneficiary Accounts

Sophisticated attackers quickly move funds through multiple accounts:

Typical Money Movement Pattern

1. Initial wire to Business Account (appears legitimate)

2. Immediate transfer to Personal Account (within hours)

3. ATM withdrawals or cryptocurrency purchase (cash out)

4. International transfers to final destination

Work with FBI and receiving bank to identify downstream accounts. Each transfer provides new opportunity for freeze/recovery.

4. Insurance Claims and Financial Documentation

Proper documentation is essential for insurance recovery and potential legal action:

Cyber Insurance Claims

Cyber Insurance (Crime/Fraud Coverage)
  1. Notify insurance carrier immediately

    Most policies require notification within 24-72 hours of discovery. Late notification may result in claim denial.

  2. Document all losses comprehensively
    • Wire transfer amounts and dates
    • Bank statements showing debits
    • Wire confirmation receipts
    • Any recovered amounts
    • Investigation costs (forensics, legal fees)
    • Business interruption losses
  3. Preserve all evidence

    Do not delete emails, logs, or documentation. Insurance adjusters will want to review original evidence.

  4. Cooperate with insurance investigation

    Insurers may conduct their own investigation. Provide requested documentation promptly and completely.

Common Insurance Policy Exclusions

Be aware of these potential coverage gaps:

  • Failure to follow security procedures: If you didn't enforce documented payment verification processes
  • Employee dishonesty: If fraud involved collusion with internal employees
  • Lack of MFA: Some policies require multi-factor authentication for coverage
  • Voluntary transfer: If employee "willingly" authorized transfer (even if deceived)
  • Acts of war/terrorism: If attack is attributed to nation-state actors
  • Consequential damages: Indirect business losses may not be covered

Tip: Review your cyber insurance policy NOW to understand coverage requirements. Implement required controls before an incident occurs.

Financial Loss Documentation Checklist

□ Wire transfer authorization forms (legitimate and fraudulent)

□ Bank statements showing debits

□ Wire confirmation receipts from bank

□ SWIFT/ACH transaction records

□ Email correspondence (fraudulent requests with headers)

□ Timeline of events with timestamps

□ Internal investigation report

□ Law enforcement case numbers (FBI IC3, local police)

□ Evidence of payment verification procedures

□ Screenshots of banking portals/fraudulent emails

□ Vendor contracts (if vendor impersonation)

□ Communication with banks (emails, call logs)

□ Documentation of recovery efforts and amounts

□ Forensic investigation reports

□ Legal consultation invoices

Tax Implications and Financial Reporting

Consult with accounting and tax advisors regarding BEC losses:

  • Theft losses may be tax deductible (consult tax advisor)
  • Recovered funds may have tax implications
  • Financial statement disclosure requirements (public companies)
  • SEC reporting obligations for material losses

Law Enforcement Reporting and Cooperation#

Effective law enforcement cooperation significantly increases fund recovery success rates and helps build cases against BEC networks. This section covers reporting procedures, evidence requirements, and ongoing collaboration best practices.

Why Report to Law Enforcement

  • Fund Recovery: FBI RAT can freeze accounts within hours
  • Insurance Requirements: Most policies require police reports
  • Pattern Recognition: Helps identify organized BEC rings
  • Legal Action: Enables prosecution and civil remedies
  • International Cooperation: Access to Interpol and foreign agencies

Key Agencies for BEC Reporting

  • FBI IC3: Primary federal reporting portal (ic3.gov)
  • FBI RAT: Recovery Asset Team for fund recovery
  • Local Police: Documentation and insurance requirements
  • Secret Service: Large-scale financial fraud cases
  • State AG: Consumer protection and state prosecution

Essential Reporting Requirements

Step 1: FBI IC3 Report (Immediate - Within 24 Hours)

File comprehensive Internet Crime Complaint with FBI as first step:

How to File IC3 Report

  1. Visit ic3.gov

    Available 24/7 for immediate reporting. Do not wait for business hours.

  2. Select "File a Complaint"

    Choose appropriate complaint type - select "Business Email Compromise" category explicitly.

  3. Complete all required fields

    Provide as much detail as possible. Incomplete reports delay processing.

  4. Save complaint number immediately

    You'll receive IC3 complaint number upon submission. This is critical for all future correspondence.

Critical Information to Include

Financial Details

  • Total loss amount
  • Wire transfer dates and amounts
  • Your bank account information
  • Beneficiary bank name and location
  • Beneficiary account number (if known)
  • Wire reference numbers

Attacker Information

  • Email addresses used by attacker
  • Spoofed domains or look-alikes
  • IP addresses (from email headers)
  • Phone numbers (if any)
  • Timeline of attack events
  • Attack methodology used

FBI RAT (Recovery Asset Team) Request

For losses over $50,000, explicitly request FBI RAT intervention in your IC3 complaint:

Template Language:

"Due to the significant financial loss of $[amount], we request immediate FBI Recovery Asset Team (RAT) involvement. Wire transfer was sent [date/time] and funds may still be recoverable if beneficiary account is frozen promptly. Please prioritize this case for RAT review."

Step 2: Local Law Enforcement Report (Within 24-48 Hours)

File report with local police or sheriff's department for documentation:

Why File Local Police Report

  • Insurance requirement: Most cyber insurance policies require official police report
  • State prosecution: Creates option for state-level charges in addition to federal
  • Civil litigation: Police report strengthens civil case against attackers
  • Documentation: Official record of crime for business and regulatory purposes

What to Bring to Police Station

  □ Fraudulent emails printed with full headers
  □ Wire transfer authorization documentation
  □ Bank statements showing debits
  □ Timeline of events document
  □ FBI IC3 complaint number
  □ Internal investigation summary
  □ Your corporate identification and authorization to file
⚠️ Local Police Limitations

Local police departments typically lack the resources and jurisdiction for complex BEC investigations. The report serves primarily as documentation rather than active investigation. For investigation and recovery, the FBI is the primary resource.

Step 3: Follow-Up and Case Status Monitoring

Maintain regular contact with law enforcement for case updates:

FBI Field Office Contact

After filing IC3 report, contact your local FBI field office cyber crimes division:

  1. Find your local FBI field office at fbi.gov/contact-us/field-offices
  2. Ask to speak with cyber crimes division or BEC task force
  3. Provide IC3 complaint number and request case status
  4. Ask for direct agent contact for ongoing coordination
  5. Provide any additional evidence collected since IC3 filing

Case Status Check Template

"I filed FBI IC3 complaint #[number] on [date] for business email compromise with $[amount] in losses. I'm calling to check on case status and provide additional evidence if needed."

Questions to ask:

  • Has the case been assigned to an agent?
  • Can you provide direct agent contact for ongoing coordination?
  • Is FBI RAT working on fund recovery?
  • What additional information would be helpful for the investigation?
  • Should I continue coordinating directly with beneficiary bank?

Remediation and Account Recovery#

After containing the immediate threat and initiating fund recovery, comprehensive remediation ensures attackers cannot regain access and prevents similar attacks in the future. This phase focuses on secure account recovery, removing persistence mechanisms, and restoring normal operations.

⚠️ Do Not Rush Account Recovery

Premature account recovery before removing all persistence mechanisms gives attackers continued access. Complete full investigation and remediation before re-enabling compromised accounts.

Step 1: Complete Persistence Mechanism Removal

Attackers establish multiple persistence mechanisms to maintain access. All must be identified and removed:

Email Rules and Forwarding Removal

PowerShell: Remove All Forwarding and Suspicious Rules

# Remove all inbox rules for compromised user
Get-InboxRule -Mailbox user@company.com | Remove-InboxRule -Confirm:$false

# Remove mailbox forwarding
Set-Mailbox -Identity user@company.com `
  -ForwardingAddress $null `
  -ForwardingSMTPAddress $null `
  -DeliverToMailboxAndForward $false

# Verify removal
Get-InboxRule -Mailbox user@company.com
Get-Mailbox user@company.com | Select ForwardingAddress, ForwardingSMTPAddress

OAuth Application and Consent Removal

OAuth Consent

PowerShell: Review and Remove OAuth Grants

# List all OAuth consents for user
Get-AzureADUser -ObjectId user@company.com | `
  Get-AzureADUserOAuth2PermissionGrant | `
  Format-List ClientId, ConsentType, PrincipalId, ResourceId, Scope

# Remove suspicious OAuth grant ([ConsentId] is the ObjectId of the grant listed above)
Remove-AzureADOAuth2PermissionGrant -ObjectId [ConsentId]

# Review every grant in the tenant that includes mailbox permissions
# (ClientId is the consuming app's service principal; resolve it with Get-AzureADServicePrincipal)
Get-AzureADOAuth2PermissionGrant -All $true | `
  Where-Object {$_.Scope -like "*Mail*"}

Red Flags for Malicious OAuth Apps

  • Apps with broad permissions (Mail.ReadWrite, Mail.Send, Files.ReadWrite.All)
  • Apps registered recently (during compromise window)
  • Apps with generic names ("Mail Manager", "Productivity Tool")
  • Apps from unknown publishers or unverified sources
  • Apps user doesn't recognize installing

Mailbox Delegation and Permission Removal

PowerShell: Remove Mailbox Delegates

# List all mailbox permissions
Get-MailboxPermission -Identity user@company.com | `
  Where-Object {$_.User -ne "NT AUTHORITY\SELF"}

# Remove unauthorized delegation
Remove-MailboxPermission -Identity user@company.com `
  -User suspicious.user@company.com `
  -AccessRights FullAccess -Confirm:$false

# Check for Send-As permissions
Get-RecipientPermission user@company.com | `
  Where-Object {$_.Trustee -ne "NT AUTHORITY\SELF"}

MFA Device and App Password Cleanup

MFA Device Review

  • Review all registered MFA devices for user
  • Remove any devices user doesn't recognize
  • Check for attacker-registered authenticator apps
  • Verify phone numbers for SMS-based MFA
  • Require user to re-register MFA from scratch

App Password Revocation

  • Revoke all application-specific passwords
  • Disable legacy authentication protocols (if possible)
  • Check for SMTP/IMAP/POP3 access tokens
  • Review API keys and service account credentials
  • Force re-authentication on all devices
⚠️ Verification Before Account Re-enablement

Before re-enabling compromised account, verify ALL of the following:

□ All inbox rules removed (verified with Get-InboxRule)

□ All forwarding addresses removed (verified with Get-Mailbox)

□ All OAuth app consents reviewed and suspicious ones removed

□ All mailbox delegations verified as legitimate

□ All MFA devices belong to legitimate user

□ All app passwords and API keys revoked

□ Password reset to strong, unique password

□ No suspicious authentication logs in past 24 hours
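The automatable items on this checklist can be run as one function. The PowerShell below is an added example, not part of the runbook; it assumes Connect-ExchangeOnline and Connect-AzureAD have already been run, and user@company.com is a placeholder. MFA device ownership and the sign-in log review still need a human and are left out.

```powershell
# Added example (not from the runbook): runs the re-enablement checklist as code.
# Assumes Connect-ExchangeOnline and Connect-AzureAD sessions already exist;
# user@company.com is a placeholder.
function Test-AccountRemediation {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $findings = @()

    # 1. Inbox rules: any rule left behind is a finding; rules that forward, redirect
    #    or delete mail are the classic BEC persistence and are rated High
    foreach ($rule in Get-InboxRule -Mailbox $UserPrincipalName) {
        $risky = $rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or $rule.DeleteMessage
        $findings += [pscustomobject]@{
            Check    = 'InboxRule'
            Detail   = $rule.Name
            Severity = $(if ($risky) { 'High' } else { 'Medium' })
        }
    }

    # 2. Mailbox-level forwarding set with Set-Mailbox
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Check    = 'Forwarding'
            Detail   = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
            Severity = 'High'
        }
    }

    # 3. Explicit Full Access delegates other than the mailbox owner
    $delegates = Get-MailboxPermission -Identity $UserPrincipalName |
        Where-Object { $_.User -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited }
    foreach ($perm in $delegates) {
        $findings += [pscustomobject]@{
            Check    = 'Delegate'
            Detail   = "$($perm.User): $($perm.AccessRights -join ',')"
            Severity = 'Medium'
        }
    }

    # 4. Send As trustees
    $sendAs = Get-RecipientPermission -Identity $UserPrincipalName |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' }
    foreach ($perm in $sendAs) {
        $findings += [pscustomobject]@{ Check = 'SendAs'; Detail = $perm.Trustee; Severity = 'Medium' }
    }

    # 5. OAuth consents granted by the user; mail or file scopes are rated High
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    foreach ($grant in Get-AzureADUserOAuth2PermissionGrant -ObjectId $user.ObjectId) {
        $app = Get-AzureADServicePrincipal -ObjectId $grant.ClientId
        $findings += [pscustomobject]@{
            Check    = 'OAuthGrant'
            Detail   = "$($app.DisplayName): $($grant.Scope)"
            Severity = $(if ($grant.Scope -match 'Mail\.|MailboxSettings|Files\.') { 'High' } else { 'Low' })
        }
    }

    return $findings
}

# Usage: an empty result means the automatable checklist items are clear
$findings = @(Test-AccountRemediation -UserPrincipalName 'user@company.com')
if ($findings.Count -eq 0) {
    'No persistence found; continue with password reset and MFA re-registration'
} else {
    $findings | Sort-Object Severity | Format-Table -AutoSize
}
```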

Step 2: Secure Account Recovery

Re-enable compromised accounts following secure recovery procedures:

Password Reset Procedure

  1. Admin-initiated password reset (do not use self-service)

    IT should reset password directly to prevent attacker intercept of reset emails.

  2. Generate strong, unique password
    • Minimum 16 characters (recommend 20+)
    • Mix of uppercase, lowercase, numbers, symbols
    • Not based on personal information or dictionary words
    • Never reused from other accounts
    • Use password manager for generation and storage
  3. Deliver password securely to user

    Use phone call, SMS, or in-person delivery. Never send via email to potentially compromised inbox.

  4. Require immediate password change at first login

    Set temporary password that user must change on first sign-in to password only they know.

MFA Re-registration

Require users to re-register MFA from scratch after compromise:

PowerShell: Force MFA Re-registration

# Remove all MFA methods for user (MSOnline module)
Get-MsolUser -UserPrincipalName user@company.com | `
  Set-MsolUser -StrongAuthenticationMethods @()

# For Azure AD / Entra ID (Microsoft Graph PowerShell): list the registered
# methods, then remove each with the matching Remove-MgUserAuthentication*Method cmdlet
Get-MgUserAuthenticationMethod -UserId user@company.com

# Require re-registration at next sign-in. The parameter expects
# StrongAuthenticationRequirement objects, not a plain hashtable.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enforced"
Set-MsolUser -UserPrincipalName user@company.com `
  -StrongAuthenticationRequirements @($req)

MFA Registration Best Practices

  • Perform MFA registration in-person or over video call to verify identity
  • Register multiple MFA methods (authenticator app + phone number backup)
  • Prefer authenticator apps (Microsoft Authenticator, Google Authenticator) over SMS
  • Document registered MFA devices for future verification
  • Educate user on protecting MFA devices and recognizing MFA fatigue attacks

Session and Token Revocation

PowerShell: Revoke All Active Sessions

# Revoke all refresh tokens (forces re-authentication)
Revoke-AzureADUserAllRefreshToken -ObjectId user@company.com

# For all users if widespread compromise suspected
Get-AzureADUser -All $true | `
  Revoke-AzureADUserAllRefreshToken

# Review the most recent sign-ins afterwards (AzureADPreview module): anything other
# than the user's own re-authentication from a known device needs investigation
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq 'user@company.com'" -Top 10

This forces all devices and applications to re-authenticate, ensuring attacker sessions are terminated.

Account Re-enablement Checklist

□ All persistence mechanisms removed and verified

□ Password reset to strong, unique credential

□ MFA re-registered with verified user identity

□ All active sessions and tokens revoked

□ User educated on compromise and prevention

□ Monitoring alerts configured for account activity

□ 48-hour enhanced monitoring period planned

□ User knows to report any suspicious activity immediately

Step 3: Organization-Wide Credential Reset (If Necessary)

For widespread compromise or credential exposure, organization-wide password reset may be required:

Mass Password Reset

When to Consider Mass Reset

  • Widespread credential exposure: Company credentials found in major breach database
  • Domain controller compromise: Attackers gained access to Active Directory or password hashes
  • Lateral movement detected: Multiple accounts compromised with unclear scope
  • Persistent re-compromise: Accounts continue to be compromised after individual resets

Mass Password Reset Planning

Critical Planning Steps

  1. Executive communication and approval

    Mass reset significantly disrupts operations. Requires C-level buy-in and clear communication plan.

  2. User communication strategy

    Multi-channel notification (email, SMS, Slack, phone) explaining why, when, and how reset will occur.

  3. IT help desk preparation

    Expect high volume of support requests. Staff adequately and prepare FAQs.

  4. Phased rollout vs simultaneous

    Consider department-by-department reset to manage help desk load vs immediate security benefit.

  5. Service account handling

    Identify service accounts that can't auto-reset. Plan manual coordination with application owners.

⚠️ Mass Reset Impact

Organization-wide password reset is highly disruptive. Users will be signed out of all applications, mobile devices need reconfiguration, and help desk will be overwhelmed. Only pursue when security risk justifies business impact.

Step 4: Post-Recovery Monitoring

Implement enhanced monitoring for 30-90 days post-recovery to detect re-compromise attempts:

Enhanced Alert Configuration

Account Activity Alerts

  • Login from new location or device
  • Failed authentication attempts (5+ in 1 hour)
  • After-hours account activity
  • Password change or MFA modification
  • Privilege escalation or role changes

Email Activity Alerts

  • New inbox rule creation
  • Email forwarding address added
  • Mass email deletion
  • Unusual recipient patterns
  • OAuth app consent grants

Daily Review Procedures

Security team should review the following daily for 30 days post-incident:

  • Authentication logs for previously compromised accounts
  • Inbox rules and forwarding configurations
  • OAuth app consents and API permissions
  • Outbound wire transfer requests (finance team coordination)
  • External email traffic patterns
  • User-reported suspicious emails (increased vigilance)
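The inbox-rule, forwarding and delegation items of this daily review can be pulled from the Microsoft 365 unified audit log in one sweep. The function below is an added example, not part of the runbook; it assumes Connect-ExchangeOnline with unified audit logging enabled, and the watchlist addresses are placeholders.

```powershell
# Added example (not from the runbook): daily sweep of the unified audit log for the
# persistence operations removed during remediation. Assumes Connect-ExchangeOnline;
# watchlist UPNs are placeholders.
function Get-WatchlistPersistenceEvents {
    param(
        [Parameter(Mandatory)] [string[]] $Watchlist,
        [int] $Hours = 24
    )

    # Operations matching the Email Activity Alerts above. UserIds filters on the
    # acting account, which for a re-compromised mailbox is the mailbox owner.
    $ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
           'Set-Mailbox', 'Add-MailboxPermission', 'Add-RecipientPermission'

    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) `
        -Operations $ops -UserIds $Watchlist -ResultSize 5000

    foreach ($rec in $records) {
        $data = $rec.AuditData | ConvertFrom-Json

        # Exchange admin-audit records carry the cmdlet parameters as Name/Value pairs
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

        $reason = switch ($rec.Operations) {
            'Set-Mailbox' {
                # Plain Set-Mailbox is noisy; only forwarding changes are interesting
                $keys = 'ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward' |
                    Where-Object { $params.ContainsKey($_) }
                if ($keys) { 'Forwarding changed: ' + (($keys | ForEach-Object { "${_}=$($params[$_])" }) -join ', ') }
            }
            { $_ -in 'New-InboxRule', 'Set-InboxRule' } {
                $ruleName = if ($params['Name']) { $params['Name'] } else { $params['Identity'] }
                $actions = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MoveToFolder' |
                    Where-Object { $params.ContainsKey($_) }
                if ($actions) { "Inbox rule '$ruleName' with $($actions -join ', ')" }
                else          { "Inbox rule '$ruleName' created or changed" }
            }
            'UpdateInboxRules' { 'Inbox rules changed from a mail client (inspect OperationProperties in AuditData)' }
            default { "$($rec.Operations): $($params['User'])$($params['Trustee'])" }
        }

        if ($reason) {
            [pscustomobject]@{
                Time      = $rec.CreationDate
                User      = $rec.UserIds
                Operation = $rec.Operations
                ClientIP  = $(if ($data.ClientIP) { $data.ClientIP } else { $data.ClientIPAddress })
                Reason    = $reason
            }
        }
    }
}

# Usage: run each morning during the 30-day enhanced monitoring window
Get-WatchlistPersistenceEvents -Watchlist 'user@company.com', 'cfo@company.com' |
    Format-Table -AutoSize
```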

Post-Recovery Success Metrics

Track these metrics to confirm successful remediation:

  • Days since last suspicious activity: Target 30+ days with no alerts
  • User reporting rate: Increased employee vigilance (more reports = good)
  • Email authentication pass rate: Should be >99% for internal emails
  • Failed authentication attempts: Should drop to baseline levels
  • Inbox rule count: Stable or decreasing (no new suspicious rules)
  • OAuth app additions: All new apps verified and legitimate

Preventive Controls Implementation#

The most effective BEC defense combines technical controls, process improvements, and user education. This section covers comprehensive preventive measures organized by control category and difficulty level.


Essential Email Security Controls

Email Authentication Enforcement (SPF, DKIM, DMARC)

Email Authentication Stack

SPF Implementation

Sender Policy Framework prevents attackers from sending spoofed emails claiming to be from your domain:

SPF DNS Record Example

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_spf.google.com include:spf.protection.outlook.com -all

Explanation: Authorizes specific IP ranges and email providers; the record is published as a single TXT string. "-all" means reject emails from unauthorized servers.

Implementation Steps

  1. Identify all legitimate email sending sources (mail servers, SaaS, marketing tools)
  2. Create SPF record with all authorized sources
  3. Publish SPF record as TXT record on your domain
  4. Test with SPF validation tools (mxtoolbox.com/spf.aspx)
  5. Start with "~all" (soft fail) for testing, then move to "-all" (hard fail)

DKIM Implementation

DomainKeys Identified Mail adds cryptographic signatures proving email authenticity:

DKIM DNS Record Example

selector1._domainkey.company.com TXT
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Explanation: Public key published in DNS. Mail server signs outbound emails with private key. Recipients verify signature.

Implementation Steps

  1. Generate DKIM key pair (2048-bit RSA minimum) on mail server
  2. Publish public key as TXT record with selector (e.g., selector1._domainkey)
  3. Configure mail server to sign outbound emails with private key
  4. Test by sending email and checking headers for DKIM-Signature
  5. Rotate keys annually for security

DMARC Implementation

Domain-based Message Authentication, Reporting, and Conformance enforces SPF/DKIM and provides visibility:

DMARC DNS Record Example (Staged Rollout)

Phase 1: Monitoring (p=none)

v=DMARC1; p=none; rua=mailto:dmarc@company.com; pct=100;

Phase 2: Quarantine (p=quarantine)

v=DMARC1; p=quarantine; rua=mailto:dmarc@company.com; pct=100; sp=quarantine;

Phase 3: Reject (p=reject)

v=DMARC1; p=reject; rua=mailto:dmarc@company.com; pct=100; sp=reject;

Staged Implementation Approach

  1. Phase 1 (p=none): Monitor for 30 days, review aggregate reports to identify legitimate sending sources
  2. Fix SPF/DKIM issues: Address any legitimate emails failing authentication
  3. Phase 2 (p=quarantine): Failed emails sent to spam folder, monitor for false positives
  4. Phase 3 (p=reject): Failed emails rejected outright, maximum protection

DMARC Aggregate Reports

DMARC aggregate reports (RUA) provide valuable visibility into who is sending email on your behalf. Review reports weekly during implementation to identify unauthorized senders or configuration issues.
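A lint that grades SPF and DMARC record text against the phases described above, as an added example that is not part of the runbook. The record strings are constructed samples; for a live domain, pass in the TXT strings returned by Resolve-DnsName for the domain and for _dmarc.<domain>.

```powershell
# Added example (not from the runbook): lints SPF and DMARC record text against the
# staged rollout above. Record strings are constructed samples; for a live domain use
# Resolve-DnsName -Name $domain -Type TXT and Resolve-DnsName -Name "_dmarc.$domain" -Type TXT.
function Test-SpfRecord {
    param([Parameter(Mandatory)] [string] $Record)

    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') {
        return [pscustomobject]@{ Valid = $false; AllMechanism = $null; LookupTerms = 0; Issues = @('Not an SPF record') }
    }

    $allTerm = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    if (-not $allTerm) { $allTerm = '' }

    # Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
    $lookups = @($terms | ForEach-Object { $_ -replace '^[+\-~?]', '' } |
                  Where-Object { $_ -match '^(include:|a$|a[:/]|mx$|mx[:/]|exists:|redirect=)' }).Count

    $issues = @()
    switch -Regex ($allTerm) {
        '^-all$'  { }   # hard fail: the target state from the implementation steps
        '^~all$'  { $issues += 'Soft fail (~all): spoofed mail is only marked; move to -all once testing is done' }
        '^\+all$' { $issues += '+all authorizes every host on the internet to send as this domain' }
        '^\?all$' { $issues += 'Neutral (?all) gives receivers no signal at all' }
        default   { $issues += 'No all mechanism: unlisted senders are implicitly neutral' }
    }
    if ($lookups -gt 10) { $issues += "$lookups lookup terms exceed the limit of 10; receivers return permerror" }

    [pscustomobject]@{ Valid = ($issues.Count -eq 0); AllMechanism = $allTerm; LookupTerms = $lookups; Issues = $issues }
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)] [string] $Record)

    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1') {
        return [pscustomobject]@{ Phase = 0; Policy = $null; Issues = @('Not a DMARC record') }
    }

    # Phase numbers follow the staged rollout: 1 = none, 2 = quarantine, 3 = reject
    [int]$phase = switch ($tags['p']) { 'none' { 1 } 'quarantine' { 2 } 'reject' { 3 } default { 0 } }

    $issues = @()
    if ($phase -eq 0)      { $issues += "Missing or invalid p= tag ('$($tags['p'])')" }
    if (-not $tags['rua']) { $issues += 'No rua= address: aggregate reports will never arrive' }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $issues += "pct=$($tags['pct']) applies the policy to only part of the mail" }
    if ($phase -gt 1 -and $tags['sp'] -eq 'none') { $issues += 'sp=none leaves subdomains spoofable while the main domain is protected' }

    [pscustomobject]@{ Phase = $phase; Policy = $tags['p']; Issues = $issues }
}

# Constructed samples, not any real domain's records
$spfSamples = [ordered]@{
    'soft fail' = 'v=spf1 include:_spf.google.com ~all'
    'wide open' = 'v=spf1 +all'
    'target'    = 'v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:spf.protection.outlook.com -all'
}
foreach ($name in $spfSamples.Keys) {
    $r = Test-SpfRecord $spfSamples[$name]
    "{0,-9} valid={1} issues: {2}" -f $name, $r.Valid, ($r.Issues -join '; ')
}
Test-DmarcRecord 'v=DMARC1; p=none; rua=mailto:dmarc@company.com; pct=100;'
Test-DmarcRecord 'v=DMARC1; p=reject; rua=mailto:dmarc@company.com; pct=50; sp=none;'
```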

External Email Warnings

Automatically prepend warning banners to all external emails to increase recipient awareness:

Example Warning Banner

⚠️ EXTERNAL EMAIL

This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Implementation (Office 365 Example)

1. Exchange Admin Center → Mail flow → Rules

2. Create new rule: "Apply disclaimer to external emails"

3. Condition: Sender is located → Outside the organization

4. Action: Prepend disclaimer with HTML warning banner

5. Exceptions: Trusted partners, automated systems
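The same rule created with Exchange Online PowerShell rather than the admin center, as an added example that is not part of the runbook; it assumes Connect-ExchangeOnline, and the partner domain and automation address used for the exceptions are placeholders.

```powershell
# Added example (not from the runbook): external-email banner as a transport rule.
# Assumes Connect-ExchangeOnline; trusted-partner.example and alerts@monitoring.example
# are placeholders for the exceptions in step 5.
$banner = @"
<div style="background:#FFF4CE;border:1px solid #F0A30A;padding:8px;font-family:sans-serif">
<strong>EXTERNAL EMAIL</strong>: This email originated from outside the organization.
Do not click links or open attachments unless you recognize the sender and know the content is safe.
</div>
"@

New-TransportRule -Name 'External email warning banner' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSenderDomainIs 'trusted-partner.example' `
    -ExceptIfFrom 'alerts@monitoring.example' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Verify the rule is enabled and first in order, so a later rule that stops
# processing cannot skip the banner
Get-TransportRule -Identity 'External email warning banner' |
    Select-Object Name, State, Priority, FromScope, ExceptIfSenderDomainIs
```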

Multi-Factor Authentication (MFA) Enforcement

Require MFA for all users, especially high-risk roles:

Priority MFA Enforcement

  • Executives and C-suite (CEO fraud targets)
  • Finance and accounting staff
  • HR and payroll departments
  • IT administrators
  • Customer-facing support staff

MFA Method Recommendations

  • Best: Hardware security keys (FIDO2)
  • Good: Authenticator apps (Microsoft, Google)
  • Acceptable: SMS/phone call (better than nothing)
  • Avoid: Email-based OTP (vulnerable to compromise)
⚠️ MFA Fatigue Attacks

Attackers exploit MFA by sending repeated push notifications until user accidentally approves. Educate users to deny unexpected MFA prompts and report to IT immediately.

User Security Awareness Training#

Employees are both the first line of defense and the primary target in BEC attacks. Effective security awareness training transforms users from vulnerability into your strongest security control.

Training Impact: 82% of BEC attacks stopped by vigilant employees who reported suspicious emails

Phishing Resilience: 70% reduction in successful phishing after 12 months of continuous training

Reporting Rate: 15x increase in suspicious email reports after effective training program launch

Comprehensive Training Program Structure

Step 1: Initial Security Awareness Training (Required for All Employees)

Foundation training covering BEC basics, red flags, and reporting procedures:

Core Training Topics (45-60 minutes)

  • What is BEC: Real-world examples, attack types, financial impact to organization
  • Common Red Flags: Urgency, unusual requests, display name vs actual sender, language anomalies
  • Email Header Basics: How to view headers, what to look for (From, Reply-To, Authentication-Results)
  • Verification Procedures: Out-of-band verification, using known phone numbers, never trusting email alone
  • Reporting Process: How to report suspicious emails, what happens after reporting, celebrating reporters
  • Consequences: Personal and organizational impact of successful BEC attacks

Interactive Training Exercises

Hands-on activities reinforce concepts better than lecture alone:

  • Spot the BEC: Show 10 emails (5 legitimate, 5 BEC attempts), have users identify which are suspicious and why
  • Header Analysis Practice: Provide sample email headers, guide users through identifying spoofing indicators
  • Verification Role Play: Practice calling to verify unusual requests using provided scenarios
  • Reporting Simulation: Walk through reporting process using company's actual reporting tools

Knowledge Assessment

10-question quiz to verify understanding (80% passing score):

Sample Quiz Questions

  1. Which of the following is the BEST way to verify an unusual wire transfer request from your CEO? (Answer: Call CEO at known phone number)
  2. True or False: If an email passes spam filters, it is safe to trust. (Answer: False)
  3. What should you do if you receive an email from a vendor requesting banking information changes? (Answer: Verify through independent channel)
  4. Which email header field shows who actually sent the email? (Answer: Return-Path or Authentication-Results)

Step 2: Role-Based Specialized Training

High-risk roles receive additional targeted training:

Finance & Accounting (90 minutes)

  • Topics:
    • Wire transfer fraud scenarios and case studies
    • Vendor impersonation detection
    • Invoice fraud red flags (altered invoices, new accounts)
    • Dual approval workflows and separation of duties
    • Banking change verification procedures
    • Pressure tactics and how to resist urgency
  • Exercise: Analyze recent BEC attempts targeting finance

HR & Payroll (60 minutes)

  • Topics:
    • Payroll diversion schemes
    • Employee impersonation detection
    • W-2 phishing campaigns (tax season focus)
    • Direct deposit change verification
    • PII protection and data exfiltration risks
    • Handling requests for employee data
  • Exercise: Practice verifying employee identity for banking changes

Executives & C-Suite (60 minutes)

  • Topics:
    • Why executives are targeted (CEO fraud)
    • Email account compromise indicators
    • Social engineering research tactics attackers use
    • Protecting sensitive communications
    • Travel-related attack risks
    • Setting security culture from the top
  • Exercise: Review actual impersonation attempts using their names

IT & Security (120 minutes)

  • Topics:
    • Advanced email forensics and header analysis
    • BEC investigation procedures
    • Email authentication (SPF, DKIM, DMARC) implementation
    • OAuth abuse and persistence mechanisms
    • Incident response coordination
    • User education and awareness campaigns
  • Exercise: Tabletop exercise - respond to simulated BEC incident

Step 3: Ongoing Phishing Simulations

Regular simulated phishing tests maintain awareness and measure program effectiveness:

Simulation Program Structure

  • Frequency: Bi-weekly to monthly simulations (randomized timing per user)
  • Difficulty Progression: Start with obvious phishing, gradually increase sophistication
  • Scenario Variety: CEO fraud, vendor impersonation, payroll diversion, IT support scams
  • Immediate Education: Users who click receive just-in-time training explaining what they missed
  • Positive Reinforcement: Users who report simulations receive commendation

Simulation Best Practices

Do's

  • ✓ Vary difficulty and attack types
  • ✓ Align scenarios with real threats
  • ✓ Provide educational value, not just testing
  • ✓ Celebrate users who report
  • ✓ Track trends and adjust training
  • ✓ Use as metric, not punishment

Don'ts

  • ✗ Punish users who fail simulations
  • ✗ Use trick questions or unrealistic scenarios
  • ✗ Send simulations during critical work periods
  • ✗ Shame users publicly for failures
  • ✗ Run simulations without prior awareness program
  • ✗ Ignore repeat clickers (provide additional support)

Phishing Simulation Platforms

KnowBe4

Comprehensive security awareness platform with extensive phishing template library and training content.

Cofense PhishMe

User-reported phishing with simulations. Strong integration with email security tools.

Proofpoint Security Awareness

Integrated with Proofpoint email security. Uses real threats for simulation templates.

Step 4: Continuous Awareness Campaigns

Keep security top-of-mind through regular communications and reinforcement:

Campaign Ideas and Tactics

Monthly Security Newsletter

  • Recent BEC attempts blocked (anonymized examples)
  • Threat landscape updates and new scam types
  • Security tips and best practices
  • Recognition for employees who reported threats
  • Upcoming training sessions and events

Physical Awareness Materials

  • Posters in break rooms and high-traffic areas
  • Desk placards with red flag reminders
  • Mouse pads with verification procedures
  • Stickers for monitors ("Verify before you wire")
  • Digital signage with rotating security tips

Gamification and Incentives

  • "Security Champion" recognition program
  • Department leaderboards (phishing resistance)
  • Rewards for reporting legitimate threats
  • Annual security awareness awards
  • Prize drawings for training completion

Event-Based Campaigns

  • Cybersecurity Awareness Month (October)
  • Tax season W-2 phishing awareness (Jan-Apr)
  • Holiday shopping scam alerts (Nov-Dec)
  • Back-to-school phishing (Aug-Sep)
  • Incident post-mortems (after BEC attempts)

Positive Security Culture

Frame security as helping employees protect themselves, not just the company. Emphasize that BEC attackers also target personal emails and finances. When employees see personal benefit, engagement increases dramatically.

Measuring Training Effectiveness

Quantitative Metrics

  • Phishing Click Rate: % of users who click simulated phishing links
    Target: <5% after 12 months, <10% baseline
  • Phishing Report Rate: % of simulations reported by users
    Target: >60% reporting rate
  • Training Completion: % of required training completed on time
    Target: >95% completion within 30 days
  • Repeat Offenders: % of users who fail multiple simulations
    Target: <3% repeat failures, provide additional support

Qualitative Indicators

  • User-Reported Threats: Increase in employees reporting real phishing
    Good sign: 10-20 reports per week for 500-person company
  • Near-Miss Interceptions: Finance staff verifying suspicious requests
    Track how many BEC attempts stopped by verification
  • Security Culture: Employees proactively discussing security
    Measure through surveys and feedback
  • Incident Trends: Reduction in successful BEC attacks
    Ultimate measure: Zero successful BEC incidents

Post-Incident Analysis and Continuous Improvement#

Every BEC incident, whether successful or prevented, provides valuable learning opportunities. Structured post-incident analysis identifies root causes, validates controls, and drives continuous security improvements.

Step 1: Conduct Post-Incident Review Meeting

Within 1 week of incident resolution, convene key stakeholders for structured review:

Required Participants

  • IT Security / Incident Response Lead
  • Finance / Accounting (if wire transfer involved)
  • HR (if employee data or payroll involved)
  • Legal Counsel
  • Executive Sponsor (CFO, CIO, or CISO)
  • Affected Department Managers
  • External Forensic Investigators (if engaged)

Post-Incident Review Agenda (90 minutes)

  1. Incident Timeline Review (15 min): Walk through complete timeline from initial compromise to resolution
  2. Attack Vector Analysis (15 min): How did attackers gain access? What vulnerabilities were exploited?
  3. Control Failures (20 min): Which existing controls failed? Which controls didn't exist?
  4. Response Effectiveness (15 min): What went well in response? What could be improved?
  5. Financial and Business Impact (10 min): Total losses, recovery amounts, business disruption
  6. Root Cause Identification (15 min): 5 Whys or similar methodology to identify underlying causes

Blameless Post-Mortems

Focus on systemic failures and process improvements, not individual blame. Employees who made mistakes should participate without fear of punishment. Psychological safety encourages honest analysis and reporting.

Step 2: Root Cause Analysis

Use structured methodology to identify underlying causes, not just symptoms:

5 Whys Technique

Example 5 Whys Analysis - CEO Fraud BEC

Problem:

Finance manager transferred $85,000 to fraudulent account based on email from "CEO"

Why 1: Why did finance manager transfer funds?

Email appeared to come from CEO requesting urgent wire transfer

Why 2: Why did the email appear legitimate?

Display name matched CEO and email requested normal-seeming business transaction

Why 3: Why didn't finance manager verify with CEO?

Email emphasized urgency and confidentiality, manager didn't want to question CEO

Why 4: Why wasn't there a verification process requiring dual approval?

No formal policy requiring verbal verification or dual approval for wire transfers under $100K

Why 5: Why didn't existing security training prevent this?

ROOT CAUSE: Security awareness training was annual generic cybersecurity course with no BEC-specific content or phishing simulations. Finance team received no role-based training on wire transfer fraud.

Alternative Analysis: Fishbone Diagram

Ishikawa (fishbone) diagram organizes causes into categories:

People: Lack of BEC awareness, no verification training, fear of questioning authority

Process: No dual approval policy, missing verification requirements, unclear escalation path

Technology: No external email warnings, missing DMARC enforcement, no AI-based BEC detection

Policy: Outdated payment procedures, no wire transfer limits, insufficient training requirements

3. Develop Remediation Plan

Create an actionable remediation plan with owners, timelines, and success criteria:

Remediation Plan Template

| Control Gap | Remediation Action | Owner | Timeline | Success Criteria |
|---|---|---|---|---|
| No wire transfer verification policy | Implement dual approval and verbal verification for transfers >$5K | CFO | 2 weeks | Policy documented, staff trained, 100% compliance |
| Missing BEC training | Deploy role-based BEC training for finance, HR, executives | CISO | 1 month | >95% completion, passing quiz scores |
| No external email warnings | Configure email gateway to prepend external email banners | IT Security | 1 week | 100% external emails tagged, user survey shows awareness |
| Weak DMARC policy | Implement DMARC p=reject after monitoring period | IT Security | 3 months | DMARC reports show 100% pass rate, p=reject enforced |
| No phishing simulations | Launch monthly phishing simulation program | CISO | 1 month | Simulations running, <10% click rate after 6 months |

Prioritization Framework

Prioritize remediation actions using a risk-based approach:

Critical (0-2 weeks)

Immediate risk mitigation. Controls that directly prevent recurrence of this attack type.

High (1-3 months)

Important improvements that significantly reduce BEC risk or improve detection.

Medium (3-6 months)

Defense-in-depth enhancements and process optimizations.

4. Document and Share Lessons Learned

Create a comprehensive incident report and share lessons across the organization:

Incident Report Structure

Executive Summary (1 page)

  • Incident type, date, and duration
  • Financial and business impact
  • Root cause summary
  • Key remediation actions
  • Timeline for improvements

Detailed Timeline (2-3 pages)

  • Complete attack and response timeline with timestamps
  • Key decision points and actions taken
  • Screenshots and evidence (sanitized)

Technical Analysis (3-5 pages)

  • Attack vector and methodology
  • Email forensics findings
  • Compromised systems and data
  • Persistence mechanisms found

Root Cause Analysis (1-2 pages)

  • 5 Whys or fishbone analysis results
  • Contributing factors and control gaps
  • Systemic issues identified

Remediation Plan (2-3 pages)

  • Prioritized action items with owners and timelines
  • Resource requirements and budget impact
  • Success metrics and validation plan

Knowledge Sharing

  • Internal Communication: Share sanitized case study with staff to increase awareness
  • Training Integration: Use real incident as training example (with identifying details removed)
  • Industry Sharing: Consider sharing anonymized TTPs with industry groups (FS-ISAC, sector ISACs)
  • Law Enforcement: Provide detailed report to FBI to support broader BEC investigations

Learning from Near Misses

Don't wait for successful attacks to conduct reviews. When employees report and verify suspicious requests, document these "near misses" to validate controls and identify emerging attack patterns.

5. Track Metrics and Continuous Improvement

Monitor long-term trends to measure program maturity and identify areas for ongoing improvement:

Leading Indicators (Predict Future Risk)

  • Phishing simulation click rates (target: <5%)
  • Employee reporting rate (target: >60%)
  • Training completion rates (target: >95%)
  • External email warnings effectiveness (user survey)
  • DMARC compliance rate (target: 100% pass)
  • Control validation test results

Lagging Indicators (Measure Actual Impact)

  • Successful BEC incidents (target: 0)
  • Financial losses from fraud (target: $0)
  • Account compromises detected (trend down)
  • Time to detect compromise (trend down)
  • Time to remediate incidents (trend down)
  • Insurance claim frequency
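The DMARC compliance indicator above, and the remediation plan's "DMARC reports show 100% pass rate, p=reject enforced" criterion, are both measured from the aggregate (RUA) reports a p=reject rollout depends on. The following Python example is added here and is not part of the runbook: it parses one aggregate report in the standard RFC 7489 XML layout, computes the pass rate, lists the failing sources, and checks the plan's success criterion. The report XML, domain and IP addresses are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (RFC 7489 Appendix C layout), not real data.
# Three sending sources: one fully aligned, one SPF-aligned only, one failing both.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>950</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>192.0.2.11</source_ip><count>100</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>198.51.100.7</source_ip><count>50</count>
<policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize_dmarc(report_xml):
    """Return (pass_rate, published_policy, failures_by_ip) for one report.

    policy_evaluated/dkim and /spf already reflect identifier alignment, so
    a message passes DMARC when either is "pass"; anything else is a failure.
    """
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    passed = failed = 0
    failures_by_ip = defaultdict(int)
    for record in root.iter("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            passed += count
        else:
            failed += count
            failures_by_ip[row.findtext("source_ip")] += count
    total = passed + failed
    return (passed / total if total else 0.0), policy, dict(failures_by_ip)


def meets_remediation_criteria(report_xml):
    """Success criterion from the plan: 100% pass rate and p=reject enforced."""
    pass_rate, policy, _ = summarize_dmarc(report_xml)
    return pass_rate == 1.0 and policy == "reject"


if __name__ == "__main__":
    rate, policy, failing = summarize_dmarc(SAMPLE_REPORT)
    print(f"p={policy} pass rate={rate:.1%} failing sources={failing}")
```

Failing sources are the ones to chase down (unlisted legitimate senders or spoofing attempts) before the monitoring period ends and p=reject is published.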

Quarterly Security Review

Conduct quarterly executive briefing on BEC risk posture:

  • Trend analysis of key metrics (improving or declining?)
  • BEC attempts blocked by controls (demonstrate ROI)
  • Emerging threat landscape updates
  • Control effectiveness validation results
  • Remediation plan progress updates
  • Budget and resource recommendations

Continuous Improvement Cycle

Measure → Analyze → Improve → Validate → Repeat

Security is a continuous process, not a one-time project. Regularly reassess risk, update controls, and adapt to evolving BEC tactics.
