The Persistent Threat of Business Email Compromise: A Call to Strengthen Security Measures
Business email compromise (BEC) continues to be a formidable threat for organizations, even those that have implemented multi-factor authentication (MFA). Security professionals have frequently regarded MFA as a robust safeguard against email-related risks, yet real-world incidents reveal that reliance on this technology alone is insufficient. Attackers are increasingly targeting not just technical vulnerabilities but also human behaviors, procedural gaps, and operational blind spots that MFA cannot mitigate.
One widely cited example occurred in 2019, when Toyota Boshoku Corporation lost over $30 million after an employee acted on a fraudulent email demanding an urgent payment. The email impersonated a third-party business partner, and the employee transferred the funds believing the payment was needed to keep Toyota's production line running. Investigations indicated that the employee's email account had not been compromised; the failure lay in organizational processes that allowed a single emailed instruction to move that much money. Similarly, in 2024, the engineering firm Arup was defrauded of approximately $25 million after a finance team member joined a video call in which deepfake video and voice impersonated senior staff and instructed them to authorize a series of payments. Such cases illustrate that modern BEC attacks exploit trust, urgency, and established organizational practices rather than relying on a technical breach of the victim's systems.
The Divide Between Security Controls and Business Risks
The recurring theme in these incidents is a gap: organizations prioritize deploying advanced security technologies without addressing the human workflows and cultural practices those technologies are supposed to protect. New endpoint detection and response (EDR) tooling is easy for chief information officers (CIOs) to showcase as a symbol of cyber resiliency, but no endpoint control stops an authorized employee from sending a legitimate payment to an attacker's account. The return on these investments diminishes when they are not integrated with the business processes where the money actually moves.
MFA reduces the risk of account takeover, but it cannot substitute for process controls, consistent verification routines, and continuous security awareness training. Two facts make this shortcoming critical. First, adversary-in-the-middle phishing kits now proxy the real login page, relay the one-time code or push approval, and capture the resulting session cookie, so MFA alone no longer guarantees that a mailbox is in the hands of its owner. Second, the Toyota Boshoku case shows that the victim's mailbox does not need to be compromised at all: a convincing message from an attacker-controlled address is enough when the approval process trusts what the email says. These deficiencies arise from an emphasis on velocity and efficiency at the expense of verification steps that are seen as slowing the business down.
Designing Effective Approval Workflows
To limit the impact of BEC attacks, IT and finance leaders must redesign approval workflows. The first step is to define which requests are high-risk, for example first payments to a new payee, changes to a vendor's banking details, and unexpected or urgent demands attributed to executives. Each of these should require independent confirmation through a contact method already on record (a phone number in the vendor master, a known colleague in person), never through contact details supplied in the email that made the request.
Staff should be trained to ask a short set of operational questions before acting. Is this request consistent with the standard approval path? Does the communication channel or tone differ from how this counterparty normally reaches us? Have previous transactions with this payee followed a similar pattern in amount and timing? Such questions act as a brake on rushed decisions driven by perceived urgency or authority.
Organizations that simulate BEC scenarios, including urgent executive requests and supplier payment changes, can evaluate how staff handle pressure and uncertainty. These drills should replicate realistic business conditions, so that the exercise reveals where the verification steps are skipped in practice rather than how the policy reads on paper.
Integrating Friction and Alerts into Workflows
Another effective strategy is to introduce deliberate "friction" into critical processes. Simple protocols, such as a mandatory hold before a large transfer is released or before a changed bank account receives its first payment, and automated alerts when a payment request deviates from the payee's history, create time and opportunity for verification while limiting impulsive actions. Automation must be purpose-driven and tied to specific scenarios, so that alerts fire on deviations that matter rather than on every payment.
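The following is an added example, not code from the original article or from any organization it mentions, of how the risk categories above (new payee, changed bank details, out-of-pattern amounts, urgent or executive requests arriving outside the system of record) can be turned into an automated classification that decides which verification steps a payment request needs, whether it triggers an alert, and how long it is held. The vendor master, payment history, thresholds, and rule names are constructed for illustration; the key design point is that the callback number comes from the vendor record, never from the inbound request.

```python
"""Classify payment requests and decide what independent verification
they need before funds are released.  Added illustrative example; all
vendor data, thresholds and rule names are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed vendor master.  The *known* contact details live here, so a
# callback always goes to a number of record, not one supplied in an email.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Components", "iban": "DE89370400440532013000",
               "callback_phone": "+49-30-0000-0001"},
    "V-1002": {"name": "Globex Logistics", "iban": "GB29NWBK60161331926819",
               "callback_phone": "+44-20-0000-0002"},
}

# Constructed payment history per vendor, used to answer
# "have previous transactions followed a similar pattern?"
PAYMENT_HISTORY = {
    "V-1001": [12_000.0, 11_500.0, 13_200.0],
    "V-1002": [48_000.0, 51_000.0],
}

LARGE_AMOUNT = 25_000.0               # assumed dual-approval threshold
SPIKE_FACTOR = 2.0                    # assumed: > 2x historical max is a deviation
HOLD_ON_CHANGE = timedelta(hours=24)  # assumed mandatory pause on new/changed banking details


@dataclass
class PaymentRequest:
    vendor_id: Optional[str]     # None when the payee is not in the vendor master
    payee_name: str
    iban: str
    amount: float
    channel: str                 # "erp" (system of record) or "email", "chat", "phone"
    urgent: bool
    requester_is_executive: bool = False


@dataclass
class Decision:
    flags: list = field(default_factory=list)          # which rules fired
    verifications: list = field(default_factory=list)  # steps required before release
    hold_until: Optional[datetime] = None
    alert: bool = False


def classify(req: PaymentRequest, now: datetime) -> Decision:
    d = Decision()
    vendor = VENDOR_MASTER.get(req.vendor_id) if req.vendor_id else None

    # Rule 1: payee identity and banking details versus the vendor master.
    if vendor is None:
        d.flags.append("new_payee")
    elif req.iban != vendor["iban"]:
        d.flags.append("bank_details_changed")

    # Rule 2: amount versus this vendor's own history and the global threshold.
    if vendor is not None and req.vendor_id in PAYMENT_HISTORY:
        if req.amount > SPIKE_FACTOR * max(PAYMENT_HISTORY[req.vendor_id]):
            d.flags.append("amount_out_of_pattern")
    if req.amount >= LARGE_AMOUNT:
        d.flags.append("large_amount")

    # Rule 3: urgency or executive authority asserted outside the system of record.
    if req.channel != "erp" and req.urgent:
        d.flags.append("urgent_request_outside_system_of_record")
    if req.channel != "erp" and req.requester_is_executive:
        d.flags.append("executive_request_outside_system_of_record")

    # Map fired rules to verification steps, holds and alerts.
    if "new_payee" in d.flags or "bank_details_changed" in d.flags:
        phone = vendor["callback_phone"] if vendor else "a number obtained independently of the request"
        d.verifications.append(f"callback to known contact: {phone}")
        d.hold_until = now + HOLD_ON_CHANGE
        d.alert = True
    if "large_amount" in d.flags or "amount_out_of_pattern" in d.flags:
        d.verifications.append("second approver outside the requesting team")
    if any(f.endswith("outside_system_of_record") for f in d.flags):
        d.verifications.append("re-submit through the ERP approval workflow")
        d.alert = True
    return d


def can_release(d: Decision, now: datetime, completed: list) -> bool:
    """Funds move only after the hold has expired and every required
    verification has been recorded as completed."""
    if d.hold_until is not None and now < d.hold_until:
        return False
    return all(step in completed for step in d.verifications)
```

A routine payment to a known vendor at a familiar amount through the ERP produces no flags and releases immediately; an urgent email asking to pay a known vendor into a new account produces a callback to the number already on file, a 24-hour hold, and an alert, and cannot be released until both the hold has elapsed and the callback has been logged. Tuning belongs in the thresholds, not in the rules: the point is that the same small set of questions is asked of every payment, mechanically, regardless of who appears to be asking.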
Moreover, assigning accountability for verification failures at the leadership level prevents responsibility from falling solely on frontline staff who were under pressure at the time. When finance leaders or a cross-functional governance group own the process, the systemic causes of a failure are identified and fixed rather than attributed to one employee's mistake.
A Future-Focused Approach
Moving forward, security leaders must reassess how BEC risk is managed. This includes maintaining technical safeguards such as MFA and email filtering, but also fostering a culture where verification is routine, questions are welcomed, and authority is confirmed rather than assumed. Organizations should stop measuring success only by the number of phishing attempts blocked and start measuring how reliably verification steps are carried out in everyday processes.
In conclusion, as cyber threats continue to evolve, treating business workflows as part of the security architecture will be crucial in combating BEC. People, process, and technology together create environments where a single mistake does not become a loss and risk is managed deliberately. Because BEC exploits human decision-making rather than software flaws, security initiatives must include training and procedural refinement if organizations are to remain resilient against it.