All Insights
CybersecurityMay 28, 20262 min read

Business Email Compromise: The Quiet Threat Draining Small Businesses

CF
Connor Fitzgerald
U.S. Air Force Veteran · CEH

Most people picture a breach as something loud: locked screens, ransom notes, alarms. Business Email Compromise is the opposite. It's quiet. An attacker gets into a mailbox with a valid password, sits there reading email for days or weeks, learns how your business talks about money, and then waits for the right invoice to redirect.

By the time anyone notices, the wire transfer has already cleared.

How it actually happens

There's rarely any malware involved. The chain usually looks like this:

  • A phishing email harvests a username and password, often through a fake Microsoft 365 login page.
  • The attacker logs in — frequently from a rented server overseas — and the login looks ordinary because the credentials are real.
  • They create hidden inbox rules that auto-delete or auto-file specific messages, so the real owner never sees the replies.
  • They watch. When a genuine invoice or payment thread appears, they step in, change the bank details, and let the conversation continue as if nothing changed.

The hidden rules are the part most owners never discover on their own. In one investigation we ran for a construction client, the attacker had planted twelve separate inbox rules to keep the victim blind to the fraud while it played out.

Anatomy of a Business Email Compromise

How the attack unfolds in red — and where it gets stopped in cyan.

  1. 01

    Phishing email

    A fake Microsoft login page harvests a password.

  2. 02

    Account takeover

    The attacker signs in with the real, stolen password.

  3. 03

    Hidden inbox rules

    Replies auto-delete, so the owner never sees them.

  4. 04

    Invoice swapped

    Bank details are quietly changed on a real invoice.

  5. 05

    Wire redirected

    The payment lands in the attacker's account.

Why small businesses get hit

It isn't that you're a bigger target than a Fortune 500. It's that you're a softer one. Large organizations enforce multi-factor authentication, watch their sign-in logs, and have someone paid to notice. A smaller business running on default Microsoft 365 settings usually has none of that switched on, even though the tools to do it are already included in the license you pay for every month.

What protects you

The good news: for all the damage it does, BEC is one of the most preventable serious threats out there. In rough order of impact:

  1. Enforce multi-factor authentication on every account. This single control stops the majority of credential-based logins cold.
  2. Turn on Conditional Access to block sign-ins from regions you never operate in and from anonymized networks.
  3. Alert on inbox-rule creation. New mail-forwarding or auto-delete rules should generate a notification, not pass silently.
  4. Verify payment changes out of band. Any request to change banking details gets confirmed by a phone call to a known number — never by replying to the email.

If you think it's already happening

Don't just reset the password and move on — that tips off the attacker without removing their access. The mailbox needs to be examined properly: hidden rules removed, active sessions revoked, sign-in logs reviewed, and the full timeline reconstructed so you know exactly what was exposed. That's forensic work, and doing it halfway often leaves a door open.

If you're staring at a suspicious payment right now, the fastest thing you can do is pick up the phone. We'll help you figure out what happened and shut it down, no sales pitch attached.

Business Email CompromiseEmail SecurityIncident Response
Start With a Free 30-Minute Conversation

NO PRESSURE.
JUST A PLAN.

Cybersecurity gap, IT problem, or just not sure where to begin? We'll listen first, recommend second, and only propose what actually serves you.

connor@tremodi.com