One Compromised Mailbox Can Cost Your Business Everything

Business Email Compromise, known in the industry as BEC, is the most financially destructive category of cybercrime targeting businesses today. It doesn't rely on malware, encryption, or technical exploits against servers. It relies on access to a legitimate email account.

The FBI's Internet Crime Complaint Center reported that BEC accounted for $2.77 billion in reported losses in 2024, making it the highest-dollar cybercrime category for the tenth consecutive year. That figure represents only reported incidents. The actual number is significantly higher because many businesses never file a report, either due to embarrassment or because they don't realize the compromise originated from email.

Unlike ransomware, which announces itself immediately, BEC is designed to be invisible. An attacker who gains access to a mailbox doesn't want the victim to know. They want time to read conversations, understand relationships, learn payment patterns, and identify the right moment to insert themselves into a financial transaction.

How a Single Mailbox Gets Compromised

The entry point is almost always simpler than businesses expect. Most BEC attacks begin with credential phishing. An employee receives an email that appears to be from Microsoft, their bank, a vendor, or a colleague, containing a link to a login page that looks authentic. The employee enters their username and password, and the attacker now has working credentials. The Verizon 2025 Data Breach Investigations Report found that credential theft and phishing account for over 80% of initial access in BEC attacks.

Password reuse is the next most common path. An employee uses the same password for their business email and a personal account, the personal account gets compromised in an unrelated data breach, and the attacker tries those credentials against the business email system. Research from SpyCloud found that 94% of businesses have employee credentials exposed on the dark web from previous breaches, which means the supply of working passwords for attackers to test is effectively unlimited.

More sophisticated attacks don't even need the password. Adversary-in-the-middle techniques can steal authentication session tokens, allowing attackers to bypass multi-factor authentication entirely and access the mailbox as if they were the legitimate user. Older email protocols like IMAP and POP3, if still enabled on the tenant, often don't enforce MFA at all. An attacker with a valid username and password can authenticate directly through these legacy protocols, bypassing MFA controls that only protect the primary login interface.

Once inside, the attacker typically creates an inbox rule that forwards certain messages to an external address or hides messages from specific senders. This lets them monitor communications without the account owner noticing missing emails.

What Happens After Access

The damage from a compromised mailbox isn't the access itself. It's what the attacker does with that access over the days and weeks that follow.

The most common outcome is financial fraud. The attacker monitors email threads involving payments, invoices, or wire transfers, and at the right moment they insert themselves, often by replying to an existing thread from the compromised account with new payment instructions directing funds to an attacker-controlled account. Because the email comes from a legitimate address within an existing conversation, the recipient has no reason to question it. The average BEC wire fraud loss is $124,000 per incident according to the FBI's 2024 data. For law firms holding funds in trust, property managers collecting rent, or contractors managing project payments, a single redirected wire transfer can run well above that figure.

Financial fraud is rarely the only outcome. A business email account typically contains years of correspondence including client information, financial records, contracts, employee data, strategic discussions, and privileged communications. An attacker with mailbox access can search for and extract this information silently. For professional services firms, that exposure can trigger breach notification obligations, regulatory consequences, and client departure. The compromised account also becomes a tool for impersonation. The attacker sends requests to other employees: an email from the managing partner asking accounting to process an urgent wire, a message from the HR director requesting employee W-2 forms, a note from a project manager asking for the shared drive password. These requests succeed because they come from a trusted internal address. The same approach works against the firm's clients and vendors, who receive invoices with updated banking information or requests for sensitive documents under the guise of an ongoing matter.

Sophisticated attackers also work to maintain access. They establish forwarding rules, create app registrations tied to the account, or add alternate authentication methods. Even after the password is changed, these persistence mechanisms continue providing access until they're specifically identified and removed.

Why MFA Alone Doesn't Solve It

Multi-factor authentication is essential and dramatically reduces the risk of account compromise. It isn't impervious.

Microsoft's own data indicates that MFA blocks 99.9% of automated credential attacks. Targeted BEC campaigns, however, use techniques specifically designed to circumvent MFA. Adversary-in-the-middle phishing captures both the password and the MFA session token simultaneously, granting the attacker an authenticated session without ever needing to satisfy the second factor themselves. Microsoft reported that AiTM attacks increased over 146% in 2024, with most of that growth aimed at Microsoft 365 business email accounts. MFA fatigue attacks take a different approach, bombarding the user with push notifications until they approve one out of frustration or confusion. Social engineering tricks users into providing one-time codes by posing as IT support or security teams requesting verification.

None of this means MFA shouldn't be enabled. It absolutely should. The point is that organizations treating MFA as the complete solution to email security are missing the layers that catch what MFA cannot: monitoring for suspicious login behavior, flagging impossible-travel logins, detecting newly created inbox rules, and alerting on unusual mail forwarding.

The Damage Beyond Dollars

Financial loss from fraudulent transfers gets the attention, but the downstream consequences of a mailbox compromise often exceed the immediate theft. When clients receive fraudulent emails from your legitimate account, or when their confidential information is exposed because your mailbox was compromised, the trust that defines professional relationships evaporates. For law firms, accounting practices, and financial advisors, that trust is the entire business. Research shows that 65% of consumers lose trust in a business after a breach, and professional services firms report measurable client departure following email-related incidents.

The professional liability exposure is also significant. An attorney whose email was compromised, resulting in client funds being misdirected, faces potential malpractice claims. A CPA whose account exposed client tax records faces regulatory inquiry. The firm's errors and omissions insurance may or may not cover the loss depending on what security measures were in place at the time.

Regulatory consequences follow on top of that. Under state breach notification laws, unauthorized access to an email account containing personal information triggers notification obligations. Under ABA Model Rule 1.6 for attorneys, HIPAA for healthcare-adjacent firms, and various financial regulations, the failure to adequately protect communications creates compliance exposure independent of whether data was actually misused. And once a compromise is discovered, the operational disruption is substantial. Forensic investigation to determine scope, forced password resets across the organization, review of all email rules and app registrations, notification to potentially affected clients and vendors, and the management time consumed by incident response can stretch the response effort across weeks.

What Protection Actually Looks Like

Preventing mailbox compromise requires layered controls working together rather than any single silver bullet. The foundation is enforced MFA, ideally using phishing-resistant methods. Push notifications and SMS codes are better than nothing, but they're vulnerable to modern attacks in ways that hardware security keys and passkeys are not.

Beyond MFA, conditional access policies restrict login to managed devices, known locations, or compliant systems, so an attacker with valid credentials trying to log in from an unfamiliar device or location gets blocked regardless of whether they have the password and the MFA token. Mail flow monitoring catches the configurations attackers establish first, including newly created inbox rules, forwarding setups, and delegate access additions. Impossible travel detection alerts when an account authenticates from two geographic locations within a timeframe that makes physical travel impossible. Disabling legacy protocols like IMAP, POP3, and SMTP authentication for accounts that don't require them eliminates a common MFA bypass path.
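The detection layers named in this section and in the earlier discussion of MFA bypass and inbox rules (impossible-travel sign-ins, sign-ins over legacy protocols, and inbox rules that forward, delete or hide mail) can all be triaged from two data sources an administrator already has: sign-in logs and mailbox audit events. The script below is an added example written for this article; it is not a tool from Connecting Point or Microsoft. The record layout, the sample records, the folder names used to hide mail, and the 900 km/h travel threshold are constructed assumptions modelled loosely on Entra ID sign-in logs and Exchange Online `New-InboxRule` audit entries, not a real export.

```python
"""Triage of constructed sign-in and mailbox audit records for three BEC
indicators: impossible travel, legacy-protocol sign-ins, and suspicious
inbox rules.  Record layout and all sample data are assumptions."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Client labels assumed to denote non-MFA-capable legacy protocols.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
# Folders attackers commonly use to bury mail the owner should not see (assumed list).
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                "Junk Email", "Deleted Items", "Archive"}
FINANCE_WORDS = {"invoice", "wire", "payment", "ach", "bank", "remittance"}

# Constructed sample sign-in records (not real data).
SIGNINS = [
    {"user": "cfo@example.com", "time": "2025-03-04T13:02:00Z",
     "lat": 40.42, "lon": -104.71, "client": "Browser", "success": True},
    {"user": "cfo@example.com", "time": "2025-03-04T13:41:00Z",
     "lat": 52.37, "lon": 4.90, "client": "Browser", "success": True},
    {"user": "ap@example.com", "time": "2025-03-04T14:00:00Z",
     "lat": 40.42, "lon": -104.71, "client": "IMAP4", "success": True},
    {"user": "ap@example.com", "time": "2025-03-04T15:10:00Z",
     "lat": 39.74, "lon": -104.99, "client": "Browser", "success": True},
]

# Constructed mailbox audit events for inbox-rule creation (not real data).
AUDIT = [
    {"user": "cfo@example.com", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": ["backup.mail@webmail.example"],
                "DeleteMessage": True}},
    {"user": "ap@example.com", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "From": ["news@vendor.example"],
                "MoveToFolder": "Newsletters"}},
    {"user": "ap@example.com", "op": "New-InboxRule",
     "params": {"Name": "Hide", "SubjectContainsWords": ["Invoice", "wire"],
                "MoveToFolder": "RSS Subscriptions"}},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user whose locations would
    require faster-than-airliner travel in the elapsed time."""
    by_user = {}
    for rec in signins:
        if rec["success"]:
            by_user.setdefault(rec["user"], []).append(rec)
    hits = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: _parse(r["time"]))
        for prev, cur in zip(recs, recs[1:]):
            hours = (_parse(cur["time"]) - _parse(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two distant sign-ins at the same instant are treated as infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                hits.append({"user": user, "from": prev["time"], "to": cur["time"],
                             "km": round(km), "speed_kmh": round(speed)})
    return hits


def legacy_protocol_signins(signins):
    """Successful sign-ins through clients that bypass interactive MFA."""
    return [r for r in signins if r["success"] and r["client"] in LEGACY_CLIENTS]


def suspicious_rules(audit_events, org_domain):
    """Inbox rules that exfiltrate, delete, hide, or target finance-related mail."""
    findings = []
    for ev in audit_events:
        if ev["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p, reasons = ev["params"], []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for addr in p.get(key, []):
                if not addr.lower().endswith("@" + org_domain.lower()):
                    reasons.append(f"{key} sends mail to external address {addr}")
        if p.get("DeleteMessage"):
            reasons.append("rule deletes matching messages")
        if p.get("MoveToFolder") in HIDE_FOLDERS:
            reasons.append(f"rule hides messages in '{p['MoveToFolder']}'")
        words = {w.lower() for w in p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])}
        if words & FINANCE_WORDS:
            reasons.append("rule matches finance keywords: " + ", ".join(sorted(words & FINANCE_WORDS)))
        if reasons:
            findings.append({"user": ev["user"], "rule": p.get("Name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for section, rows in (("Impossible travel", impossible_travel(SIGNINS)),
                          ("Legacy protocol sign-ins", legacy_protocol_signins(SIGNINS)),
                          ("Suspicious inbox rules", suspicious_rules(AUDIT, "example.com"))):
        print(section)
        for row in rows:
            print("  ", row)
```

Run against the constructed records, the CFO's Greeley-to-Amsterdam pair 39 minutes apart is flagged at several thousand km/h, the accounts-payable IMAP4 sign-in is listed as a legacy-protocol login, and two of the three rules are flagged: the one-character-named rule that forwards externally and deletes, and the rule that buries invoice and wire subjects in an RSS folder. The vendor newsletter rule is left alone. In a real deployment the same checks would run over exported sign-in and unified audit logs rather than inline lists, and the rule hit on the CFO's mailbox would justify the full persistence review described earlier (forwarding, app registrations, added authentication methods) rather than a password reset alone.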

Security awareness training rounds out the technical controls. Regular, realistic phishing simulations teach employees to recognize credential theft attempts before they click. And underneath all of it sits an incident response plan, a documented playbook for what happens when a compromise is suspected: who to call, what to check, how to contain the damage, and how to communicate with affected parties.

The Gap Between What Most Firms Have and What They Need

Most small and mid-sized businesses have enabled MFA and consider email security handled. Without monitoring, conditional access, and the detection layers described above, a compromised account can operate for weeks before anyone notices. The median dwell time for BEC attacks, meaning the time between initial access and discovery, is 28 to 33 days according to multiple industry sources. That's a month of an attacker reading every email, monitoring every transaction, and waiting for the optimal moment to strike.

A managed IT provider handling email security implements the full stack: MFA enforcement, conditional access, mail flow monitoring, impossible travel alerts, and ongoing review of account behavior. When something anomalous occurs, it's flagged and investigated in hours rather than discovered weeks later during a financial reconciliation.

If you're not sure what protections are currently active on your email environment, or whether anyone is monitoring for the indicators of compromise described above, a Network Discovery will map your current state and identify where exposure exists.

Ready to take the next step? Contact the Connecting Point team today to discuss your organization's needs.

Fill out our Network Discovery Form to get started!

970.356.7224 | www.CPcolorado.com | sales@CPcolorado.com

Connecting Point is a trusted IT solutions provider based in Greeley, Colorado, helping businesses across Northern Colorado and beyond navigate technology decisions with confidence.