Business Email Compromise (BEC): How Houston Businesses Lose Millions and How to Stop It

Introduction
Business email compromise (BEC) is the single most financially damaging cybercrime in the United States. Not ransomware. Not data breaches. BEC — where attackers gain access to or impersonate a legitimate business email account and trick someone into wiring money, changing payment details, or sharing sensitive data.
The FBI's Internet Crime Complaint Center reported $2.9 billion in BEC losses in 2023 alone — and that number only accounts for reported incidents. The actual figure is significantly higher. For Houston businesses, where large wire transfers are routine in energy, real estate, construction, and legal transactions, BEC is the threat that should keep every CFO and controller awake at night.
How Business Email Compromise Works
BEC is not a brute-force technical attack. It's social engineering that exploits trust, urgency, and established business relationships. The attacker either compromises a real email account or creates a convincing impersonation — then inserts themselves into a legitimate financial transaction at exactly the right moment.
The 5 Types of BEC Attacks
- CEO Fraud: Attacker impersonates the CEO or executive and emails the finance team with an urgent wire transfer request. "I need you to process this payment before end of day — I'm in a meeting and can't talk, just handle it." The urgency and authority override normal verification procedures.
- Invoice Manipulation: Attacker compromises a vendor's email account (or creates a look-alike domain) and sends a legitimate-looking invoice with modified bank account details. The victim pays the real invoice amount to the attacker's account. This is devastating in construction, energy, and real estate where six- and seven-figure invoices are common.
- Account Compromise: Attacker gains access to an employee's actual Microsoft 365 or Google Workspace account — through phishing, credential stuffing, or token theft. They monitor email for weeks, learning payment workflows and vendor relationships, then strike at the perfect moment.
- Attorney Impersonation: Attacker impersonates outside counsel during a real estate closing, M&A transaction, or litigation settlement — redirecting funds to a fraudulent account during a time-sensitive transaction where delays aren't tolerated.
- Payroll Diversion: Attacker impersonates an employee and contacts HR or payroll requesting a direct deposit change. The next paycheck goes to the attacker's account. Often not discovered until the employee reports missing pay.
Why BEC Is So Effective
BEC doesn't require malware, doesn't trigger antivirus alerts, and doesn't exploit software vulnerabilities. The "vulnerability" is human trust. The emails are well-written, contextually accurate, and often reference real transactions, real vendors, and real project names that the attacker learned by monitoring the compromised inbox for weeks before acting.
AI has made BEC dramatically more dangerous. Attackers now use generative AI to analyze email writing patterns and generate messages that perfectly match the tone, vocabulary, and formatting of the person they're impersonating. Grammar errors and awkward phrasing — the traditional BEC red flags — are gone.
7 Warning Signs of a BEC Attack
- Urgency that bypasses process: "This needs to happen today" / "Don't discuss this with anyone" / "I'm unavailable by phone, just process it"
- Changed payment details: A vendor you've paid 50 times suddenly provides new bank account information via email
- Reply-to address mismatch: The display name says "John Smith, CEO" but the actual email address is a different, look-alike address (for example, a zero instead of the letter O)
- First-time wire request via email: A request for wire transfer from someone who normally doesn't initiate payments
- Pressure to avoid verification: "Don't call the vendor to confirm — I already verified" or "The CEO said to handle this quietly"
- Timing exploitation: Requests sent late Friday afternoon, before holidays, or during known executive travel — when verification is hardest
- Slight domain variations: @layerlogix.com vs @layerl0gix.com vs @layerlogix-inc.com — look-alike domains designed to pass a quick glance
How to Prevent Business Email Compromise
Step 1: Implement Email Authentication (SPF, DKIM, DMARC)
These three DNS-based protocols prevent attackers from sending email that appears to come from your domain:
- SPF — Specifies which mail servers are authorized to send email from your domain
- DKIM — Cryptographically signs outbound email so recipients can verify it wasn't altered
- DMARC at p=reject — Tells receiving servers to reject email that fails SPF or DKIM. This is the critical step most Houston businesses skip — they set up SPF and DKIM but leave DMARC at p=none (monitoring only), which provides zero protection
With DMARC at p=reject, an attacker cannot send email that appears to come from your domain. Period.
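As an added example (not code from the original article), a PowerShell check that pulls a domain's SPF and DMARC TXT records and reports whether the DMARC policy is actually at enforcement. It uses Resolve-DnsName from the Windows DnsClient module; the domain name at the bottom is a placeholder.

```powershell
# Added example: report whether a domain's DMARC record is at enforcement.
# Assumes Windows with the DnsClient module; 'example.com' is a placeholder domain.
function Test-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)

    # Helper: fetch TXT records at a name and return each as one joined string
    $txt = {
        param($Name)
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Strings } |
            ForEach-Object { $_.Strings -join '' }
    }

    # SPF sits at the domain apex; DMARC at the _dmarc subdomain
    $spf   = & $txt $Domain          | Where-Object { $_ -like 'v=spf1*' }
    $dmarc = & $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }

    # Parse "v=DMARC1; p=none; rua=mailto:..." into a tag/value hashtable
    $tags = @{}
    foreach ($pair in (@($dmarc) -join ';' -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $policy = if ($tags['p']) { $tags['p'].ToLower() } else { 'missing' }
    $pct    = if ($tags['pct']) { [int]$tags['pct'] } else { 100 }   # pct defaults to 100

    # Only p=reject applied to 100% of mail blocks spoofing outright;
    # quarantine is partial protection and none is monitoring only
    $status = switch ($policy) {
        'reject'     { if ($pct -eq 100) { 'Enforced (p=reject)' } else { "Partial (p=reject, pct=$pct)" } }
        'quarantine' { "Partial (p=quarantine, pct=$pct)" }
        'none'       { 'Not protected (p=none, monitoring only)' }
        default      { 'Not protected (no DMARC record)' }
    }

    [pscustomobject]@{
        Domain      = $Domain
        SpfRecord   = ($spf -join ' | ')
        DmarcRecord = ($dmarc -join ' | ')
        DmarcStatus = $status
    }
}

Test-DmarcPolicy -Domain 'example.com' | Format-List
```

Run it against every domain you send mail from, including marketing and sub-brand domains, since an unprotected secondary domain is enough for a convincing spoof.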
Step 2: Deploy Phishing-Resistant MFA
If an attacker steals a password, MFA is your last line of defense against account compromise. But not all MFA is equal:
- SMS codes: Vulnerable to SIM-swapping — not recommended for high-value accounts
- Authenticator apps (TOTP): Better, but vulnerable to real-time phishing proxies (evilginx)
- FIDO2 hardware keys / passkeys: Immune to phishing — the authentication is cryptographically bound to the legitimate domain. This is the standard for executives, finance staff, and anyone who can authorize payments.
Step 3: Establish Wire Transfer Verification Procedures
This is the control that actually prevents the financial loss:
- Dual authorization: No wire transfer above a defined threshold (e.g., $5,000) is processed based on email alone. A second authorized person must approve.
- Out-of-band verification: Any request to change payment details must be verified by calling the requester at a known phone number — not the number provided in the email. Use a phone number from your records, not from the suspicious message.
- Callback verification for new vendors: First-time vendor payments require a phone call to the vendor's main office number (found independently, not from the invoice) to confirm banking details.
- Document the process: Written wire transfer procedures that every employee in finance, AP, and executive roles acknowledges annually. When procedures exist and are followed, BEC fails.
Step 4: Enable Mailbox Intelligence and Impersonation Protection
Microsoft Defender for Office 365 (included in Microsoft 365 Business Premium) provides:
- Impersonation protection: Flags emails that impersonate your CEO, CFO, or other specified executives — even from external look-alike domains
- Mailbox intelligence: Learns your organization's communication patterns and alerts when a sender/recipient combination is unusual
- Safe Links: Scans URLs at click-time to catch links that were safe when delivered but became malicious later
- Anti-phishing policies: Configurable sensitivity levels for impersonation detection
Step 5: Monitor for Inbox Rule Manipulation
When attackers compromise an email account, their first action is often creating inbox rules that hide their activity — forwarding all email to an external address, deleting security alerts, or moving replies to their messages into a hidden folder. These rules persist even after a password reset.
- Audit inbox rules across your tenant regularly (Get-InboxRule does not take mailboxes from the pipeline directly, so loop over them):
  Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress }
- Alert on new forwarding rules created — this is a high-fidelity indicator of compromise
- After any account compromise, check for and remove malicious inbox rules before considering the account clean
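As an added example (not code from the original article), the audit above extended into a tenant-wide sweep that flags the rule patterns attackers use to hide their activity: forwarding or redirecting, deleting, burying mail in rarely viewed folders, keyword filters on payment or security terms, and blank rule names. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with an account permitted to read mailboxes and inbox rules; the folder and keyword lists are assumptions.

```powershell
# Added example: sweep all inbox rules in an Exchange Online tenant and flag suspicious ones.
# Assumes Connect-ExchangeOnline has already been run.
function Find-SuspiciousInboxRule {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # -IncludeHidden also returns rules created through MAPI that Outlook does not display
        $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -IncludeHidden -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $reasons = @()

            # Any forward or redirect sends copies of mail outside the owner's view
            if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
                $reasons += 'Forwards or redirects mail'
            }
            # Deleting or burying matched mail suppresses replies and security alerts
            if ($rule.DeleteMessage) { $reasons += 'Deletes messages' }
            if ($rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk|Deleted') {
                $reasons += "Moves mail to '$($rule.MoveToFolder)'"
            }
            # Keyword conditions on payment or security terms are classic BEC rule triggers (assumed list)
            $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
            if ($words -match 'invoice|wire|payment|bank|password|suspicious|hacked|phish') {
                $reasons += 'Filters on payment/security keywords'
            }
            # Blank, single-character or punctuation-only names are a common attacker habit
            $name = ([string]$rule.Name).Trim()
            if ($name.Length -le 1 -or $name -match '^\W+$') { $reasons += 'Blank or near-blank rule name' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

Find-SuspiciousInboxRule | Format-Table -AutoSize
```

Confirm each hit with the mailbox owner; a rule confirmed as malicious is removed with Remove-InboxRule -Mailbox <user> -Identity <rule name>, and the account's sessions should be revoked at the same time as the password reset.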
Step 6: Implement Dark Web Monitoring
BEC often begins with stolen credentials — purchased from dark web credential markets for as little as $10 per account. Dark web monitoring alerts you when employee credentials appear in breach dumps, giving you time to force password resets and revoke sessions before attackers can use the stolen credentials to access your email environment.
What to Do If You Suspect a BEC Attack
If Money Has Already Been Sent
- Contact your bank immediately — request a wire recall. Speed matters — the first 24-48 hours are critical before funds are moved to secondary accounts
- File a complaint with the FBI's IC3 at ic3.gov — the FBI's Recovery Asset Team has recovered hundreds of millions in fraudulent wire transfers when reported quickly
- Notify your cyber insurance carrier — many policies cover BEC losses, but timely notification is required
- Preserve all evidence — do not delete the fraudulent emails. Forward them (as attachments, not inline) to your IT security team or MSP
If You Caught It Before Payment
- Do not reply to the suspicious email
- Report the email to your IT team or MSP immediately
- Verify the request through an independent communication channel (phone call to a known number)
- If the email came from an internal account, that account may be compromised — initiate password reset and session revocation
Houston Industries Most Targeted by BEC
- Energy: Large vendor payments, joint venture transactions, and land acquisition deals create high-value targets along the Ship Channel and Energy Corridor
- Real Estate: Wire transfers during closings are the #1 BEC target in Houston — title companies, brokerages, and buyers/sellers are all vulnerable
- Construction: Subcontractor invoices, material purchases, and progress payments create multiple BEC opportunities on every project
- Legal: Trust account transfers, settlement payments, and client funds make law firms prime targets — especially during M&A and real estate closings
- Healthcare: Insurance payments, vendor invoices, and payroll for large medical practices create BEC exposure across the Texas Medical Center and affiliated clinics
Protect Your Houston Business from BEC
LayerLogix provides BEC prevention services for businesses across Greater Houston — email authentication (DMARC at enforcement), phishing-resistant MFA deployment, Microsoft 365 security hardening, dark web monitoring, and employee security awareness training focused specifically on BEC scenarios.
Get a BEC risk assessment. We'll review your email authentication configuration, identify accounts without MFA, and assess your wire transfer procedures — before an attacker finds the gaps first. Call 713-571-2390.