Business email compromise is not the flashiest type of cyberattack, but it is consistently one of the most financially damaging. The FBI reports billions of dollars in losses every year, and small businesses are frequent targets.
The part that makes it especially dangerous: it often goes undetected for weeks or months.
An attacker gets into a business email account, usually through a stolen password or a phishing attack. Instead of doing anything obvious, they sit quietly and read. They learn how the business operates, who the clients are, what payment processes look like. Then they act.
Common attacks include intercepting a payment conversation and sending updated wire transfer instructions to a client or vendor, emailing a bank directly to redirect payroll, or impersonating the owner to pressure an employee into making a quick transfer. By the time anyone notices, the money is usually gone and difficult to recover.
Warning signs that an account has been compromised include: emails in your Sent folder that you do not remember sending; login alerts from unfamiliar locations or devices; email forwarding rules you did not create (attackers often set these up to watch your inbox without staying logged in); clients asking about messages you never sent; and unusual password reset emails from accounts you use.
In Microsoft 365, go to your account security settings and review active sessions and recent sign-in history. Check your email rules and forwarding settings. If anything looks unfamiliar, treat it as compromised.
In Gmail, scroll to the bottom of your inbox and click "Details" next to "Last account activity" to see recent logins from other locations or devices.
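The two checks above (reviewing inbox rules and forwarding settings, and reviewing recent sign-in history) can be automated once the data has been exported. The script below is an added example, not part of the original post or of any vendor's tooling. It assumes the rules and sign-in events have already been exported into the simple dictionary shapes shown (the field names are this example's own), and the internal domain, expected country and known device names are constructed placeholders. It flags rules that forward or redirect mail outside the organisation, rules that silently hide payment-related messages (the setup behind an intercepted invoice conversation), and sign-ins from an unexpected country or an unfamiliar device.

```python
"""Triage exported mailbox rules and sign-in events for BEC indicators.

Added example. Input shapes and all organisation settings below are
assumptions constructed for the demonstration, not a real export format.
"""

# Constructed organisation settings.
INTERNAL_DOMAINS = {"example.com"}
EXPECTED_COUNTRIES = {"US"}
KNOWN_DEVICES = {"laptop-jane", "phone-jane"}
# Words payment conversations tend to contain. A rule that quietly deletes,
# hides or marks as read messages matching these is the classic setup for
# intercepting a wire-transfer discussion.
PAYMENT_KEYWORDS = ("invoice", "wire", "payment", "bank", "remittance")
HIDING_FOLDERS = {"Deleted Items", "Junk Email", "Archive", "RSS Feeds"}


def _domain(address):
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def review_rule(rule):
    """Return human-readable findings for one inbox rule; [] means nothing suspicious."""
    findings = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [a for a in targets if _domain(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards or redirects mail outside the organisation: "
                        + ", ".join(external))
    text = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
    keywords = [k for k in PAYMENT_KEYWORDS if k in text]
    hides = (rule.get("delete_message", False)
             or rule.get("mark_as_read", False)
             or rule.get("move_to_folder") in HIDING_FOLDERS)
    if keywords and hides:
        findings.append("hides messages mentioning " + ", ".join(keywords))
    return findings


def review_signins(events):
    """Return (time, user, reasons) for sign-ins from an unexpected country or device."""
    flagged = []
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = []
        if ev["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country " + ev["country"])
        if ev["device"] not in KNOWN_DEVICES:
            reasons.append("unfamiliar device " + ev["device"])
        if reasons:
            flagged.append((ev["time"], ev["user"], reasons))
    return flagged


def triage(rules, events):
    """Combine both checks: {'rules': {name: findings}, 'signins': [flagged events]}."""
    rule_findings = {r.get("name") or "<unnamed>": review_rule(r) for r in rules}
    return {
        "rules": {name: f for name, f in rule_findings.items() if f},
        "signins": review_signins(events),
    }


# Constructed sample data: one benign rule, two that match the attacker pattern,
# and a sign-in history with one event from a placeholder country code "ZZ".
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"], "move_to_folder": "Reading"},
    {"name": "Sync", "body_contains": ["invoice", "wire transfer"], "delete_message": True,
     "forward_to": ["collector@mail-relay.invalid"]},
    {"name": "Bank notices", "subject_contains": ["bank"], "mark_as_read": True,
     "move_to_folder": "RSS Feeds"},
]
SAMPLE_SIGNINS = [
    {"time": "2024-03-01T08:02:00Z", "user": "jane@example.com", "country": "US", "device": "laptop-jane"},
    {"time": "2024-03-02T03:41:00Z", "user": "jane@example.com", "country": "ZZ", "device": "unknown-browser"},
    {"time": "2024-03-02T09:15:00Z", "user": "jane@example.com", "country": "US", "device": "phone-jane"},
]

if __name__ == "__main__":
    report = triage(SAMPLE_RULES, SAMPLE_SIGNINS)
    for name, findings in report["rules"].items():
        print(f"RULE {name!r}:")
        for finding in findings:
            print("   -", finding)
    for time, user, reasons in report["signins"]:
        print(f"SIGN-IN {time} {user}: {'; '.join(reasons)}")
```

Any rule or sign-in the script flags should be treated the way the text above describes: assume the account is compromised and move to the response steps rather than simply deleting the rule, since the attacker still holds whatever credential created it.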
Change your password immediately from a clean device. Enable multi-factor authentication if it is not already on. Delete any forwarding rules or filters you did not create. Check your Sent and Drafts folders carefully. Alert your bank and any vendors who may have received suspicious payment instructions. Then call your IT provider to assess the full scope of what happened.
Multi-factor authentication is the best prevention available. It stops the vast majority of email account takeovers before they start. If your team does not have it enabled yet, that is the most important thing to fix today. Our cybersecurity services include MFA setup as part of every engagement; reach out if you would like it taken care of.