
Business Email Compromise Response Checklist for Small Businesses


[!CAUTION] Active Email Compromise or Financial Fraud? If your organization is undergoing an active Business Email Compromise (BEC) incident, or you have recently authorized a fraudulent wire transfer, call the THOR 24/7 Incident Response Hotline immediately at 312.529.0672 for urgent containment.


Business Email Compromise (BEC) is one of the most financially devastating cyber threats facing modern organizations. The Federal Bureau of Investigation (FBI) describes business email compromise as one of the most financially damaging online crimes, noting that it specifically exploits routine business reliance on email to conduct day-to-day transactions.

Microsoft also explains that BEC involves the sophisticated impersonation of trusted leaders, vendors, or partners to trick employees into sending money, routing payments, or sharing sensitive corporate data.

If your organization has suffered a BEC event, you must react immediately to lock down your tenant, isolate the attacker, and protect your capital. This guide provides a practical, step-by-step business email compromise response checklist for small businesses.


The BEC Emergency Response Checklist

Follow these steps immediately to respond to an active email account compromise:

Step 1: Preserve Critical Evidence

Before you reset passwords or lock accounts, make sure you do not overwrite the logs that forensic investigators need to trace the breach.

  • Do Not Delete the Mailbox: Deleting the mailbox deletes the evidence.
  • Export Log Data: Extract the unified audit logs, sign-in logs, and mail transport logs.
  • Save Headers: If the attacker sent phishing emails from the account, save the raw email headers (.eml or .msg files) of the sent messages.

Step 2: Terminate Active Sessions & Lock the Account

You must kick the attacker out of the environment immediately to stop ongoing access to mailbox data.

  • Revoke all active browser sessions, OAuth application tokens, and device bindings in your email console (e.g., Entra ID session revocation).
  • Disable legacy authentication protocols (like POP3 or IMAP) which bypass modern MFA checks.
  • Reset the account password to a strong, 16+ character passphrase.
  • Review all registered Multi-Factor Authentication (MFA) devices and remove any unrecognized auth apps or backup phone numbers.

Step 3: Stop Financial Damage (Fraudulent Wire Recalls)

If you are dealing with a fraudulent wire transfer email compromise, speed is your absolute priority:

  • Call Your Bank’s Fraud Department: Request a wire recall immediately. Do not send an email; speak with a live fraud representative.
  • Utilize the FBI Financial Fraud Kill Chain (FFKC): If the wire was sent within the last 72 hours, is over $50,000, and went to a domestic U.S. bank, the FBI can coordinate with financial institutions to freeze the funds.
  • File an IC3 Complaint: Submit all transaction details, account numbers, and IP addresses to the FBI’s Internet Crime Complaint Center at ic3.gov.

Step 4: Audit Rules, Forwarding, and App Permissions

Attackers set up silent backdoors to maintain access after credentials are changed.

  • Inbox Rules: Check for rules that move incoming emails containing words like “invoice,” “wire,” or “hack” into the archive or deleted folders.
  • Mail Forwarding: Verify that global forwarding is disabled or restricted to authorized domains.
  • Enterprise Applications: Audit recent OAuth application authorizations. Revoke any apps that you did not explicitly authorize.
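The inbox-rule and forwarding audit in Step 4 is easier to do reliably against an export than by eye. The following Python is an added example (not code from the original checklist or from THOR) that runs the Step 4 checks over rule and mailbox data; it assumes the input has the field names of Exchange Online's Get-InboxRule and Get-Mailbox output as exported with ConvertTo-Json, with a constructed sample embedded inline, and it also flags mailbox-level forwarding and blank rule names, two patterns beyond the bullets above.

```python
import json

SUSPICIOUS_WORDS = {"invoice", "wire", "hack", "payment"}  # Step 4 keywords, plus "payment" (my addition)
HIDING_FOLDERS = {"deleted items", "archive", "rss feeds", "junk email", "conversation history"}
# Constructed sample input; field names follow Get-InboxRule / Get-Mailbox exported with ConvertTo-Json
# (an assumed export shape, not data from a real tenant). Absent fields take their default values.
INBOX_RULES_JSON = """[
 {"MailboxOwnerId": "cfo@example.com", "Name": ".", "SubjectOrBodyContainsWords": ["invoice", "wire"], "MoveToFolder": "RSS Feeds"},
 {"MailboxOwnerId": "cfo@example.com", "Name": "Newsletters", "SubjectOrBodyContainsWords": ["newsletter"], "MoveToFolder": "Archive"},
 {"MailboxOwnerId": "ap@example.com", "Name": "Sync", "RedirectTo": ["backup@attacker-mail.example"], "DeleteMessage": false}
]"""
MAILBOXES_JSON = """[
 {"PrimarySmtpAddress": "cfo@example.com", "ForwardingSmtpAddress": null},
 {"PrimarySmtpAddress": "ap@example.com", "ForwardingSmtpAddress": "smtp:ap.copy@freemail.example"}
]"""

def is_external(address, internal_domains):
    domain = address.lower().split(":")[-1].rsplit("@", 1)[-1]  # drop any "smtp:" prefix
    return domain not in internal_domains

def audit_inbox_rules(rules, internal_domains):
    """Return (mailbox, rule name, reason) for each enabled rule matching a BEC persistence pattern."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        owner, name = r["MailboxOwnerId"], r["Name"]
        words = {w.lower() for w in r.get("SubjectOrBodyContainsWords") or []} & SUSPICIOUS_WORDS
        hides = r.get("DeleteMessage") or (r.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
        if hides and words:  # e.g. "invoice"/"wire" mail silently moved to RSS Feeds or deleted
            findings.append((owner, name, "hides mail matching " + ", ".join(sorted(words))))
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):  # all three leak mail
            for target in r.get(key) or []:
                if is_external(target, internal_domains):
                    findings.append((owner, name, f"{key} sends mail outside the organization: {target}"))
        if not name.strip(" .,-_"):  # blank or punctuation-only rule names are a common BEC tell
            findings.append((owner, name, "rule name is blank or punctuation only"))
    return findings

def audit_mailbox_forwarding(mailboxes, internal_domains):
    """Flag mailbox-level forwarding, which is set outside inbox rules and survives rule cleanup."""
    return [(m["PrimarySmtpAddress"], "mailbox forwarding", f"forwards externally to {m['ForwardingSmtpAddress']}")
            for m in mailboxes if m.get("ForwardingSmtpAddress")
            and is_external(m["ForwardingSmtpAddress"], internal_domains)]

def run_audit(internal_domains=frozenset({"example.com"})):
    return (audit_inbox_rules(json.loads(INBOX_RULES_JSON), internal_domains)
            + audit_mailbox_forwarding(json.loads(MAILBOXES_JSON), internal_domains))
for mailbox, item, reason in run_audit():
    print(f"{mailbox} / {item}: {reason}")
```

On the sample, the benign "Newsletters" rule produces no finding, while the "." rule, the external redirect, and the mailbox-level forward each do.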

Step 5: Contact Your Cyber Insurance Carrier

Notify your insurance broker or carrier as soon as a financial loss or breach is suspected.

  • Note: Engaging independent security providers before notifying your carrier can sometimes void coverage. Ensure you coordinate with your carrier or work with pre-approved incident response panels.

Step 6: Review Recent Vendor Payment Changes

If one portfolio company (PortCo) or vendor account was compromised, the attacker may have modified invoices or payment details across other accounts.

  • Cross-check recent requests for routing number or payment detail modifications.
  • Always use a secondary, verified communication channel (like a phone call to a known number) to verbally confirm billing updates before authorizing payments.

Step 7: Monitor for Recurrence & Hardening

  • Monitor sign-in logs for anomalous location connections or suspicious device configurations.
  • Implement email validation protocols—specifically SPF, DKIM, and DMARC—to prevent external attackers from spoofing your domain name.

M365 vs. Workspace BEC Response

Session Revocation
  • Microsoft 365 (O365): Revoke sessions in Microsoft Entra Admin Center.
  • Google Workspace: Reset sign-in cookies in Google Admin Console.

Rules & Forwarding
  • Microsoft 365 (O365): Check Outlook Web App (OWA) Rules and Forwarding.
  • Google Workspace: Check Gmail settings under Filters and Forwarding.

Log Review
  • Microsoft 365 (O365): Review the Unified Audit Log (UAL) via Purview.
  • Google Workspace: Review the Email Log Search and Admin Audit Log.

App Consents
  • Microsoft 365 (O365): Audit Entra ID Enterprise Applications.
  • Google Workspace: Audit API Controls under Security > API Controls.

When to Bring in BEC Incident Response Experts

Conducting a baseline BEC incident response is a vital first step, but establishing how the breach occurred and ensuring the environment is safe requires professional digital forensics. Forensic specialists help you:

  • Exfiltration Audits: Trace exactly what files, spreadsheets, or folders the attacker opened or downloaded.
  • Hardening Policies: Configure tenant security (blocking legacy protocols, enabling MFA number matching, configuring tenant limits).
  • Legal & Regulatory Compliance: Verify if employee files containing tax info, health data, or passwords were exposed, requiring legal notification.

Secure Your Mailbox Integrity with THOR

If your organization has suffered an email account compromise or wire transfer fraud, the THOR Incident Response team provides rapid containment, forensic auditing, data analysis, and email security hardening.

Do you need assistance containing or investigating a suspected business email compromise? Call THOR Incident Response now to secure your system and protect your capital.
