The 'CEO Fraud' (BEC) Survival Guide
Business Email Compromise (BEC) costs businesses billions. How to spot when the 'Boss' emailing you for a wire transfer is actually a scammer.
What is Business Email Compromise?
You receive an email from the CEO. “Hi, I’m in a meeting and can’t talk. I need you to process a wire transfer for a new vendor immediately. It’s urgent. I’ll explain later.”
It looks like the CEO’s name. It might even be the CEO’s actual email address. But it’s a lie. This is Business Email Compromise (BEC).
In 2026, BEC isn’t just a “scam”—it’s a governance failure. Under NIST CSF 2.0, specifically the “Govern” function, cybersecurity is no longer just an IT problem; it is a core business risk that requires executive ownership. If your finance team sends money to a scammer, it is often because leadership failed to set the rules of engagement before the email arrived.
The Two Types of Attacks
1. Spoofing (The Fake Address)
The attacker registers yourcompany-management.com instead of yourcompany.com. They mimic your CEO’s display name. A tired employee glances at the name, misses the domain error, and pays the invoice.
2. Account Compromise (The Real Address)
The attacker has guessed or stolen the CEO’s password. They are inside the real email account. They read past emails to mimic tone (“Cheers,” “Sent from my iPhone”). They wait for a large invoice date, then interject with “updated banking details.”
Part 1: Locking the Doors (Technical Controls)
You cannot rely on willpower alone. You must use technology to block the attack vector.
1. Multi-Factor Authentication (MFA)
This is non-negotiable. Per the ACSC Essential Eight (2026), MFA is the primary defense against account compromise. If you do not have MFA enforced on every email account, you are leaving the front door open. It stops 99.9% of automated password attacks.
- Action: Enforce MFA for all staff immediately. No exceptions for executives.
2. Watch for “Ghost” Forwarding Rules
Hackers often set up a hidden rule: “Forward all emails containing ‘Invoice’ to hacker@gmail.com and then delete the original.”
- Action: Regularly audit your email server for suspicious forwarding rules. If you use Microsoft 365, check the “Alert Policies” for forwarding activity.
3. External Email Tags
Configure your email server to stamp a banner on incoming mail: [EXTERNAL]. If an email says “Urgent - from the CEO” but carries the [EXTERNAL] tag, your staff know instantly that it is a spoof.
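The spoofing pattern from “The Two Types of Attacks” (an executive’s display name on a look‑alike domain, plus urgent money language) and the [EXTERNAL] banner above can both be checked mechanically at the mail gateway. The Python below is an added example, not code from the original article; the domain yourcompany.com, the executive name “Jane Doe”, the keyword list and the two sample messages are assumptions constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed for this example: the company's genuine domain and the executives' display names.
INTERNAL_DOMAINS = {"yourcompany.com"}
EXECUTIVE_NAMES = {"jane doe"}            # names an attacker is likely to imitate
URGENT_MONEY = re.compile(
    r"\b(urgent|immediately|wire transfer|banking details|can't talk)\b", re.I)

def is_lookalike(domain):
    """External domain that embeds the company name, e.g. yourcompany-management.com."""
    if domain in INTERNAL_DOMAINS:
        return False
    return any(internal.split(".")[0] in domain for internal in INTERNAL_DOMAINS)

def assess(raw_message):
    """Return the red flags found in one raw email (empty list = nothing suspicious)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    display_name, address = parseaddr(str(msg["From"] or ""))
    domain = address.rpartition("@")[2].lower()
    flags = []
    if domain not in INTERNAL_DOMAINS:
        flags.append("EXTERNAL")                       # the banner from Part 1, item 3
        if is_lookalike(domain):
            flags.append("LOOKALIKE_DOMAIN")           # Spoofing: the fake address
        if display_name.strip().lower() in EXECUTIVE_NAMES:
            flags.append("EXEC_NAME_FROM_OUTSIDE")     # CEO's name, not the CEO's domain
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if URGENT_MONEY.search(str(msg["Subject"] or "")) or URGENT_MONEY.search(text):
        flags.append("URGENT_MONEY_LANGUAGE")         # urgency + money = slow down
    return flags

def tagged_subject(raw_message):
    """Subject line as staff would see it once the [EXTERNAL] banner is applied."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    subject = str(msg["Subject"] or "")
    return f"[EXTERNAL] {subject}" if "EXTERNAL" in assess(raw_message) else subject

# Constructed sample messages (not real traffic).
SPOOF = (b"From: Jane Doe <jane.doe@yourcompany-management.com>\r\n"
         b"Subject: Urgent - from the CEO\r\n\r\n"
         b"Hi, I'm in a meeting and can't talk. Process a wire transfer "
         b"for a new vendor immediately. I'll explain later.\r\n")
LEGIT = (b"From: Jane Doe <jane.doe@yourcompany.com>\r\n"
         b"Subject: Board pack\r\n\r\nAttached for Thursday, no action needed.\r\n")
```

Running `assess(SPOOF)` raises all four flags, while `assess(LEGIT)` raises none. An account-compromise attack (the second type above) comes from the real domain and passes every one of these checks, which is exactly why the voice-verification rule in Part 2 exists.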
Part 2: The Human Firewall (Process Controls)
Technology fails. Humans are the last line of defense.
1. The “Voice Verification” Rule
This is the “Govern” function in action. Policy: “No funds over $500 (or any change in banking details) will be processed without voice verification.”
- The Rule: If you get an email request for money, you must pick up the phone.
- The Method: Call the requestor on a known internal number (not the number in the suspicious email signature).
- The Culture: Leadership must praise staff for checking, not punish them for “slowing things down.”
2. Slow Down
BEC relies on panic. “Do it now!” “The deal will explode!” Train your staff that secrecy and urgency regarding money are massive red flags. Better to be slow and safe than fast and insolvent.
Part 3: The “Oh No” Moment (Response)
What if the money is gone?
1. Immediate Action (The “Golden Hour”)
- Call your Bank: Immediately. Request a “SWIFT recall” or “payment reversal.” Minutes matter.
- Call the Receiving Bank: If you know where the money went (from the IBAN/Account details), contact that bank’s fraud department directly.
2. Regulatory Reporting (The 72-Hour Rule)
Under the Privacy Act 1988 (2026 Reforms), if the breach involves personal data (which email compromises often do), you may have a Notifiable Data Breach (NDB) on your hands.
- The Law: You generally have 72 hours to assess and potentially report the breach to the OAIC and affected individuals.
- The Liability: Ignoring this clock can lead to severe penalties under the new 2026 tiered fine structure.
3. Call the Professionals
Do not try to “clean” the hacked computer yourself. You might destroy evidence needed for insurance or law enforcement. Disconnect the device from the network and call your incident response provider.