Cybersecurity: Mitigating the Risks of Business Email Compromise Attacks

by John Jenkins

June 24, 2026

Business email compromise (BEC) attacks are a big and growing problem – in 2024 alone, BEC attacks accounted for 73% of all cyber incidents. This recent Debevoise blog highlights some of the common forms these attacks take, including senior executive fraud, vendor payment redirection, M&A transaction interception, and payroll and benefits diversion. It also discusses steps companies can take to mitigate their BEC risks. Here’s an excerpt from that discussion:

BEC schemes exploit technical weaknesses, fragmented payment workflows, and human trust, making prevention a multifaceted challenge. While no defense is entirely foolproof, companies can meaningfully reduce their exposure to BEC attacks by adopting layered safeguards that address system access, payment controls, vendor management, and employee behavior, including:

Implementing phishing-resistant multifactor authentication (“MFA”) across all accounts. Require MFA for email, financial systems, remote access, and vendor portals; where feasible, prioritize phishing-resistant methods such as security keys, passkeys, or other cryptographic-based authentication, and require step-up authentication for new devices, mailbox-forwarding rules, and payment-administration changes.

Establishing robust verification protocols for financial transactions. Use previously verified contact information (in particular, phone numbers) for any request to change payment instructions, authorize wire transfers, update vendor bank details, or reset financial-portal credentials; do not rely on contact information supplied in the same message requesting the change. For sensitive transactions, consider a video call to verify.

Other mitigation strategies identified in the blog include mandatory waiting periods for account changes that affect authentication or payment, social engineering awareness training for employees, using technical controls to detect suspicious activity, and requiring multiple authorizations for high-risk transactions.
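To make the payment-change controls above concrete, here is an added example (not from the Debevoise blog or this post) of a decision check for a vendor bank-detail change: the callback must go to the number already on file rather than the one supplied in the request, a mandatory hold must elapse, and two distinct approvers must sign off. The vendor record, 48-hour hold and two-approver threshold are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed vendor master record; the on-file phone number is the ONLY
# number finance may use to verify a change request.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supplies", "phone": "+1-555-010-1000",
               "account": "DE00 1111"},
}
HOLD_PERIOD = timedelta(hours=48)   # assumed mandatory waiting period
REQUIRED_APPROVERS = 2              # assumed dual-authorization threshold


@dataclass
class BankDetailChange:
    vendor_id: str
    new_account: str
    phone_in_message: str               # number the requester supplied; never trusted
    received_at: datetime
    callback_number: Optional[str] = None   # number finance actually dialed
    callback_confirmed: bool = False
    approvers: Set[str] = field(default_factory=set)


def evaluate(change: BankDetailChange, now: datetime) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); every failed control is listed, not just the first."""
    reasons: List[str] = []
    vendor = VENDOR_MASTER.get(change.vendor_id)
    if vendor is None:
        return False, ["unknown vendor"]
    # Control 1: out-of-band verification to the previously verified number.
    # Dialing the number embedded in the request (even if it "confirms") fails.
    if change.callback_number != vendor["phone"]:
        reasons.append("callback not made to on-file number")
    elif not change.callback_confirmed:
        reasons.append("on-file contact did not confirm the change")
    # Control 2: mandatory hold before the new account becomes payable.
    if now - change.received_at < HOLD_PERIOD:
        reasons.append("waiting period not elapsed")
    # Control 3: multiple distinct authorizations for a high-risk change.
    if len(change.approvers) < REQUIRED_APPROVERS:
        reasons.append("fewer than %d distinct approvers" % REQUIRED_APPROVERS)
    return (not reasons), reasons
```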