advanced

Business Email Compromise (BEC) Response

Response procedures for BEC attacks including wire fraud attempts and executive impersonation.

2-4 hours initial, ongoing · 5 steps · 10 checklist items

Summary

Guide for handling BEC incidents from detection through financial recovery attempts and legal engagement.

Step-by-Step Procedure

1. Immediate Assessment

Determine the type and status of the BEC attack.

Actions

  • Was money transferred? If so, how much and when?
  • Is the email account actually compromised or spoofed?
  • Identify all parties involved in the communication
  • Preserve all related email communications

2. Financial Response

Attempt to halt or recover fraudulent transfers.

Actions

  • Contact your bank immediately to halt transfer
  • File IC3 complaint for wire recall assistance
  • Engage receiving bank through your bank
  • Document all financial recovery attempts

3. Account Security

Secure compromised or targeted accounts.

Actions

  • Reset passwords and MFA for any compromised accounts
  • Review all inbox rules and forwarding settings
  • Check for OAuth app grants
  • Audit recent email activity

4. Investigation

Understand how the attack occurred.

Actions

  • Analyze email headers for spoofing vs compromise
  • Review authentication logs
  • Identify initial compromise vector
  • Check for similar attempts across organization

5. Legal and Regulatory

Address legal and compliance requirements.

Actions

  • Engage legal counsel
  • File law enforcement report
  • Assess notification requirements
  • Preserve evidence for potential litigation
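
The header check from step 4 ("Analyze email headers for spoofing vs compromise"), as an added example that is not part of the original playbook: it reads a preserved message and returns a triage hint from the From domain, the Reply-To domain and the recorded DMARC result. Assumptions: your own mail gateway stamps the topmost Authentication-Results header, the responder supplies the domain being impersonated, and the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(header_value):
    """Lower-cased domain of an address header, or '' when absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _auth_result(auth_header, method):
    """Result token (pass, fail, none, ...) recorded for spf, dkim or dmarc."""
    m = re.search(rf"\b{method}=(\w+)", auth_header, re.IGNORECASE)
    return m.group(1).lower() if m else "none"

def triage_headers(raw, trusted_domain):
    """Triage hint (not proof) for one preserved message; trusted_domain is
    the domain the sender claims to represent, supplied by the responder."""
    msg = message_from_string(raw)
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    # Assumption: the topmost Authentication-Results header was added by your
    # own gateway. get() returns that one; copies lower down may be forged.
    auth = msg.get("Authentication-Results", "")
    dmarc = _auth_result(auth, "dmarc")
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    if from_dom != trusted_domain.lower():
        verdict = "lookalike-domain"      # external sender imitating the name
    elif dmarc == "pass":
        verdict = "possible-compromise"   # sent from the real domain: review auth logs
    elif dmarc == "fail":
        verdict = "spoofed"               # forged From; mailbox likely not breached
    else:
        verdict = "inconclusive"          # no DMARC verdict recorded
    return {"verdict": verdict, "dmarc": dmarc, "spf": _auth_result(auth, "spf"),
            "dkim": _auth_result(auth, "dkim"), "flags": flags}

# Constructed sample messages using reserved .example/.invalid domains.
SPOOFED = ("Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail\n"
           "From: CEO <ceo@corp.example>\nReply-To: ceo@mail.invalid\n"
           "Subject: Urgent wire\n\nPlease pay today.\n")
COMPROMISED = ("Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n"
               "From: CEO <ceo@corp.example>\nSubject: Urgent wire\n\nPlease pay today.\n")
LOOKALIKE = ("Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n"
             "From: CEO <ceo@c0rp.example>\nSubject: Urgent wire\n\nPlease pay today.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("lookalike", LOOKALIKE)):
        print(name, triage_headers(raw, "corp.example"))
```

A "possible-compromise" verdict points the investigation at authentication logs, inbox rules and OAuth grants for that mailbox, while "spoofed" and "lookalike-domain" point at mail filtering and domain monitoring instead.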

Completion Checklist

  • Financial transfer status determined
  • Bank notified for halt/recall
  • IC3 complaint filed
  • Affected accounts secured
  • Email rules and forwards cleaned
  • Attack vector identified
  • Legal counsel engaged
  • Law enforcement report filed
  • Internal communications sent
  • Incident documented

Evidence to Collect

  • All BEC emails with full headers
  • Wire transfer documentation
  • Bank communication records
  • Authentication logs
  • IC3 complaint number
  • Law enforcement report number

Communication Templates

  • Bank notification letter
  • Law enforcement report template
  • Internal notification to finance team
  • Vendor/customer notification (if applicable)
