# Business Email Compromise (BEC): First 24 Hours

**Use this Playbook when you observe:** suspicious mailbox logins, forwarding rules to unknown addresses, fraudulent wire instructions, MFA fatigue alerts, or vendor complaints about unusual emails from your domain.

![First 24 Hours: BEC playbook—email compromise response checklist.](https://www.attainium.net/images/blog/Business%20Email%20Compromise%20BEC.jpg)

---

## First 24 Hours Timeline

### T+0–15 minutes

- Secure the tenant: reset compromised credentials, revoke sessions/tokens, rotate API keys, and app passwords.
- Switch communication to a trusted out-of-band channel (phone bridge, secure chat not federated to compromised SSO).

### T+15–60 minutes

- Audit mailbox: look for forwarding rules, delegation, OAuth apps, or suspicious inbox activity.
- Trace fraudulent threads, identify affected partners/vendors, and place immediate holds on pending wire transfers.
- Engage breach counsel for privilege, sanctions, and notification requirements.

### T+1–4 hours

- Notify impacted vendors/partners quickly; coordinate with banks for potential wire recall.
- Issue internal staff guidance: warning signs of follow-on phishing, how to report suspicious activity, and when to pause transactions.
- Force credential rotations across affected accounts, especially finance-facing mailboxes.

### T+4–24 hours

- Confirm scope: Was the compromise limited to one mailbox or tenant-wide?
- Prepare regulator or customer notifications if data access involves sensitive content (PII/PHI/PCI).
- Stand up workstreams: Forensics, Legal, Finance, Technology, Comms.

---

## Do / Don’t

- **Do:** Freeze financial transactions, notify vendors, engage counsel, and preserve mailbox audit logs.
- **Don’t:** Delete mailbox artifacts, assume compromise is isolated, or notify customers before scoping the breach.

---

## Evidence to Preserve

- Mailbox audit logs and sign-in activity.
- Forwarding/redirect rules, OAuth consents, and third-party app connections.
- Email headers from fraudulent threads.
- Financial records of attempted or completed transfers.

---

## Communications Stub

*Internal (executive/staff):* “We have identified unauthorized access to one or more mailboxes. Containment actions are in progress. Please pause all wire transfers and payment approvals until cleared.”

*External (partner/vendor):* “We are investigating a compromise of one of our mailboxes that may have sent fraudulent payment instructions. Please verify any instructions received in the past 24 hours by phone before acting.”

---

## Metrics &amp; Decision Gates

- Wire transfers frozen and confirmed by Finance?
- Mailbox forwarding and OAuth connections fully audited?
- Vendors/partners notified within contractually required windows?
- Law enforcement or regulators notified if triggers met?

---

## Related First 24 Hours Playbooks

Use these coordinated playbooks to manage the first 24 hours across common cyber incidents:

- [Cyber Incident Hub: First 24 Hours Overview](https://www.attainium.net/resources-articles/first-24-hours-cyber-incident-checklist)
- [Ransomware: First 24 Hours](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-ransomware)
- [Business Email Compromise (BEC): First 24 Hours](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-bec)
- [Data Theft / Privacy: First 24 Hours](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-data-theft)

---

## Business Email Compromise (BEC) FAQs

**What is Business Email Compromise (BEC)?**

- Business Email Compromise (BEC) is when an attacker gains access to or convincingly impersonates a trusted email account to trick people into sending money, sharing sensitive information, or changing payment instructions.

**What is the first thing we should do if we suspect BEC?**

- Immediately secure the account and tenant: reset the user’s password, revoke active sessions, enforce or verify MFA, and review recent sign-ins and mailbox rules. At the same time, start preserving logs and key evidence for your investigation and forensics.

**How do we know whether the attacker accessed more than one mailbox?**

- Review email, identity, and audit logs for unusual sign-ins, mail rule changes, and admin activity across the tenant. Look for logins from new locations, devices, or IP ranges, and check for forwarding rules to external addresses or suspicious shared mailbox access.

**What if a fraudulent wire transfer or payment has already been sent?**

- Contact your bank and the receiving bank immediately to request a recall or freeze of the transfer, then notify legal and law enforcement as appropriate. Time is critical; you should also preserve all related emails, chat messages, and payment records for the investigation.

**Should we notify customers, vendors, or partners after a BEC incident?**

- Yes, if there is a reasonable chance they received fraudulent messages or payment instructions. Clear, timely notices help prevent further losses and protect relationships. Work with legal and communications to align on who needs to be notified and what they should do next.

**Do we need to report BEC to law enforcement?**

- In most cases, yes. Many organizations report BEC incidents to law enforcement or national cybercrime reporting centers, especially when money or sensitive information is involved. Your legal or breach counsel can guide which agencies to contact and how to document the case.

**What tenant-level hardening steps help prevent future BEC incidents?**

- Enforce MFA for all users, restrict legacy authentication, monitor risky sign-ins, limit admin accounts, and review external forwarding rules regularly. Implement alerting for new inbox rules, changes to payment-related contacts, and unusual sign-in patterns.

**How can tabletop exercises help us prepare for BEC?**

- A BEC tabletop exercise lets leadership, finance, IT, and communications walk through a realistic scenario: spotting red flags, escalating quickly, freezing payments, notifying affected parties, and coordinating with banks and law enforcement. It is a low-risk way to test your playbooks and tighten decision-making before a real incident.

---

Let’s discuss your next step in Cyber Resilience or Business Continuity.

**What would you like to discuss?**

   Business Continuity Planning

  Cyber Incident Response

  Tabletop Exercises

  Something else

 Last Name
