
Business Email Compromise Playbook

Response guide for BEC and email fraud incidents

5 Phases

Phase 1: Detect

Confirm BEC Attack

Verify the business email compromise

  • Review the suspicious email headers and content
  • Check for signs of account compromise
  • Verify if any fraudulent transactions occurred
  • Identify affected email accounts
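
A first-pass triage for the header review step above, as an added example (not Protectyr's own code). The sample message, its domains and the `TRUSTED_AUTHSERV` value are constructed assumptions; the check reads only `Authentication-Results` headers stamped by your own receiving mail server, because any other copy of that header can be supplied by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from a real incident); all domains are reserved test names.
SAMPLE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer.test;
 dkim=none; dmarc=fail header.from=corp.example
Authentication-Results: mx.sender.test; spf=pass; dkim=pass; dmarc=pass
Return-Path: <bounce@mailer.test>
From: "Dana Lee (CFO)" <dana.lee@corp.example>
Reply-To: dana.lee@corp-example.test
To: ap@corp.example
Subject: Urgent wire today

Please process the attached invoice before 3pm.
"""

TRUSTED_AUTHSERV = "mx.corp.example"  # assumption: authserv-id of your own receiving MTA

def _domain(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def trusted_auth_results(msg, authserv_id=TRUSTED_AUTHSERV):
    """Collect spf/dkim/dmarc verdicts only from headers added by our own MTA."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        server, _, rest = " ".join(raw.split()).partition(";")  # unfold, then split off authserv-id
        if server.strip().lower() != authserv_id:
            continue  # header from another host: the sender controls it
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts

def triage_headers(raw_message):
    """Return a list of header findings worth recording in the incident notes."""
    msg = message_from_string(raw_message)
    verdicts = trusted_auth_results(msg)
    findings = [f"{m}={verdicts.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if verdicts.get(m, "missing") != "pass"]
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != from domain {from_dom}")
    return_dom = _domain(msg["Return-Path"])
    if return_dom and return_dom != from_dom:  # low signal alone: common for bulk senders
        findings.append(f"return-path domain {return_dom} != from domain {from_dom}")
    return findings
```

A clean result here does not rule out BEC: mail sent from a genuinely compromised internal mailbox passes all three checks, which is why the account-compromise bullets still apply.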

Assess Financial Impact

Determine if funds were transferred

  • Contact finance/accounting immediately
  • Review recent wire transfers and payments
  • Check for pending fraudulent transactions
  • Document all financial details

Need help executing this step? Our IR team responds in 4 hours.


Phase 2: Contain

Secure Affected Accounts

Prevent further unauthorized access

  • Reset passwords for compromised accounts
  • Enable MFA if not already enabled
  • Review and revoke suspicious OAuth applications
  • Check email forwarding rules for unauthorized entries

Stop Fraudulent Transactions

Attempt to recover funds

  • Contact bank immediately to halt/recall transfers
  • File report with FBI IC3 (ic3.gov)
  • Work with receiving banks to freeze funds
  • Document all recovery attempts


Phase 3: Eradicate

Investigate Compromise Method

Determine how the account was compromised

  • Review sign-in logs for suspicious activity
  • Check for phishing emails that may have captured credentials
  • Review password spray attempts
  • Analyze any malware or malicious links clicked


Phase 4: Recover

Restore Normal Operations

Return to secure email operations

  • Verify all malicious rules/forwarding removed
  • Confirm account security settings are correct
  • Communicate incident to affected parties
  • Implement additional email security controls


Phase 5: Post-Incident

Prevention Measures

Implement controls to prevent future incidents

  • Implement/strengthen email authentication (DMARC, DKIM, SPF)
  • Train employees on BEC awareness
  • Establish verbal verification for financial transactions
  • Review and update email security policies


Get Expert Incident Response Help

Don't handle incidents alone. Our certified IR team is available 24/7.
