What's Happening?
Business email compromise (BEC) continues to be a significant threat to organizations, even those that have implemented multi-factor authentication (MFA). Despite the common belief that MFA is a comprehensive solution for email security, attackers are exploiting human behaviors and process gaps that MFA cannot address. In many BEC incidents, no account is technically compromised, placing these attacks outside the protection boundary of MFA controls. Notable cases include Toyota Boshoku Corporation in 2019, where an employee transferred over $30 million to scammers following a cloned email, and Arup in 2024, where attackers used deepfake technology to impersonate a senior manager and convinced a finance team member to make payments totaling $25 million. In both cases the failure occurred at the decision point, not at the authentication layer: the attackers exploited trust, timing, and established approval habits.
Why Is It Important?
The persistence of BEC attacks despite MFA implementation underscores the critical need for organizations to address human factors in cybersecurity. While technical safeguards like MFA are essential, they are not sufficient on their own. The real-world impact of BEC attacks can be devastating, leading to significant financial losses and operational disruptions. Organizations must focus on improving human workflows and culture, ensuring that employees are trained to recognize and respond to suspicious requests. This includes formalizing policies that encourage pausing or escalating suspicious requests and holding up staff who report such requests as positive examples. By addressing these human-centric vulnerabilities, organizations can better protect themselves against sophisticated social engineering attacks that bypass technical controls.
What's Next?
Organizations are likely to increase their focus on integrating human-centric security measures alongside technical solutions. This may involve revising internal policies to emphasize the importance of verifying financial approvals and vendor changes through multiple channels. Additionally, there may be a push for more comprehensive training programs that educate employees on recognizing and responding to social engineering tactics. As awareness of these vulnerabilities grows, companies might also invest in technologies that can detect and mitigate deepfake content and other advanced impersonation techniques. The ongoing evolution of BEC tactics will require continuous adaptation and vigilance from both security professionals and organizational leadership.
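The multi-channel verification the paragraph above recommends can be enforced in the approval workflow itself rather than left to individual judgment. The following is an added example written for this article, not code from any organization or incident mentioned in it. It models a vendor bank-detail change request that is approved only after a confirmation call placed to the contact number already on file at onboarding; a callback number supplied inside the request is never used, and a claim of urgency does not shorten the check. All vendor records, phone numbers and the request itself are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    """Master data the organization maintains independently of inbound email."""
    name: str
    bank_account: str
    verification_phone: str  # captured at onboarding, not taken from any later message


@dataclass(frozen=True)
class ChangeRequest:
    """A bank-detail change as it arrived by email (constructed sample, not a real message)."""
    vendor_name: str
    new_bank_account: str
    contact_phone_in_email: Optional[str]  # number the sender asks staff to call back
    marked_urgent: bool


@dataclass(frozen=True)
class Confirmation:
    """What staff actually did on the second channel."""
    phone_called: str
    vendor_confirmed: bool


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


# Constructed sample directory; the account and phone values are placeholders.
SAMPLE_VENDORS: Dict[str, VendorRecord] = {
    "Acme Components Ltd": VendorRecord(
        name="Acme Components Ltd",
        bank_account="ACCT-ONFILE-0001",
        verification_phone="+00 000 000 0001",
    ),
}

# Constructed sample request: new account, urgency pressure, and its own callback number.
SAMPLE_REQUEST = ChangeRequest(
    vendor_name="Acme Components Ltd",
    new_bank_account="ACCT-NEW-9999",
    contact_phone_in_email="+00 000 000 0099",
    marked_urgent=True,
)


def evaluate_change(
    req: ChangeRequest,
    vendors: Dict[str, VendorRecord],
    confirmation: Optional[Confirmation] = None,
) -> Decision:
    """Approve a bank-detail change only on a second-channel confirmation to the number on file."""
    decision = Decision(approved=False)
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        decision.reasons.append("unknown vendor: escalate, do not pay")
        return decision
    if req.new_bank_account == vendor.bank_account:
        decision.reasons.append("no change to bank details")
        decision.approved = True
        return decision
    # Contact details carried by the request are informational at best; they never drive verification.
    if req.contact_phone_in_email and req.contact_phone_in_email != vendor.verification_phone:
        decision.reasons.append("callback number in email differs from number on file: ignored")
    if req.marked_urgent:
        decision.reasons.append("urgency claimed: verification is not shortened")
    if confirmation is None:
        decision.reasons.append("no second-channel confirmation recorded: hold")
        return decision
    if confirmation.phone_called != vendor.verification_phone:
        decision.reasons.append("confirmation used a number not on file: invalid, repeat via number on file")
        return decision
    if not confirmation.vendor_confirmed:
        decision.reasons.append("vendor denied the change: treat as suspected BEC and report")
        return decision
    decision.approved = True
    decision.reasons.append("change confirmed via number on file")
    return decision


if __name__ == "__main__":
    # Walk the sample request through the four outcomes a finance team would see.
    for conf in (
        None,
        Confirmation(phone_called="+00 000 000 0099", vendor_confirmed=True),
        Confirmation(phone_called="+00 000 000 0001", vendor_confirmed=False),
        Confirmation(phone_called="+00 000 000 0001", vendor_confirmed=True),
    ):
        d = evaluate_change(SAMPLE_REQUEST, SAMPLE_VENDORS, conf)
        print(d.approved, "|", "; ".join(d.reasons))
```

The point of keeping the on-file number in a record the request cannot touch is that a cloned or spoofed email, however convincing, cannot redirect the verification to a contact the attacker controls. Logging the reasons alongside the decision also gives reviewers a record of every change that was held or denied, which is the raw material for the positive reinforcement the article recommends.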