
Business email compromise (BEC) is still thriving even in organizations that have implemented multi-factor authentication (MFA). As security professionals, we often assume that MFA is the silver bullet for email security, but real-world incidents suggest otherwise. Attackers exploit human behaviors, process gaps and operational blind spots that MFA alone cannot address. In many modern BEC cases, no account is technically compromised at all, which places these attacks outside the protection boundary of MFA controls.
In 2019, Toyota Boshoku Corporation fell to a BEC attack in which an employee transferred over $30m to scammers following a cloned email from a third-party company that urged the transaction be completed quickly so as not to slow down Toyota’s production line. There was no indication that the Toyota employee’s email had been compromised. Take also the 2024 case of Arup, where attackers impersonated a senior manager using deepfake voices and video and convinced a member of the finance team to make payments totaling $25m. The compromise did not rely on stolen credentials but on carefully orchestrated social engineering, timing and the finance team’s procedural shortcuts. The technical safeguards could have been strong, but human oversight proved to be the weakest link. In both cases, the failure occurred at the decision point, not at the authentication layer: the attackers exploited trust, timing and established, convenient approval habits.
Where security controls end and business risk begins
From experience, this scenario is all too common. Organizations often focus on deploying security technology without addressing human workflows and culture. This often includes shiny new EDR technology that is used to check boxes for audit and compliance purposes, and that CIOs are quick to sign off on to show stakeholders they are cyber resilient. This is not a failure of EDR itself, but of how security investments are scoped. Endpoint and identity controls protect systems, but they do not govern how financial approvals, vendor changes or executive requests are validated in practice.
MFA reduces risk but cannot replace the need for process controls, verification routines and continuous awareness training, especially now that adversary-in-the-middle (AiTM) phishing kits that bypass MFA are in use in the wild. The operational blind spots being exploited sit in business workflows where speed, trust and authority override verification, particularly in finance and procurement processes.
These blind spots exist because business processes are optimized for speed and continuity, not verification. Finance teams are trained to keep operational lines moving, and attackers, having taken note of this, turn it to their advantage by introducing urgency or invoking authority. When a request appears legitimate, time-sensitive and from someone with perceived authority, employees often follow familiar patterns rather than pause to challenge intent. This is not a failure of technology, but a failure of process design.
Practical steps for IT leaders include redesigning approval workflows so that high-value transactions require multi-step verification, including an out-of-band call to confirm; simulating BEC scenarios in realistic exercises to identify gaps in response and decision-making; embedding security awareness into daily routines using micro-learning and real incident reviews; and empowering teams to challenge unusual requests without fear of reprisal. Instances of successful attacks can also be shared with employees who distribute invoices or financial documents, or who oversee decisions regarding transfers.
Designing approval workflows that thwart BEC attacks
Redesigning approval workflows means explicitly defining what constitutes a high-risk request, such as first-time payments, changes to vendor banking details, sudden payment requests from an executive or requests that bypass standard procedures. These requests should require independent verification using known contact details, not information provided in the email itself.
When reviewing and redesigning approval workflows, organizations should begin by asking salient, hard, operational questions at the decision-making point. Does this request align with how payments are normally initiated and approved? Is the requester using the typical communication channel and tone? Has this vendor or account been paid before, and under similar circumstances? Does the sender’s email address match the one on the sender’s company website without alteration? Is a different reply-to address visible? Can a quick call to confirm be made? Teams should also ask what assumptions are being made under time pressure, whether authority is being inferred rather than verified, and who is accountable if the decision turns out to be wrong. These questions force employees to slow down, recognize deviations from normal behavior and treat unusual requests as potential security events rather than routine business tasks.
Simulating BEC goes beyond phishing tests and should mirror real business scenarios, including urgent executive requests or supplier payment changes, allowing organizations to observe how staff respond to pressure and ambiguity. Effective simulations introduce urgency, impersonate authority figures with typosquatted emails and exploit realistic business contexts such as end-of-quarter payments, supplier changes and the times of year when attackers like to strike, such as festive periods and the days before holidays. Participants are observed on how they verify requests, whether they escalate concerns and how quickly they move to execution without confirmation. The outcome is not a pass or fail score but insight into where processes encourage compliance over caution. These simulations allow organizations to refine approval rules, reinforce escalation paths and normalize verification as part of everyday operations.
Empowerment must be formalized through policy, making it clear that pausing or escalating a suspicious request is expected behavior, not an obstacle to productivity. Staff who report suspicious requests also should be encouraged and used as good examples in internal communications where possible.
Using friction and alerts in workflows
Insights from cross-border operations are that attackers exploit time pressure and executive assumptions, as often seen in CEO/CFO-themed fraud. Teams often follow cues from perceived authority, which attackers scope from email flows, and from the urgency often attached to large payments tied to critical business needs. By implementing friction in critical workflows, such as mandatory pauses for large transfers or automated anomaly alerts, organizations can reduce risk without hampering productivity.
Effective friction does not mean indiscriminately grinding the business or its processes to a halt. Mandatory pauses for large or unusual transfers create space for verification and reduce impulsive decisions and actions. During these pauses, specific actions should occur, such as checks of the sender’s email address, signature and wording, secondary approval, independent confirmation or automated checks against historical payment behavior, as stated above.
Automated anomaly alerts are only useful when they focus on deviations that matter and are tied to clear response expectations. Alerts should prioritize scenarios such as out-of-hours payment requests, changes to established vendor details or transfers that fall outside normal patterns. Ownership of BEC-related alerts should sit with teams that control financial decisions, such as finance operations, fraud risk units or cross-functional payment risk groups that combine security and business authority, rather than being routed exclusively to noisy SOC queues.
To reduce false positives, enhanced monitoring for priority accounts should also be introduced. This can be strengthened by routing emails containing specific payment keywords to these risk groups for evaluation before they land in the intended inboxes.
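The high-risk request criteria defined above (first-time payees, changed vendor bank details, mismatched sender or reply-to addresses, requests that bypass standard procedure) and the anomaly alerts described in this section (out-of-hours requests, transfers outside normal patterns) can be encoded as a single triage rule set that holds a payment for out-of-band verification. The following is an added example written for this article, not code from any organization named here; the vendor master record, the payment requests and the thresholds (business hours 08:00 to 18:00 on weekdays, amounts above twice the historical maximum) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed vendor master record: known domain, known bank account and
# the largest amount previously paid. Not real data.
VENDOR_MASTER = {
    "acme-parts": {"domain": "acme-parts.com", "iban": "GB00ACME000001", "max_paid": 12000.0},
}

@dataclass
class PaymentRequest:
    vendor_id: str            # vendor the request claims to be for
    sender: str               # From: address on the email
    reply_to: str             # Reply-To: address (same as sender if absent)
    iban: str                 # account the request asks to pay
    amount: float
    requested_at: datetime    # local time the request arrived
    bypasses_po: bool = False # asks to skip the normal PO/approval path

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def risk_flags(req: PaymentRequest, master=VENDOR_MASTER) -> list:
    """Return the list of high-risk criteria the request triggers (empty if none)."""
    flags = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        flags.append("first_time_payee")
    else:
        if req.iban != vendor["iban"]:
            flags.append("bank_details_changed")
        if domain(req.sender) != vendor["domain"]:      # catches look-alike domains
            flags.append("sender_domain_mismatch")
        if req.amount > 2 * vendor["max_paid"]:          # assumed "outside normal pattern" threshold
            flags.append("amount_outside_history")
    if domain(req.reply_to) != domain(req.sender):
        flags.append("reply_to_mismatch")
    if req.requested_at.weekday() >= 5 or not (8 <= req.requested_at.hour < 18):
        flags.append("out_of_hours")
    if req.bypasses_po:
        flags.append("bypasses_standard_procedure")
    return flags

def disposition(req: PaymentRequest) -> str:
    """Any flag holds the payment until confirmed via known contact details, not the email."""
    return "hold_for_out_of_band_verification" if risk_flags(req) else "normal_approval"

# Constructed sample requests: a look-alike domain with new bank details on a Saturday
# evening, and a routine weekday request that matches the vendor master record.
SUSPICIOUS_REQUEST = PaymentRequest("acme-parts", "ap@acme-parts.co", "ap@acme-parts.co",
                                    "GB00NEWACCT0009", 30000.0, datetime(2025, 6, 14, 21, 5))
ROUTINE_REQUEST = PaymentRequest("acme-parts", "ap@acme-parts.com", "ap@acme-parts.com",
                                 "GB00ACME000001", 5000.0, datetime(2025, 6, 12, 10, 0))
```

Flags from the held request are what the finance or payment risk group should see in the alert, rather than a generic SOC ticket, so the reviewer knows which verification step to perform.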
What security leaders should change now
BEC continues to succeed because human decision points are rarely treated as security-critical systems. MFA, email filtering and endpoint protections remain necessary, but they do not control how people make decisions under pressure. Until financial and executive workflows are designed with the same rigor applied to technical systems, attackers will continue to exploit human behavior through social engineering, with human weaknesses remaining at the top of the pile.
Added to this, there should also be clear ownership of BEC risk at the leadership level. If no single role is accountable for payment verification failures, responsibility defaults to frontline staff under pressure, who often bear the brunt by being sacked or prosecuted following successful BEC attacks. Assigning ownership to finance leadership, risk committees or cross-functional governance groups ensures that process failures are treated as systemic issues rather than individual mistakes.
Equally important, leaders should not measure success solely by the number of blocked phishing emails, but by how often verification steps are followed, how many payment requests are challenged and how quickly suspicious transactions are paused and reviewed.
In conclusion, security leaders who reduce BEC risk align people, processes and technology so that verification becomes routine, hesitation is acceptable and authority is never assumed without confirmation. In 2026 and beyond, business workflows should continue to be treated as a core part of the security architecture and not a peripheral component.
This article is published as part of the Foundry Expert Contributor Network.
