Business email compromise (BEC) continues to flourish even within organizations that have rolled out multi-factor authentication (MFA). As security professionals, we tend to treat MFA as the ultimate solution for email protection, yet real-world breaches tell a different story. Attackers take advantage of human tendencies, procedural weaknesses, and operational gaps that MFA by itself simply cannot cover. In numerous contemporary BEC incidents, no account is actually compromised, which means these attacks fall entirely outside the scope of MFA defenses.
In 2019, Toyota Boshoku Corporation became a victim of a BEC scheme when an employee wired more than $30m to fraudsters after receiving a spoofed email from an external partner. The message conveyed a sense of urgency, claiming the payment had to go through immediately to avoid disrupting Toyota’s production schedule. There was no evidence that the employee’s email account had been breached. Consider also the 2024 Arup incident, where criminals impersonated a senior executive using deepfake audio and video, persuading a finance team member to authorize payments amounting to $25m. The attack did not depend on stolen login credentials but on meticulously planned social engineering, precise timing, and the finance team’s tendency to take procedural shortcuts. The technical defenses may have been robust, but human judgment turned out to be the most vulnerable point. In both situations, the breakdown happened at the moment of decision-making, not at the authentication stage, taking advantage of trust, timing, and well-established approval habits.
Where security controls end and business risk begins
From hands-on experience, this pattern is remarkably common. Organizations frequently pour resources into security technology while neglecting the human workflows and cultural factors that surround it. This often involves flashy new EDR solutions deployed primarily to satisfy audit and compliance checkboxes, with CIOs eager to approve them to demonstrate cyber resilience to stakeholders. The issue is not with EDR as a technology, but with how security investments are defined and scoped. Endpoint and identity protections secure systems, but they do not dictate how financial approvals, vendor modifications, or executive directives are actually validated in day-to-day practice.
MFA lowers risk but cannot substitute for solid process controls, verification procedures, and ongoing awareness training, especially given that adversary-in-the-middle (AITM) phishing kits capable of circumventing MFA are now widely available. The operational gaps being exploited reside in business workflows where speed, trust, and perceived authority take precedence over verification, particularly within finance and procurement operations.
These gaps persist because business processes are built for efficiency and continuity, not for verification. Finance teams are conditioned to keep operations running smoothly, and attackers who have recognized this tendency exploit it by injecting urgency or invoking senior authority. When a request looks legitimate, appears time-sensitive, and seems to come from someone with apparent authority, employees tend to follow established routines rather than stop to question the intent. This is not a technological shortcoming, but a flaw in process design.
Actionable steps for IT leaders include restructuring approval workflows so that high-value transactions demand multi-step verification, including an out-of-band phone call for confirmation; running BEC simulation exercises based on realistic scenarios to uncover weaknesses in response and decision-making; weaving security awareness into everyday routines through micro-learning modules and post-incident reviews; and giving teams the confidence to question unusual requests without worrying about negative consequences. Examples of successful attacks can also be circulated among employees who handle invoices, financial documents, or oversee transfer decisions.
Designing approval workflows that thwart BEC attacks
Restructuring approval workflows involves clearly defining what qualifies as a high-risk request, such as first-time payments, modifications to vendor banking information, unexpected payment demands from an executive, or requests that sidestep standard protocols. These requests should trigger independent verification using pre-existing contact details, not the information supplied within the email itself.
When evaluating and restructuring approval workflows, organizations should start by posing tough, practical questions at the decision-making stage. Does this request match the normal way payments are initiated and approved? Is the requester using the usual communication channel and tone? Has this vendor or account been paid before under comparable conditions? Does the email address match the one listed on the sender’s company website without any variations? Is there a different reply-to address showing? Can a quick verification call be placed? Teams should also examine what assumptions are being made under time pressure, whether authority is being assumed rather than confirmed, and who bears responsibility if the decision proves to be incorrect. These questions compel employees to slow down, spot deviations from standard behavior, and treat unusual requests as potential security incidents rather than routine business matters.
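Two of the questions above (does the sender address match the vendor's published domain, and is a different reply-to address showing) can be answered mechanically before a human ever weighs urgency or authority. The following is an added example, not code from the article: it checks a payment request's From and Reply-To headers against a vendor directory that is assumed to hold each vendor's domain as taken from the vendor's own website, and it flags lookalike domains that are only a character or two away from the expected one.

```python
"""Sender-domain checks for a vendor payment request (added example, constructed data)."""
from email.utils import parseaddr

# Hypothetical vendor directory: the domain comes from the vendor's own website,
# never from the email under review.
KNOWN_VENDOR_DOMAINS = {"Acme Components": "acme-components.example"}

LOOKALIKE_MAX_DISTANCE = 2  # domains this close to the real one are treated as typosquats


def _domain(header_value: str) -> str:
    """Extract the lower-cased domain part of an address header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-or-two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(vendor: str, from_header: str, reply_to_header: str = "") -> list:
    """Return the deviations an approver must resolve before the payment proceeds."""
    findings = []
    expected = KNOWN_VENDOR_DOMAINS[vendor]
    sender = _domain(from_header)
    if sender != expected:
        if _edit_distance(sender, expected) <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"lookalike sender domain {sender!r} (expected {expected!r})")
        else:
            findings.append(f"sender domain {sender!r} does not match vendor domain {expected!r}")
    if reply_to_header:
        reply = _domain(reply_to_header)
        if reply != sender:
            findings.append(f"reply-to domain {reply!r} differs from sender domain {sender!r}")
    return findings
```

An empty result means only that the headers are consistent with the directory; the out-of-band confirmation call described above still applies to every high-risk request.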
Simulating BEC goes beyond standard phishing tests and should reflect genuine business situations, such as urgent executive directives or supplier payment modifications, enabling organizations to see how personnel react under pressure and uncertainty. Well-designed simulations incorporate urgency, mimic authority figures using typosquatted email addresses, and leverage realistic business contexts like end-of-quarter payments, vendor transitions, and peak attack periods such as holiday seasons and pre-vacation windows. Observers track how participants verify requests, whether they raise concerns through proper channels, and how rapidly they proceed to execution without confirmation. The goal is not a simple pass or fail grade but rather an understanding of where processes favor compliance over caution. These exercises help organizations fine-tune approval rules, strengthen escalation procedures, and make verification a natural part of daily operations.
Empowerment needs to be codified in policy, making it explicit that pausing or escalating a questionable request is the expected response, not a hindrance to productivity. Employees who flag suspicious requests should be recognized and highlighted as positive examples in internal communications whenever possible.
Using friction and alerts in workflows
Lessons from cross-border operations reveal that attackers capitalize on time pressure and executive assumptions commonly seen in CEO/CFO fraud schemes. Teams frequently respond to signals from perceived authority, shaped by attackers through email patterns and urgency often tied to large payments linked to critical business objectives. By introducing friction into critical workflows, such as mandatory hold periods for large transfers or automated anomaly notifications, organizations can mitigate risk without stifling productivity.
Well-designed friction does not mean arbitrarily bringing business operations to a standstill. Mandatory hold periods for large or atypical transfers create room for verification and curb impulsive decision-making. During these pauses, specific steps should take place, such as email and signature validation, language review, secondary approval, independent confirmation, or automated checks against the historical payment patterns described earlier.
Automated anomaly alerts deliver value only when they highlight meaningful deviations and come with defined response protocols. Alerts should flag scenarios that are genuinely concerning—such as payment requests submitted outside normal business hours, modifications to vendor banking details, or transfers that diverge from established patterns. BEC-related alerts should be owned by teams that hold decision-making authority over payments, such as finance operations departments, fraud risk units, or dedicated payment risk groups that bring together security expertise and business oversight, rather than being funneled into already-overloaded SOC ticket queues.
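The three alert scenarios named above (requests outside business hours, changed vendor banking details, and amounts that diverge from established patterns) can be expressed as checks over the vendor's payment history. This is an added example, not the article's or any product's code; the payment history, business hours, and the threefold-median threshold are constructed assumptions, and the routing decision sends a held request to the payment-risk owner rather than to a SOC queue, as the paragraph recommends.

```python
"""Payment-request anomaly checks against vendor history (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed history of approved payments: (amount, bank account) per vendor.
HISTORY = {
    "Acme Components": [(12000.0, "ACCT-1111"), (11500.0, "ACCT-1111"), (12800.0, "ACCT-1111")],
}
BUSINESS_HOURS = (8, 18)  # assumed local hours in which requests normally arrive
AMOUNT_FACTOR = 3.0       # assumed threshold: alert above this multiple of the vendor median


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str
    submitted_at: str  # ISO 8601 local timestamp, e.g. "2025-03-04T10:00"


def anomaly_reasons(req: PaymentRequest) -> list:
    """Return the concrete deviations that justify holding this request."""
    reasons = []
    when = datetime.fromisoformat(req.submitted_at)
    in_hours = BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1] and when.weekday() < 5
    if not in_hours:
        reasons.append("submitted outside normal business hours")
    past = HISTORY.get(req.vendor)
    if not past:
        # No baseline exists, so the request is high-risk by definition.
        reasons.append("first-time payment to this vendor")
        return reasons
    if req.bank_account not in {acct for _, acct in past}:
        reasons.append("bank account differs from every previous payment to this vendor")
    typical = median(amount for amount, _ in past)
    if req.amount > AMOUNT_FACTOR * typical:
        reasons.append(f"amount {req.amount:.0f} exceeds {AMOUNT_FACTOR:g}x vendor median {typical:.0f}")
    return reasons


def route(reasons: list) -> str:
    """Hold anomalous requests for the team that owns payment decisions."""
    return "hold-for-payment-risk-review" if reasons else "proceed"
```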
To further cut down on false positives, organizations should introduce the practice of enhanced monitoring for priority accounts. This approach can be strengthened by intercepting emails that contain specific payment-related keywords and routing them to these dedicated risk teams for evaluation before they ever reach the intended recipients’ inboxes.
What security leaders should prioritize now
BEC attacks keep succeeding because human decision-making moments are rarely treated with the same security priority as technical systems. Multi-factor authentication, email filtering tools, and endpoint protection remain essential, but they do nothing to address how people react under pressure. Until financial approval and executive workflows are designed with the same discipline and rigor applied to technical infrastructure, threat actors will continue to exploit the human element through social engineering—leveraging human vulnerability as their most effective attack vector.
Equally critical is establishing clear ownership of BEC risk at the senior leadership level. When no specific role or body is accountable for payment verification failures, the burden inevitably falls on frontline employees who are operating under pressure—and who frequently face termination or even criminal prosecution when a BEC attack succeeds. Assigning formal accountability to Finance leadership, enterprise risk committees, or cross-functional governance bodies ensures that process breakdowns are addressed as organizational weaknesses rather than blamed on individual staff members.
Just as importantly, leaders should avoid measuring success purely by the volume of phishing emails intercepted. Instead, they should track whether verification procedures are consistently followed, how frequently payment requests are questioned or challenged, and how rapidly suspicious transactions are flagged and put on hold for further review.
To summarize, security leaders who genuinely reduce BEC risk bring people, processes, and technology into alignment so that verification becomes habitual, pausing to double-check is encouraged rather than discouraged, and authority is never accepted at face value without proper confirmation. Looking ahead to 2026 and beyond, business workflows must be treated as a foundational element of the security architecture—not as an afterthought layered on top of it.
This article is published as part of the Foundry Expert Contributor Network.