
How to prevent business email compromise: a practical guide for finance teams

Apr 2026 · 7 min read

Business email compromise cost organizations $2.77 billion in 2024 alone. The lifetime total exceeds $55 billion. And yet only 32% of companies continuously validate vendor bank data, and only 22% of victims recover more than 75% of lost funds.

The problem isn’t that companies don’t care. It’s that the controls aren’t in place — or they’re bypassed under pressure. Here’s what actually works.


Why training alone isn’t enough

Security awareness training is essential. It builds the instinct to pause and question. But BEC attacks are designed specifically to override that instinct — using authority, urgency, and context that makes the request feel legitimate.

The attacker references a real vendor name, a real invoice number, a real deadline. The email comes from a domain that is one character off, or from the vendor's genuine mailbox if that vendor has itself been compromised. The employee has been trained, but this doesn't look like phishing. It looks like a real request from a real person.

Training raises the bar. Controls catch what gets over it.


The controls that actually prevent BEC losses

Out-of-band verification

Before processing any bank detail change or unusual payment request, verify it over a different channel: call the vendor at a phone number that was already on file before the request arrived, never one taken from the email, its signature block, or the attached invoice. Replying to the email, or emailing the vendor's address, is not out-of-band, because the attacker may be reading or controlling that mailbox. This single control defeats payment diversion whenever it is actually performed: the attacker controls the email thread but not the vendor's known phone number.

When to apply: Every bank detail change. Every first payment to a new vendor. Every wire over your threshold.

Dual authorization

No single person should be able to approve a payment, change vendor bank details, or override a hold. Two separate individuals must authorize. The person who receives the request cannot be the same person who approves it.

When to apply: All vendor master file changes. All wire transfers above threshold. All rush/urgent payment requests.

Mandatory hold period

Implement a 48-hour hold before processing payments to new or changed bank accounts. This defeats the attacker's urgency tactic and gives your team time to verify.

When to apply: First payment to new vendor. Any bank detail change. Any payment flagged as urgent by the requester.

Test payment verification

Send a small test payment ($1–10) to new or changed accounts and have the vendor confirm receipt, over the out-of-band channel above, before processing the full amount. The legitimate vendor, reached at a known number, cannot confirm money that landed in an attacker's account, and a confirmation that arrives only by reply to the original email proves nothing. This is a supplement to out-of-band verification, not a replacement for it.

When to apply: New vendor relationships. Bank detail changes. International payments.

Segregation of duties

The person who initiates a payment request should not be the same person who receives vendor invoices, manages the vendor master file, or has approval authority. Where one person holds two of these roles, a single compromised mailbox or a single coerced employee can complete the whole fraud.

When to apply: Always. This is a structural control, not a per-transaction check.

Domain and sender monitoring

Continuously monitor for lookalike domains registered against your company name and your key vendors. Alert on emails from domains that are similar but not identical to known senders, and compare the Reply-To and Return-Path domains against the From domain as well, since a convincing display name is often paired with a reply address the attacker controls.

When to apply: Ongoing. Especially important for companies with public vendor relationships.
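As an added example (illustrative code written for this article, not a product's code), the following Python script shows what "similar but not identical" can mean in practice: it collapses confusable characters (digit 1 for l, rn for m, Cyrillic letters for Latin ones), applies an edit-distance check, catches vendor names with bolt-on suffixes such as -invoices, and flags a Reply-To domain that differs from the From domain. The vendor domain list, the homoglyph table and the sample message are constructed for the example; a real deployment would use the Public Suffix List and the full Unicode confusables table rather than the small hand-picked sets here.

```python
"""Lookalike-domain and header-mismatch checks for inbound finance mail.
Added example for this article; all domains and the message are constructed."""
from __future__ import annotations

import email
from email.utils import parseaddr

# Constructed allow-list: our own domain plus key vendors (assumption).
KNOWN_DOMAINS = {"example-corp.com", "acme-supply.com", "northwind.co.uk"}
# Suffixes like co.uk where the registrable label is third from the right.
# Heuristic stand-in for the Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}
# Hand-picked confusables; UTS #39 confusables.txt is the full table.
# Multi-character swaps run first so "rn" -> "m" happens before "n" is seen.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]
SINGLE_CHAR = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0455": "s", "\u0456": "i"}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs are visible to skeleton()."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode or malformed: compare as given


def split_registrable(domain: str) -> tuple[str, str]:
    """'mail.acme-supply.com' -> ('acme-supply', 'com'); 'x.co.uk' -> ('x', 'co.uk')."""
    labels = domain.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES and len(labels[-1]) == 2:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return domain, ""


def skeleton(label: str) -> str:
    """Canonical form in which confusable spellings collide."""
    s = label.lower()
    for src, dst in MULTI_CHAR:
        s = s.replace(src, dst)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str, known: set[str] = KNOWN_DOMAINS) -> tuple[str, str | None]:
    """Return ('known', match), ('lookalike', match) or ('unknown', None)."""
    d = to_unicode(domain.strip().lower().rstrip("."))
    for k in known:
        if d == k or d.endswith("." + k):
            return "known", k  # the exact domain or a real subdomain of it
    d_skel = skeleton(split_registrable(d)[0])
    for k in sorted(known):
        k_skel = skeleton(split_registrable(k)[0])
        if d_skel == k_skel:
            return "lookalike", k  # homoglyph swap or a different TLD
        if levenshtein(d_skel, k_skel) <= 1:
            return "lookalike", k  # one character added, dropped or changed
        if len(k_skel) >= 5 and (d_skel.startswith(k_skel) or d_skel.endswith(k_skel)):
            return "lookalike", k  # vendor name with a bolt-on such as -invoices
    return "unknown", None


def sender_domains(raw: str) -> dict[str, str]:
    """Domains of the From, Reply-To and Return-Path headers that are present."""
    msg = email.message_from_string(raw)
    out = {}
    for header in ("From", "Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            out[header] = addr.rsplit("@", 1)[1].lower()
    return out


def check_message(raw: str) -> list[str]:
    """Human-readable findings for a raw RFC 5322 message; empty means clean."""
    findings, doms = [], sender_domains(raw)
    for header, dom in doms.items():
        verdict, match = classify_sender(dom)
        if verdict == "lookalike":
            findings.append(f"{header} domain {dom} looks like known domain {match}")
        elif verdict == "unknown":
            findings.append(f"{header} domain {dom} is not a known sender")
    if "Reply-To" in doms and "From" in doms and doms["Reply-To"] != doms["From"]:
        findings.append(f"Reply-To {doms['Reply-To']} differs from From {doms['From']}")
    return findings


# Constructed sample: digit 1 in place of l in From, bolt-on suffix in Reply-To.
SAMPLE_EMAIL = """\
From: "Accounts Receivable" <ar@acme-supp1y.com>
Reply-To: billing@acme-supply-invoices.com
To: ap@example-corp.com
Subject: Updated remittance details for invoice 48213

Please use the attached updated bank details for all future payments.
"""

if __name__ == "__main__":
    for line in check_message(SAMPLE_EMAIL):
        print("ALERT:", line)
```

Run against the constructed message, the script raises three alerts: the From domain skeletonises to the real vendor's name, the Reply-To domain is the vendor's name with a suffix bolted on, and the two domains disagree with each other. A domain that is neither known nor near any known sender comes back as "unknown", which is the signal to route the request through the new-vendor controls above rather than treat it as routine.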


The missing piece: knowing which controls to apply, and when

Most organizations know these controls exist. The gap is knowing which ones to enforce for a specific situation. A bank detail change from a known vendor requires different controls than an invoice from a new entity.

That’s what FraudDecoder maps. For every suspicious communication, it identifies the attack pattern, classifies the transaction type, and prescribes the specific controls that should be in place — grounded in ACFE methodology, delivered in seconds.

Stop guessing which controls to apply. Try FraudDecoder →