
A 30-Minute Business Email Compromise Response Playbook

S-Tech Solutions

Business Email Compromise rarely looks dramatic at first. It usually arrives as a normal-looking message: a supplier asks for a banking change, an executive requests an urgent EFT, or a project manager approves a last-minute payment before close of business. By the time someone asks, “was that email real?”, the money may already be moving.

That is why the first 30 minutes matter. The goal is not to write a perfect incident report. The goal is to stop the loss, preserve evidence, and prevent a second hit.

Minute 0 to 10: contain the risk

Start with a simple rule: treat the email as hostile until it is verified.

In the first ten minutes, do four things:

  1. Freeze the transaction. If a payment has not yet been released, stop it immediately.
  2. Call the requester on a known number. Never reply to the suspicious thread to verify it.
  3. Warn finance and operations. Attackers often send the same pretext to multiple people.
  4. Preserve the original message. Do not delete it. Save headers, attachments, and timestamps.

The biggest early mistake is handling the issue quietly between two people. BEC attacks work because they create social pressure and isolation. Break that pattern fast.

Minute 10 to 20: verify the scope

Once the payment is paused, work out what actually happened.

Ask these questions:

  • Did the message come from your real domain, a lookalike domain, or a compromised mailbox?
  • Did anyone action the banking change or payment request?
  • Was the same instruction sent to procurement, bookkeeping, or branch teams?
  • Did the attacker ask to move the conversation off the normal process?

If the message claimed to be from your own domain, check your email authentication posture immediately:

  • Does your domain have an SPF record?
  • Is DKIM enabled for the mailbox or sending platform involved?
  • Is DMARC in monitoring, quarantine, or reject mode?

A domain at p=reject is harder to spoof successfully. A domain with no DMARC policy gives attackers more room to imitate trusted addresses.
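The first scoping question above (own domain, lookalike, or compromised mailbox) can be answered from the headers you preserved in minute 0 to 10. The following is an added triage example, not code from the original post; the sample message, the organisation domain `example-corp.com` and the edit-distance threshold for lookalikes are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"  # the organisation's own domain (assumed)

# Constructed sample of a suspicious message, not taken from the original post.
SAMPLE = """From: "Accounts" <accounts@examp1e-corp.com>
Reply-To: payments@mail-examp1e.net
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail header.from=examp1e-corp.com
Subject: URGENT: updated banking details for invoice 4471

Please process the attached invoice to our new account before 16:00.
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_alike(candidate, real, max_edits=2):
    """True when the domain label is close to ours but not identical (examp1e vs example)."""
    c, r = candidate.rsplit(".", 1)[0], real.rsplit(".", 1)[0]
    return c != r and edit_distance(c, r) <= max_edits

def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def classify_sender(raw, our_domain=OUR_DOMAIN):
    """Answer the first scoping question: own domain, lookalike, or external sender."""
    msg = message_from_string(raw)
    frm = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else frm
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    dmarc = m.group(1).lower() if m else "none"
    if frm == our_domain:
        # Own domain: a DMARC pass points at a compromised mailbox, a fail at plain spoofing.
        category = "compromised-mailbox?" if dmarc == "pass" else "spoofed-own-domain"
    elif looks_alike(frm, our_domain):
        category = "lookalike"
    else:
        category = "external"
    return category, {"from": frm, "reply_to": reply_to, "dmarc": dmarc,
                      "reply_to_mismatch": reply_to != frm}
```

A Reply-To that differs from the From domain is the attacker's usual way of pulling the thread away from the real supplier, so the mismatch flag is worth reporting alongside the category.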

Minute 20 to 30: block repeat attempts

The first fraudulent email is often the start, not the end.

Use the next ten minutes to reduce repeat exposure:

  • Block the sender or lookalike domain at the mail gateway.
  • Search mailboxes for the same subject line, sender, or reply-to address.
  • Flag the destination bank account internally so nobody processes it later.
  • Reset credentials if there is any sign a real mailbox was compromised.
  • Capture the mail headers for later analysis.

If a real user account was abused, move beyond message review immediately:

  • revoke active sessions
  • rotate the password
  • enforce MFA if it was missing
  • review forwarding rules and mailbox delegates

Forwarding rules are a common persistence trick. An attacker may leave them behind so they can keep monitoring conversations after the visible incident is over.
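Reviewing forwarding rules by eye is slow when a mailbox has dozens of them. The following added example (not from the original post) scores an exported rule list against the persistence patterns described above: forwarding outside the organisation, rules with blank or punctuation-only names, rules that delete or bury finance-related mail, and rules created inside the incident window. The export shape, the rule data, the domain and the incident start date are all constructed assumptions, not a real mail platform's API format.

```python
from datetime import datetime, timezone

OUR_DOMAIN = "example-corp.com"                              # the organisation's domain (assumed)
INCIDENT_START = datetime(2024, 6, 1, tzinfo=timezone.utc)   # when the suspicious thread began (assumed)
FINANCE_KEYWORDS = ("invoice", "payment", "bank", "eft", "remittance")
HIDING_FOLDERS = ("rss subscriptions", "deleted items", "archive", "junk email")

# Constructed export of one user's inbox rules in a simplified shape; not a real API format.
RULES = [
    {"name": "Team updates", "created": "2023-02-11T09:00:00+00:00", "enabled": True,
     "forward_to": ["ops@example-corp.com"], "delete": False, "move_to": None, "keywords": []},
    {"name": ".", "created": "2024-06-03T22:14:00+00:00", "enabled": True,
     "forward_to": ["archive.mailbox77@mail-examp1e.net"], "delete": True, "move_to": None,
     "keywords": ["invoice", "bank details"]},
    {"name": "Old newsletters", "created": "2022-07-01T10:00:00+00:00", "enabled": True,
     "forward_to": [], "delete": False, "move_to": "RSS Subscriptions", "keywords": ["newsletter"]},
]

def review_rule(rule, our_domain=OUR_DOMAIN, since=INCIDENT_START):
    """Return the reasons a single rule deserves a human look (empty list if none)."""
    findings = []
    if not rule["enabled"]:
        return findings
    external = [a for a in rule["forward_to"] if not a.lower().endswith("@" + our_domain)]
    if external:
        findings.append("forwards or redirects mail outside the organisation: " + ", ".join(external))
    if len(rule["name"].strip(" ._-")) < 2:
        findings.append("rule name is blank or punctuation only, a common way to hide a rule")
    hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDING_FOLDERS
    if hides and any(k in " ".join(rule["keywords"]).lower() for k in FINANCE_KEYWORDS):
        findings.append("deletes or buries finance-related messages before the owner sees them")
    if datetime.fromisoformat(rule["created"]) >= since:
        findings.append("created inside the incident window")
    return findings

def review_rules(rules=RULES):
    """Map each suspicious rule name to its findings; clean rules are left out."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report
```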

What finance teams should standardise before an incident

The cleanest BEC response is the one you barely need because the payment never clears. A few boring controls remove most of the attacker’s leverage:

1. Bank changes must never be approved by email alone

A supplier banking change should require out-of-band verification using an existing contact and a second approver.

2. Urgency must not bypass process

“Need this paid in the next 15 minutes” is not a valid control override. If the process breaks under pressure, the process is not real.

3. Mailbox ownership must be explicit

Every shared mailbox used for billing, procurement, and accounts should have a named business owner and a named technical owner.

4. Domain protection must be maintained

DMARC is not a one-time DNS project. Every new sender, CRM, finance tool, and website form changes your attack surface.

What to preserve for the post-incident review

Even if no money moved, keep evidence while it is fresh:

  • original email with full headers
  • attachment hashes if attachments were present
  • destination account details provided by the attacker
  • affected users and timestamps
  • screenshots of mailbox rules or login anomalies
  • a list of systems that sent warnings or blocked activity

This speeds up both internal review and any external reporting requirements.

Where DMARC fits into the response

DMARC does not stop every BEC scenario. If an attacker compromises a real mailbox, authentication can still pass. But DMARC is still one of the highest-leverage controls because it blocks the cheaper and more common form of attack: direct spoofing of your domain.

A practical response posture looks like this:

  • SPF and DKIM configured for all legitimate senders
  • DMARC at p=none only while you are still discovering senders
  • movement to p=quarantine, then p=reject, once legitimate traffic is clean
  • monitoring so new tools do not silently break alignment

Without monitoring, teams often discover new senders only after deliverability drops or a spoofing campaign succeeds.
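The progression above can be checked mechanically once you have the DMARC TXT record in hand. The following added example (not from the original post) parses a record and reports how far it is from enforcement, including the two details that often make "p=reject" weaker than it looks: a pct tag below 100 and a subdomain policy of sp=none. The records under RECORDS are constructed samples, not real domains.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into lower-cased tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return (stage, notes): stage is missing/monitoring/quarantine/reject."""
    tags = parse_dmarc(txt)
    notes = []
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no valid DMARC record: receivers have no policy to apply to spoofed mail"]
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if "rua" not in tags:
        notes.append("no rua address: you will not learn about new senders or spoofing attempts")
    if pct < 100:
        notes.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        notes.append("sp=none leaves every subdomain spoofable regardless of p=")
    stage = {"none": "monitoring", "quarantine": "quarantine", "reject": "reject"}.get(policy, "monitoring")
    return stage, notes

# Constructed example records, not taken from the original post.
RECORDS = {
    "finance.example-corp.com": "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com",
    "example-corp.com": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example-corp.com",
    "old-brand.example": "v=spf1 include:_spf.example.com -all",
}

def posture_report(records=RECORDS):
    """Assess every record and return {domain: (stage, notes)} for the tabletop review."""
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}
```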

A simple BEC tabletop checklist

Run this once with finance and IT before you need it:

  1. Who can pause payments?
  2. Who verifies supplier banking changes?
  3. Who can search the mail platform for related messages?
  4. Who can block a sender or domain at the mail gateway?
  5. Who owns SPF, DKIM, and DMARC changes?
  6. Where are message headers and login logs preserved?

If those answers are unclear, your incident response plan is still theoretical.

Final takeaway

The first 30 minutes of a BEC event are about control, not certainty. Stop the transaction. Verify the instruction outside email. Warn the rest of the business. Preserve evidence. Then fix the authentication and process gaps that made the attempt plausible in the first place.

If you want to reduce the chance of the next spoofed invoice email ever reaching the inbox, start by checking your domain’s current posture with our free tools and make sure DMARC is moving toward enforcement, not sitting permanently in monitoring mode.
