Person-centered failure: Why BEC continues to work despite MFA

Business email compromise (BEC) still thrives even in organizations that have implemented multi-factor authentication (MFA). As security professionals, we tend to treat MFA as the silver bullet for email security, but real-world incidents suggest otherwise. Attackers exploit human behavior, process gaps and operational blind spots that MFA alone cannot address. In most modern BEC cases no account is technically compromised at all, which places the attack entirely outside the perimeter that MFA controls protect.

In 2019, Toyota Boshoku Corporation fell victim to BEC when an employee transferred more than $30m to fraudsters after receiving a fraudulent email, purportedly from a third party acting for a group company, that urged the payment be completed quickly so as not to delay Toyota’s production line. There was no indication that the Toyota employee’s email account had been compromised. Consider also the 2024 Arup case, in which attackers impersonated a senior executive using deepfake voice and video and convinced a member of the finance team to pay out $25m. Neither compromise relied on stolen credentials; both relied on carefully planned social engineering, timing and shortcuts in the finance team’s processes. The technical safeguards may well have been strong, but human oversight proved to be the weakest link. In both cases the failure occurred at the decision stage, not at the authentication stage, exploiting trust, time pressure and established, simple approval processes.

Where security controls end and business risk begins

From experience, this situation is very common. Organizations often focus on rolling out security technology without addressing workflow and human culture. This frequently means shiny new EDR products bought to tick boxes for audit and compliance objectives, signed off quickly by CIOs who want to show stakeholders that the organization is cyber resilient. This is not a failure of EDR itself, but of how the security investment is made. Endpoint and identity controls protect systems; they do not govern how financial authorizations, vendor changes or urgent payment requests are verified in practice.

MFA reduces risk but cannot replace the need for process controls, verification methods and ongoing awareness training, especially now that adversary-in-the-middle (AiTM) phishing kits capable of bypassing MFA are widespread in the wild. The operational blind spots being exploited sit inside business workflows where speed, trust and authority trump assurance, particularly in finance and procurement processes.

These blind spots exist because business processes are designed for speed and continuity, not for verification. Finance teams are trained to keep work moving, and attackers have taken note, turning that habit to their advantage by introducing urgency or asserting authority in their requests. If a request seems legitimate, time-sensitive and comes from someone with perceived authority, employees tend to follow familiar patterns rather than pausing to challenge its intent. This is not a technical failure, but a process design failure.

Practical steps for IT leaders include: redesigning the authorization flow so that high-value payments require multi-step verification, including out-of-band confirmation; simulating BEC scenarios in realistic exercises to identify gaps in response and decision-making; and embedding security awareness in daily routines through short learning exercises that make challenging non-standard requests a routine habit rather than an exception. Attack scenarios that have succeeded elsewhere can be shared with the employees who process invoices and financial documents or who are responsible for approving money transfers.

Designing an authentication workflow that prevents BEC attacks

Redesigning the approval workflow means clearly defining what constitutes a high-risk request: for example, first-time payments, changes to a vendor’s bank details, unexpected payment requests from a superior, or requests that fall outside standard procedures. Such requests should require independent verification using contact information already on record, never information supplied in the email itself.

When reviewing and redesigning the approval flow, organizations should begin by asking critical, rigorous, operational questions about the decision-making environment. Is this request consistent with how payments are normally processed and authorized? Is the requester using their usual communication channel and tone? Has this vendor or account been paid before, and under similar circumstances? Does the sender’s email address exactly match the one on the vendor’s company website? Does the reply-to address differ from the sender address? Can a quick confirmation call be made? Teams should also ask what assumptions are made under time pressure, whether authority is assumed rather than verified, and who is accountable if a decision turns out to be wrong. These questions force employees to slow down, recognize deviations from normal behavior and treat unusual requests as potential security incidents rather than routine business.
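The questions above can be turned into an explicit approval gate. The following is an added example, not code from the article or from any of the organizations it mentions: it checks a payment request against the high-risk criteria listed (first-time payee, changed bank details, amount beyond the standard limit, out-of-process request, sender mismatch, differing reply-to, urgency language) and, when flagged, builds a verification plan from the vendor master record rather than from anything in the email. The vendor records, the approval limit and the urgency cue list are all constructed assumptions.

```python
"""Rule-based approval gate for payment requests (added example, not the article's code)."""
from dataclasses import dataclass, field

# Constructed vendor master data: the independently maintained, trusted record.
# Domains, IBANs and phone numbers are placeholders, not real values.
VENDOR_MASTER = {
    "acme-supplies": {"domain": "acme-supplies.example", "iban": "DE00 CONSTRUCTED 0001",
                      "phone": "+49 000 000 0001", "paid_before": True},
    "newco-parts": {"domain": "newco-parts.example", "iban": "GB00 CONSTRUCTED 0002",
                    "phone": "+44 000 000 0002", "paid_before": False},
}
STANDARD_LIMIT = 50_000  # assumed single-approver limit; set by policy in practice
URGENCY_CUES = ("urgent", "immediately", "today", "confidential", "do not discuss")


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    beneficiary_iban: str
    sender_address: str
    reply_to: str
    body: str
    out_of_process: bool = False  # e.g. no purchase order to match against


@dataclass
class Assessment:
    reasons: list = field(default_factory=list)
    required_checks: list = field(default_factory=list)

    @property
    def high_risk(self) -> bool:
        return bool(self.reasons)


def assess(req: PaymentRequest) -> Assessment:
    """Apply the high-risk criteria and, if any fire, prescribe out-of-band checks."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    a = Assessment()
    if vendor is None or not vendor["paid_before"]:
        a.reasons.append("first-time payee")
    if vendor and req.beneficiary_iban != vendor["iban"]:
        a.reasons.append("beneficiary bank details differ from vendor master")
    if req.amount > STANDARD_LIMIT:
        a.reasons.append("amount exceeds standard approval limit")
    if req.out_of_process:
        a.reasons.append("request bypasses standard procedure")
    sender_domain = req.sender_address.rsplit("@", 1)[-1].lower()
    if vendor and sender_domain != vendor["domain"]:
        a.reasons.append(f"sender domain {sender_domain} does not match vendor record")
    if req.reply_to.lower() != req.sender_address.lower():
        a.reasons.append("reply-to differs from sender")
    if any(cue in req.body.lower() for cue in URGENCY_CUES):
        a.reasons.append("urgency or secrecy language in request")
    if a.high_risk:
        # Verification contact comes from the master record, never from the email.
        phone = vendor["phone"] if vendor else "<obtain from procurement, not from the email>"
        a.required_checks = [
            f"call back on vendor-master number {phone}",
            "second approver confirms independently of the requester",
            "record the verification outcome before release",
        ]
    return a


if __name__ == "__main__":
    suspicious = PaymentRequest("acme-supplies", 48_000, "DE00 CHANGED 9999",
                                "ap@acme-suppIies.example", "ap@acme-suppIies.example",
                                "Urgent: please settle today, new bank account attached.")
    for reason in assess(suspicious).reasons:
        print("flag:", reason)
```

A request that passes all checks returns an assessment with no reasons and no required checks, so it can proceed through the normal flow; anything flagged carries the specific reasons so the approver knows what to confirm on the callback.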

BEC simulations go beyond phishing tests and must mirror real business situations, including executive emergency requests or supplier payment changes, so that organizations can observe how employees react under stress and uncertainty. A realistic simulation introduces urgency, uses convincingly written impersonation emails and exploits genuine business conditions such as end-of-quarter payments, supplier changes and the times of year when attackers prefer to strike, such as festive periods and the days before holidays. Participants are observed for how they confirm requests or raise concerns, and for how quickly requests are executed without confirmation. The result is not a pass or fail; it provides insight into which processes encourage deliberate verification and which encourage reflexive compliance. Such simulations allow organizations to refine authorization rules, strengthen escalation mechanisms and normalize verification as part of daily operations.

Empowering staff to pause should be formalized through policy, making it clear that pausing or escalating a suspicious request is expected behavior, not an impediment to productivity. Employees who report suspicious requests should be recognized and, where possible, held up as role models in internal communications.

Using friction and alerts in workflows

Experience from cross-border operations shows that attackers rely on time pressure and assumed management authority, as typically seen in CEO/CFO-themed fraud. Staff tend to act on cues from perceived authority, which attackers manufacture through the email thread and through the urgency attached to large payments tied to supposedly important business needs. By introducing deliberate friction into critical workflows, such as forced pauses on large transfers or disruptive automated alerts, organizations can reduce risk without crippling productivity.

Deliberate friction does not mean grinding a business or its processes to a standstill. Mandatory pauses for large or unusual transfers create room for certainty and reduce rushed decisions and actions. During the pause, specific actions must take place, such as verifying the email and signature, scrutinizing the request’s wording, secondary authentication, independent verification, or automated checks against historical payment behavior, as mentioned above.

Disruptive automated alerts are only useful if they focus on significant deviations and are tied to clear response expectations. Notifications should prioritize situations such as out-of-hours payment requests, changes to vendor payment details, or transfers outside normal patterns. Ownership of BEC-related alerts should remain with the teams that control financial decisions, such as finance operations, fraud risk functions or payment risk groups that combine security and business authority, rather than being routed solely into the SOC’s already noisy queue.
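To show what "checks against historical payment behavior" and "significant deviations" can look like in practice, here is an added example that is not code from the article: it builds a per-vendor baseline from a constructed payment history, then raises alerts only for the three deviation types named above (out-of-hours requests, changed vendor bank details, amounts outside the vendor's normal range) and tags each alert with a business owner so it lands with finance operations or fraud risk rather than only the SOC. The history rows, the business-hours window, the sigma threshold and the owner mapping are all constructed assumptions.

```python
"""Deviation alerts tied to historical payment behavior (added example, not the article's)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: (vendor, amount, beneficiary account, ISO timestamp).
HISTORY = [
    ("acme-supplies", 12_000, "IBAN-A", "2025-01-14T10:05:00"),
    ("acme-supplies", 11_800, "IBAN-A", "2025-02-13T09:40:00"),
    ("acme-supplies", 12_500, "IBAN-A", "2025-03-14T11:15:00"),
    ("acme-supplies", 12_100, "IBAN-A", "2025-04-15T10:30:00"),
]
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local, Monday to Friday
Z_THRESHOLD = 3.0              # assumed: amounts beyond 3 sigma are "outside normal patterns"
OWNER = {                      # assumed routing: who must respond to each alert kind
    "vendor_detail_change": "fraud-risk",
    "amount_anomaly": "finance-ops",
    "out_of_hours": "finance-ops",
    "unknown_vendor": "fraud-risk",
}


def build_baseline(history):
    """Per-vendor mean, spread and the set of accounts previously paid."""
    by_vendor = defaultdict(list)
    for vendor, amount, iban, _ts in history:
        by_vendor[vendor].append((amount, iban))
    baseline = {}
    for vendor, rows in by_vendor.items():
        amounts = [amount for amount, _ in rows]
        baseline[vendor] = {
            "mean": mean(amounts),
            "stdev": pstdev(amounts),
            "ibans": {iban for _, iban in rows},
        }
    return baseline


def evaluate(request, baseline):
    """Return a list of (kind, owner, detail) alerts for one payment request.

    request is a dict with keys vendor, amount, iban, timestamp (ISO 8601).
    Only significant deviations produce alerts; routine payments return [].
    """
    alerts = []
    vendor = request["vendor"]
    base = baseline.get(vendor)
    if base is None:
        alerts.append(("unknown_vendor", OWNER["unknown_vendor"],
                       f"no payment history for {vendor}"))
    else:
        if request["iban"] not in base["ibans"]:
            alerts.append(("vendor_detail_change", OWNER["vendor_detail_change"],
                           f"{vendor} paid to {request['iban']}, not in {sorted(base['ibans'])}"))
        # Floor the spread so a vendor with identical past amounts still gets a sane band.
        spread = base["stdev"] or max(base["mean"] * 0.05, 1.0)
        z = abs(request["amount"] - base["mean"]) / spread
        if z > Z_THRESHOLD:
            alerts.append(("amount_anomaly", OWNER["amount_anomaly"],
                           f"amount {request['amount']} is {z:.1f} sigma from mean {base['mean']:.0f}"))
    ts = datetime.fromisoformat(request["timestamp"])
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        alerts.append(("out_of_hours", OWNER["out_of_hours"],
                       f"request received {ts.isoformat()} outside business hours"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed late-Friday request to a new account for four times the usual amount.
    suspicious = {"vendor": "acme-supplies", "amount": 48_000, "iban": "IBAN-B",
                  "timestamp": "2025-05-16T22:45:00"}
    for kind, owner, detail in evaluate(suspicious, baseline):
        print(f"[{owner}] {kind}: {detail}")
```

Routine payments within the vendor's pattern produce no alert at all, which is what keeps the signal meaningful to the finance and fraud-risk owners; the alert kinds map one-to-one to the response expectations those teams agree on.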

To reduce false positives, enhanced monitoring of high-value accounts should also be introduced. This is best done by routing emails that contain payment-related keywords to these risk groups for screening before they reach the intended inboxes.

What should security leaders change now

BEC continues to succeed because human decision points are rarely treated as security-critical systems. MFA, email filtering and endpoint protection remain necessary, but they do not control how people make decisions under pressure. Until financial and administrative workflows are designed with the same rigor applied to technical systems, attackers will keep exploiting human behavior through social engineering, targeting the weakest layer of the stack.

In addition, there should be clear ownership of BEC risk at the leadership level. If no single role is accountable for payment verification failures, responsibility falls on front-line staff working under pressure, who are often the ones facing dismissal or prosecution after a successful BEC attack. Assigning ownership to finance leadership, risk committees or other governance groups ensures that process failures are treated as systemic problems rather than individual errors.

Equally important, leaders should measure success not only by phishing email counts, but by how often verification steps are followed, how many payment requests are challenged, and how quickly suspicious transactions are stopped and reviewed.

In conclusion, security leaders who reduce BEC risk integrate people, processes and technology so that verification is the norm, skepticism is welcome and authority is never accepted without verification. In 2026 and beyond, business workflows must be treated as a core component of the security architecture, not a peripheral one.

This article was published as part of the Foundry Expert Contributor Network.