A controller at a small company in Tysons receives an email from the CEO: "I need you to process a wire transfer today. I am in meetings and cannot call, but this needs to go out before 3 PM. Here are the instructions." The email looks right — correct name, correct email address, correct tone. She processes the transfer. $87,000 gone. The CEO never sent that email.
This is business email compromise. It is the single most financially devastating cybercrime facing small businesses — not ransomware, not data breaches, not credit card theft. BEC. And it is happening to companies across Northern Virginia, Washington DC, and Maryland every single day.
How BEC Actually Works (It Is Not What You Think)
Business email compromise is not a spam blast. It is not a Nigerian prince email. It is a targeted, researched, patient attack that unfolds over weeks or months. Here is the typical anatomy of a BEC attack against a small business in Northern Virginia:
Stage 1: Reconnaissance (Weeks 1-4)
The attacker identifies your company through public sources — LinkedIn profiles showing your leadership team, your website listing services and vendors, court filings or property records showing transactions you handle, even your social media showing when the CEO is traveling.
Stage 2: Account Compromise (Day 1)
The attacker compromises a legitimate email account — usually through phishing, credential stuffing from a prior breach, or exploiting a weak password without MFA. They now have access to read every email in that mailbox.
Stage 3: Monitoring (Days 1-14)
This is what makes BEC different from everything else. The attacker sits quietly in the compromised mailbox, reading email threads. They learn payment patterns, vendor relationships, how the CEO communicates, who handles finances, what transactions are normal, and when large payments are expected.
Stage 4: The Strike
Armed with perfect contextual knowledge, the attacker sends a request that looks completely natural — a payment redirect that arrives when a real payment is expected, a wire instruction that references a real transaction, or a vendor invoice with "updated" banking details. The request is so well-crafted that the recipient has no reason to question it.
Local Pattern: In Northern Virginia, we see BEC attacks concentrated around real estate closings (title company impersonation), government contractor payments (prime contractor impersonation), and law firm trust disbursements. These high-value, time-sensitive transactions create perfect conditions for BEC — urgency, large amounts, and parties who may not know each other well enough to detect impersonation.
The Five-Layer Defense Against BEC
No single control stops BEC. The attack exploits trust, context, and timing — not technical vulnerabilities alone. Effective prevention requires layering technical controls, process controls, and human awareness together:
Layer 1: Stop Account Compromise (Technical)
If attackers cannot get into your email accounts, they cannot monitor your communications or send messages as you. This is your first line of defense:
- Multi-factor authentication on every email account — no exceptions for executives or long-tenured staff
- Conditional Access policies blocking sign-ins from risky locations, unmanaged devices, or legacy protocols
- Disable legacy authentication (IMAP, POP3, SMTP AUTH and other Basic Auth protocols), which bypasses MFA entirely
- Deploy phishing-resistant MFA (FIDO2 keys or passkeys) for anyone who handles payments
- Monitor for credential exposure on dark web markets (Microsoft Entra ID Protection does this)
Layer 2: Detect Impersonation (Technical)
Even if your accounts are secure, attackers can impersonate you using lookalike domains or display name spoofing. Configure these protections in Microsoft 365 or Google Workspace:
- Anti-impersonation policies protecting all executive names and your company domains
- DMARC, DKIM, and SPF records properly configured (prevents others from sending email "from" your domain)
- External sender warnings displayed prominently on emails from outside your organization
- Lookalike domain detection alerting when emails arrive from domains similar to yours or your vendors
- Block automatic forwarding rules to external email addresses (attackers create these to maintain access)
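The SPF and DMARC bullet above is easy to get half right: a DMARC record that exists but says `p=none`, or an SPF record ending in `+all`, still lets anyone send "from" your domain. The following script is an added example (not code from the article or from Microsoft or Google) that parses the raw TXT record text you would get from `dig TXT example.com` and `dig TXT _dmarc.example.com` and reports the gaps a spoofer relies on. The records at the bottom are constructed samples, not any real domain's records, and the lookup count is a top-level approximation (real evaluators also count lookups inside each `include:`).

```python
"""Assess a domain's SPF and DMARC TXT records for the gaps spoofers rely on.

Added example, not code from the original article. Input is the raw TXT
record text; output is a list of human-readable findings (empty = enforcing).
"""

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208: more than 10 DNS lookups is a permanent error


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase tag -> value map."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means it is enforcing."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: monitor-only, spoofed mail is still delivered to inboxes")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    elif policy != "reject":
        findings.append(f"p={policy or '<missing>'}: policy missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sp = tags.get("sp")
    if sp is not None and sp != "reject":
        findings.append(f"sp={sp}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports of spoofing attempts")
    return findings


def mechanism_name(term: str) -> str:
    """'+include:spf.example.com' -> 'include'; 'a/24' -> 'a'; 'redirect=x' -> 'redirect'."""
    body = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        body = body.split(sep, 1)[0]
    return body


def assess_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means it is tight."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    findings = []
    mechanisms = [t.lower() for t in terms[1:]]
    all_terms = [t for t in mechanisms if mechanism_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result, not a failure")
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result for unlisted senders; no SPF protection")
        elif qualifier == "~":
            findings.append("~all: softfail only; rejection then depends on DMARC p=reject")
    lookups = sum(1 for t in mechanisms if mechanism_name(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup mechanisms at top level exceed the "
                        f"{SPF_LOOKUP_LIMIT}-lookup limit; evaluators return permerror")
    if any(mechanism_name(t) == "ptr" for t in mechanisms):
        findings.append("ptr mechanism: deprecated and unreliable, remove it")
    return findings


if __name__ == "__main__":
    # Constructed sample records for demonstration (not real domains).
    samples = {
        "good": ("v=spf1 include:spf.protection.outlook.com -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
        "weak": ("v=spf1 include:spf.protection.outlook.com ~all",
                 "v=DMARC1; p=none"),
        "broken": ("v=spf1 +all", "v=DMARC1; p=reject; pct=10; sp=none"),
    }
    for label, (spf, dmarc) in samples.items():
        print(label, "SPF:", assess_spf(spf) or ["ok"])
        print(label, "DMARC:", assess_dmarc(dmarc) or ["ok"])
```

Run it against your own records and your key vendors' records; a vendor whose domain sits at `p=none` is the one whose "updated banking details" invoice will sail through your filters.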
Layer 3: Payment Verification Procedures (Process)
This is where most BEC attacks ultimately succeed or fail. Technical controls reduce the volume of attacks, but whether the ones that get through succeed depends on whether your staff follows verification procedures:
- Verbal verification required for any payment change, new vendor setup, or wire transfer over $5,000
- Call the requester at a known phone number — not the number in the email
- Two-person approval for any wire transfer or ACH payment over $10,000
- Any "urgent" payment request triggers additional scrutiny, not less
- No payment instruction changes accepted via email alone — period
The Critical Rule: If someone emails you asking to change where money goes — different bank account, different wire instructions, updated ACH details — you pick up the phone and verify using a number you already have on file. Not the number in the email. Not a number from the email signature. A number you independently obtained. This single rule prevents more BEC losses than any technology.
Layer 4: Staff Awareness (Human)
Your team needs to recognize BEC tactics — not generic phishing awareness, but the specific patterns of BEC attacks:
- Urgency pressure — "This must go out today," "I am in meetings and cannot call," "The deal closes in 2 hours"
- Authority pressure — the request appears to come from the CEO, owner, or an attorney
- Secrecy instructions — "Keep this between us until it closes," "Do not discuss with others"
- Slight email anomalies — one letter different in the domain, different reply-to address, unusual greeting
- Breaking normal patterns — a vendor who always invoices net-30 suddenly needs immediate wire payment
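The "slight email anomalies" in the list above, and the lookalike domain detection mentioned under Layer 2, can be checked mechanically before a human ever reads the message. The script below is an added example (not code from the article or from any mail product) that parses a raw message header block with Python's standard library and flags display-name spoofing, lookalike sender domains, and Reply-To redirection. The executive names, protected domains, and sample messages are constructed for the example; the homoglyph table and the "second label is the brand" rule are deliberate simplifications.

```python
"""Check an inbound message's headers for the impersonation patterns BEC relies on.

Added example, not code from the article. Parses RFC 5322 headers with the
standard library and returns a list of findings (empty = no signal).
"""
import email
import re
from email.utils import parseaddr

# Assumed: executives worth impersonating (normalized name -> real address) and
# the domains, yours and key vendors', that a lookalike would mimic.
EXECUTIVES = {"jane doe": "jane.doe@example-firm.com"}
PROTECTED_DOMAINS = {"example-firm.com", "titantitle.com"}

HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize_domain(domain: str) -> str:
    """Fold look-alike characters so 'examp1e-firrn.com' compares equal to 'example-firm.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def normalize_name(name: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits between domains is the classic lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """Second-to-last label ('example-firm' in example-firm.com); simplification for ccSLDs."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS):
    """Return the protected domain this one imitates, or None (exact matches are not lookalikes)."""
    d = domain.lower()
    if d in protected:
        return None
    for p in protected:
        if (normalize_domain(d) == normalize_domain(p) or levenshtein(d, p) <= 2
                or (brand_label(p) in brand_label(d) and brand_label(d) != brand_label(p))):
            return p
    return None


def check_message(raw: str) -> list[str]:
    """Return findings for one message's headers; empty means no impersonation signal."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike sender domain {from_domain} imitates {target}")
    expected = EXECUTIVES.get(normalize_name(from_name))
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' belongs to {expected} but mail is from {from_addr}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To {reply_addr} goes to a different domain than From")
        target = lookalike_of(reply_domain)
        if target:
            findings.append(f"lookalike Reply-To domain {reply_domain} imitates {target}")
    return findings


# Constructed sample messages (header blocks only).
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example-firm.com>\nSubject: Q2 numbers\n\nbody",
    "From: Jane Doe <jane.doe.ceo@gmail.com>\nSubject: Quick request\n\nbody",
    "From: Accounts Payable <ap@examp1e-firm.com>\nSubject: Updated remit-to\n\nbody",
    "From: Titan Title Co <closing@titantitle.com>\n"
    "Reply-To: closing@titantitle-escrow.net\nSubject: Wire instructions\n\nbody",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(raw.splitlines()[0], "->", check_message(raw) or ["clean"])
```

The same three checks are what the anti-impersonation policies in Microsoft 365 and Google Workspace implement at scale; the point of seeing them in code is that none of them needs the attacker to make a visible mistake, only to be different from the record you already hold.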
Layer 5: Monitoring and Response (Operational)
- Monitor for new inbox rules created on executive mailboxes (attackers create rules to hide their activity)
- Alert on mailbox forwarding rule changes
- Review sign-in logs for executive accounts weekly
- Audit OAuth app consents — attackers grant themselves persistent access through app permissions
- Maintain a response playbook specifically for suspected BEC (bank contact procedures, evidence preservation steps)
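The first four Layer 5 bullets are all answerable from mailbox audit logs, and the patterns are specific enough to encode. The script below is an added example (not code from the article, Microsoft, or Google) that scans a batch of events shaped roughly like Microsoft 365 unified audit log records (`Operation`, `UserId`, `CreationTime`, and a `Parameters` list of Name/Value pairs) for the inbox rules, mailbox forwarding, and app consents that BEC attackers leave behind. The events are constructed samples and the layout is a simplification: in particular the consent event is flattened here with a `Permissions` parameter, whereas the real Entra audit record carries the granted scopes in its ModifiedProperties.

```python
"""Hunt mailbox audit events for the persistence tricks BEC attackers use.

Added example, not code from the article or any vendor. Returns alert dicts
for events that exfiltrate mail, hide it from its owner, or grant an app
standing access to a mailbox.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"example-firm.com"}   # assumed: your own mail domains
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
PAYMENT_WORDS = ("invoice", "payment", "wire", "ach", "remit", "bank")
RISKY_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite"}


def params(event: dict) -> dict[str, str]:
    """Flatten the Name/Value parameter list into a lowercase-keyed dict of strings."""
    return {p["Name"].lower(): str(p["Value"]) for p in event.get("Parameters", [])}


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours ('smtp:' prefix tolerated)."""
    domain = address.rsplit("@", 1)[-1].strip("<> ").lower()
    return domain not in INTERNAL_DOMAINS


def inbox_rule_reasons(p: dict[str, str]) -> list[str]:
    """Flag rules that exfiltrate mail or hide it from the mailbox owner."""
    reasons = []
    if not p.get("name", "rule").strip(". "):
        reasons.append("rule name is empty or a lone punctuation mark, a common attacker habit")
    for key in ("forwardto", "redirectto", "forwardasattachmentto"):
        if p.get(key) and is_external(p[key]):
            reasons.append(f"{key} sends a copy to external address {p[key]}")
    hiding = []
    if p.get("deletemessage", "").lower() == "true":
        hiding.append("rule silently deletes matching mail")
    folder = p.get("movetofolder", "")
    if folder.lower() in HIDING_FOLDERS:
        hiding.append(f"rule hides matching mail in '{folder}'")
    # Mark-as-read is normal on its own; it matters when paired with hiding.
    if hiding and p.get("markasread", "").lower() == "true":
        hiding.append("rule also marks the mail as read so nothing looks unread")
    reasons.extend(hiding)
    words = p.get("subjectcontainswords", "").lower()
    if any(w in words for w in PAYMENT_WORDS):
        reasons.append(f"rule targets payment-related subjects ({words})")
    return reasons


def analyze_event(event: dict) -> dict | None:
    """Return an alert dict for a suspicious event, or None when it looks benign."""
    op = event.get("Operation", "")
    p = params(event)
    reasons: list[str] = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        reasons = inbox_rule_reasons(p)
    elif op == "Set-Mailbox":
        for key in ("forwardingsmtpaddress", "forwardingaddress"):
            if p.get(key) and is_external(p[key]):
                reasons.append(f"mailbox-level forwarding to {p[key]}")
    elif op == "Consent to application.":
        scopes = {s.lower() for s in p.get("permissions", "").split()}
        risky = sorted(scopes & RISKY_SCOPES)
        if risky:
            reasons.append(f"app '{p.get('appdisplayname', '?')}' granted {', '.join(risky)}")
    if not reasons:
        return None
    return {"time": event.get("CreationTime"), "user": event.get("UserId"),
            "operation": op, "reasons": reasons}


def hunt(events: list[dict]) -> list[dict]:
    """Run analyze_event over a batch and keep only the alerts."""
    return [alert for alert in map(analyze_event, events) if alert]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-02T03:14:00", "Operation": "New-InboxRule",
     "UserId": "ceo@example-firm.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-05-02T09:05:00", "Operation": "New-InboxRule",
     "UserId": "analyst@example-firm.com",
     "Parameters": [{"Name": "Name", "Value": "Manager updates"},
                    {"Name": "From", "Value": "manager@example-firm.com"},
                    {"Name": "MoveToFolder", "Value": "Manager"}]},
    {"CreationTime": "2024-05-02T03:20:00", "Operation": "Set-Mailbox",
     "UserId": "controller@example-firm.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ctrl.backup@gmail.com"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-05-03T11:40:00", "Operation": "Consent to application.",
     "UserId": "controller@example-firm.com",
     "Parameters": [{"Name": "AppDisplayName", "Value": "Mail Sync Helper"},
                    {"Name": "Permissions", "Value": "Mail.Read offline_access User.Read"}]},
    {"CreationTime": "2024-05-03T12:00:00", "Operation": "Calendar Widget consent",
     "UserId": "analyst@example-firm.com",
     "Parameters": [{"Name": "Permissions", "Value": "User.Read"}]},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["time"], alert["user"], alert["operation"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Note the 3 AM timestamps on the two real alerts: a rule created outside business hours on an executive mailbox, named "." and filing anything mentioning a wire into RSS Subscriptions, is the textbook Stage 3 footprint, and the external forward on the controller's mailbox is how the attacker keeps reading after the password is changed unless the forward is removed too.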
What to Do If You Are Hit
Speed is everything. The FBI reports that wire recall success rates exceed 70% if action is taken within 24 hours — but drop below 20% after 48 hours. If you discover a BEC-related payment:
- Contact your bank immediately — request a wire recall or ACH reversal. Call the fraud department directly, not the general line.
- File an IC3 complaint at ic3.gov — check the "BEC" box and request activation of the FBI's Financial Fraud Kill Chain for transfers over $50,000.
- Reset all email credentials — the attacker likely still has access. Reset passwords, revoke all sessions, remove OAuth app consents, and review/delete any forwarding rules or inbox rules.
- Notify your cyber insurance carrier — most policies have 72-hour notification requirements.
- Preserve all evidence — do not delete the fraudulent emails. Screenshot inbox rules, forwarding settings, and sign-in logs before making changes.
- Notify affected parties — if the BEC involved impersonating your company to your clients or vendors, they need to know immediately to prevent further losses.
BEC Prevention Checklist for Small Businesses
- MFA enabled on all email accounts (no exceptions)
- Legacy authentication protocols disabled
- Anti-impersonation policies configured for all executive names
- DMARC policy set to "reject" (not just "monitor")
- External sender banner enabled
- Automatic forwarding to external domains blocked
- Written payment verification procedure documented and distributed
- Verbal verification required for payment changes over $5,000
- Two-person approval for wires over $10,000
- Quarterly BEC-specific awareness training for finance staff
- Inbox rule monitoring for executive mailboxes
- Bank fraud department contact info posted at every finance workstation
The Cost of Inaction
The average BEC loss for small businesses is $125,000 — often unrecoverable. For many small businesses in Northern Virginia, that represents months of operating capital. And unlike ransomware, there is no decryption key to buy. The money is simply gone, usually overseas within hours.
Implementing the layered defense described in this guide costs a fraction of a single successful BEC attack. MFA is free with most email platforms. Anti-impersonation policies are included in Microsoft 365 Business Premium. The most critical control — verbal verification procedures — costs nothing except the discipline to follow them every single time.