Client Resource

Business Email Compromise: What to Do in the First 24 Hours

A business-focused guide for suspected mailbox compromise that explains what to preserve, who to involve, and why privileged technical actions should be handled by authorized IT or security personnel.

Important: This is a business-response guide, not an IT administrator checklist. Actions that require privileged access should be handled by your authorized IT provider, Microsoft 365 administrator, security provider, or forensic consultant.

1. Recognize the Warning Signs

Business email compromise often begins quietly. The first clue may be a vendor question, a missing reply, a strange message, or a user reporting that email does not look right.

Common Warning Signs

Warning signs may include missing emails, unexpected messages from the user account, vendor payment changes, replies that never arrive, suspicious folders, unexpected multi-factor authentication prompts, customers receiving unusual messages, or Microsoft security alerts.

Take Vague Reports Seriously

Users may not know how to describe the issue. “My email is acting weird” may be the first sign of a real compromise.

Preserve Observations

Record what was noticed, when it was noticed, who reported it, and whether any customers or vendors were affected. Preserve suspicious messages and avoid deleting potential evidence before technical review.

2. Involve the Right People Quickly

Internal Contacts

Depending on the situation, this may include ownership, management, accounting, HR, legal counsel, cyber insurance contacts, and the organization’s authorized IT or security provider.

External Contacts

If money was transferred, contact the bank immediately. If vendors or customers received fraudulent messages, notification may be needed. If sensitive information may have been exposed, legal counsel should help evaluate obligations.

Keep a Response Log

Track what happened, who was contacted, what decisions were made, and what changes were performed by authorized personnel.

3. Containment Should Be Coordinated With Preservation

Why Coordination Matters

Rules, forwarding settings, sign-in history, suspicious applications, and message records may help determine what happened. If those details are removed or changed without documentation, reconstruction may be harder.

Who Should Perform Technical Actions

Privileged technical actions should be performed by an authorized administrator or provider. Business users should not request or perform privileged administrative functions themselves.

Document Before Cleanup Where Practical

When possible, document suspicious rules, forwarding addresses, unusual folders, suspicious messages, sign-in concerns, and impacted recipients before cleanup is completed.

4. Evidence That Usually Matters

Mailbox Evidence

Relevant mailbox evidence may include suspicious messages, sent messages, deleted messages, message headers, unusual folders, hidden replies, forwarding, and inbox rules.

Account Access Evidence

Relevant access evidence may include sign-in history, unusual locations, unfamiliar devices, repeated failed attempts, successful suspicious logins, multi-factor authentication activity, and related account changes.

Business Impact Evidence

Relevant business evidence may include vendor communications, payment change requests, wire transfer records, customer notifications, internal approvals, and records of any money or data exposure.
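The mailbox and account-access evidence listed above is easier to act on when it is reviewed systematically. The following added example (not part of this guide, and not a Cal Valley Technology Group tool) shows how an authorized administrator or provider might triage already-collected exports of inbox rules and sign-in records, recording for each finding what should be preserved before any cleanup. The record layouts, the domain `example.com`, the folder and keyword lists, and all sample records are constructed assumptions; they are not the exact output of any Microsoft 365 export.

```python
"""Triage constructed mailbox-rule and sign-in evidence, preservation first.

Added example. The record fields below are assumptions chosen for
illustration; an authorized administrator maps them from whatever export
was actually collected. All sample data is constructed.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"          # assumption: the organisation's own mail domain
EXPECTED_COUNTRIES = {"US"}         # assumption: where staff normally sign in from
# Folders commonly used to hide replies from the mailbox owner (defender heuristic)
UNUSUAL_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email"}
# Words that, combined with a rule that hides mail, point at payment fraud or alert suppression
FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "ach", "password", "suspicious", "hacked"}

# Constructed sample: inbox rules as an administrator might export them.
SAMPLE_RULES = [
    {"name": "Vendor invoices", "forward_to": [], "move_to_folder": "Invoices",
     "delete": False, "mark_as_read": False, "keywords": ["invoice"]},
    {"name": ".", "forward_to": ["collector@mail-example.net"], "move_to_folder": "RSS Feeds",
     "delete": False, "mark_as_read": True, "keywords": ["wire", "payment", "bank"]},
    {"name": "Cleanup", "forward_to": [], "move_to_folder": None,
     "delete": True, "mark_as_read": True, "keywords": ["password", "suspicious"]},
]

# Constructed sample: sign-in records for the same mailbox, oldest first.
SAMPLE_SIGNINS = [
    {"when": "2024-05-01T08:05:00Z", "ip": "203.0.113.10", "country": "US", "result": "success", "mfa": True},
    {"when": "2024-05-02T02:14:00Z", "ip": "198.51.100.7", "country": "NG", "result": "failure", "mfa": False},
    {"when": "2024-05-02T02:16:00Z", "ip": "198.51.100.7", "country": "NG", "result": "failure", "mfa": False},
    {"when": "2024-05-02T02:20:00Z", "ip": "198.51.100.7", "country": "NG", "result": "failure", "mfa": False},
    {"when": "2024-05-02T02:31:00Z", "ip": "198.51.100.7", "country": "NG", "result": "success", "mfa": False},
    {"when": "2024-05-02T08:02:00Z", "ip": "203.0.113.10", "country": "US", "result": "success", "mfa": True},
]


@dataclass
class Finding:
    category: str   # "rule" or "signin"
    subject: str    # rule name or sign-in timestamp
    reason: str
    preserve: str   # what to capture before any cleanup


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domain."""
    return address.lower().rsplit("@", 1)[-1] != ORG_DOMAIN


def triage_rules(rules):
    """Flag rules that forward externally, hide finance/security mail, or have no real name."""
    findings = []
    for rule in rules:
        reasons = []
        ext = [a for a in rule.get("forward_to", []) if is_external(a)]
        if ext:
            reasons.append("forwards to external address " + ", ".join(ext))
        folder = (rule.get("move_to_folder") or "").lower()
        hides = bool(rule.get("delete")) or folder in UNUSUAL_FOLDERS
        keywords = {k.lower() for k in rule.get("keywords", [])}
        if hides and keywords & FINANCE_TERMS:
            reasons.append("hides messages matching finance/security keywords")
        if len(rule.get("name", "").strip()) <= 2:
            reasons.append("non-descriptive rule name")
        if reasons:
            findings.append(Finding("rule", rule["name"], "; ".join(reasons),
                                    "export the full rule definition before disabling it"))
    return findings


def triage_signins(signins):
    """Flag successful sign-ins from unexpected countries, without MFA, or after repeated failures."""
    findings = []
    failures_by_ip = {}
    for s in sorted(signins, key=lambda r: r["when"]):
        if s["result"] != "success":
            failures_by_ip[s["ip"]] = failures_by_ip.get(s["ip"], 0) + 1
            continue
        reasons = []
        if s["country"] not in EXPECTED_COUNTRIES:
            reasons.append("successful sign-in from unexpected country " + s["country"])
        if not s["mfa"]:
            reasons.append("succeeded without multi-factor authentication")
        if failures_by_ip.get(s["ip"], 0) >= 3:
            reasons.append(f"success after {failures_by_ip[s['ip']]} failures from {s['ip']}")
        if reasons:
            findings.append(Finding("signin", s["when"], "; ".join(reasons),
                                    "retain sign-in and audit logs covering this time"))
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES) + triage_signins(SAMPLE_SIGNINS):
        print(f"[{f.category}] {f.subject}: {f.reason} (preserve: {f.preserve})")
```

On the constructed data the two hiding rules and the no-MFA sign-in from an unexpected country are reported; the legitimate "Vendor invoices" rule is not. Each finding carries a preservation note so the cleanup step never runs ahead of documentation, which is the point of the "Document Before Cleanup" guidance above.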

5. Determine the Possible Exposure

Exposure Window

The exposure window helps determine what messages may have been seen, what attachments may have been exposed, whether vendors or customers were contacted, and whether further review is needed.
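Turning the exposure window into a concrete list of what may have been seen and who was contacted is mostly a filtering exercise over mailbox activity. The added example below (not part of this guide) takes the first suspicious sign-in time and the containment time, treats every message present in the mailbox before containment as potentially viewable (an upper bound), and lists messages sent during the window and the external recipients they reached. The activity record layout, the domain `example.com`, and the sample messages are constructed assumptions.

```python
"""Summarise a mailbox exposure window over constructed activity records.

Added example. Fields and sample data are constructed assumptions, not a
real Microsoft 365 export format.
"""
from datetime import datetime, timezone

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed sample: mailbox activity for ap@example.com, oldest first.
SAMPLE_ACTIVITY = [
    {"when": "2024-05-01T15:00:00Z", "direction": "received",
     "from": "vendor@supplier-example.net", "to": ["ap@example.com"],
     "subject": "April invoice", "attachments": ["april-invoice.pdf"]},
    {"when": "2024-05-02T02:40:00Z", "direction": "sent",
     "from": "ap@example.com", "to": ["vendor@supplier-example.net"],
     "subject": "RE: April invoice - updated bank details", "attachments": []},
    {"when": "2024-05-02T09:10:00Z", "direction": "received",
     "from": "hr@example.com", "to": ["ap@example.com"],
     "subject": "Payroll summary", "attachments": ["payroll-q1.xlsx"]},
    {"when": "2024-05-03T10:00:00Z", "direction": "sent",
     "from": "ap@example.com", "to": ["customer@client-example.org"],
     "subject": "Statement", "attachments": ["statement.pdf"]},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def exposure_summary(activity, first_suspicious_iso, contained_iso):
    """Return what may have been seen and who was contacted during the window."""
    start, end = parse_ts(first_suspicious_iso), parse_ts(contained_iso)
    if end < start:
        raise ValueError("containment time precedes first suspicious activity")

    # Anything already in the mailbox before containment could have been read.
    viewable = [a for a in activity
                if a["direction"] == "received" and parse_ts(a["when"]) <= end]
    # Only messages sent inside the window are attributable to the intruder's access.
    sent = [a for a in activity
            if a["direction"] == "sent" and start <= parse_ts(a["when"]) <= end]

    attachments = sorted({att for a in viewable for att in a["attachments"]})
    external = sorted({r for a in sent for r in a["to"]
                       if r.lower().rsplit("@", 1)[-1] != ORG_DOMAIN})
    return {
        "window_minutes": int((end - start).total_seconds() // 60),
        "messages_possibly_viewed": len(viewable),
        "attachments_possibly_exposed": attachments,
        "sent_in_window": [a["subject"] for a in sent],
        "external_recipients_contacted": external,
    }


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_ACTIVITY, "2024-05-02T02:31:00Z", "2024-05-03T09:00:00Z")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Because the earliest suspicious sign-in is an estimate, the window should be widened rather than narrowed when sign-in history is incomplete; the list of external recipients contacted during the window is the starting point for the vendor and customer notifications discussed in section 2.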

Similar Activity

A single compromised account may not be the only issue. Other employees may have received the same phishing message, clicked the same link, or been targeted by the same attacker.

Shared Mailboxes

Shared mailboxes for accounting, billing, HR, support, or general information may be especially important because attackers often target accounts that can influence payments or vendor communications.

6. After the Immediate Incident

Security Review

An authorized provider can review authentication practices, monitoring of mailbox forwarding, alerting, account privileges, phishing exposure, and cyber insurance requirements.

Evidence Summary

A written summary can help management, insurance, legal counsel, and affected parties understand what happened, what was reviewed, what was contained, and what remains unknown.

Lessons Learned

The best post-incident improvements are practical: better user awareness, improved alerting, stronger account controls, better logging, and clearer internal reporting procedures.

When to Contact Cal Valley Technology Group

Cal Valley Technology Group can assist with business email compromise response, Microsoft 365 evidence preservation, mailbox rule and forwarding review, sign-in analysis, audit log collection, incident documentation, and security hardening after compromise.