Business email compromise rarely looks dramatic. In most cases, it arrives as a routine request: a payment update, an urgent wire, a changed bank account, a new invoice, or a short message from an executive who “needs this handled now.” That ordinary presentation is what makes BEC so costly for finance and operations teams. This checklist is designed to be practical, reusable, and easy to revisit before any high-risk action. Use it to tighten approval controls, verify payment requests, reduce vendor impersonation risk, and build a calmer response process when something feels off.
Overview
This guide gives you a working business email compromise checklist for day-to-day operations. It is written for teams that approve payments, manage vendors, process payroll, handle procurement, or support executive workflows.
BEC scam prevention is not only an email security problem. It sits at the intersection of inbox security, identity verification, payment controls, and team behavior. Attackers do not need malware or deep access if they can convince one busy employee to send funds, change account details, or disclose sensitive records.
Most email payment fraud attempts follow a familiar pattern:
- The attacker impersonates a trusted party such as an executive, vendor, law firm, customer, or internal employee.
- The message creates urgency, secrecy, or routine pressure.
- The request pushes the recipient to bypass a normal control: a callback, a second approval, a waiting period, or a known contact method.
- The attack often lands during periods of distraction, staffing changes, quarter-end pressure, travel, holidays, or platform migrations.
The most useful way to defend against BEC is to break the attack chain. You do that by making risky actions slower, more verifiable, and less dependent on a single email thread.
Use the checklist below as a pre-action review before any of the following:
- Sending funds or approving a wire
- Changing vendor payment details
- Changing payroll or employee bank information
- Releasing tax, HR, or identity documents
- Granting access to systems, mailboxes, or accounts
- Acting on “CEO urgent” requests outside normal workflow
If your team needs a companion process for message validation, see How to Verify a Suspicious Email Before You Click Anything. If the request involves invoices, also review Fake Invoice Scam Red Flags: How Businesses Can Spot Payment Fraud Early.
Checklist by scenario
Use these scenario-based checklists before acting. The goal is not to make every task slow. It is to identify the small set of requests that deserve extra friction.
1) Executive urgent payment request
This is one of the most common forms of finance team phishing. A message appears to come from a senior executive and asks for a confidential wire, gift card purchase, refund, or emergency vendor payment.
- Pause if the request depends on urgency, secrecy, or a change from normal process.
- Check the sender carefully: display name, full email address, reply-to address, and any slight domain misspelling.
- Do not reply directly to the message to verify it.
- Confirm the request using a known contact method already in your records, such as an internal directory number or verified chat account.
- Require a second approver for any out-of-band payment, even if the request appears to come from leadership.
- Check whether the executive is traveling, in meetings, or otherwise unavailable, since attackers often exploit those windows.
- Document the verification step in the ticket, ERP, or approval record.
If the request pressures the team to bypass policy “just this once,” treat that as a red flag rather than a business reason.
2) Vendor banking change request
The vendor impersonation scam is a classic BEC path because it targets a real relationship and a plausible transaction.
- Never change payment details based only on email.
- Validate the request with a callback to a known phone number from your vendor master data, not a number provided in the email.
- Ask for confirmation from an existing vendor contact, not only a new contact added in the same thread.
- Review whether the sender domain matches prior legitimate messages from the vendor.
- Check for subtle changes in invoice formatting, signature block, tone, or payment destination country.
- Apply a dual-control review for bank account changes and require a waiting period before the first payment to the new account.
- Notify procurement or vendor management so the change is visible outside AP.
- Flag first-time payments after account changes for manual review.
When possible, separate the team that updates vendor records from the team that releases payments. That single control can stop a large share of preventable losses.
3) Invoice attached to a normal-looking email
Some attacks look less like impersonation and more like routine accounts payable work.
- Verify that the invoice aligns with a real purchase order, contract, or approved work record.
- Check whether the amount, timing, and billing cadence match prior invoices.
- Look for changes in remittance instructions, account names, or beneficiary location.
- Review attachment names and file types carefully before opening.
- Use secure document workflows where possible instead of processing attachments directly from email.
- Escalate any invoice that arrives with a new sense of urgency, revised payment route, or pressure to ignore prior instructions.
For a deeper fraud screening process, pair this article with our fake invoice red flags guide.
4) Payroll or employee bank detail change
Payroll fraud is often treated as an HR issue, but it belongs in every BEC scam prevention program.
- Do not process bank changes solely from email, even if the email appears internal.
- Require login to a trusted employee self-service system or live verification through an established internal process.
- Apply extra scrutiny to changes submitted near payroll cutoff dates.
- Alert the employee through an independent channel that a change request was received.
- Review mailbox compromise indicators if the employee claims they did not send the request.
5) Request for tax forms, employee records, or sensitive documents
BEC is not always about payments. Attackers also target data that can support identity theft, tax fraud, or account takeover.
- Verify the requester through known internal channels.
- Confirm business need and least-privilege access before sending anything.
- Do not send sensitive files over an unverified email thread.
- Use approved secure transfer methods and log the release.
- Escalate requests involving bulk employee records, executive data, or unusual urgency.
6) Shared mailbox or accounts payable inbox workflow
Shared finance mailboxes can become a weak point if ownership is diffuse.
- Define who can approve, who can update records, and who can release funds.
- Remove stale delegations and review forwarding rules.
- Monitor for unusual auto-forwarding, hidden inbox rules, or unexplained archived messages.
- Require named accountability in the workflow, even when the mailbox is shared.
- Separate intake, verification, and payment release where possible.
7) Executive assistant or operations coordinator request chain
Attackers often target assistants because they sit close to approvals and calendar context.
- Establish clear rules for what assistants can initiate versus approve.
- Require executive confirmation through a separate channel for unusual financial requests.
- Do not rely on writing style as proof of identity.
- Watch for requests timed around travel, events, or board meetings.
8) Mailbox compromise suspected after a strange request
Sometimes the email is not spoofed at all. It comes from a real compromised account.
- Call the sender using a known number before taking action.
- Check for prior legitimate thread history being reused in an unusual way.
- Look for changed tone, odd timing, new payment details, or requests to move off platform.
- Escalate to security to review login history, MFA changes, forwarding rules, and recent mailbox behavior.
- Freeze related payment changes until the account is confirmed clean.
What to double-check
Before approving any high-risk request, run through these cross-scenario checks. This is the part of the checklist worth printing, bookmarking, or embedding into your workflow tool.
Identity checks
- Is the sender address exactly correct, not just the display name?
- Does the reply-to address differ from the visible sender?
- Has the domain changed by one character, an extra word, or a lookalike pattern?
- Are you verifying through a known-good channel rather than the one used in the request?
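The header-level identity checks above, as an added Python example that is not part of the original article; the known-good domain set, the sample message and the two-edit lookalike threshold are constructed assumptions:

```python
from email import message_from_string
from email.utils import parseaddr
# Known-good sender domains from your vendor master / internal directory (constructed sample set).
KNOWN_GOOD_DOMAINS = {"acme-supplies.com", "example-corp.com"}

def levenshtein(a, b):
    """Edit distance, used to catch one-character domain swaps such as 'l' -> '1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known):
    """Return the known-good domain this one imitates, or None if it is exact or unrelated."""
    if domain in known:
        return None
    base = domain.rsplit(".", 1)[0]
    for good in known:
        good_base = good.rsplit(".", 1)[0]
        if levenshtein(domain, good) <= 2:            # acme-supp1ies.com, acme-supplies.co
            return good
        if good_base in base and base != good_base:   # acme-supplies-billing.com (extra word)
            return good
    return None

def identity_checks(raw_message, known=KNOWN_GOOD_DOMAINS):
    """Apply the header-level identity checks to one RFC 5322 message; returns a list of findings."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []
    for good in known:  # display name borrows a trusted domain while the real address lives elsewhere
        if good in display.lower() and from_domain != good:
            findings.append(f"display name claims {good} but sender is {from_addr}")
    if reply_addr and reply_addr.lower() != from_addr.lower():  # replies silently rerouted
        findings.append(f"reply-to {reply_addr} differs from sender {from_addr}")
    imitated = lookalike_of(from_domain, known)  # one character changed, or an extra word
    if imitated:
        findings.append(f"sender domain {from_domain} resembles {imitated}")
    return findings  # the fourth check (verify out of band) is a process step, not a header test
# Constructed sample: a vendor-style message that trips all three header checks.
SAMPLE = """\
From: "Jane Doe <jane@acme-supplies.com>" <jane.doe@acme-supp1ies.com>
Reply-To: ap-updates@mail-relay.example
"""
```

Legitimate domains that are short or very similar to each other will also fall within two edits, so tune the threshold against your own vendor list rather than treating a hit as proof of fraud.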
Transaction checks
- Does the request match an approved purchase, contract, invoice schedule, or payroll process?
- Is there a first-time account, unusual beneficiary, or unexpected international route?
- Is the payment amount just below a review threshold or otherwise structured to avoid attention?
- Has the banking information changed recently?
Behavior checks
- Is the message urging immediate action or secrecy?
- Is the requester asking you to bypass a normal control?
- Does the request arrive outside normal hours or during a period of distraction?
- Is the tone unusually terse, generic, or inconsistent with prior communication?
Mailbox and system checks
- Has the internal user recently reset credentials, changed MFA, or reported device issues?
- Are there signs of mailbox tampering, such as forwarding rules or hidden deletions?
- Are approval logs complete, or did the request appear outside the usual system?
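The mailbox tampering checks above, together with the forwarding-rule review from the shared mailbox scenario earlier, as an added Python example that is not from the original article; the rule export shape, its field names, the organisation domain and the finance keyword list are constructed assumptions:

```python
# Constructed export of inbox rules from a finance mailbox, shaped like what an admin would pull
# from a mail platform; field names are this example's own, not any product's schema.
ORG_DOMAIN = "example-corp.com"
FINANCE_TERMS = ("invoice", "wire", "payment", "remittance", "bank")

CONSTRUCTED_RULES = [
    # Unnamed rule quietly copying everything to an outside mailbox.
    {"mailbox": "ap@example-corp.com", "name": "", "forward_to": ["ap-sync@mail-relay.example"],
     "subject_contains": [], "delete": False, "move_to": None},
    # Named rule that deletes vendor replies about invoices so the mailbox owner never sees them.
    {"mailbox": "ap@example-corp.com", "name": "Cleanup", "forward_to": [],
     "subject_contains": ["invoice", "wire"], "delete": True, "move_to": None},
    # Benign housekeeping rule: internal forward, non-financial filter.
    {"mailbox": "ap@example-corp.com", "name": "Newsletters", "forward_to": ["archive@example-corp.com"],
     "subject_contains": ["digest"], "delete": False, "move_to": "Newsletters"},
]

def triage_rule(rule, org_domain=ORG_DOMAIN):
    """Return the reasons one inbox rule deserves a human look (empty list means nothing notable)."""
    findings = []
    # Forwarding outside the organisation is the classic sign of a compromised finance mailbox.
    external = [a for a in rule["forward_to"] if not a.lower().endswith("@" + org_domain)]
    if external:
        findings.append(f"forwards to external address(es): {', '.join(external)}")
    # A rule with no name is easy to overlook during a manual review.
    if not rule["name"].strip():
        findings.append("rule has an empty name")
    # Deleting or moving finance-related mail hides vendor replies and payment confirmations.
    hidden = [t for t in rule["subject_contains"] if t.lower() in FINANCE_TERMS]
    if hidden and (rule["delete"] or rule["move_to"]):
        action = "deletes" if rule["delete"] else f"moves to '{rule['move_to']}'"
        findings.append(f"{action} messages mentioning {', '.join(hidden)}")
    return findings

def triage_rules(rules, org_domain=ORG_DOMAIN):
    """Map (mailbox, rule name) -> findings for every rule that tripped at least one check."""
    report = {}
    for rule in rules:
        findings = triage_rule(rule, org_domain)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report

if __name__ == "__main__":
    for (mailbox, name), reasons in triage_rules(CONSTRUCTED_RULES).items():
        print(f"{mailbox} rule {name!r}: {'; '.join(reasons)}")
```

Feed it the rule export for every mailbox that touches payments, not just the one that received the suspicious message, since the same account often has more than one rule planted.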
Control checks
- Was there independent verification by someone who is not the request originator?
- Was the change reviewed by a second person?
- Is there a short hold period for bank-detail changes before payment release?
- Have you documented the verification outcome?
If any of these checks fail, stop the transaction and escalate. A delay is usually easier to repair than a misdirected payment.
Common mistakes
Many teams already know what BEC is. The problem is not awareness alone. It is operational drift. The same avoidable mistakes show up again and again.
1) Treating email as identity proof
Email is a communication channel, not a trust decision by itself. Even a real mailbox can be compromised. The control that matters is independent verification.
2) Letting urgency outrank process
Quarter-end pressure, executive travel, and customer deadlines can tempt teams to skip callbacks or second approvals. Attackers rely on that exact tradeoff. If urgency is real, verification still needs to happen.
3) Using contact details from the suspicious message
A callback to the number inside the email is not true verification. Use the vendor master file, your ERP, your internal directory, or a known prior contract record.
4) Putting too much trust in writing style
Teams often say, “It sounded like them.” That is not a control. Attackers can copy prior threads, signatures, and phrasing. Focus on process signals, not familiarity.
5) Allowing one person to change and pay
When the same person can update vendor data and release funds, a single deceptive message can complete the fraud path. Basic separation of duties remains one of the strongest defenses.
6) Ignoring low-volume anomalies
BEC often starts small: a single changed field, a slightly different domain, a short follow-up asking to “use this account for today.” Small irregularities deserve attention when money or sensitive records are involved.
7) Forgetting shared mailboxes and assistants
Controls often focus on executives and finance directors, while assistants, coordinators, and shared inboxes carry the real workflow burden. Include them in reviews, training, and approval design.
8) Failing to connect email risk to incident response
If a suspicious request may have come from a compromised internal account, do not treat it as a simple payment exception. Security, identity, and finance teams need a linked response path. For adjacent account hardening ideas, this piece on login friction and access tradeoffs is a useful companion read.
When to revisit
This checklist works best when it is treated as a living control, not a one-time awareness document. Revisit it whenever your underlying workflow changes or when pressure on the business changes.
At minimum, review your BEC checklist in these moments:
- Before seasonal planning cycles: holidays, year-end close, bonus periods, tax seasons, procurement surges, and staffing transitions can all increase fraud exposure.
- When workflows or tools change: ERP migrations, new AP automation, vendor portal rollout, payroll platform changes, ticketing changes, or identity stack changes can open new gaps.
- When approval thresholds change: any update to who can approve, how much they can approve, or how exceptions are handled should trigger a checklist review.
- When vendors or banking relationships change: mergers, legal entity changes, new subsidiaries, and urgent supplier onboarding all raise impersonation risk.
- After any near miss or actual incident: update the checklist with the exact failure point, not just a broad reminder to be careful.
To keep this practical, assign an owner and a cadence:
- Name one accountable owner in finance operations or security governance.
- Keep the checklist embedded in the place work happens: ERP notes, AP runbooks, procurement SOPs, or ticket templates.
- Run short tabletop reviews using recent suspicious messages or payment-change examples.
- Track exceptions granted to policy and review whether they created unnecessary risk.
- Make callback verification and dual approval measurable controls, not informal advice.
A good final step is to create a one-page “stop and verify” version for frontline staff. Include only the actions they need in the moment:
- Do not approve or pay from email alone.
- Verify using a known-good contact method.
- Require dual approval for payment or bank-detail changes.
- Document what was checked.
- Escalate if anything feels rushed, unusual, or inconsistent.
That small operational habit does more to prevent BEC than a long annual reminder. The attacks will keep changing, but the core defense remains steady: separate identity from email, separate changes from payments, and make high-risk actions provable before they become irreversible.
For related verification workflows, you may also want to review our phone number scam lookup guide and current text scam trends to watch, especially if attackers begin shifting from email to calls or SMS as part of a blended impersonation campaign.