Playbook 2

Business email compromise on the office

The quieter precursor: a compromised office mailbox, malicious forwarding rules harvesting wire threads and K-1s, a spoofed custodian notice, or fake “updated wire instructions” mid-deal.

The hard truth

By the time the fraudulent wire request arrives, the attacker has usually been reading your mail for weeks.

The first hour

  1. 1

    Force a password reset and revoke all active sessions on the affected mailbox.

  2. 2

    Audit inbox and forwarding rules — attackers hide auto-forwarding and auto-delete rules to intercept threads.

  3. 3

    Check sent items and deleted items for messages you didn't send.

  4. 4

    Alert anyone the mailbox recently corresponded with about wires or banking details.

  5. 5

    Notify the custodian and any counterparty mid-deal that instructions from you may be compromised.

Stop the next one

  • MFA on every office mailbox — hardware keys for the finance team.
  • SPF, DKIM, and DMARC configured on all office domains.
  • A standing mailbox-rule audit to catch malicious forwarding early.
  • A deal-time verification decision tree: “Is this really the fund administrator?”

Questions we hear