Business Email Compromise Signs Every Office Manager Should Know

An email that looks normal can still be a trap. The tone feels familiar, the signature looks right, and the request sounds simple. "Can you wire this today?" "Please update our bank details." That's how business email compromise (BEC) slips past smart people.

Office managers sit right in the middle of payments, vendors, calendars, and exec requests. That makes you a prime target. The good news is you don't need to be a security expert to catch most BEC attempts. You need a few practical habits, a quick checklist, and a clear way to verify money requests.

Below are the signs to watch for, a printable red-flag checklist, a verification script your team can follow, and a first-hour action plan if something looks wrong.

Why BEC hits office managers first (and how it usually starts)

Business email compromise is not a "virus problem" as much as a trust problem. Attackers either impersonate someone you know (CEO, vendor, attorney, payroll) or break into a real mailbox and wait. Then they send a message at the exact moment it will feel routine.

Common starting points include:

  • A fake login page that steals Microsoft 365 passwords
  • A "reply-to" trick that quietly routes replies to the attacker
  • A vendor email domain that's one character off (think .co instead of .com)
  • A mailbox rule that auto-forwards invoice conversations outside the company

Here's the scary part: BEC emails often contain correct details. An attacker might copy language from past threads, include the real vendor address in the CC line, or reference a real project. That's why "it sounds like them" is not a control.

If your business runs on Microsoft 365, locking down email access and sign-ins matters as much as training. Managed help with authentication, mailbox protections, and safer sharing can reduce exposure (see Managed Office 365 support and security).

A quick office example: you're busy, the owner is in meetings, and a message arrives that says, "I need this handled quietly before 2 PM." That urgency is the hook. The payment is the prize.

The BEC signs you can spot in under a minute

BEC attempts often look like normal work, just slightly "off." Instead of hunting for one magic clue, watch for clusters of small warnings.

Start with the message itself. Does it push urgency or secrecy? Does it ask you to bypass your usual process "just this once"? Attackers love exception handling because it skips the safety rails.

Next, look at the request type. The highest-risk requests are:

  • New or changed bank account details for a vendor
  • A rush wire, ACH, or "manual payment"
  • Gift card purchases or "send me the codes"
  • Updating payroll direct deposit information
  • Changing where invoices should be emailed

Then check the identity signals. A display name can be faked in seconds. What matters is the actual address, the reply-to field, and whether the email thread behaves normally. If replies suddenly go to a different address, treat it as a break in trust.
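The identity checks above can be automated over a saved message. The following is an added example, not part of the original article: the trusted domain list, the sample message, and the function names are all constructed for illustration. It ignores the display name, compares the real sender domain with the reply-to domain, and flags domains that are within two characters of a trusted one.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: trusted domains copied from your own vendor file (constructed here).
KNOWN_DOMAINS = {"acme-supplies.com", "example.com"}

# Constructed sample message, not a real email.
SAMPLE = """From: "Acme Supplies Billing" <billing@acme-supplies.co>
Reply-To: ap-desk@mailbox-example.net
To: office@example.com
Subject: Updated bank details

Please use the attached form for all future payments.
"""

def domain_of(header_value):
    """Lowercase domain of the real address, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message, known_domains=KNOWN_DOMAINS):
    """Return a list of identity warnings for one raw email."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from sender {from_dom}")
    for dom in sorted({from_dom, reply_dom} - {""}):
        if dom in known_domains:
            continue
        near = [k for k in sorted(known_domains) if edit_distance(dom, k) <= 2]
        if near:
            flags.append(f"{dom} is a near miss of trusted domain {near[0]}")
    return flags

if __name__ == "__main__":
    for flag in bec_flags(SAMPLE):
        print("WARNING:", flag)
```

An empty result only means these two checks passed. A message sent from a genuinely compromised mailbox will pass both, which is why the phone call-back still applies.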

Finally, consider what's happening around the email. BEC often comes with account takeover clues, like missing messages, unexpected "read" status, or inbox rules you didn't create. If you have monitoring in place, alerts about unusual logins or suspicious device activity can help you catch this earlier (see 24x7 network monitoring solutions).

Two quick scenarios to make it real:

  • Vendor switch: "We changed banks. Use the attached form for all future payments." You pay, then the real vendor calls asking why they're past due.
  • Exec impersonation: "I'm tied up. Wire $18,740 to finalize the deposit." It's timed for a busy morning when you won't want to interrupt anyone.

If an email changes where money goes, don't verify it by email. Use a known, saved phone number and a second approver.

Printable-style checklist: BEC red flags to keep by your desk

Use this as a quick screen before you process payments, bank changes, or sensitive requests.

| BEC red flag | Quick check and safe response |
| --- | --- |
| Urgent deadline, pressure to act now | Pause, follow the verification script before doing anything |
| "Keep this confidential" or "don't tell anyone" | Treat as suspicious, loop in your manager and finance approver |
| Bank account change for a vendor | Verify using a known phone number from your vendor file |
| New payment method (wire instead of check, crypto, gift cards) | Stop and escalate, this is a classic fraud pattern |
| Reply-to address doesn't match sender | Don't reply, start a fresh email to a trusted address |
| Slight domain misspelling (extra letter, different TLD) | Compare against past invoices, don't use contact info in the email |
| Attachment asks you to "enable content" or "sign in to view" | Don't open, forward to IT for review |
| Payment instructions only in PDF | Cross-check against vendor master record, confirm by phone |
| Unusual tone for the sender (too formal, too brief) | Verify out of band, especially if money is involved |
| You're asked to bypass the normal approval flow | Stick to policy, require two-person approval |
| Login prompts after clicking a file link | Close it, report it, reset passwords if you entered credentials |
| You notice new inbox rules or auto-forwarding | Treat as possible account takeover, contact IT immediately |

The takeaway: treat process changes like a locked door. Anyone can knock. Only verified people get in.

A step-by-step verification script for payment or account-change requests

When you're busy, you need words you can reuse. This script keeps it simple and consistent, even when the request "sounds legit."

  1. Stop and label it
    • "This request changes payment details, so I need to verify it by phone."
  2. Use a known number, not the email
    • Pull the vendor or exec phone number from your internal directory, vendor master file, contract, or prior saved contact.
    • Don't use phone numbers listed in the suspicious email or attachment.
  3. Do the call-back
    • "Hi, I'm confirming a payment or bank detail change request we received by email. Did you send it?"
    • If they say "yes," continue: "Please read back the last four digits of the prior account we have on file (or confirm the last invoice number and amount)."
  4. Require two-person approval
    • One person verifies, a second person approves.
    • If you're the only person available, wait. Don't "self-approve" under pressure.
  5. Document the verification
    • Note who you spoke to, the number used, the time, and what they confirmed.
    • Save the record in your ticketing system or finance notes.
  6. Send a clean confirmation
    • Start a new email (don't reply) to the trusted address already on file.
    • "Per our phone call at [time], we will process payment using [method] to the verified account."

A helpful rule: any request that reroutes money should trigger the same routine, even if it's the CEO.

If you suspect BEC: first-hour incident action plan

Speed matters. In the first hour, your goal is to stop money movement, preserve evidence, and close the door the attacker used.

  1. Stop the payment
    • If it's a wire or ACH, contact your bank immediately and ask for a recall or hold.
    • If it's a check, place a stop payment.
  2. Notify internal stakeholders
    • Tell your finance lead, owner, and IT support right away.
    • Keep details factual: who requested, what amount, what account, what time.
  3. Preserve the email evidence
    • Don't delete the message.
    • Save the email and capture full headers if your IT team requests them.
  4. Secure the mailbox
    • Reset the account password and revoke sessions (IT can help).
    • Turn on MFA if it's not enabled.
  5. Check for mailbox rules and forwarding
    • Look for new auto-forwarding addresses, hidden inbox rules, or deleted-item movement rules.
    • Remove anything you didn't create, then document what you found.
  6. Scan the endpoint
    • Have IT check the computer used to open links or attachments.
    • If credentials were typed into a fake login page, treat it as compromised.
  7. Warn the vendor or impacted party
    • Call the vendor using a known number and let them know about the attempted fraud.
    • Ask them to watch for similar messages sent to others.

If you want a local team that can help tighten email controls and respond fast when something goes sideways, start with Managed IT services expertise.

Conclusion

Business email compromise works because it borrows trust and adds pressure. Once you know the signs, most BEC emails start to look less "urgent" and more "off." Keep the checklist close, use the verification script every time money or accounts change, and treat exceptions as a risk, not a favor. What's one payment step your office could standardize this week so nobody has to guess under stress?
