5 Signs Your Business Email Has Been Compromised
Business email compromise (BEC) is one of the most financially damaging cyber threats facing small businesses today. Unlike ransomware, it is often silent — attackers sit inside a compromised email account for weeks or months, reading conversations, learning how your business operates, and waiting for the right moment to redirect a payment or impersonate you.
The warning signs are not always obvious. Here are five things that should prompt an immediate investigation.
1. Emails you did not send are appearing in your Sent folder
This is the clearest indicator. If you see emails in your Sent folder that you do not recognise — particularly ones involving invoices, payment instructions, or requests to change bank details — your account has likely been accessed by someone else.
Some attackers are careful enough to delete sent emails immediately to avoid detection. If a contact tells you they received an email from you that you never sent, treat it as a confirmed compromise and act immediately.
2. Your contacts are receiving unexpected emails from you
If a colleague, client, or supplier contacts you to ask about an email you apparently sent — requesting a payment, asking them to click a link, or requesting sensitive information — your account is either compromised or being spoofed.
The difference matters. A spoofed email comes from an address that looks like yours but is not. A compromised account means the attacker is actually logged in and sending from your real inbox. Both are serious, but a compromised account requires an immediate password change and account review.
3. Your inbox rules have changed without your knowledge
This is one of the most common and least noticed signs of BEC. Attackers who gain access to an email account frequently create inbox rules to:
- Automatically forward all incoming email to an external address
- Delete specific emails (such as security alerts or password reset notifications) before you see them
- Mark emails as read so you do not notice new messages
Check your inbox rules now. If you see rules you did not create — particularly any that forward emails externally or delete messages automatically — your account has been accessed.
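One way to run this check across exported rules, as an added example that is not part of the original article: it flags the three rule behaviours listed above. It assumes rules in the Microsoft Graph messageRule JSON shape; the sample rules, addresses and the example.com domain are constructed.

```python
# Added example. Rules use the Microsoft Graph messageRule JSON shape; the
# sample rules, addresses and OWN_DOMAINS value below are constructed.
OWN_DOMAINS = {"example.com"}  # assumption: your organisation's mail domains
ALERT_WORDS = ("security", "password", "sign-in", "verification")

def onward_recipients(actions):
    """Addresses from every action that sends a copy of the mail onward."""
    return [r["emailAddress"]["address"].lower()
            for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
            for r in actions.get(key) or []]

def audit_rule(rule, own_domains=OWN_DOMAINS):
    """Return findings for one rule; an empty list means nothing was flagged."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    findings = []
    external = [a for a in onward_recipients(actions)
                if a.rsplit("@", 1)[-1] not in own_domains]
    if external:
        findings.append("forwards externally: " + ", ".join(external))
    if actions.get("delete") or actions.get("permanentDelete"):
        keys = ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains")
        words = [w.lower() for k in keys for w in conditions.get(k) or []]
        hits = [w for w in words if any(a in w for a in ALERT_WORDS)]
        findings.append("deletes security notifications: " + ", ".join(hits)
                        if hits else "deletes messages automatically")
    if actions.get("markAsRead"):
        findings.append("marks messages as read")
    return findings

def audit_mailbox(rules):
    """Map rule name to findings, keeping only rules that were flagged."""
    audited = ((r.get("displayName", "(unnamed)"), audit_rule(r)) for r in rules)
    return {name: found for name, found in audited if found}

SAMPLE_RULES = [  # constructed
    {"displayName": ".", "actions": {"markAsRead": True, "forwardTo": [
        {"emailAddress": {"address": "collector@external.invalid"}}]}},
    {"displayName": "Cleanup", "actions": {"delete": True},
     "conditions": {"subjectContains": ["Password reset", "Security alert"]}},
    {"displayName": "To assistant", "actions": {"forwardTo": [
        {"emailAddress": {"address": "pa@example.com"}}]}},
    {"displayName": "Newsletters", "actions": {"moveToFolder": "constructed-folder-id"}},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name!r}: {'; '.join(findings)}")
```

A rule that is flagged here is a prompt to look at it, not proof of compromise: forwarding to a personal address or a shared external mailbox that you set up yourself will also appear.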
4. You are being logged out unexpectedly or receiving login alerts
Most email platforms send notifications when your account is accessed from a new device or location. If you are receiving these alerts and the login was not you, an attacker has your credentials.
Similarly, if you find yourself unexpectedly logged out of your email, it may be because someone else has changed your password or triggered a session reset.
Enable login notifications on your email account if you have not already done so. For Microsoft 365 and Google Workspace accounts, review your sign-in activity log regularly — it shows every device and location that has accessed your account.
5. Contacts report receiving invoice or payment requests you did not send
Invoice fraud is the most financially damaging form of BEC. An attacker who has been monitoring your inbox knows which suppliers you pay, how much, and when. They intercept the conversation at the right moment and send updated bank details — either from your compromised account or by spoofing it.
If a supplier or client calls to confirm a payment request or unusual bank detail change, treat it as suspicious until verified by phone using a number you already have on record. Never verify a payment change by replying to the same email thread — the attacker controls it.
What to do if you suspect a compromise
- Change your password immediately — use a strong, unique password not used anywhere else
- Enable multi-factor authentication — this prevents an attacker from logging back in even if they have your password
- Check and delete any inbox rules you did not create
- Review your sign-in activity for unrecognised locations or devices
- Notify your IT provider or security contact — if sensitive client data or financial transactions were involved, you may have a legal obligation to report it
- Warn your contacts — let clients and suppliers know your account may have been compromised so they can verify any recent payment requests
How Cairn Intelligence can help
Cairn Intelligence provides threat intelligence and exposure assessments to businesses that want to understand their risk before an incident occurs. If you are concerned about your current exposure — including whether your business email domains are being spoofed or your credentials have appeared in known data breaches — get in touch.
A free pilot engagement is available with no commitment. Contact us at cairnintelligence.com or email sam@cairnintelligence.com.
Cairn Intelligence — cairnintelligence.com — Published threat intelligence research at reports.cairnintelligence.com