Cybersecurity: Navigating Business Email Compromise - acainternational.org
02/20/2026 1:00 P.M.
Business Email Compromise (BEC) remains a top risk in the cybercrime landscape.
According to recent federal statistics, the FBI’s Internet Crime Complaint Center (IC3) recorded over 21,000 incidents in 2024 alone. These attacks resulted in $2.77 billion in annual losses, contributing to a staggering $55 billion decade-long drain on the global economy.
Based on the latest 2025 year-end data and 2026 projections from the FBI and industry analysts, annual incidents are expected to increase to approximately 28,000 in 2026 — a significant rise compared with 2024.
The New York Department of Financial Services (NYDFS) included an overview of BEC risks in its recent cybersecurity alerts, which also included an urgent phishing alert for regulated entities and a warning about voice phishing attacks targeting IT help desks.
How the Breach Happens
A BEC attack occurs when a threat actor infiltrates a corporate email account to monitor communications and impersonate the owner. By leveraging sophisticated social engineering — and increasingly, AI-driven deepfakes — attackers deceive employees into authorizing fraudulent payments or leaking sensitive data.
Notably, traditional security measures no longer offer reliable protection against these cybercrimes on their own. Many breaches now bypass multi-factor authentication (MFA) by using stolen session tokens or exploiting weak authentication protocols.
Hardening Your Perimeter
While the threat is evolving, the risk can be significantly mitigated through a dual-track strategy of technical controls and a culture of skepticism:
Technical Fortification: Implement advanced email filtering and real-time monitoring for anomalous login activity. Automated external sender banners remain a simple yet effective first line of defense.
The Human Firewall: Regular, high-fidelity phishing simulations are essential. Staff must be trained to recognize the urgent tone of an executive or vendor impersonator and to scrutinize links that request credential entry.
Verification Protocols: Establish a mandatory “Out-of-Band” verification policy. Any request to change payment instructions or initiate a high-value wire must be confirmed via a trusted, pre-existing phone number — never by replying to the email in question.
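The "real-time monitoring for anomalous login activity" recommended above, and the stolen-session-token bypass described earlier, can be illustrated with a small detection routine. This is an added example and not code from ACA or the article; the event fields (timestamp, user, session id, IP, country, MFA flag) are assumed and the sign-in records are constructed sample data.

```python
from datetime import datetime

# Constructed sample sign-in events (not real data): one legitimate MFA
# sign-in, then the same session token reused from another country
# without a fresh MFA challenge, which is how stolen tokens bypass MFA.
EVENTS = [
    {"ts": "2026-02-20T09:00:00", "user": "ap-clerk", "session": "s-1001",
     "ip": "203.0.113.10", "country": "US", "mfa": True},
    {"ts": "2026-02-20T09:02:00", "user": "ap-clerk", "session": "s-1001",
     "ip": "203.0.113.10", "country": "US", "mfa": False},
    {"ts": "2026-02-20T09:41:00", "user": "ap-clerk", "session": "s-1001",
     "ip": "198.51.100.77", "country": "NG", "mfa": False},
    {"ts": "2026-02-20T10:15:00", "user": "cfo", "session": "s-2002",
     "ip": "192.0.2.5", "country": "US", "mfa": True},
]


def find_anomalies(events, window_minutes=60):
    """Return findings for two BEC precursors:
    - a session token that suddenly appears from a different IP address
    - a user whose sign-in country changes within a short window with no
      new MFA challenge (a likely replayed token rather than real travel)."""
    findings = []
    last_by_session = {}
    last_by_user = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        # Same session id, new source IP: the token itself has moved.
        prev_s = last_by_session.get(e["session"])
        if prev_s and prev_s["ip"] != e["ip"]:
            findings.append(("session_reuse_new_ip", e["user"],
                             e["session"], e["ip"]))
        # Country change inside the window without MFA being re-satisfied.
        prev_u = last_by_user.get(e["user"])
        if prev_u:
            gap = (ts - datetime.fromisoformat(prev_u["ts"])).total_seconds() / 60
            if (prev_u["country"] != e["country"]
                    and gap <= window_minutes and not e["mfa"]):
                findings.append(("country_change_without_mfa", e["user"],
                                 prev_u["country"], e["country"]))
        last_by_session[e["session"]] = e
        last_by_user[e["user"]] = e
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(finding)
```

In production the same logic would run against the identity provider's sign-in log and feed an alert that forces re-authentication or revokes the session.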
ACA Cybersecurity & Risk Forum
To stay ahead of evolving cybersecurity threats, attend ACA International’s Cybersecurity & Risk Forum, held virtually March 3–5.
Whether you’re responsible for safeguarding systems or leading organizational strategy, the virtual forum is designed to help organizations protect sensitive data, reduce risk, and respond effectively to incidents.
In the weeks leading up to the Cybersecurity & Risk Forum, ACA will spotlight individual sessions from education tracks, offering a closer look at the topics, speakers, and takeaways attendees can expect.
Register for the Cybersecurity & Risk Forum.
Learn more on cybersecurity protections in these resources from ACA:
ACA Daily article: NY DFS Issues Urgent Phishing Alert for Regulated Entities
ACA Daily article: New BBB Insights on Debt Scams and Business Security
ACA Daily article: NYDFS Alert: ‘Vishing’ Attacks Targeting IT Help Desks on the Rise
ACA Huddle recording: Prevent the Breach: How to Avoid Data Privacy and Cyber Claims
Remember, subscribe to ACA Daily and Member Alerts under your My ACA Assistant profile when logged in to acainternational.org.