Human-centric failures: Why BEC continues to work despite MFA
Summary
Business email compromise (BEC, a scam where attackers trick employees into sending money by impersonating trusted contacts) continues to succeed even when organizations use MFA (multi-factor authentication, a security method requiring multiple forms of ID to access accounts) because attackers exploit human behavior and business processes rather than stealing credentials. Real attacks like the Toyota case (where an employee transferred $30 million based on a fake urgent email) and the Arup case (where deepfake technology impersonated a manager) show that the weakest point is often the human decision-maker approving payments, not the technical security controls.
Solution / Mitigation
The source explicitly recommends: (1) redesigning approval workflows so high-value transactions require multi-step verification including out-of-band calls (verification methods using a separate communication channel, like a phone call to confirm an email request); (2) simulating BEC scenarios in realistic exercises to identify gaps in response and decision-making; (3) embedding security awareness into daily routines using micro-learning and real incident reviews; (4) empowering teams to challenge unusual requests without fear of reprisal; (5) sharing instances of successful attacks with employees who distribute invoices and oversee financial decisions; and (6) explicitly defining what constitutes high-risk requests, such as first-time payments, changes to vendor banking details, sudden payment requests from executives, or requests that bypass standard procedures.
Classification
Original source: https://www.csoonline.com/article/4165638/human-centric-failures-why-bec-continues-to-work-despite-mfa.html
First tracked: May 1, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%