Why Your SIEM Will Not Stop a BEC Attack
- 8 hours ago
- 5 min read
Business email compromise cost organizations 2.77 billion dollars in 2024 across 21,442 reported cases, second only to investment fraud and nearly 8.5 billion dollars over the last three years, according to the FBI's Internet Crime Complaint Center. Sixty three percent of organizations were targeted last year, per the AFP's 2025 Payments Fraud and Control Survey. Most of that loss never tripped a single SIEM alert.
That is the executive challenge boards keep getting wrong. Many still equate detection maturity with SIEM coverage, on the assumption that if logs are collected and correlated, fraud will surface before money moves. BEC does not work that way. It carries no malware, no exploit, and no payload, so there is nothing for a correlation rule to fire on. The weapon is a believable message, not code.
The strategic implication is straightforward. A BEC attack is a business email compromise problem before it is a security operations problem, and it needs to be governed as an identity and process failure, not patched as a tooling gap. That reframing is where this article starts.

Why This Threat Now Sits at the Board Level
The dollar figures alone justify board attention, but the shift behind them matters more. The World Economic Forum's Global Cybersecurity Outlook 2026 found that chief executives now rate cyber enabled fraud as their top concern, a marked shift away from ransomware as the default boardroom worry. Gartner's 2026 cybersecurity trends research explains why: human and machine identities have become the primary attack surface, which is exactly the layer a SIEM was never built to interpret.
Generative AI has made the problem faster to execute. IBM's 2025 Cost of a Data Breach Report found that phishing remains the leading initial attack vector at an average cost of 4.8 million dollars, and that generative tools have cut the time to write a convincing phishing email from as long as sixteen hours to about five minutes. These breaches take roughly 254 days on average to detect and contain, which is more than enough time for a wire to clear and disappear.
Why a SIEM Alone Cannot Stop a BEC Attack
A SIEM is a strong tool for what it was built to do: collect logs, correlate events, and surface anomalies. BEC is built to live in the blind spots between those events, and four specific gaps explain why.
There is no malware to catch
Most BEC carries no attachment, no exploit, and no payload. There is nothing for a rule to fire on, because the weapon is a believable message, not code.
The account looks trusted
Attackers use look alike domains or a mailbox they have quietly taken over. In the logs it reads as a valid user doing valid things, which is precisely the coverage gap Gartner's identity and access management predictions describe: fragmented identity environments across cloud, on premises, and SaaS create the blind spots attackers exploit at scale.
The alert arrives too late
A SIEM is reactive. By the time an event is ingested, correlated, and triaged, the wire has often already left, because BEC plays out in minutes, not the hours a security operations workflow assumes.
It sees telemetry, not intent
A SIEM does not read the message or understand that a request to change banking details is fraud. Impersonation lives above the log layer entirely, in judgment and process, not in events a machine can score.
The Governance Model That Actually Stops a BEC Attack
Every board conversation about business email compromise should answer four questions. What is the board's role? It sets the expectation that fraud defense is a governed program with a named owner, not a tool purchase reviewed once a year. What risks exist? Identity based impersonation, vendor and payment fraud, and the reputational and regulatory exposure that follows a wire that cannot be recovered. What metrics matter? Time to verify a banking change out of band, the percentage of privileged accounts on phishing resistant authentication consistent with NIST's highest assurance level, and mean time to contain a compromised mailbox. What oversight is required? Standing review, not annual review, since vendors, payment relationships, and staff access change constantly.
Answering those questions points toward a layered program, because BEC defeats single tools and no one control closes every door. Email and impersonation defense, through DMARC enforcement and behavioral inbound analysis, flags the pretext before it reaches an inbox. Identity protection, anchored in phishing resistant multi factor authentication, continuous monitoring for malicious inbox rules and impossible travel, and modern cloud services configured with least privilege, closes the account takeover path. A live, 24/7 managed detection and response capability correlates email, identity, and endpoint activity and contains a compromised account in minutes rather than alerting after the money has moved. Security awareness training teaches people to recognize the urgency cue and the spoofed sender, so the last line of defense holds when a message slips through every technical control. Financial verification controls, confirming every banking or payment change out of band on a known number, remain the single most effective check against a fraudulent wire.
A vCISO is what ties these layers into one accountable program rather than five disconnected vendors, and governance and process discipline is what keeps the program current as the business changes. This also touches the parts of the cybersecurity framework boards tend to skip: resilience and recovery depend on the same tested incident plan a BEC scenario requires, and cyber insurance underwriters are increasingly conditioning wire fraud coverage on documented out of band verification and phishing resistant authentication, which makes this a compliance and insurance question as much as a technical one.
What Executives Should Do Differently
The first move is to stop asking whether the SIEM is working and start asking whether anyone owns fraud prevention end to end. That question produces better answers than a tooling audit.
Confirm every banking or payment change requires out of band verification on a known number, with no exceptions for urgency.
Move privileged and finance related accounts to phishing resistant authentication rather than SMS or app based codes.
Ask whether email, identity, and endpoint telemetry are actually correlated by a live team, not just collected.
Run a tabletop exercise built around a BEC scenario rather than a malware scenario, since the two require different responses.
Name a single owner, ideally through IT consulting or a trust and security partner, who is accountable for the entire program rather than any single tool.
Final Thoughts
A SIEM will keep doing exactly what it was designed to do, and that is not a criticism of the tool. It is a reminder that a BEC attack is engineered to succeed precisely where log correlation stops and human trust begins. Boards that keep funding detection tooling without funding the identity, process, and verification layers around it will keep discovering that lesson the expensive way.
The organizations getting this right treat business email compromise as a governed, layered program with integrated risk management, a digital engineering strategy that keeps the program current, and a service level agreement behind every layer, not a checkbox on a security tool inventory. I write more about board level cybersecurity governance on JamesFKenefick.com, and the discipline that stops a BEC attack is the same discipline that protects any high trust, high value environment: verify out of band, govern identity first, and hold one person accountable for the whole program.




Comments