Business Email Compromise Isn’t Always About Ransom — There Are Other Ways to Get Money

When most businesses think about cybercrime, they think about ransomware.

Locked files.
Shut down systems.
A ransom note demanding cryptocurrency.

But not every attack ends with encryption. And increasingly, that’s intentional. Some attackers don’t need to lock your files to get paid; they just need access to your email.

The Incident That Didn’t Look Like Ransomware

We recently heard of a local business that experienced a sophisticated email compromise.

They had multi-factor authentication (MFA) enabled.
They had security tools in place.
They were doing what most businesses are told to do.

But an employee fell victim to a highly convincing phishing attack. This wasn’t a basic “enter your password” scam. It was a modern man-in-the-middle attack designed to capture more than credentials.

The attacker likely stole a session token.

A session token is what keeps you logged into Microsoft 365 or other cloud services after you complete MFA. If an attacker captures that token in real time, they don’t need your password — and they don’t need your MFA code again. They’re not breaking in; they’re inheriting an already authenticated session.

And once inside, they didn’t deploy ransomware.
They watched.

Quiet Access. No Alarms.

Instead of making noise, the attacker created a mailbox forwarding rule. Copies of emails were silently sent to an external address.

From the employee’s perspective, everything worked normally.

No password change prompts.
No locked accounts.
No antivirus alerts.
Just business as usual.

Behind the scenes, the attacker monitored financial conversations. They learned payment cycles. They observed vendor relationships. They studied internal communication styles. They were patient.

The Real Objective: Money Without Encryption

When the right moment came, the attacker inserted themselves into a legitimate payment conversation. Because they were inside a real mailbox, the emails looked authentic.

No spoofed domains.
No obvious red flags.
No broken formatting.

Just updated wiring instructions.

The employee, thinking they were talking to a co-worker, sent the wire transfer that was requested. But the real co-worker didn’t know anything about the transfer. It was only after the money left the account that leadership realized what had happened.

Silver lining? No ransomware was ever deployed. But that was never the goal.

Why BEC Is Becoming More Common

Ransomware is loud. It forces immediate response. Business Email Compromise (BEC) is quiet — and often just as financially damaging. From an attacker’s perspective, BEC has advantages:

  • No system-wide disruption
  • No instant forensic investigation
  • No dramatic ransom demand
  • Faster monetization

If they can move money without detonating encryption, they reduce risk while maximizing payout.

The end goal isn’t always ransom; it’s revenue.

“But We Have MFA…”

So did they.

Multi-factor authentication remains critical and dramatically reduces risk. But it is not invincible. Modern phishing kits (often crafted with the use of AI) are specifically designed to:

  • Capture session tokens
  • Proxy login sessions in real time
  • Trick users into approving authentication prompts
  • Maintain access even after password changes

Security today isn’t just about blocking login attempts. It’s about monitoring what happens after login. If no one is watching for abnormal behavior, a compromised session can look completely legitimate.

The Early Warning Signs Most Businesses Miss

In incidents like this, there are usually subtle indicators:

  • New or modified mailbox forwarding rules
  • Sign-ins from unusual geographic locations
  • Impossible travel activity
  • Changes to authentication sessions
  • Abnormal email behavior

These are not things most organizations review daily, but your IT partner should.
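As an added example (not code from the original post or from TotalCare IT), here is a small Python script that flags two of the warning signs listed above over constructed, Microsoft 365-style audit and sign-in records: inbox rules that forward or redirect mail outside the tenant, and consecutive sign-ins whose implied travel speed is impossible. The record field names, the tenant domain and the 900 km/h threshold are assumptions.

```python
import math
from datetime import datetime, timedelta
INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domains; anything else is "external"
MAX_SPEED_KMH = 900                  # faster than an airliner means the travel is impossible

def external_forwarding(record):
    """Return the external address an inbox-rule audit event forwards to, else None."""
    if record["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = {p["Name"]: p["Value"] for p in record["Parameters"]}
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(key)
        if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            return target
    return None

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def impossible_travel(signins):
    """Yield (user, from_city, to_city) when consecutive sign-ins imply > MAX_SPEED_KMH."""
    last = {}
    for s in sorted(signins, key=lambda rec: rec["time"]):
        prev = last.get(s["user"])
        if prev:
            hours = (s["time"] - prev["time"]).total_seconds() / 3600
            if hours > 0 and haversine_km(prev["geo"], s["geo"]) / hours > MAX_SPEED_KMH:
                yield (s["user"], prev["city"], s["city"])
        last[s["user"]] = s

# Constructed sample records (not real telemetry); field names are assumptions.
AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "archive@outside-mail.test"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "ap@example.com"}]},  # internal: benign
]
T0 = datetime(2024, 5, 6, 8, 0)
SIGNINS = [
    {"user": "ap@example.com", "time": T0, "city": "Boise", "geo": (43.62, -116.21)},
    {"user": "ap@example.com", "time": T0 + timedelta(hours=1), "city": "Lagos", "geo": (6.52, 3.38)},
]

def findings():
    # Returns (external forwarding rules, impossible-travel pairs) found in the samples.
    rules = [(r["UserId"], t) for r in AUDIT if (t := external_forwarding(r))]
    return rules, list(impossible_travel(SIGNINS))
```

In a real tenant the same checks would run over exported audit and sign-in logs on a schedule, with each hit routed to a person who verifies the rule or sign-in with the user.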

How We Approach This at TotalCare IT

We don’t just focus on malware. We focus on compromise detection. Our updated approach to these new threats includes:

  • Monitoring for suspicious mailbox rule creation
  • Reviewing abnormal login patterns and token behavior
  • Enforcing conditional access policies
  • Blocking risky sign-ins
  • Investigating impossible travel activity
  • Protecting financial workflows through layered controls
  • Responding immediately to anomalies

Because preventing Business Email Compromise isn’t about stopping spam; it’s about identifying when trust has been hijacked.

Not every cyberattack ends with a ransom note. Some end with a bank confirmation.

Business Email Compromise is effective because it doesn’t rely on dramatic disruption. It relies on patience, access, and timing. And sometimes, the most dangerous breach is the one that looks like a normal workday. The goal isn’t always encryption. Sometimes, it’s simply getting paid.
