Always Verify: Lessons from a Real Email Compromise

Business Email Compromise (BEC) is one of the fastest-growing threats, exploiting misplaced trust. Here’s what happened when two real inboxes were breached—and the critical lesson for every business: Always Verify.

Last week, I helped a client recover from a Business Email Compromise (BEC). Just days later, I received a notice from another company warning me that their email system had also been breached.

Two separate events. One clear lesson: Always Verify.

The Incident

  • An attacker gained access to a legitimate mailbox.
  • Fraudulent emails were sent out that looked normal, using the company’s real domain and signature.
  • What was the trick? The emails claimed to contain an encrypted message—and required recipients to “log in” to view it.

That login page was the trap. Anyone who entered credentials unknowingly handed their username and password to the attacker.

Ironically, I received a similar warning notice from another business. Their inbox had been hijacked to send out fake project solicitations and document links, and they were notifying the recipients to warn them.

This wasn’t spoofing—it was the real account, weaponized.

Why This Works (And Why It’s Dangerous)

BEC attacks succeed because:

  • Messages come from real company email addresses.
  • They reference familiar workflows—encrypted messages, invoices, bids.
  • They exploit trust and urgency, nudging users to log in quickly without thinking.

Even tech-savvy professionals can get caught. That’s why trust, by itself, is no longer enough.

How to Respond and Prevent BEC

The answer is Always Verify:

✅ Verify unexpected requests. If an email asks you to log in, click a link, or change payment details—pause and confirm through another channel (phone, Teams, text).

✅ Enable MFA everywhere. Multi-Factor Authentication makes stolen passwords far less useful.

✅ Monitor login activity. Conditional access, sign-in alerts, and geolocation rules can flag anomalies.

✅ Educate your team. Teach employees that “encrypted” or “secure” message prompts should always be verified with the sender via direct communication.

✅ Respond fast. If compromise occurs: reset passwords, revoke sessions, and notify contacts immediately.
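The “Monitor login activity” item above is the one that catches a hijacked mailbox before the attacker’s phishing wave goes out, so here is a small worked example of the three checks it refers to: a sign-in from a country the user has never used, “impossible travel” between two successful sign-ins, and a burst of failures followed by a success. This is an added example, not code from the original post or from Marcoby. The sign-in records and the field layout are constructed for illustration (they are not a specific product’s log schema), and the thresholds (900 km/h, five failures within ten minutes) are assumptions that a real deployment would tune.

```python
"""Added example: simple sign-in anomaly checks over constructed log records.
Field layout and thresholds are assumptions for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records: (user, ISO timestamp, country, lat, lon, result).
SAMPLE_SIGNINS = [
    ("alice@example.com", "2024-05-01T08:02:00", "US", 40.71, -74.01, "success"),
    ("alice@example.com", "2024-05-01T09:15:00", "US", 40.71, -74.01, "success"),
    # 25 minutes later, from a country alice has never signed in from.
    ("alice@example.com", "2024-05-01T09:40:00", "NG", 6.52, 3.38, "success"),
    ("bob@example.com", "2024-05-01T10:00:00", "US", 34.05, -118.24, "failure"),
    ("bob@example.com", "2024-05-01T10:01:00", "US", 34.05, -118.24, "failure"),
    ("bob@example.com", "2024-05-01T10:02:00", "US", 34.05, -118.24, "failure"),
    ("bob@example.com", "2024-05-01T10:03:00", "US", 34.05, -118.24, "failure"),
    ("bob@example.com", "2024-05-01T10:04:00", "US", 34.05, -118.24, "failure"),
    # Five failures and then a success: a password guess that finally landed.
    ("bob@example.com", "2024-05-01T10:05:00", "US", 34.05, -118.24, "success"),
    ("carol@example.com", "2024-05-01T11:00:00", "US", 41.88, -87.63, "success"),
]

# Constructed baseline: countries each user has signed in from historically.
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def detect_anomalies(records, known_countries, max_speed_kmh=900,
                     fail_threshold=5, fail_window_min=10):
    """Return (user, timestamp, kind, detail) tuples for suspicious sign-ins."""
    alerts = []
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec[0]].append(rec)

    for user, events in by_user.items():
        events.sort(key=lambda e: e[1])
        last_success = None      # (time, lat, lon) of the previous success
        recent_failures = []     # failure times since the last success
        for _, ts, country, lat, lon, result in events:
            t = datetime.fromisoformat(ts)
            if result == "failure":
                recent_failures.append(t)
                continue

            # Check 1: country never seen for this user before.
            if country not in known_countries.get(user, set()):
                alerts.append((user, ts, "new_country", country))

            # Check 2: implied travel speed since the last success.
            if last_success is not None:
                prev_t, prev_lat, prev_lon = last_success
                dist = haversine_km(prev_lat, prev_lon, lat, lon)
                hours = (t - prev_t).total_seconds() / 3600
                if hours > 0 and dist / hours > max_speed_kmh:
                    alerts.append((user, ts, "impossible_travel",
                                   f"{dist:.0f} km in {hours:.2f} h"))

            # Check 3: many failures shortly before this success.
            window_start = t - timedelta(minutes=fail_window_min)
            fails = [f for f in recent_failures if f >= window_start]
            if len(fails) >= fail_threshold:
                alerts.append((user, ts, "failures_then_success", str(len(fails))))

            recent_failures = []
            last_success = (t, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_SIGNINS, KNOWN_COUNTRIES):
        print(alert)
```

Run against the constructed records, the script flags alice twice (a new country and a 25-minute hop of roughly 8,500 km) and bob once (five failures then a success), while carol produces nothing. Each alert is the kind of signal that should trigger the “Respond fast” step above: reset the password, revoke active sessions, and check the mailbox for forwarding rules or sent phishing before contacts are hit.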

Beyond Technology—A Business Mindset

The principle of Always Verify doesn’t stop at IT security:

  • Verify your data before making decisions.
  • Verify your partners before scaling commitments.
  • Verify your processes before automating them.

This mindset builds resilience across the entire business.

Closing Thoughts

BEC is one of the fastest-growing cyber threats. It doesn’t just exploit weak passwords—it exploits trust in normal business routines like logging in to check a “secure message.”

That’s why businesses must evolve from “trust by default” to “verification by design.”

👉 At Marcoby, we help companies adopt Zero Trust security frameworks that keep operations productive, secure, and scalable.

Get a free strategy to learn how Marcoby can help you protect your business →