Human-centric failures: Why BEC continues to work despite MFA

Summary

Business Email Compromise (BEC) attacks continue to be effective despite the widespread implementation of Multi-Factor Authentication (MFA). Attackers exploit human behavior, process gaps, and operational vulnerabilities rather than solely relying on technical account compromises. Real-world examples, such as the Toyota Boshoku and Arup incidents, highlight that these attacks often succeed through social engineering and procedural shortcuts, bypassing authentication layers.

IFF Assessment

FOE

The article describes how sophisticated social engineering and human-factor exploits bypass technical controls like MFA, leading to successful BEC attacks and financial losses, which is bad news for defenders.

Defender Context

This article underscores the persistent threat of BEC attacks, emphasizing that technical controls alone are insufficient. Defenders must focus on strengthening process controls, implementing robust verification routines, and providing continuous human-centric awareness training to address the vulnerabilities exploited by attackers. Organizations should re-evaluate their security investments to ensure they cover not just technical safeguards but also the human element and established business workflows.