Lesson 1
How Business Email Compromise Actually Lands
Lesson Framing
The attacker path from password theft to invoice fraud is usually boring, fast, and operationally plausible.
Reading flow
Visual aids
Lesson Flight Path
Work this lesson as stages instead of one continuous document.
3 stages
1
Orient
Frame the lesson, key idea, and scenario before you start detail work.
2
Absorb
Work through the reading deck and supporting visual aids as separate idea blocks.
3
Prove
Mark the lesson complete once the material and checklist are genuinely worked.
Navigate This Lesson
Jump between the live blocks instead of working top to bottom as one page.
1 of 3 visible
Core Reading Deck
Move card by card instead of parsing one long slab. Each panel is a distinct idea in the lesson narrative.
6 reading cards
Reading flow
1
Business email compromise usually starts with access, not malware.
2
An attacker gets into a mailbox through credential reuse, phishing, or weak MFA.
3
Then they wait for timing.
4
They may:
- alter a live payment thread
- register a lookalike domain
- impersonate a...
5
The fraud works when the email looks routine enough that process gets skipped.
6
Treat the mailbox as an operational control plane, not just a communications tool.
How to use this section
Read one card at a time and stop after each shift in idea.
Use the scenario and decision cards after the reading, not before.
Treat the checklist as the operational extraction from the deck.
Card 1
Business email compromise usually starts with access, not malware.
Card 2
An attacker gets into a mailbox through credential reuse, phishing, or weak MFA. They read quietly. They learn how your team writes, who approves invoices, which suppliers are real, and when money tends to move.
Card 3
Then they wait for timing.
Card 4
They may:
- alter a live payment thread
- register a lookalike domain
- impersonate a senior approver from a compromised mailbox
- create urgency near month end or while someone is travelling
Card 5
The fraud works when the email looks routine enough that process gets skipped.
Card 6
Treat the mailbox as an operational control plane, not just a communications tool.
Field Notes
These are meant to punctuate the lesson, not disappear into it.
Attack path
Mailbox access is enough
The attacker often needs no malware at all once they can read history, timing, and approval patterns.
Mistake
Treating email as only communications
Operational approvals, invoice routing, and payment decisions make the inbox part of your control plane.