A Strategic Response to Business Email Compromise: Key Insights for School District Leaders

New email notification

It’s not getting any easier. In fact, “for K-12 schools, cyber incidents are so prevalent that, on average, there is more than one incident per school day.”[1]

While high-profile cyber threats like ransomware and data breaches often capture public attention, Business Email Compromise (BEC) quietly remains one of the most prevalent and financially damaging threats. This form of cybercrime, often overshadowed by its more dramatic counterparts, was the subject of the Auditor of State’s (AOS) most recent bulletin

Before getting to the specifics of the Auditor’s expectations, however, let’s review the basics.

What is Business Email Compromise?

BEC is a sophisticated type of phishing attack that commonly, though not exclusively, targets individuals who manage financial transactions and sensitive information within organizations. By impersonating senior officials or trusted vendors, cybercriminals manipulate employees into authorizing money transfers, providing system access, or releasing confidential data. The efficacy of BEC lies in its deception: the emails are crafted to look legitimate, often using information gleaned from detailed reconnaissance.  The rise of artificially engineered videos, photographs, and voice signatures will only further the potential for deception. 

The Mechanics of BEC Attacks

Understanding how BEC operates is crucial for prevention. Early iterations of BEC involved simple email spoofing—impersonating a high-ranking official or executive to request urgent wire transfers to fraudulent accounts. However, as awareness has grown, BEC tactics have evolved. Today's attacks might involve compromising actual email accounts, fabricating vendor invoices, or mimicking legal requests.

These scams exploit the routine use of email in business processes and the inherent trust employees place in their superiors and colleagues. By inserting themselves into legitimate email threads, attackers create scenarios where urgent financial actions seem entirely reasonable, thus bypassing the usual scrutiny.

Insights from the Auditor's Bulletin on BEC

The Ohio Auditor of State's (AOS) recent bulletin emphasizes the rising concern over BEC schemes.  In an effort to combat the losses that often follow, the Auditor offers “clear standards and expectations for Ohio governments and public employees.”  The failure to follow such guidance “may result in an AOS finding when a loss occurs, and the employee is considered liable as a result of negligence or performing duties without reasonable care.”

The bulletin highlights several real-life scenarios where entities were duped into sending large sums of money to fraudulent accounts, all because of emails that looked deceptively legitimate.  In one instance, a school district failed to independently verify the payment instructions that were received and in another, “vendor verification protocols” were not followed.

The AOS goes on to suggest ways to identify and re-direct BEC schemes, including paying close attention to the name of the employee or vendor, being cautious of unexpected emails or invoices, and being particularly mindful of emails that create a sense of urgency. 

Proactive Measures to Combat BEC

Given the sophistication and potential impact of BEC attacks, school districts must adopt a multi-faceted approach. The AOS suggests a handful of ways to prevent BEC that we’ve distilled here:

  • Education and Awareness Training: Regularly train staff on the hallmarks of BEC—such as sudden requests for fund transfers or sensitive information—and empower employees to act with caution.
  • Robust Verification Processes: Implement strict protocols for verifying the authenticity of requests involving financial transactions or data access. This might include multi-person approval processes or requiring in-person or telephone confirmations (using a trusted, known number) for changes in vendor payment details or substantial financial requests.
  • Enhanced Security Measures: Utilize advanced email security solutions that include two-factor authentication, secure email gateways, and anti-phishing protections. These technologies help to identify and block malicious emails before they reach end users. Consider taking advantage of your financial institution’s positive pay services, as well. 
  • Incident Response Plan: Develop and maintain an effective incident response plan that outlines specific actions to be taken in the event of a BEC or other cybersecurity incident. This plan should include immediate measures to contain and mitigate damage, as well as strategies for recovery and communication with stakeholders.


Business Email Compromise represents a significant and sophisticated threat to the financial stability and operational integrity of school districts. The expectation from the Auditor of State is that Districts and District personnel have a multifaceted framework in place to reduce the risk of financial loss and to address it if, or when, it happens.  More to the point, the Auditor is putting governments and employees on notice – act with care when evaluating requests for payment re-directs.    

[1] https://www.cisa.gov/K12Cybersecurity

Related Attorneys

Media Contact

Subscribe to Receive Updates
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.