Auditing Your BEC Playbook for Physical Extortion: A Practical Guide

pr0h0
Tags: ransomware, bec, incident-response, extortion
AI Usage (88%)

Why physical threats change the BEC response model

Most BEC playbooks reduce to three steps: isolate the mailbox, stop the payment, notify finance. That stops being enough once the attacker starts naming people, offices, or travel plans.

The practical shift is that the incident is no longer just fraud. It becomes a safety issue, a legal issue, and a continuity issue at the same time. If your response plan treats every hostile email as an IT problem, people will improvise the moment the message crosses that line.

What “physical extortion” means in practice

In this context, physical extortion means an attacker uses stolen email access or BEC-style leverage to pressure the organization with threats of violence, stalking, or in-person harm. The aim is still money or access, but the pressure point changes.

The escalation path from email compromise to coercion

I usually see the same chain:

  1. A mailbox is compromised through phishing, token theft, or password reuse.
  2. The attacker learns internal roles, payment flows, travel, and personal details.
  3. They send a convincing invoice fraud, payroll diversion, or executive impersonation.
  4. If the account is shut down or the demand is ignored, they escalate the tone.
  5. They start threatening a person, a site, or a family member to force action.

That escalation matters because the response can no longer be limited to message preservation and account recovery.

Why money and access are no longer the only pressure points

BEC already works because people want to avoid embarrassment and financial loss. Physical threats add fear. That can push staff to bypass controls, ignore policy, or pay quickly just to make the message stop.

⚠️ If someone claims immediate danger, do not argue through email. Move to safety and involve the right people first.

Build a response playbook that assumes offline risk

Triage the threat as a safety issue, not just an IT incident

Your first triage question is not “Which account was hit?” It is “Is anyone at risk right now?”

A good first-hour workflow separates:

  • personal safety concerns
  • mailbox containment
  • payment control
  • external notification

That order keeps a well-meaning analyst from focusing on the inbox while the affected employee is still exposed.

Separate email compromise containment from employee protection steps

Containment still matters:

  • revoke active sessions
  • reset credentials
  • disable suspicious forwarding rules
  • preserve headers and message bodies
  • snapshot audit logs

But if threats mention a person, a home address, or a physical office, another track must open immediately:

  • alert executive security or facilities
  • check whether the named person is on-site or traveling
  • switch to phone or secure chat for internal coordination
  • tell employees not to reply directly to the attacker

Decide who can authorize payment, shutdowns, and communications

A BEC event gets messy when everyone can approve something under pressure. Define the decision owners before an incident:

  • who can approve emergency payments
  • who can authorize mailbox shutdowns
  • who can pause outbound email
  • who speaks to staff, customers, and law enforcement

If the plan does not name these roles, the attacker will find the weakest approval path in the org chart.

Technical controls that still matter during an extortion event

Mailbox access review, forwarding-rule checks, and token revocation

The boring controls still do the work. Review:

  • recent sign-ins and impossible travel
  • OAuth grants and delegated access
  • inbox rules and auto-forwarding
  • recovery email and MFA changes
  • active refresh tokens and app sessions

In Microsoft 365 or Google Workspace, much of the persistence after a compromise is not the password. It is the refresh token, the inbox rule, or the trusted OAuth app that keeps reading and sending messages after the password has been reset.

incident-checklist.js
// Containment items to verify for a compromised mailbox, in review order
const checks = [
  "recent sign-ins",
  "mailbox forwarding rules",
  "OAuth app grants",
  "active sessions",
  "MFA changes",
  "message trace and audit logs"
];

for (const check of checks) {
  console.log(`verify: ${check}`);
}
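
The checklist above says what to look at; the following is an added example (not code from the original post) of what a persistence review actually flags. It walks constructed mailbox audit events for one account and reports the items a password reset alone would not have removed: an external forwarding rule, an OAuth consent, an MFA method change, and a refresh token still working after the reset. The event shape, the tenant domain example.com and all sample values are assumptions, not any vendor's log schema.

```javascript
// Added example (not from the original post): flag persistence that survives a
// password reset in mailbox audit events. The event shape, the tenant domain
// and the sample events are constructed for this example, not a vendor schema.
const TENANT_DOMAIN = "example.com";

// Constructed events for one compromised mailbox, in time order.
const sampleEvents = [
  { ts: "2024-05-02T08:10:00Z", type: "signin",         user: "cfo@example.com", ip: "203.0.113.7" },
  { ts: "2024-05-02T08:15:00Z", type: "inbox_rule",     user: "cfo@example.com", action: "forward",
    target: "cfo.archive@mail-drop.example" },
  { ts: "2024-05-02T08:20:00Z", type: "oauth_consent",  user: "cfo@example.com", app: "Mail Sync Helper" },
  { ts: "2024-05-02T08:25:00Z", type: "mfa_change",     user: "cfo@example.com", detail: "phone method added" },
  { ts: "2024-05-02T09:00:00Z", type: "password_reset", user: "cfo@example.com" },
  { ts: "2024-05-02T09:30:00Z", type: "token_refresh",  user: "cfo@example.com", ip: "203.0.113.7" },
];

// Returns findings that a password reset alone would not have removed.
function findPersistence(events) {
  const reset = events.find((e) => e.type === "password_reset");
  const resetTs = reset ? Date.parse(reset.ts) : Infinity;
  const findings = [];
  for (const e of events) {
    if (e.type === "inbox_rule" && e.action === "forward" &&
        !e.target.toLowerCase().endsWith("@" + TENANT_DOMAIN)) {
      // Forwarding to an address outside the tenant keeps leaking mail after reset.
      findings.push({ kind: "external_forwarding", ts: e.ts, detail: e.target });
    } else if (e.type === "oauth_consent") {
      // A consented app holds its own tokens, independent of the user's password.
      findings.push({ kind: "oauth_grant", ts: e.ts, detail: e.app });
    } else if (e.type === "mfa_change") {
      // A new MFA method lets the attacker complete future sign-ins.
      findings.push({ kind: "mfa_change", ts: e.ts, detail: e.detail });
    } else if (e.type === "token_refresh" && Date.parse(e.ts) > resetTs) {
      // A refresh token still working after the reset means sessions were never revoked.
      findings.push({ kind: "token_after_reset", ts: e.ts, detail: e.ip });
    }
  }
  return findings;
}

for (const f of findPersistence(sampleEvents)) {
  console.log(`${f.ts} ${f.kind}: ${f.detail}`);
}
```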

Logging the chain of compromise for legal and law-enforcement use

Preserve evidence early:

  • original email with full headers
  • mailbox audit trail
  • identity provider logs
  • payment approval records
  • chat transcripts
  • phone logs and voicemails

You want a clean chain of custody, not just screenshots pasted into a ticket. If outside counsel or law enforcement gets involved later, timestamps and source integrity matter.

Backups, identity recovery, and continuity when systems stay online

Physical extortion often arrives while normal business must continue. That means your identity and messaging recovery needs to work without trusting the compromised channel.

Test:

  • secondary admin accounts
  • break-glass identity access
  • offline copies of contact lists
  • manual payment validation steps
  • alternate communication paths for staff

If your only recovery path is “email the compromised mailbox owner,” you do not have a recovery path.

Coordination points that are easy to miss

Law enforcement, insurers, outside counsel, and executive security

These groups need different facts:

  • law enforcement needs evidence and threat details
  • insurers need notification timing and loss estimates
  • counsel needs privilege-aware documentation
  • executive security needs names, locations, and threat specificity

Do not force one incident bridge to serve all four audiences in the same way.

HR and facilities involvement when threats name people or locations

When a threat names an employee, office, warehouse, or school pickup location, HR and facilities should be in the loop. They may need to adjust access, escorts, badge checks, visitor policy, or work-from-home plans for a short period.

Internal comms so staff do not improvise under pressure

Tell employees exactly what not to do:

  • do not reply to the attacker
  • do not forward the message widely
  • do not move money without approval
  • do not post screenshots in public channels

A short internal note beats a week of rumor control.

Tabletop exercises that expose weak assumptions

Test the first hour, not just the recovery day

Most teams rehearse account recovery after the damage is already contained. That misses the real failure mode: confusion in the first 60 minutes.

Your tabletop should test:

  • who answers the first call
  • who judges safety risk
  • who preserves evidence
  • who approves payment holds
  • who contacts leadership

Practice a scenario where the attacker knows org charts and travel plans

This is the part many playbooks ignore. Assume the attacker has already learned:

  • reporting lines
  • executive names
  • travel calendars
  • vendor relationships
  • office locations

That scenario forces the team to rely on verification, not familiarity.

What a good hardened playbook contains

Clear escalation triggers and decision owners

A hardened playbook names the trigger conditions:

  • threats of violence
  • references to family or location
  • evidence of mailbox persistence
  • payment diversion attempts
  • executive impersonation with urgency

And it names the owners for each branch. No guessing.

Safe communication channels if email is suspect

Keep at least one channel outside the primary email tenant:

  • emergency phone tree
  • secure messaging app
  • out-of-band call-back numbers
  • printed escalation contacts for critical roles

Recovery criteria that are not tied only to ransom demands

Do not define success as “the attacker stopped asking.” Define it as:

  • compromised access revoked
  • evidence preserved
  • affected people protected
  • payment controls restored
  • business communication stable

Closing notes on continuity and restraint

Physical extortion changes BEC from a fraud problem into a broader resilience problem. The fix is not panic and it is not overreaction. It is a playbook that assumes the attacker can reach beyond the inbox.

If your current plan only says “disable the account and call finance,” it is incomplete. Add safety escalation, legal coordination, alternate comms, and clear decision authority now, while the room is still calm.
