
Human-centric failures: Why BEC continues to work despite MFA
Business email compromise (BEC) is still thriving, even in organizations that have implemented multi-factor authentication (MFA). As security professionals, we often assume that MFA is a silver bullet for email security, but real-world incidents suggest otherwise. Attackers exploit human behaviors, process gaps and operational blind spots that MFA alone cannot address. In many modern BEC cases, no account is technically compromised at all, which places these attacks outside the protection boundary of MFA controls. In 2019, Toyota Boshoku Corporation fell victim to a BEC attack in which an employee transferred over $30m to scammers following a cloned email from a third-party company with urgency citing ...