// BEC defense · the hard-stop firewall

Stop BEC by refusing the action, not just reading the mail.

Business email compromise is an irreversible-action problem, not a spam problem. The loss happens the moment someone — or an autonomous agent acting for them — is socially engineered into sending a wire, changing where money is remitted, or replying to a strangerwith sensitive data. RadMail's answer is a deterministic firewall that removes those dangerous action classes from what an autonomous agent can do at all.

RadMail is a tool, not a guarantee. It refuses the exact action classes that cause BEC losses; it does not promise that no fraud can ever occur, and it claims no detection rate. RadMail is pre-release, with its engine live in a test bed on two real businesses; the public MCP server runs the heuristic sandbox engine.

Why a smarter filter doesn't stop it.

BEC mail is often perfectly deliverable — from a real, compromised, or look-alike account, and grammatically clean — so a "is this spam?" score does nothing. The malicious content is the same content the agent is asked to read and reason about, which turns the classic BEC playbook (urgency, authority, a plausible pretext) into a prompt-injection attack against the agent. You cannot make these actions safe by classifying them more accurately. You make them safe by refusing to let an autonomous process perform them.

The action classes RadMail keeps human-only.

These are human-only, forever — no RadMail tool auto-executes them, at any tenant, at any rollout stage. The firewall fails closed: if the risk evaluation was not performed, the answer is hard-stop, not send.

hard-stop :: human-only action classes
  • Moving moneyApproving a wire, paying an invoice, an ACH or remittance instruction — any movement of money.
  • Changing banking detailsThe highest-yield pattern: 'we've updated our bank account, send future payments here.' One accepted change redirects every future payment.
  • Decisions that commit the accountApprove, sign off, authorize, or go-ahead on an order, PO, contract, or payment.
  • Contacting a third partyBeing steered into looping in, or disclosing to, someone outside the known counterparty — including a first-contact reply to a new party.
  • Releasing a deliverableSending out a document, credential, or asset.

The only action ever eligible to auto-send is a self-directed follow_up— a "did you get my last note?" check-in that moves no money and commits nothing — and even that requires a known counterparty at an allowlisted domain, and is blocked outright if the source mail carries a money, new-banking, decision, or injection signal.

What an agent connected to RadMail cannot do.

The MCP server exposes only read, triage, explain, list-commitments, and draft tools. There is no tool that does any of the following — by design, as the BEC defense:

Common questions.

What is business email compromise (BEC)?

Business email compromise is a fraud where an attacker uses email — often from a real, compromised, or look-alike account — to socially engineer someone into taking an irreversible action: sending a wire, changing where payments are remitted, approving a purchase, or replying to a stranger with sensitive data. The message is only the delivery vehicle; the loss happens at the moment of the action taken in response, which is why a clean, deliverable email can still cause a large loss.

tl;dr BEC is an irreversible-action problem, not a spam problem.

How does RadMail stop BEC and wire fraud?

RadMail's firewall removes the dangerous action classes from what an autonomous agent can do at all. Moving money, changing banking or wire instructions, decisions that commit the account, contacting a new third party, and releasing a deliverable are human-only: the firewall will never return an auto-sendable reply for them, at any tenant, at any rollout stage. It refuses the exact action classes that cause the losses rather than trying to score intent more accurately — so a persuasive email cannot talk an agent into the dangerous action, because the agent was never able to perform it.

tl;dr It refuses the irreversible action classes outright — human-only, forever.

Why can't you just detect BEC with a smarter spam filter?

Because BEC mail is often perfectly deliverable, from a real or look-alike account, and grammatically clean, so a 'is this spam?' score does nothing. The malicious content is the same content the agent is asked to read and reason about, which turns the classic BEC playbook — urgency, authority, a plausible pretext — into a prompt-injection attack against the agent. RadMail's premise is that you cannot make these actions safe by classifying them more accurately; you make them safe by refusing to let an autonomous process perform them.

What about a changed-banking-details email?

A changed-banking-details request is the single highest-yield BEC pattern — one accepted banking change redirects every future payment to the attacker. RadMail treats any new-banking signal as a permanent hard-stop: the agent will never auto-send a reply that acts on it, and a change-of-bank instruction surfaces to a human to review. This holds even for a well-known, long-trusted sender, because a known counterparty is never a key that unlocks money or banking changes.

tl;dr Changed banking is a permanent hard-stop, even from a trusted sender.

Can an agent connected to RadMail be tricked into sending money?

No auto-send tool for money exists to be tricked. The safety decision is deterministic — not a confidence threshold and not delegated to a model — and it fails closed: if the risk evaluation was not performed, the answer is hard-stop, not send. Obfuscation such as zero-width characters or base64-encoded payloads is normalized before scanning, so hiding the instruction cannot buy a bypass. A model drafts language; it cannot talk the firewall into sending.

tl;dr The high-risk send is not exposed as a tool at all, and the system fails closed.

Is RadMail fraud-proof or a guarantee against BEC?

No. RadMail is a tool, not a guarantee. It narrows what an autonomous agent can be tricked into doing by removing the dangerous action classes from its reach; it does not certify that fraud is impossible or claim any detection rate. It does not replace your own controls — bank-side call-back verification for banking changes, dual authorization for wires, SPF/DKIM/DMARC, and human judgment on the surfaced drafts remain your responsibility. Compliance is a shared responsibility, and RadMail is pre-release with its engine live in a two-business test bed.

tl;dr A tool that shrinks the blast radius — not a guarantee, and not a replacement for your controls.

See the hard-stop refuse a send. The public magic-moment shows RadMail visibly refusing a money / new-banking / first-contact send — no signup, no credentials.

› Start free — no card
radmail@inbox:~$ disposition --money --new-banking --first-contact = hard_stop