For example, messaging service Snapchat and Seagate, a disk drive manufacturer, recently fell victim to BEC emails that tricked them into handing over tax documents containing employees' addresses and Social Security numbers.
There are technical solutions as well, Jakobsson said, including those offered by his company.
For example, you could check whether an email address is close to -- but not identical to -- that of a trusted contact.
"Or it might have a different reply-to address from the return address -- which is easy for attackers to spoof for companies that don't use DMARC," he added.
DMARC is a 4-year-old project that helps companies authenticate email addresses. According to a report released last month by email security vendor Return Path, only 29 percent of global brands use DMARC.
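The three checks described above (a sender address that is close to but not identical to a trusted contact, a Reply-To that differs from the From address, and a sending domain without an enforcing DMARC policy) can be combined into one triage routine run over a message's headers. The following is an added example written for this article, not code from Jakobsson's company or any product named here. The message, the trusted-contact list and the DMARC TXT record are all constructed sample data; in practice the DMARC record would be fetched from DNS at `_dmarc.<domain>`.

```python
import email
from email.utils import parseaddr
from typing import List, Optional


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot look-alike addresses such as
    'exarnple' ('rn' standing in for 'm') versus 'example'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, trusted: List[str], max_distance: int = 2) -> Optional[str]:
    """Return the trusted address the sender resembles but does not equal, else None.
    An exact match is not flagged: that case is an account takeover, not a look-alike."""
    s = sender.lower()
    for t in trusted:
        if s != t.lower() and levenshtein(s, t.lower()) <= max_distance:
            return t
    return None


def reply_to_mismatch(msg) -> bool:
    """True when a Reply-To header is present and points somewhere other than From."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return bool(reply_to) and reply_to != from_addr


def dmarc_policy(txt_record: str) -> str:
    """Extract the p= tag from a DMARC TXT record.
    Returns 'missing' when the record is not a DMARC record at all,
    and 'none' when the record exists but carries no enforcement."""
    tags = dict(part.strip().split("=", 1) for part in txt_record.split(";") if "=" in part)
    if tags.get("v") != "DMARC1":
        return "missing"
    return tags.get("p", "none")


def assess(raw_message: str, trusted: List[str], dmarc_txt: str) -> List[str]:
    """Return the BEC indicators found in the message headers (empty list = none)."""
    msg = email.message_from_string(raw_message)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    target = lookalike_of(sender, trusted)
    if target:
        findings.append(f"sender {sender} resembles trusted contact {target}")
    if reply_to_mismatch(msg):
        findings.append("Reply-To differs from From")
    if dmarc_policy(dmarc_txt) in ("none", "missing"):
        findings.append("sender domain has no enforcing DMARC policy")
    return findings


# Constructed sample data (hypothetical domains, not real organisations).
TRUSTED_CONTACTS = ["pat.lee@example-corp.com"]

SAMPLE_MESSAGE = (
    'From: "Pat Lee" <pat.lee@exarnple-corp.com>\n'   # 'rn' look-alike of 'm'
    "Reply-To: pat.lee@mail-forward.example\n"
    "To: payroll@example-corp.com\n"
    "Subject: W-2 forms needed today\n"
    "\n"
    "Please send all employee W-2s as PDF.\n"
)
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com"

CLEAN_MESSAGE = (
    "From: pat.lee@example-corp.com\n"
    "To: payroll@example-corp.com\n"
    "Subject: Quarterly review\n"
    "\n"
    "See you at 3pm.\n"
)
ENFORCING_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com"


if __name__ == "__main__":
    for line in assess(SAMPLE_MESSAGE, TRUSTED_CONTACTS, SAMPLE_DMARC):
        print("FLAG:", line)
    print("clean message findings:", assess(CLEAN_MESSAGE, TRUSTED_CONTACTS, ENFORCING_DMARC))
```

A header-only check like this cannot tell a look-alike domain from a genuine account takeover of the real address, which is why the article's advice for that case is confirmation over a separate channel rather than more header analysis.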
"If it's an actual account takeover, the best approach is to confirm on a different channel, such as an SMS or known good telephone number," he said.