TL;DR
Business Email Compromise (BEC) attacks are a major threat. This guide shows you how to block them using email security tools, staff training, and strong verification processes.
1. Understand the Threat
BEC emails try to trick your employees into sending money or sensitive information to criminals pretending to be someone they trust – like a boss, supplier, or customer. They often look very convincing.
2. Email Security Tools
- Spam Filters: Make sure your email provider has strong spam filters enabled and regularly updated. These catch many BEC attempts.
- Check settings in services like Microsoft 365, Google Workspace, or your dedicated email security platform.
- Advanced Threat Protection (ATP): ATP scans emails for malicious links and attachments that bypass spam filters. It can also rewrite URLs to check them before you click.
- Microsoft Defender for Office 365 is a good example.
- DMARC, SPF & DKIM: These are email authentication protocols that help prove emails really come from who they say they do. Setting these up correctly makes it harder for attackers to spoof your domain.
- SPF (Sender Policy Framework): Lists the servers allowed to send email on behalf of your domain. Example record:
  v=spf1 include:_spf.google.com ~all
- DKIM (DomainKeys Identified Mail): Adds a digital signature to outgoing emails; receivers verify it against a public key published in DNS under a selector (here default._domainkey). Example record:
  v=DKIM1; k=rsa; h=sha256; p=...your_dkim_key...
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving email servers what to do with emails that fail SPF and DKIM checks, and where to send reports. Start with a policy of p=none for monitoring, then move to p=quarantine or p=reject once you’re confident. Example record:
  v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; pct=100
- Email Gateway Security: Consider a dedicated email security gateway (e.g., Proofpoint, Mimecast). These offer advanced BEC detection features like impersonation protection and anomaly analysis.
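As an added example (not part of the original guide), the following Python script parses SPF, DKIM and DMARC TXT records and flags the settings a defender should tighten: a permissive SPF "all", a DMARC policy still at p=none, a pct below 100, or no rua reporting address. The record strings, the placeholder DKIM key and the example.com addresses are constructed samples; nothing is fetched from DNS, so it runs offline.

```python
"""Check SPF, DKIM and DMARC records for weak settings.

Added example for this guide: it works on record text you paste in
(for instance from a TXT lookup), does no DNS queries, and the sample
records below are constructed, including the example.com addresses.
"""
from typing import Dict, List

# Constructed sample records, as the TXT data would appear in DNS.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; h=sha256; p=CONSTRUCTED_PLACEHOLDER_KEY"
SAMPLE_DMARC_MONITOR = (
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r; pct=100"
)
SAMPLE_DMARC_ENFORCE = (
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s; pct=100"
)

# SPF mechanisms/modifiers that each cost one of the 10 allowed DNS lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DKIM and DMARC style) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record: str) -> List[str]:
    """Flag an SPF record that is missing, permissive, or likely to permerror."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings: List[str] = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' lets any server send as this domain")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral, effectively no policy")
    elif last == "~all":
        findings.append("SPF: '~all' is softfail; move to '-all' once DMARC is enforced")
    elif last != "-all":
        findings.append("SPF: no terminating 'all' mechanism")
    lookups = sum(
        1 for t in terms[1:]
        if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append("SPF: more than 10 lookup mechanisms; receivers return permerror")
    return findings


def dkim_findings(record: str) -> List[str]:
    """Flag a DKIM public-key record that is revoked, in test mode, or malformed."""
    tags = parse_tags(record)
    findings: List[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        findings.append("DKIM: v= tag present but not DKIM1")
    if not tags.get("p"):
        findings.append("DKIM: empty p= means the key is revoked; signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag set; receivers may ignore failures")
    return findings


def dmarc_findings(record: str) -> List[str]:
    """Flag a DMARC record that only monitors, covers part of the mail, or reports nowhere."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required p= tag is missing")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject when reports are clean")
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC: pct={pct} enforces the policy on only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def report(spf: str, dkim: str, dmarc: str) -> List[str]:
    """Combine all findings; an empty list means every record is at full strength."""
    return spf_findings(spf) + dkim_findings(dkim) + dmarc_findings(dmarc)


if __name__ == "__main__":
    for line in report(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC_MONITOR):
        print(line)
```

Run it against your own records after each change to the policy: the monitoring record above produces exactly one finding (p=none), and the softfail "~all" is reported so you remember to tighten SPF once DMARC reaches reject.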
3. Staff Training
- Regular Awareness Sessions: Train your staff to recognise BEC emails. Show them examples of common tactics (urgent requests, unusual payment details, etc.).
- Phishing Simulations: Send fake phishing emails to test their awareness and identify who needs more training.
- Reporting Procedures: Make it easy for employees to report suspicious emails. A dedicated email address (e.g., [email protected]) is helpful.
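The tactics listed above can also be turned into simple triage rules for the reporting mailbox, so the security team sees the riskiest reports first. This Python example is added here and is not the guide's own tooling; the organisation's domain (example.com), the protected executive name and both sample messages are constructed placeholders. It flags display-name impersonation from an external domain, a Reply-To that points elsewhere, lookalike domains, and urgent payment language in the body.

```python
"""Rule-based triage for emails reported to a phishing mailbox.

Added example for this guide, not its own tooling. The organisation's
domains, the protected display names and both sample messages are
constructed placeholders; replace them with your own data.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List

OUR_DOMAINS = {"example.com"}        # assumed: domains the organisation sends from
PROTECTED_NAMES = {"jane doe"}       # assumed: display names attackers like to borrow
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")
PAYMENT_WORDS = ("wire", "bank details", "invoice", "payment", "transfer", "account number")

# Constructed sample messages (headers, blank line, body).
SAMPLE_BEC = """From: Jane Doe <jane.doe@webmail.example>
Reply-To: jane.doe@exarnple.com
To: accounts@example.com
Subject: Urgent wire needed today

Please process this payment immediately. New bank details attached. Keep it confidential.
"""

SAMPLE_BENIGN = """From: Bob Smith <bob@vendor.example>
To: accounts@example.com
Subject: Meeting notes

Attached are the notes from Tuesday. Let me know if I missed anything.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that resembles one of ours but is not one of ours."""
    if not domain or domain in OUR_DOMAINS:
        return False
    # Common visual swaps: rn for m, 0 for o, 1 for l.
    normalised = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    return any(edit_distance(domain, ours) <= 2 or normalised == ours for ours in OUR_DOMAINS)


def triage(raw_message: str) -> List[str]:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    findings: List[str] = []

    if display_name.lower() in PROTECTED_NAMES and from_domain not in OUR_DOMAINS:
        findings.append(f"display name '{display_name}' used from external domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for label, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        if is_lookalike(dom):
            findings.append(f"lookalike domain {dom} in {label}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append("urgent payment language in body")
    return findings


if __name__ == "__main__":
    for name, sample in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(name, "->", triage(sample) or ["no indicators"])
```

These rules are deliberately simple; they are meant to prioritise what staff report, not to replace the gateway. A message that trips several of them at once (as the constructed sample does) is worth a phone call to the named person before anyone acts on it.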
4. Strong Verification Processes
- Verify Payment Requests: Always verify payment requests, especially new ones or changes to existing arrangements.
- Confirm details with the requester via a separate communication channel (phone call, in-person).
- Multi-Factor Authentication (MFA): Enable MFA on all email accounts and critical systems. This adds an extra layer of security.
- Out-of-Band Verification: For high-value transactions, use out-of-band verification – a completely separate channel to confirm instructions (e.g., phone call to a known number).
5. Incident Response Plan
- Develop a plan: Create a clear incident response plan for handling suspected BEC attacks.
- Include steps for isolating affected accounts, contacting law enforcement, and recovering funds (if applicable).
- Regularly test the plan: Practice your incident response plan to ensure everyone knows what to do.

