Resource Corner

4 Ways to Avoid Business Email Compromise (BEC)

Learn ways you can mitigate Business Email Compromise (BEC) in your business

Hand pressing secure lock

Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Here are a few non-technical and technical mitigations you can adopt for your business.

Non-Technical Mitigations

Social Engineering Safety
  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Be careful what you post to business networking sites like LinkedIn and your company website, especially information about who has which specific job duties.

Training and Awareness
  • Alerts for employees and customers regarding phishing scams targeting specific organizations or interest groups.
  • General information on phishing tactics posted to an organization web site or emails. 
  • Establish an employee testing program with phishing and BEC attempts that appear to come from your senior leaders and trusted business partners.

Technical Mitigations

  • Set up two-factor (TFA) or multi-factor authentication (MFA) on any account that allows it, and never disable it. TFA/MFA aims to protect users if authentication credentials have been captured. The nature of changing tokens limits the attacker's ability to leverage captured credentials. 
  • Avoid free web-based e-mail accounts. Establish a company domain name and use it to create formal e-mail addresses for your employees.
  • Label external emails to help prevent the impersonation of employees. 
  • Ensure emails originating from outside the organization are automatically marked before received.
  • Prohibit automatic forwarding of emails to external addresses. Detect email inbox forwarding rules that send all or selected emails to an external email address.

To learn about more mitigations to help protect your business against Business Email Compromise, read the full article here.


All content is for informational purposes only and does not constitute legal, tax, or accounting advice. You should consult your legal and tax or accounting advisors before making any financial decisions.