Business Email Compromise (BEC) is any type of cyber attack using email that in itself does not contain a malicious attachment. Although there are many different BEC attack vectors, the dominant one is spoofing, used in almost 50% of all BEC attacks. In a spoofing attack, the criminal sends an email that appears to be from a high-ranking member of the organization, requesting a transfer of funds.

A few statistics to act as a wake-up call:

  • In a recent survey, 71% of organizations acknowledged experiencing a BEC attack over the past year.
  • The FBI’s Internet Crime Complaint Center reports that in 2020 there were 19,369 BEC complaints, with losses of approximately $1.8 billion.
  • One of the largest BEC losses came to Nikkei, the Japanese media group, in the amount of $29 million.

A BEC attack generally works like this:

  1. The criminal acquires the name and email address of a senior-level executive within an organization.
  2. The criminal sends an email, spoofing the name and email address of this executive, to their executive assistant or the accounting department, requesting that monies be sent to some account outside of the organization.
  3. Because this email appears to be from a senior-level executive, there is often no expenditure authorization policy in place to limit amounts, and no requirement for secondary approvals.
  4. The monies are sent to the requested accounts, which are immediately cashed out by the criminal.

What Can I Do To Help Prevent an Attack

Expenditure Authorization Policies

Although it will likely result in a few bruised egos, and introduce some time delays, it is vital that expenditure authorization policies mandate that any significant financial request, from any member of the organization–even the owner, president, or CEO–must be cleared through a secondary approval process. Even something as simple as a required video call to the requestor could block most of these attacks.

Staff Education

As part of staff continuing cybersecurity and internet privacy training, all staff should be educated on how a BEC attack works, and what the new expenditure authorization policies are.


The corner stone of a BEC attack is the ability to send an email that appears to be from a legitimate source. We do have technology that can help stop this from occurring. These go by the terms Sender Policy Framework (SPF), Domain Keys Identified mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). 

If your eyes just rolled up to the back of your head, I understand, but stay with me.

SPF is an email validation system. It provides a mechanism to authorize servers and services to send email using your domain. This allows a receiving mail server to verify that incoming mail from a specific domain is coming from a host authorized to send that mail. If a criminal sends email to you with spoofed “from” information, your email server can validate or invalidate the authenticity of the incoming email. This prevents email from a forged or spoofed address from reaching an inbox.

DKIM accomplishes much the same as SPF, but from the opposite direction. It provides a mechanism for the receiver to verify that an email stating to have come from a server which has been authorized to send mail for a specific domain via SPF is indeed the server that is sending the email.

DMARC is a configurable policy that determines how to deal with email that has failed the SPF or DKIM validation.

In a nutshell, SPF authorizes a server to send email on behalf of a specific domain, DKIM authenticates the sending server, and DMARC determines what to do with the email if it fails authentication.

Configuring SPF, DKIM, and DMARC doesn’t require an IT professional. Your email service provider may be willing to set it all up for you. Better yet, do it yourself and be certain it is done properly! The entire step-by-step takes only four pages and less than an hour of your time. Where can you find the steps? They are assignments 13.11.1 through 13.11.4 in any of our current Practical Paranoia Security Essentials books.

Oh! I almost forgot… You can now become master of your cybersecurity and internet privacy even if you wouldn’t know an SSL from a TLS (ok, nerd humor isn’t even funny to other nerds). In just 1 hour a day over 10 days with our Practical Paranoia Online Workshops. If you can tap, double-tap, and save a file, you can quickly and easily secure your computer, tablet, phone, data, and communications using the same steps as used by governments, military, and big business. All you are missing is knowing the how. Lucky for you, we’ve got the know-how to spare, and we will share it all with you in the workshop.

Register by July 31, 2021 and receive 55% discount.