6 Ways to Combat the Rise in Business Email Compromise (BEC) Attacks

Zachary Kitchen
April 8, 2023
6 Ways to Combat the Rise in Business Email Compromise (BEC) Attacks

Business email compromise (BEC) attacks have become a major concern for organizations in recent years. BEC is a type of cybercrime where fraudsters use social engineering tactics to compromise email accounts and impersonate authorized personnel to defraud businesses of their money or sensitive information. 

This type of attack is particularly prevalent in professional services industries, such as law firms, accounting firms, CPAs, bookkeepers, investment firms, and property management companies. 

BEC attacks can cause significant financial losses, reputational damage, and legal liabilities. Therefore, it's essential for businesses to be aware of the ways to combat BEC attacks and safeguard their assets and clients' data. In this article, we'll explore some effective strategies to mitigate the risk of BEC attacks.

What are the Types of BEC Attacks? 

To combat BEC attacks, it's crucial to understand the different types of BEC attacks that cybercriminals use. The most common types of BEC attacks include:


This type of attack involves the use of a fraudulent email address that mimics a legitimate sender's email address to deceive the recipient into believing that the email is genuine.


Phishing involves the use of a fake email or website to trick the recipient into providing sensitive information, such as login credentials, credit card details, or personal data.

Account takeover

This type of attack includes stolen credentials or social engineering tactics to gain unauthorized access to a legitimate email account and send fraudulent emails.

6 Ways to Combat BEC Attacks 

1. Strengthen Email Security Measures

To combat BEC attacks, businesses must strengthen their email security measures. Here are some effective ways to do so:

  • Two-factor authentication: Implement two-factor authentication (2FA) for all email accounts to prevent unauthorized access. 2FA requires a second factor, such as a code or biometric verification, in addition to the password.
  • Email encryption: Use email encryption to protect your data in transit. Email encryption ensures that the content of the email is scrambled and unreadable to unauthorized parties.
  • Anti-spoofing and anti-phishing measures: Implement anti-spoofing and anti-phishing measures, such as domain-based message authentication, reporting, and conformance (DMARC), sender policy framework (SPF), and domain keys identified mail (DKIM), to verify the authenticity of email messages and prevent spoofing and phishing attacks.

2. Train Employees on BEC Awareness

Another effective strategy to combat BEC attacks is to train employees on BEC awareness. Employees tend to be the weakest link in the security chain, as they may inadvertently fall prey to social engineering tactics used by cybercriminals

As a result, it's crucial to train your employees on how to identify suspicious emails, report security concerns, verify the authenticity of senders, and handle sensitive information securely. BEC awareness training should be an ongoing process, and employees should be regularly reminded of the latest BEC trends and tactics.

3. Implement Financial Controls

To mitigate the financial risks of BEC attacks, businesses must implement appropriate financial controls. Here are some essential financial controls that can prevent BEC attacks:

  • Payment verification: Implement a payment verification process that requires multiple approvals and verifications before initiating any wire transfer or payment. This can help prevent fraudulent transactions and reduce the risk of financial loss.
  • Segregation of duties: Segregate financial duties among multiple employees to prevent a single point of failure. For example, the employee who initiates a wire transfer should not be the same employee who approves it.
  • Vendor verification: Implement a vendor verification process to ensure that all vendors are legitimate and authorized to receive payments. This can prevent BEC attacks that use fake vendor invoices or impersonate legitimate vendors to defraud businesses.

4. Conduct Regular Security Assessments

Regular security assessments can help businesses identify vulnerabilities in their systems and processes and take appropriate measures to mitigate those risks. Security assessments can include vulnerability scanning, penetration testing, and social engineering testing. By conducting regular security assessments, businesses can proactively identify and address security gaps before cybercriminals can exploit them.

5. Keep Software and Systems Up to Date

Keeping software and systems up to date is an essential aspect of cybersecurity. Cybercriminals often exploit known vulnerabilities in outdated software and systems to launch their attacks. Therefore, it’s important for businesses to keep their software and systems patched and updated with the latest security updates and fixes.

6. Have a Cybersecurity Incident Response Plan

Despite all the preventive measures, a BEC attack may still occur, so it's crucial for businesses to have a well-defined cybersecurity incident response plan (IRP) to minimize the damage and recover from the attack quickly. A cybersecurity IRP should include steps for identifying and containing the attack, notifying the relevant stakeholders, preserving evidence, and restoring the systems and data.

Protect Your Organization 

BEC attacks are a serious threat to businesses, especially in the professional services industries, where the stakes are high. Businesses must take proactive measures to combat BEC attacks and safeguard their assets and clients' data. 

By understanding the types of BEC attacks, strengthening email security measures, training employees on BEC awareness, implementing financial controls, conducting regular security assessments, keeping software and systems up-to-date, and having a cybersecurity incident response plan, businesses can significantly reduce the risk of BEC attacks. Remember, preventing a BEC attack is always better than dealing with the consequences.

If you're interested in improving your organization's cybersecurity posture and protecting your assets and clients' data from BEC attacks, contact Digital Crisis today for a consultation. Our team of cybersecurity experts can help you assess your vulnerabilities and develop a customized cybersecurity strategy to mitigate those risks.

Find Some Time To Talk

We make IT work

Providing superior, high-quality, and professional IT services 
in the Houston Area.

Digital Crisis LLC

Houston IT Support
Business Hours

Mon-Fri 9 am-5 pm CST
Saturday & Sunday: Closed
Emergency Support: 24/7
Houston Office
5718 Westheimer Rd.
Suite 1000
Houston, TX 77057
Minneapolis Office
333 N Washington Ave Suite 300-9007, Minneapolis, MN 55401
A Houston IT Service Provider
© 2009-2022 DIGITAL CRISIS, LLC  
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram