Business Email Compromise (BEC) and How to Protect yourself

A cousin to ransomware in a sense, Business Email Compromise (BEC), also known as “whaling” or “CEO fraud”, attacks in the form of impostor emails targeted at medium to large businesses. BEC is expected to be on the rise in 2016.

The email accounts of CEOs and other senior staff are compromised so that messages can be sent to financial staff requesting money transfers. The majority of the victims said they use wire transfers as a common method of transferring funds for business transactions; however, the fraudsters use whichever method the victim commonly uses in normal business transactions.


If you receive an email with one or more of the following, double-check by consulting the requesting party over the phone or any means other than email:

  • Senior executives asking for unusual information or initiating a wire transfer
  • Requests to respond to the sender only via email and to keep the request private
  • Requests that bypass normal channels
  • Language issues, poor grammar and unusual date formats
  • “Reply To” addresses that do not match sender addresses; attackers may also use lookalike domains to trick recipients ( instead of

How to Protect Yourself:

From a technical perspective, you need a secure email solution that supports advanced options for flagging malicious emails based on attributes and email authentication techniques, such as Sangari Email Security. At the very least, configure your email gateway to block messages that spoof your domain(s). Another best practice is to automatically add the [EXTERNAL] tag to the subject line of emails sent from outside your organization.
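The gateway checks described above (Reply-To mismatch, lookalike domains, spoofing of your own domain, and the [EXTERNAL] tag) can be sketched as follows. This is an added example, not code from any product named on this page; the domain `corp.example`, the distance threshold of 2, the finding labels and the sample messages are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"corp.example"}  # assumption: placeholder for your own domain(s)

def domain_of(header_value):
    """Lowercased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; a small value against your domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return (findings, subject_to_deliver) for one raw message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    # Assumption: the gateway strips inbound Authentication-Results headers
    # and stamps its own, so this value can be trusted.
    auth = (msg["Authentication-Results"] or "").lower()
    findings = []
    if reply_to and reply_to != sender:
        findings.append("reply-to-mismatch")
    for d in sorted({sender, reply_to} - {""} - ORG_DOMAINS):
        if any(edit_distance(d, org) <= 2 for org in ORG_DOMAINS):
            findings.append("lookalike-domain:" + d)
    if sender in ORG_DOMAINS and "dmarc=pass" not in auth:
        findings.append("spoofed-own-domain")  # candidate for blocking
    subject = msg["Subject"] or ""
    if sender not in ORG_DOMAINS and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return findings, subject

# Constructed sample messages (not real traffic).
LOOKALIKE = ("From: CEO <ceo@c0rp.example>\nReply-To: ceo.private@freemail.example\n"
             "Subject: Urgent wire transfer\n\nKeep this between us.\n")
SPOOFED = ("From: CFO <cfo@corp.example>\nSubject: Invoice\n"
           "Authentication-Results: mx.corp.example; dmarc=fail\n\nPay today.\n")

if __name__ == "__main__":
    for raw in (LOOKALIKE, SPOOFED):
        print(triage(raw))
```

Subdomains of your own domain are treated as external here; add them to `ORG_DOMAINS` if they send legitimate mail.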

From a human resources perspective, educate staff and put effective processes in place. Here are a few basic guidelines:

  • Be suspicious: Ask for clarification, forward suspicious emails to IT, or check with a colleague before responding
  • Slow down: Attackers often time their campaigns around the busiest periods of the day. If an accountant is quickly processing several wire transfer requests, s/he is less likely to pause and consider whether a particular request is suspect.
  • Check the Reply-to field: Once you click Reply, check the address. Is it a genuine internal email address, an external address, or something that looks odd?
  • Check the domain: Attackers are increasingly using “typo squat” domains and lookalikes to trick people savvy enough to check the Reply-to field.
  • Watch for the use of personal accounts:  For example, [ceo name], would often not flag spam rules and could appear legitimate.
  • If something doesn’t feel right, it probably isn’t: Staff should trust their instincts. Ask “Would my BOSS tell me to do this?” or “Why isn’t this supplier using our invoice submitting portal?”
  • Follow a process: Implement appropriate processes for the kinds of transactions BEC phishers are after. Have internal finance and purchasing controls in order to verify legitimate requests. This may include adding a secondary, out-of-band in-person or phone approval by someone else in the organization.

All the above measures can save your organization hundreds of thousands or even millions.