How to Prevent Business Email Compromise (BEC)
Prevent BEC by hardening identity (phishing-resistant MFA, disable legacy authentication, least-privilege admin), restricting forwarding and mailbox rules, enforcing DMARC to reduce spoofing, and adding finance controls (out-of-band vendor/bank change verification, dual approval, callbacks). Train staff on BEC patterns and monitor for suspicious sign-ins, rule creation, and payment changes.
Business email compromise (BEC) is one of the fastest ways for attackers to turn stolen credentials into real money—often through invoice fraud, payroll diversion, or vendor bank-detail changes. Effective BEC prevention is less about “better spam filtering” and more about identity hardening + mailbox governance + payment controls + DMARC.
TL;DR - BEC prevention is mostly identity + process: phishing-resistant MFA, disable legacy auth, and strict payment verification. - Lock down mail auto-forwarding and mailbox rules; enforce DMARC (
p=reject) to stop spoofing. - Treat it as urgent: one successful BEC often leads to fraudulent wire transfers within hours.
Detailed Explanation
Business Email Compromise (BEC) is a family of attacks where an adversary abuses email trust to steal money or data—often by impersonating an executive, vendor, or employee, or by taking over a mailbox and using it to request payments or sensitive information. Unlike “spray-and-pray” phishing, BEC is typically targeted and timed around invoices, payroll, gift cards, M&A, or vendor onboarding.
The best prevention strategy combines four control layers.
1) Harden identity and access (most important)
BEC frequently starts with stolen credentials and weak login protections.
Do this first: - Require phishing-resistant MFA for all users, especially executives, finance, HR, and IT admins. Prefer FIDO2/WebAuthn security keys or passkeys. If you can’t, use authenticator apps with number matching and strong conditional access. - Disable legacy authentication (POP/IMAP/SMTP AUTH where not needed). Legacy auth bypasses modern MFA controls and is commonly abused. - Enforce strong conditional access: block logins from high-risk geographies, require compliant devices for sensitive roles, and step up auth for risky sign-ins. - Reduce admin privileges: separate admin accounts from daily email accounts, use just-in-time admin where possible, and regularly review privileged roles. - Password hygiene: block known-compromised passwords, require unique passwords, and monitor credential leaks.
Why it works: If attackers can’t log in, they can’t read threads, create stealthy mailbox rules, or send convincing replies from a legitimate account.
Helpful tooling (optional, but practical):
- A business password manager reduces credential reuse and “shared password” sprawl—both common precursors to BEC. If you’re standardizing for a small team, consider 1Password for Business via Try 1Password →.
For more guidance, see our internal guide: Best Password Manager for Small Business (2026).
2) Lock down the mailbox (rules, forwarding, and persistence)
Once inside, attackers commonly: - Create inbox rules to hide replies (e.g., move messages containing “invoice” to RSS or archive). - Enable external forwarding to an attacker-controlled address. - Add delegates or grant application consent (OAuth) to maintain access.
Key controls: - Disable or tightly restrict automatic external forwarding tenant-wide. - Alert on new inbox rules, new forwarding addresses, and new delegate access. - Require re-authentication or admin approval for OAuth app consent (where possible) and regularly audit consented apps.
3) Stop domain spoofing with email authentication (DMARC)
BEC often includes spoofing your domain or a lookalike domain to bypass user skepticism. DMARC doesn’t stop all BEC (compromised accounts still send valid mail), but it dramatically reduces “pretend to be your CEO” spoofing.
Implement:
- SPF + DKIM for all sending sources.
- DMARC with enforcement: move from p=none (monitoring) to p=quarantine, then p=reject once aligned.
Also consider: - Registering common lookalike domains (or at least monitoring them). - Adding an external sender banner and strong display-name protection rules.
4) Put money movement behind process controls (the “last line”)
Finance workflow controls stop fraud even if email is compromised.
Minimum viable controls: - Out-of-band verification for any bank detail change, vendor onboarding, payment reroute, or urgent exception. Use a known phone number from an internal directory—not the email thread. - Dual approval (four-eyes) for wire transfers and vendor master data changes. - Payment thresholds and “cooling-off” periods for first-time payees. - Verified vendor list and change logs. Treat vendor bank info as sensitive data. - Require a ticket or purchase order match for invoices.
Why it works: BEC thrives on urgency and social pressure. A mandatory callback breaks the attacker’s timeline.
Common Misconceptions
“A better spam filter will stop BEC.”
Spam filtering helps, but many BEC messages are low-volume, well-written, and sent from compromised legitimate accounts—meaning they may pass reputation checks. BEC prevention is primarily identity security and business process.
“DMARC will prevent all BEC.”
DMARC blocks spoofed email that fails alignment. It does not stop an attacker sending from: - a compromised employee mailbox, - a vendor’s compromised mailbox, or - a lookalike domain that passes its own DMARC.
DMARC is essential—but it’s one layer.
“If we use MFA, we’re safe.”
MFA reduces risk, but not all MFA is equal. Push fatigue, OTP phishing, and adversary-in-the-middle attacks can bypass weaker MFA. Favor phishing-resistant MFA (FIDO2/passkeys) and block legacy auth.
“Only big companies get hit.”
SMBs are frequent targets because they often have fewer controls and less payment verification rigor. Attackers also target specific roles (AP/AR, payroll, HR), not just Fortune 500 executives.
“We’ll spot it because the email will look suspicious.”
Modern BEC often uses real threads (“thread hijacking”) and correct context because the attacker read the mailbox. The message can look completely normal—until the payment destination changes.
Practitioner Checklist (What to do next)
Prioritize these actions this week
- Enforce MFA for all users; make finance and admins first.
- Disable legacy authentication and review SMTP AUTH usage.
- Block automatic external forwarding; audit existing forwarding rules.
- Implement (or progress) DMARC toward
p=reject. - Add a mandatory callback/verification step for vendor bank changes and wires.
Then improve detection and response
- Create alerting for:
- impossible travel / risky sign-ins,
- new inbox rules and forwarding,
- mailbox delegation changes,
- mass deletions or unusual sent-mail patterns,
- new OAuth app consents.
- Run a BEC tabletop exercise with finance and IT: who approves, who calls, who freezes payments, who contacts the bank, and what evidence to preserve.
Technical Notes: Quick config and audit examples
Microsoft 365: Check external forwarding and inbox rules (PowerShell)
# List mailboxes with forwarding configured
Get-Mailbox -ResultSize Unlimited |
Where-Object {$_.ForwardingSmtpAddress -ne $null -or $_.DeliverToMailboxAndForward -eq $true} |
Select DisplayName,UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward
# Enumerate inbox rules that forward/redirect
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
$upn=$_.UserPrincipalName
Get-InboxRule -Mailbox $upn |
Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
Select @{n="Mailbox";e={$upn}},Name,Enabled,ForwardTo,RedirectTo,ForwardAsAttachmentTo
}
Microsoft 365: Disable automatic external forwarding (high-level)
In the Defender/Exchange settings, set outbound spam policy to Automatic forwarding = Off (or restrict to trusted domains). Validate exceptions with business justification.
Google Workspace: Investigate suspicious forwarding
Look for user-level forwarding addresses and unusual routing rules in Admin console. Also review OAuth app access and recently authorized third-party apps.
Log patterns to monitor (generic)
- New rule creation events containing keywords like:
invoice,wire,payment,bank,swift,ACH - Sign-ins from new countries/ASNs followed by:
- mailbox rule creation,
- changes to recovery methods,
- sending to new external recipients,
- deletion of sent items.
Related Reading
- If you’re evaluating endpoint controls that can help with phishing payloads, malicious attachments, and post-compromise investigation, see: Compare the Best Antivirus for Windows Business Endpoints (2026).
- If your policies reference “IOC-based detection” during BEC investigations (IP addresses, domains, file hashes), here’s a quick explainer: What Is an IOC?
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.