How to Prevent BEC With Email Security Features

Stephen Moramarco
May 1, 2018 by
Stephen Moramarco

Business email compromise (BEC) has bilked unsuspecting institutions around the world for more than $9 billion dollars. A whopping two-thirds of these attacks are initiated via email. Therefore, it is imperative =your company have a fortified front. In this article, we will discuss how to prevent BEC with email security features.

What is Business Email Compromise?

BEC is a type of phishing, but it is more dangerous. This is because thieves take extra time to get to know the company they are targeting. They’ll scour social media feeds and even use information listed on the company website to better impersonate an executive.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Then, if they haven’t broken into the network itself through a phishing attempt, they’ll pose as an executive and send an email, sometimes from a domain that looks similar to one tied to the business (i.e., instead of In the email, they’ll casually request a wire transfer or access to W-2 forms, another popular target. Unwitting employees quickly reply, losing money or information in the blink of an eye.

The problem with catching and preventing BEC scams is there are often no red flags used in standard email protection. Since there are no images, trigger words or malicious attachments, a traditional anti-spam software program, while still important, is of little use.

Five Email Security Features That Will Help Prevent BEC Attacks

To maximize protections against BEC, you should be sure your system includes these additional security features.

  1. Dual authentication: Dual authentication involves confirming email sign ins from two separate systems, e.g., your desktop and a smartphone. Users that sign in to the desktop application are sent an SMS message with a temporary code that must be inputted before login is complete. This extra step can prevent breaches when the hacker has the correct username and password.
  2. Encryption: Encryption is the process of protecting messages by both encoding their contents and ensuring the recipient is who they say they are. There are both commercial and open-source programs, including PGP and GNU Privacy Guard, that use protocols such as openPGP or TLS. Essentially, these rely on a public key to connect and a private key to read/send messages.
  3. AI filtering: The development of artificial intelligence (AI) has allowed security companies to create advanced filtering techniques to catch BEC criminals. This can include using geolocation tools to identify senders outside of certain areas or unusual patterns in sends. These suspicious emails can then be quarantined for further evaluation.
  4. Visual cues: Incoming emails that make it to the inbox, but have suspicious content, can be configured to insert an alert within the email itself. This could inform the recipient the email address does not match the one in an address book, or other signs of possible BEC.
  5. DMARC/DKIM/SPF protection: To prevent domain spoofing, email servers should be protected by Domain-Based Message Authentication, Reporting and Conformance (DMARC). This standard consists of Sender Policy Framework (SPF), which identifies IP addresses that can use your domain, and DomainKeys Identified Mail (DKIM), which lists the sender’s public key. Together, these independent confirmations ensure the sender is indeed who they say they are.

The Ultimate BEC Safeguard: Workforce Security Awareness

Even with all these protections in place, BEC emails can still sneak through. That’s why it’s important to implement an ongoing security awareness program at your organization.

InfoSec Institute’s security awareness training and phishing simulation platform, SecurityIQ, offers over 1,300 training resources to help educate your team. It includes over 20 BEC phishing simulation templates (with reply-tracking capabilities) and several modules to teach your employees about BEC, phishing, social engineering and more.

 You can quickly enroll employees into training via Active Directory sync, and all progress can be monitored by administrators in the dashboard. Those that don’t complete training or fail tests can be automatically enrolled into further training.

Using the SecurityIQ phishing simulator, PhishSim™, you can create your own BEC scam emails or use one of the pre-loaded templates. For example, one template purports to be from an executive and asks for W-2 forms. If an employee replies with the W-2, you will be alerted of their error.

You can add another layer of defense using the PhishNotify Defender™ email plugin. Any users that fail simulations can have their email permissions dynamically modified so that they cannot click on any further links. PhishNotify also works as a tool for other employees to flag any incoming suspicious emails for quarantine.

Final Thoughts

Educate your employees, upgrade your email and prevent your company from falling victim to a BEC scam. SecurityIQ will provide the training needed to help your workforce identify and prevent BEC attacks. To request a free 30-day SecurityIQ trial, visit or call 866.471.0059.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Stephen Moramarco
Stephen Moramarco

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.