Preventing Business Email Compromise (BEC) With Strong Security Policies

April 11, 2018 by Stephen Moramarco


Business email compromise (BEC) is a phishing and social engineering scam threatening every organization in every sector on every continent. Even if you have some anti-phishing policies in place, you may not be protected from this growing threat. In this article, we will break down the BEC threat and explain how ineffective security policies can compound BEC-related concerns at your organization.

What is Business Email Compromise (BEC)?

Unlike ordinary phishing emails, BEC is a form of fraud using clever and time-tested methods of deception. Scammers often scour the Internet for information such as coworker names and company structure, travel information (for example, a CEO speaking at a conference) or expansion plans. They’ll use this information to make a message or request seem more legitimate. For example, “the boss” may message through Facebook saying he’s out of town, has been robbed and needs money wired to him now.


According to the FBI, BEC is exploding. The scam has increased by 1,300% since 2015, generating estimated losses of $5.3 billion worldwide. These scams are much harder to detect because they usually don’t involve any links or malware attachments, so they might not be flagged by a typical email spam filter. A message sent through another channel, such as SMS or LinkedIn, may also slip through easily. Therefore, you need to review your policies and, if they are not working, understand why.
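Because a BEC message carries no link or attachment, a spam filter that keys on those has nothing to match. What remains are the message's own properties: an executive's display name on an address outside the company domain, a Reply-To that redirects answers elsewhere, a sender domain one character away from the real one, and urgent payment language. The following is an added example, not code from the article or from Infosec Institute, that scores a handful of constructed messages against those indicators; the company domain, the executive list and the sample messages are all assumptions made up for the illustration.

```python
import re
from email.utils import parseaddr

# Constructed company profile (assumed for this example, not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat jones": "ceo", "sam lee": "cfo"}

# Language that, combined, is typical of a BEC request: urgency plus money.
URGENCY = re.compile(r"\b(urgent|asap|right away|immediately|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|gift cards?|bank details|payment)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(msg):
    """Return the list of BEC indicators present in one message.

    The message is a dict with 'from', optional 'reply_to', 'subject' and 'body'.
    None of the checks needs a link or an attachment to be present.
    """
    flags = []
    name, addr = parseaddr(msg.get("from", ""))
    sender_domain = _domain(addr)

    # 1. An executive's display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        flags.append("exec-display-name-external-sender")

    # 2. Replies would be routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and _domain(reply) != sender_domain:
        flags.append("reply-to-domain-mismatch")

    # 3. Sender domain is a near miss of the real one (e.g. a digit for a letter).
    if sender_domain and sender_domain != COMPANY_DOMAIN \
            and _edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")

    # 4. Urgency and payment vocabulary in the same message.
    text = msg.get("subject", "") + " " + msg.get("body", "")
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent-payment-language")
    return flags


def scan(messages):
    """Map each message id to its indicator list, so a triage queue can sort on it."""
    return {m["id"]: bec_indicators(m) for m in messages}


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Pat Jones <pat.jones@webmail.example>",
     "subject": "Urgent wire transfer",
     "body": "I'm at a conference and need a wire sent today. Keep this confidential."},
    {"id": "m2", "from": "Accounts <ap@examp1e.com>", "reply_to": "ap@other.example",
     "subject": "Updated invoice",
     "body": "Please find the updated invoice for this month."},
    {"id": "m3", "from": "Sam Lee <sam.lee@example.com>",
     "subject": "Lunch", "body": "Lunch moved to noon."},
]

if __name__ == "__main__":
    for msg_id, flags in scan(SAMPLE_MESSAGES).items():
        print(msg_id, flags or "clean")
```

The point of the example is that every flag comes from headers and wording, which is exactly what a link- and attachment-oriented filter ignores; a real deployment would feed these flags into a quarantine or banner rule rather than block on them outright.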

Are Your Policies Clear?

In order to combat BEC, you need to have detailed instructions that are understood by everyone. For example, if your policy is simply “verify transfer requests with a supervisor,” it leaves a gaping hole in which thieves can act. If the employee believes they are already speaking with their supervisor, there is no need in their mind for additional confirmation.

Are Your Policies Enforced?

Some companies may have general policies that everyone ends up breaking. For example, everyone may be required to have a unique username and password, but to save time, many may create an easy password and/or share it amongst several people.

Are Your Policies Actionable?

If you have a policy against opening attachments or clicking suspicious links, what happens if someone accidentally breaks protocol? Who do they report to? What are the steps that should be taken?

Are Your Policies Intimidating?

The threat of BEC is very real, and the consequences of a breach should be understood by all employees; however, they should not be afraid to report errors for fear of reprisal. Fear of reporting delays the response and makes the compromise worse.

How to Prevent BEC With an Effective Security Policy

A good policy starts with awareness. Do your employees know what BEC is? How about phishing in general? A clear, concise definition, with examples, should be included in required materials for all employees, including CEOs.

Next, it’s essential to create or adopt clear policies for assessing possible BEC threats and dealing with breaches. At minimum, these should include:

  1. Phone call confirmations for any unusual money or information requests
  2. Alerting a supervisor about suspicious communications
  3. Thinking before clicking links or downloading attachments
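The first policy above only works if the confirming phone call is independent of the message being verified: a callback to the number the email itself provides simply reaches the scammer again. The following is an added example, not code from the article or from Infosec Institute, of a small approval workflow that enforces that rule. The directory, the payee list and the routine-amount threshold are assumptions made up for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed internal directory, payee list and threshold (assumed for this example).
DIRECTORY = {"sam.lee@example.com": {"name": "Sam Lee", "phone": "+1-555-0100"}}
KNOWN_PAYEES = {"ACME Supplies Ltd"}
ROUTINE_LIMIT = 10_000  # amounts at or below this to a known payee need no callback


@dataclass
class TransferRequest:
    requester_email: str          # who the message claims to be from
    payee: str
    amount: float
    contact_in_message: Optional[str] = None  # any phone number the message offers
    status: str = "pending"
    log: List[str] = field(default_factory=list)


def is_unusual(req):
    """Policy rule: a new payee or a large amount is 'unusual' and needs a callback."""
    return req.payee not in KNOWN_PAYEES or req.amount > ROUTINE_LIMIT


def directory_phone(req):
    """Phone number for the claimed requester from the internal directory only."""
    entry = DIRECTORY.get(req.requester_email.lower())
    return entry["phone"] if entry else None


def verify_by_callback(req, number_called, confirmed):
    """Record the out-of-band check and return the resulting status.

    The only acceptable callback number is the directory number for the claimed
    requester. A number taken from the message itself, or a requester who is not
    in the directory at all, is rejected before the answer is even considered.
    """
    expected = directory_phone(req)
    if expected is None:
        req.status = "rejected"
        req.log.append("requester not in directory")
    elif number_called != expected:
        req.status = "rejected"
        req.log.append(f"callback placed to {number_called}, not directory number {expected}")
    elif confirmed:
        req.status = "verified"
        req.log.append(f"confirmed by phone at {expected}")
    else:
        req.status = "rejected"
        req.log.append(f"requester at {expected} denied making the request")
    return req.status


def process(req, number_called=None, confirmed=False):
    """Route a request: routine ones pass, unusual ones wait for a valid callback."""
    if not is_unusual(req):
        req.status = "approved-routine"
        req.log.append("known payee within routine limit")
        return req.status
    if number_called is None:
        req.status = "pending"
        req.log.append("unusual request: callback required before approval")
        return req.status
    return verify_by_callback(req, number_called, confirmed)


if __name__ == "__main__":
    # Constructed scenario: a message in the CFO's name offers its own callback number.
    req = TransferRequest("sam.lee@example.com", "New Vendor GmbH", 45_000,
                          contact_in_message="+1-555-0199")
    print(process(req, number_called=req.contact_in_message, confirmed=True), req.log)
    print(process(req, number_called=directory_phone(req), confirmed=True), req.log)
```

Whether the person on the phone said yes is checked last on purpose: the number dialled is the control, and the log line records which number it was so an auditor can see that the policy, not just the outcome, was followed.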

And while most companies can’t legally control employee social media postings, employees should be reminded not to break company policy or divulge proprietary information. Employees must also be wary of any work-related Facebook messages that appear to come from senior leadership.

Prepare Your Team to Fight BEC Attacks With Security Awareness Training

The three simple policies listed above can go a long way towards company security. However, they’re only strong if followed. To find out if your team is complying with your policy, it’s highly advisable to test everyone’s aptitude with phony phishing emails. Those who click phishing links should be alerted to their error and enrolled in further training.

Everyone should be encouraged to follow policy, not break it. To keep everyone engaged, give prizes to those who flag the phony emails; you could also create a “secure” employee of the month program to further encourage and reward participation.

To help you create, implement and enforce an effective BEC policy, InfoSec Institute created SecurityIQ, an awareness training and phishing simulation program. It offers hundreds of modules on a variety of subjects tailored to employee role and security aptitude. Topics include phishing, BEC, social engineering and much more.

You can also use PhishSim™, the SecurityIQ phishing simulator, to monitor employee phishing susceptibility. It includes 850+ phishing templates in multiple languages and difficulty levels — including 20 BEC phishing simulations. PhishSim is powered by SecurityIQ analytics, so you can adjust simulation difficulty based on your team’s aptitudes, roles and past performance.

If your team takes the bait, they will learn exactly what they missed in real time. SecurityIQ analytics will log the event and enroll high-risk employees into additional training.

Together, SecurityIQ and a strong security policy will go a long way towards keeping your organization secure from BEC attacks. To request a free 30-day SecurityIQ trial, visit or call 866.471.0059.


Stephen Moramarco

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.