Contributing Writer

14 tips to prevent business email compromise

Dec 16, 2020 | 6 mins

Criminals fool victims into clicking on malicious links or assisting in financial theft by sending emails that mimic real senders and real companies. Here's how to stop BEC.

[Image: malicious email with skull and crossbones. Credit: Natali Mis / Getty Images]

I recently received an interesting email from a business that my firm has worked with. The content of the message was supposedly an electronic fax. I knew the email was suspect just based on how the electronic fax was handled. Our firm has a separate and known fax number. Typically, the only time electronic faxes are sent to inboxes is when we have instructed someone to do so.

When I replied to the email, it was clear that the attacker had not only taken control of the business’s mail server but had set up automatic email rules to respond saying the email was legitimate and that I should open the file and follow the instructions.

Because the email contained only links and did not have any direct malicious content, several staff members received it. Not only did the email get through all my spam filters, but the message had been set up with automatic mail rules to enable a response to any correspondence that the account received. This is a classic case of business email compromise (BEC).

According to the Internet Crime Complaint Center (IC3), BEC schemes resulted in more than $1.7 billion in worldwide losses in 2019. The FBI Cyber Division recently warned about BEC and urged organizations to review their forwarding rules and offered these 14 recommendations:

1. Ensure desktop and web email clients run the same version

Keeping desktop and web email clients on the same, up-to-date version avoids problems with syncing and updates. A lack of synchronization between the desktop and the web might allow an attacker to place rules that are not exposed in the desktop client, so the attack goes unnoticed.

2. Be wary of last-minute email account address changes

In my case of the hacked email account, the person I had previously corresponded with, whose account was now being used in a phishing attack, had recently updated their firm’s domain name and email platform. The migration process made the mail server open to attacks. If suddenly you receive an email from a vendor regarding a financial matter and the email address has changed, call them and request verification of the email address.

3. Check email addresses for slight changes

Small changes can make fraudulent email addresses appear legitimate by resembling actual clients’ names. The letter “l” is one of the worst characters to use in an email address. Is that a lowercase “l” or the number “1”? Depending on the font used, they could be indistinguishable. I used Courier New for both the “l” and the “1” and it is extremely difficult to tell the difference between them. Attackers often use this font trick.

4. Enable multi-factor authentication for all email accounts

I cannot stress this enough: Multi-factor authentication (MFA) ensures that attackers must have something else—phone, key, device, fob, authentication app—in their possession to access your email.

5. Prohibit automatic forwarding of email to external addresses

In many email compromises, forwarding rules may be seen only in the web application and not in the desktop email client. Email forwarding is so pervasive that Microsoft has even blocked outbound mail forwarding automatically in Microsoft 365. If you had previously set up automatic forwarding rules, review their setup again to ensure that they are functioning as you expect.

6. Monitor the Exchange email server for changes

Make frequent checks for changes to configuration and custom rules for specific accounts. Create rules that alert you when there are changes to ensure that your system is well protected. Change management in an organization of any size should be a well-defined process and not happen willy-nilly. It’s wise to perform the change management process on a scheduled basis with documented procedures.

7. Flag differences in “reply” and “from” email addresses

Create a rule to flag email communications where the “Reply-To” address differs from the “From” address. Set up another flag for when an external message claims to come from your own domain name, which indicates that an attacker is trying to trick users into thinking the email is from inside the organization. You can also set up DKIM to reject mail that doesn’t match the domain of the originating mail server.
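The two flags described in tip 7, together with the lookalike-character check from tip 3, as an added Python example that is not from the article: it parses constructed sample messages and returns the flags a mail rule would raise. The domain names, the vendor list and the `external` argument (which a real mail gateway would supply) are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                  # assumption: our own domain
KNOWN_VENDORS = ("vendor-example.com",)     # assumption: vendors we pay

def skeleton(domain):
    """Collapse characters that many fonts render alike (tip 3), so that
    'examp1e.com' and 'example.com' compare equal."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("10", "lo"))

def triage(raw, our_domain=OUR_DOMAIN, vendors=KNOWN_VENDORS, external=True):
    """Return the list of flags a gateway rule would raise for one message.
    `external` is an assumption: the gateway knows whether the message
    arrived from outside the organization."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "") or from_addr))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    flags = []
    # Tip 7, first flag: replies would go somewhere other than the sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain differs from From domain")
    # Tip 7, second flag: an outside message pretending to be internal.
    if external and from_dom == our_domain:
        flags.append("external message claims our own domain")
    # Tip 3: a sender domain that is one lookalike character away from a vendor.
    for vendor in vendors:
        if from_dom != vendor and skeleton(from_dom) == skeleton(vendor):
            flags.append(f"From domain looks like known vendor {vendor}")
    return flags

# Constructed sample messages (not real mail).
SPOOFED_INTERNAL = """From: CFO <cfo@example.com>
Reply-To: cfo@examp1e-mail.net
Subject: Urgent wire
To: ap@example.com

Please process today.
"""
LOOKALIKE_VENDOR = """From: billing@vendor-examp1e.com
Subject: Updated remittance details

New account enclosed.
"""
CLEAN = """From: billing@vendor-example.com
Subject: Invoice 42

Attached.
"""
```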

8. Add a banner to messages coming from outside your organization

Warning users about a message’s origin is a normal configuration that many firms use. Even with the warning many users still click on links. Consider end-user education about how the emails will look and what to expect.

9. Review use of legacy email protocols

Consider the necessity of legacy email protocols, such as POP, IMAP and SMTP, that attackers can use to circumvent MFA. Old protocols can be easily attacked and hacked. Too many of us reuse credentials on various platforms. So, it’s easy for an attacker to use a database of stolen credentials and attempt to log onto systems with these reused credentials.

10. Log and retain changes to mailbox login and settings for at least 90 days

Logging is often overlooked as a security tool. By the time you realize something has happened, it is too late to configure auditing and logging. Evaluate your options for pulling the logs off your mail servers and ensure that you store them elsewhere. You can use services such as Splunk to forward and store log files.

11. Enable security features that block malicious email

Are you using the features you already have to block phishing and email spoofing? Too often we purchase additional security products for mail servers and do not completely set them up. For Office 365 I recommend following the best practices guide from the ITpromentor site.

12. Encourage employees to challenge suspicious payment requests

Employees should request clarification of suspicious payment requests from management prior to authorizing transactions. We’ve been trained to cooperate and to help as much as we can, but that trait can make us open to phishing and tricking. Back up electronic processes with old-fashioned confirmation such as picking up the phone and calling to confirm the amount and the transfer processes.

13. Set up alerts for suspicious behavior in email

If you use Office 365 or Microsoft 365, you can set up alerts for suspicious behavior in email. Review if you need to change licenses to have these alerts, but it may be worth it for some organizations.

14. Report fraud to authorities

Immediately report any online fraud or BEC activity to the Internet Crime Complaint Center. Ensure that authorities know the activities are going on. Even if your specific case can’t be remedied, authorities can often look at patterns and gain more insight from multiple reports. No BEC case is too small to be overlooked.

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds Wrap for her tinfoil hat.