$2.9 billion: FBI IC3 reported BEC losses in 2023
Over 65%: increase in BEC losses from 2019 to 2023
$125,000+: average loss per successful BEC wire transfer incident
Over 99%: percentage of BEC attacks involving no malware or malicious links

Business Email Compromise bypasses nearly every technical security control because it is fundamentally a social engineering attack delivered through email. There is no malware for antivirus to detect, no malicious URL for Safe Links to block, and no payload for EDR to flag. The attacker either sends email from a spoofed or lookalike domain, compromises a legitimate email account and sends from it, or manipulates an employee into believing they are communicating with a trusted party. The attack works because it exploits organizational processes that rely on email as an authoritative communication channel for financial transactions.

The FBI's Internet Crime Complaint Center (IC3) consistently ranks BEC as the highest-dollar cybercrime category by far, with 2023 losses of $2.9 billion dwarfing ransomware losses by a factor of 10 in reported dollar terms. The gap is largely attributable to recovery: ransomware losses are often unrecoverable once data is encrypted, but successful BEC wire transfers can sometimes be recovered through rapid FBI notification. Defense against BEC requires a layered approach: email authentication to block spoofing, process controls to add verification steps to financial transactions, employee training on recognizing and verifying unusual requests, and detection capabilities for account compromise and inbox rule manipulation.

BEC Attack Types: CEO Fraud, Vendor Impersonation, and Payroll Diversion

BEC attacks take several distinct forms, each targeting different organizational processes and employee roles. Understanding the attack variant determines which defensive controls are most relevant.

CEO Fraud (Executive Impersonation): The attacker spoofs or impersonates a senior executive (CEO, CFO, or other C-level officer) and sends an urgent request to an employee with financial authority, typically asking for a wire transfer to a new account, a gift card purchase, or a change to vendor payment details. The urgency framing ("I'm in a meeting, handle this immediately without going through normal channels") is designed to bypass verification instincts. CEO fraud typically targets accounts payable staff, executive assistants, or finance department employees.

Defense focus: DMARC enforcement prevents domain spoofing. Process controls requiring phone verification for any executive-initiated financial request provide the critical out-of-band verification step. Train employees that any executive email requesting financial transactions outside normal channels should be verified by calling the executive at a known number, not replying to the email.

Vendor Impersonation (Invoice and Payment Redirection): The attacker impersonates a known vendor or supplier and requests that the organization update payment details to a new bank account. The request appears to come from a legitimate vendor relationship, often referencing real invoice numbers or project names obtained through OSINT or a prior compromise of the vendor's email system. Finance teams process the updated payment details and subsequent legitimate invoices are paid to the attacker's account.

This variant is particularly effective because it exploits an existing trusted business relationship and the request (updating payment details) is a normal business activity. Defense focus: establish a callback verification policy requiring that any payment detail change for an existing vendor be confirmed via phone at the vendor's known contact number (not the number provided in the change request email).

Payroll Diversion: The attacker, often using a compromised or spoofed employee account, contacts HR or payroll with a request to update direct deposit banking information. When the next payroll runs, the employee's salary is diverted to the attacker's account. The employee may not realize for 2 to 4 weeks until they notice missing deposits.

Defense focus: out-of-band verification for any direct deposit change request. A phone call to the employee at their known number, or an in-person verification for local employees, eliminates this attack vector entirely.

M&A and Real Estate Fraud: Attackers monitor for public announcements of mergers, acquisitions, or real estate transactions and insert themselves into the communication flow at the point where wire transfers are expected. The attacker sends wire instructions that appear to come from the other party or from the escrow or title company. Losses in this category are often in the millions.

Account Compromise-Based BEC: Rather than spoofing or impersonating, some BEC attacks begin with compromising a legitimate email account (via phishing or credential stuffing) and then operating from that account to conduct fraud. This variant bypasses DMARC and email authentication entirely because the email comes from the legitimate account. Detection requires monitoring for inbox rule creation, unusual forwarding rules, and authentication anomalies.

Email Authentication: DMARC, DKIM, and SPF as BEC Prevention

Email authentication prevents attackers from spoofing your domain in emails sent to your own employees and customers. Implementing DMARC at p=reject is the single highest-impact technical BEC prevention control.

SPF (Sender Policy Framework): SPF is a DNS TXT record that lists the IP addresses authorized to send email on behalf of your domain. When a receiving mail server gets an email claiming to be from your domain, it checks whether the sending IP is in your SPF record. If not, the email fails SPF.

Publish your SPF record:

yourdomain.com. IN TXT "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all"

The ~all (soft fail) is a starting point for testing; harden to -all (hard fail) after validating all legitimate mail sources are included.

DKIM (DomainKeys Identified Mail): DKIM adds a cryptographic signature to outgoing email that proves the email was sent by a server with authorization from the domain owner and that the message was not modified in transit. Receiving mail servers verify the signature using a public key published in DNS.

For Microsoft 365, create the DKIM signing configuration per domain in the Defender portal or via Exchange Online PowerShell, publish the CNAME records it generates, and only then enable signing:

New-DkimSigningConfig -DomainName yourdomain.com -Enabled $false
Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true

Between the two commands, publish the two CNAME records in your DNS (Get-DkimSigningConfig -Identity yourdomain.com | Format-List Selector1CNAME, Selector2CNAME shows the targets for selector1._domainkey and selector2._domainkey). Enabling before those records resolve causes the second command to fail.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC ties SPF and DKIM together and specifies what to do with email that fails authentication. The policy options are:

  • p=none (monitor mode): collect reports, take no action on failures
  • p=quarantine: send failing email to spam folder
  • p=reject: reject failing email outright

DMARC at p=reject is the only policy that fully prevents your domain from being used in phishing attacks against your employees. It also prevents attackers from spoofing your domain in attacks against your customers.

DMARC deployment sequence:

  1. Publish p=none with rua (aggregate reporting) and ruf (forensic reporting) addresses
  2. Review reports for 2 to 4 weeks to identify all legitimate mail senders that need SPF/DKIM alignment
  3. Move to p=quarantine; pct=25 (apply to 25 percent of failing mail)
  4. Increase pct to 100 percent after confirming no legitimate mail is quarantined
  5. Move to p=reject once stable at p=quarantine; pct=100

DMARC aggregate reports can be parsed using MXToolbox, Valimail, or Dmarcian to identify unauthorized mail sources.
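To show what the report-review step in the deployment sequence actually involves, here is an added example (not code from the original article) that parses a DMARC aggregate report in the RFC 7489 XML format and separates aligned sources from the failing ones you must review before moving past p=none. The report, domain and IP addresses are constructed.

```python
"""Parse a DMARC aggregate (rua) report and separate aligned from failing sources.

Added example, not part of the original article. SAMPLE_REPORT is a constructed
XML report in the RFC 7489 aggregate-report format, not a real receiver's report.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one aligned source (e.g. your mail platform) and one
# unauthorized source sending mail with From: yourdomain.com.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Return (policy, aligned, failing); the two dicts map source IP -> message count.

    policy_evaluated carries the *aligned* DKIM/SPF verdicts, so a row counts as
    aligned when either of them is 'pass'. Rows failing both are the senders that
    p=quarantine or p=reject would start affecting.
    """
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    policy = {"domain": pub.findtext("domain"), "p": pub.findtext("p"),
              "pct": int(pub.findtext("pct") or 100)}
    aligned, failing = defaultdict(int), defaultdict(int)
    for rec in root.iter("record"):
        row = rec.find("row")
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        (aligned if passed else failing)[ip] += count
    return policy, dict(aligned), dict(failing)


def failure_ratio(xml_text):
    """Share of reported mail (0.0-1.0) that enforcement would affect."""
    _, aligned, failing = summarize_report(xml_text)
    total = sum(aligned.values()) + sum(failing.values())
    return sum(failing.values()) / total if total else 0.0


if __name__ == "__main__":
    policy, aligned, failing = summarize_report(SAMPLE_REPORT)
    print(f"{policy['domain']} p={policy['p']} pct={policy['pct']}")
    for ip, n in sorted(failing.items(), key=lambda kv: -kv[1]):
        print(f"  review before enforcing: {ip} sent {n} failing messages")
    print(f"failure ratio: {failure_ratio(SAMPLE_REPORT):.1%}")
```

A failing source is either a legitimate sender that still needs SPF/DKIM alignment or an unauthorized one; the ratio is what you watch while stepping pct up at p=quarantine.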

Lookalike domain protection: DMARC prevents spoofing of your exact domain but does not prevent lookalike domain attacks (micros0ft.com, yourcompany-invoices.com). Defense against lookalike domains requires registering common misspellings and variants, monitoring for newly registered domains similar to yours (using tools like dnstwist), and configuring your email gateway to flag or block email from domains registered within the past 30 days.
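DMARC leaves the lookalike gap described above, so the following added example (not code from the original article or from dnstwist) shows the gateway-side check: does the From: domain of an inbound message resemble one of your protected domains via homoglyph substitution, a one-character edit, a different TLD, or a brand-plus-token name like yourcompany-invoices.com. The PROTECTED list and sample domains are constructed assumptions.

```python
"""Flag sender domains that look like a protected domain (lookalike detection).

Added example, not part of the original article. PROTECTED and the sample sender
domains are constructed; a real deployment would load your own and key vendor
domains and use the Public Suffix List for registrable-domain extraction.
"""
import re

# Assumption: your own domain plus the vendor domains invoices arrive from.
PROTECTED = ("yourcompany.com", "microsoft.com")

# Digits and digraphs commonly swapped for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalize(label):
    """Fold confusable characters so 'micros0ft' and 'rnicrosoft' both read 'microsoft'."""
    label = label.lower().translate(HOMOGLYPHS)
    for src, dst in DIGRAPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance; catches single typos such as 'yourcompny'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels (a simplification of the Public Suffix List rules)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def lookalike_of(sender_domain):
    """Return (protected_domain, reason) if sender_domain resembles one, else None.

    Exact matches (including subdomains) return None: DMARC already governs them.
    """
    sender = registrable(sender_domain)
    if sender in PROTECTED or "." not in sender:
        return None
    s_label, s_tld = sender.rsplit(".", 1)
    for prot in PROTECTED:
        p_label, p_tld = prot.rsplit(".", 1)
        if s_tld == p_tld and normalize(s_label) == p_label:
            return prot, "homoglyph substitution"
        dist = levenshtein(s_label, p_label)
        if dist == 0:
            return prot, "same name, different TLD"
        if dist == 1:
            return prot, "one character edit"
        if p_label in re.split(r"[-_]", s_label):
            return prot, "brand combined with an extra token"
    return None
```

Route a hit to quarantine or to a banner rather than rejecting outright: a vendor's genuine sister domain can trigger the brand-plus-token rule.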


Microsoft 365 Anti-BEC Configuration

Microsoft Defender for Office 365 provides specific anti-impersonation capabilities designed to detect BEC attempts at the email gateway level.

Anti-phishing policy with impersonation protection: In Defender for Office 365 Plan 1 or Plan 2, configure an anti-phishing policy with user and domain impersonation protection:

  1. Add protected users: list all executive email addresses, key finance staff, HR leadership, and accounts payable contacts. Defender monitors for emails that appear to impersonate these specific addresses.
  2. Add protected domains: add your organization's domains, key partner domains, and domains of major vendors you regularly receive invoices from.
  3. Enable mailbox intelligence: allows Defender to learn normal communication patterns and flag anomalous senders.
  4. Set action to quarantine for impersonation detections rather than junk folder, so finance staff do not accidentally act on quarantined BEC attempts.

Configure via PowerShell:

# Policy: who is protected and what happens to impersonation detections.
# TargetedUsersToProtect entries use the "DisplayName;EmailAddress" format.
New-AntiPhishPolicy -Name "BEC Protection" `
  -EnableTargetedUserProtection $true `
  -TargetedUsersToProtect @("CEO Name;ceo@yourdomain.com", "CFO Name;cfo@yourdomain.com", "Accounts Payable;ap@yourdomain.com") `
  -TargetedUserProtectionAction Quarantine `
  -EnableOrganizationDomainsProtection $true `
  -EnableTargetedDomainsProtection $true `
  -TargetedDomainsToProtect @("vendor.example") `
  -TargetedDomainProtectionAction Quarantine `
  -EnableMailboxIntelligence $true `
  -EnableMailboxIntelligenceProtection $true `
  -MailboxIntelligenceProtectionAction Quarantine
# A policy applies to nobody until a rule scopes it to recipients.
New-AntiPhishRule -Name "BEC Protection" -AntiPhishPolicy "BEC Protection" -RecipientDomainIs yourdomain.com

External sender tagging: Enable external sender warnings that prepend a visual tag to emails from outside the organization. This undercuts display name spoofing (setting the display name to "CEO Name" in a personal email account), because the message is tagged as external regardless of what the display name says. In Exchange Online:

Set-ExternalInOutlook -Enabled $true

Monitor for inbox rule manipulation: A common post-compromise persistence technique is creating inbox rules that forward all email to an external address or delete emails matching certain keywords (to intercept vendor communications or hide BEC fraud notices). Monitor for inbox rule creation events in the Microsoft 365 unified audit log:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
  -Operations "New-InboxRule","Set-InboxRule" | Select-Object CreationDate, UserIds, Operations, AuditData

Alert on any inbox rule that forwards to an external address or deletes email from finance, accounting, or vendor domains.
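The alert logic in the previous sentence, as an added example (not code from the original article or from Microsoft): it reads the AuditData JSON that Search-UnifiedAuditLog returns for New-InboxRule and Set-InboxRule events and flags rules that forward or redirect outside the tenant or that delete mail matching finance keywords. The INTERNAL_DOMAINS set and the three audit records are constructed samples.

```python
"""Flag BEC-style inbox rules in Microsoft 365 unified audit log records.

Added example, not part of the original article. Each input line is the
AuditData JSON that Search-UnifiedAuditLog returns for New-InboxRule and
Set-InboxRule events; the three records below are constructed samples.
"""
import json
import re

INTERNAL_DOMAINS = {"yourdomain.com"}          # assumption: your tenant's domains
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance")
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "FromAddressContainsWords")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records: external forward, finance-keyword delete, benign move.
SAMPLE_AUDIT = [
    '{"CreationTime":"2024-05-03T16:48:02","Operation":"New-InboxRule",'
    '"UserId":"cfo@yourdomain.com","ClientIP":"198.51.100.9","Parameters":['
    '{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"[SMTP:archive@example.net]"}]}',
    '{"CreationTime":"2024-05-03T16:49:30","Operation":"New-InboxRule",'
    '"UserId":"ap@yourdomain.com","ClientIP":"198.51.100.9","Parameters":['
    '{"Name":"Name","Value":"cleanup"},{"Name":"SubjectContainsWords","Value":"invoice;wire transfer"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2024-05-03T09:10:00","Operation":"New-InboxRule",'
    '"UserId":"hr@yourdomain.com","ClientIP":"203.0.113.5","Parameters":['
    '{"Name":"Name","Value":"newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},'
    '{"Name":"MoveToFolder","Value":"Reading"}]}',
]


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyze_rule(audit_json):
    """Return the reasons a rule looks like BEC persistence (empty list if benign)."""
    rec = json.loads(audit_json)
    params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
    reasons = []
    # Any forward or redirect that leaves the tenant is a classic post-compromise step.
    for name in FORWARDING_PARAMS:
        externals = [a for a in EMAIL_RE.findall(params.get(name, "")) if is_external(a)]
        if externals:
            reasons.append(f"{name} to external address {', '.join(externals)}")
    # Silent deletion of finance-related mail hides vendor replies and fraud notices.
    if params.get("DeleteMessage", "").lower() == "true":
        filters = " ".join(params.get(f, "") for f in FILTER_PARAMS).lower()
        hits = [k for k in FINANCE_KEYWORDS if k in filters]
        if hits:
            reasons.append("deletes mail matching finance keywords: " + ", ".join(hits))
    return reasons


def triage(audit_lines):
    """Map (UserId, CreationTime) to reasons for every suspicious rule, skipping benign ones."""
    findings = {}
    for line in audit_lines:
        reasons = analyze_rule(line)
        if reasons:
            rec = json.loads(line)
            findings[(rec["UserId"], rec["CreationTime"])] = reasons
    return findings
```

Feed it the AuditData column of the Search-UnifiedAuditLog output above; a rule named "." or a single character, as in the first sample, is itself a common tell worth surfacing.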

Process Controls: Callback Verification and Dual Authorization

Technical controls reduce the volume of BEC attempts that reach employees, but process controls determine whether employees who receive BEC attempts act on them. Process controls are the highest-confidence BEC prevention mechanism because they provide out-of-band verification that a purely email-based attack cannot circumvent.

Callback verification policy: The single most effective BEC process control: any request received via email to change payment details, transfer funds, update banking information, or take financial action outside the normal purchase order process must be verified via phone call to a contact at a number from your internal directory, not from the contact information provided in the email.

Implementation: document this policy in writing, include it in finance and HR onboarding, and train employees that verifying a request is always acceptable and encouraged. The attacker cannot impersonate the CFO on a phone call to the CFO's known mobile number.

Dual authorization for wire transfers: Require two separate employee approvals for any wire transfer above a defined threshold (commonly $10,000 to $25,000 for SMBs, higher for enterprises). The approval request must come through your accounts payable system, not via email chain. This prevents a single compromised or deceived employee from authorizing fraud unilaterally.

New vendor payment approval: Require that any new vendor or first payment to a vendor be approved by a manager and verified against a known contact at the vendor organization before payment is processed. This prevents the fraudulent-vendor variant, where an attacker sets up a fake vendor record before submitting invoices.

Wire transfer delay and review window: Implement a 24-hour review window before wire transfer processing for transfers above the threshold, unless the business need is documented and approved by two managers. This creates a window for employees who suspect fraud to pause the transaction without creating an emergency.

Train employees on "Friday afternoon urgency": BEC actors frequently send requests late on Friday afternoon or before holidays, when verification is harder and employees are more likely to process urgent requests without standard controls. Train employees that urgency framing in financial requests is a red flag, not a legitimate reason to bypass verification.

Detection and Response: Identifying BEC and Recovering Wire Transfers

Detecting BEC in progress and recovering funds after a successful transfer requires rapid action. Wire transfers can sometimes be recovered if reported within 72 hours of execution.

Detection signals for active BEC:

  • Inbox rules created to forward email to external addresses or delete email matching finance keywords
  • Authentication from unusual geographies immediately before a suspicious financial request
  • Email from a new domain claiming to be from a known vendor requesting payment detail changes
  • Executive account logins outside normal hours or locations
  • Outbound email from executive accounts to unfamiliar external domains

Microsoft Sentinel detection query for inbox rule anomalies:

OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
| where Parameters has "ForwardTo" or Parameters has "RedirectTo" or Parameters has "DeleteMessage"
| project TimeGenerated, UserId, Operation, Parameters
| order by TimeGenerated desc

Immediate response when BEC is suspected:

  1. Preserve all email evidence before taking remediation action
  2. Check whether a wire transfer has been initiated through your financial institution
  3. If a transfer has been initiated: call your bank immediately to request a recall. Banks have specific procedures for fraud-related recalls; speed is critical as funds can be moved out of the receiving account within hours.

FBI IC3 reporting and fund recovery: If a wire transfer was executed, report immediately to the FBI Internet Crime Complaint Center (ic3.gov) and to your bank's fraud department. The FBI operates the Financial Fraud Kill Chain (FFKC) process for domestic transfers and coordinates with foreign law enforcement for international transfers. Reporting within 72 hours of execution significantly increases recovery probability. Include: date/amount of transfer, receiving bank name and account number, and all email correspondence related to the fraud.

Post-incident controls: After any BEC incident (including near-misses where the fraud was stopped before transfer): reset all credentials for the accounts involved, review for other compromised accounts, audit all inbox rules tenant-wide, and update callback verification procedures if the incident exposed a gap.

The bottom line

BEC defense is a combination of three control categories: email authentication (DMARC at p=reject prevents domain spoofing), process controls (callback verification eliminates the attack's core mechanism), and detection (monitoring for inbox rule manipulation and authentication anomalies catches account compromise-based BEC before funds move). DMARC is the highest-leverage technical control and can be deployed within weeks. Callback verification is the highest-leverage process control and costs nothing to implement. Together, they address the vast majority of BEC attack variants. If a transfer does succeed, reporting to the FBI IC3 within 72 hours is the only mechanism for potential fund recovery.

Frequently asked questions

What is the difference between BEC and phishing?

Phishing is a broad category of social engineering attacks delivered via email, typically including malicious links or attachments designed to steal credentials or install malware. BEC is a specific subset of email fraud focused on financial theft through social engineering, with no malware or malicious links. BEC attacks impersonate trusted parties (executives, vendors, colleagues) and manipulate employees into authorizing wire transfers or divulging sensitive information. Because BEC contains no malicious payload, it bypasses most technical email security controls that rely on link scanning or attachment sandboxing.

Does DMARC stop all BEC attacks?

DMARC at p=reject stops BEC attacks that rely on spoofing your exact domain, which is one of the two primary delivery mechanisms. It does not stop BEC attacks using lookalike domains (yourcompany-billing.com), attacks using a compromised legitimate email account, or attacks using free email services with display name spoofing. DMARC is a necessary but not sufficient BEC control. The callback verification process control provides coverage for attack variants that DMARC cannot address.

Can you recover money lost to BEC wire fraud?

Recovery is possible but requires immediate action within 72 hours of the fraudulent transfer. Contact your bank's fraud department immediately to request a wire recall and file a complaint with the FBI Internet Crime Complaint Center (ic3.gov). The FBI's Financial Fraud Kill Chain process has recovered hundreds of millions of dollars in BEC fraud. Recovery probability drops sharply after 24 to 48 hours as funds are moved through intermediate accounts or converted to cryptocurrency. Domestic transfers have higher recovery rates than international transfers.

What is the most common BEC attack against small businesses?

Vendor impersonation and invoice fraud are the most common BEC attacks against small businesses because they exploit the lack of formal vendor payment processes. An attacker registers a domain similar to a real vendor, sends a convincing invoice or payment detail update request, and collects payment that was intended for the legitimate vendor. CEO fraud (executive impersonation) is more common against mid-size and larger organizations where the finance team does not have direct access to the executive to verify unusual requests.

How does multi-factor authentication protect against BEC?

MFA protects against BEC attacks that begin with account compromise: if an attacker cannot steal credentials to access a legitimate email account, they cannot send BEC emails from that account. MFA does not protect against BEC attacks that use spoofed domains, lookalike domains, or display name impersonation without account compromise. Implementing MFA on all email accounts and using phishing-resistant MFA (FIDO2) for executives reduces the account compromise vector significantly, but must be combined with DMARC and process controls for comprehensive BEC defense.

What should the callback verification policy say?

The policy should specify: any request received by email to change payment details, bank account numbers, or wire transfer destinations must be verified by phone call to the requestor using a phone number from the company directory or a previously established contact record, not from any number provided in the email or voicemail related to the request. The policy should apply to all vendor payment changes, executive financial requests, payroll bank account changes, and real estate or M&A wire instructions. Exceptions require written approval from two managers and documentation of the business justification.

How do attackers research organizations before launching BEC attacks?

BEC attackers use OSINT extensively before targeting. LinkedIn provides executive names, titles, reporting relationships, and email format patterns. Corporate websites reveal executive names and company structure. EDGAR filings and press releases reveal M&A activity, supplier relationships, and financial data. Job postings reveal the accounting software, ERP systems, and processes in use. Attackers often monitor target organizations for weeks before launching, timing the attack to coincide with real events (board meetings, quarter-close, vendor payment cycles) to increase credibility.

Sources & references

  1. FBI IC3 Internet Crime Report 2023
  2. CISA: Business Email Compromise Guide
  3. Microsoft: Protect Against BEC Attacks
  4. NIST: Email Authentication Mechanisms (SP 800-177)
  5. FBI: Business Email Compromise Public Service Announcement

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
