Safeguarding against Business Email Compromise (BEC)

While large corporations often make the headlines, small and medium-sized organizations increasingly become targets of sophisticated attacks, with Business Email Compromise (BEC) emerging as a significant menace. Recent incidents, such as the New Haven, Connecticut, school district losing over $6 million to cybercriminals, provide stark reminders of the dangers organizations and their executives face in the digital age.

The New Haven, Connecticut case is a chilling example of how BEC attacks can be executed with surgical precision. Cybercriminals gained access to the email account of the school system's Chief Operating Officer (COO), setting the stage for a prolonged and calculated assault. They patiently monitored communications for weeks, identifying vendors and redirecting payments to their accounts. The losses were staggering, with more than $5.9 million fraudulently siphoned off before the scheme was uncovered. The FBI managed to recover only a portion of the stolen funds, highlighting the insidious nature of these attacks.

What makes BEC attacks particularly menacing is their sophistication and patience, qualities that many business owners and employees often do not associate with cyber criminals. These attackers quietly infiltrate targeted email accounts and meticulously gather personalized information, enabling them to successfully reroute substantial sums of money. As cyber criminals harness the power of artificial intelligence (AI) to refine their BEC tactics, small and medium-sized businesses (SMBs) must be prepared for increasingly sophisticated, personalized, and persuasive attacks.


So, what can SMB owners and executives do to safeguard their businesses against BEC threats? Here are some critical steps to consider:

  1. Mandate Two-Factor Authentication (2FA): Assume that hackers may have your usernames and passwords, regardless of how careful you are with them. The only reliable way to enhance email security is to implement 2FA, which adds an extra layer of protection by requiring personal device verification before granting access. This should be mandatory for anyone accessing financial systems or sensitive databases.
  2. Regularly Monitor Online Activity: IT departments should consistently monitor who accesses their systems and from where. Unusual spikes in individual account access should trigger alerts for the account user and IT staff. Even sophisticated criminals leave digital footprints that can be detected with vigilant monitoring.
  3. Require Internal Review of Changes: Implement processes that mandate internal review for any alterations in payment destinations, delivery schedules, or delivery locations. Be cautious of email senders, as cybercriminals often create convincing emails to deceive their targets.
  4. Mandate Voice Approval for Changes: For critical changes like bank account updates or rerouting deliveries, establish a protocol requiring a phone call to the client's point person. Always use a known contact number for verification, because calling a number provided in a suspicious email can lead to further compromise.
  5. Limit Online Visibility of Key Staff: Consider limiting the online visibility of key personnel to deter criminals from targeting them. This can involve setting up secondary email accounts, with unique logins for official duties kept separate from a publicly visible email address.
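
The monitoring described in step 2, as an added example (not code from the original article): it flags an account whose daily sign-in count jumps well above its own median and any sign-in from a country the account has not used before. The record layout, the `spike_factor` and `min_history_days` thresholds, and the sample accounts are assumptions constructed for illustration; real sign-in logs would need to be enriched with a source location first.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample sign-in records: (day, account, source country).
SIGNINS = (
    [(date(2024, 3, d), "coo@example.org", "US") for d in range(1, 8) for _ in range(4)]
    + [(date(2024, 3, d), "clerk@example.org", "US") for d in range(1, 9) for _ in range(6)]
    + [(date(2024, 3, 8), "coo@example.org", "US")] * 5
    + [(date(2024, 3, 8), "coo@example.org", "RO")] * 14
)

def find_anomalies(signins, spike_factor=3.0, min_history_days=5):
    """Return alerts for per-account access spikes and never-before-seen locations."""
    daily = defaultdict(lambda: defaultdict(int))    # account -> day -> sign-in count
    places = defaultdict(lambda: defaultdict(set))   # account -> day -> countries seen
    for day, account, country in signins:
        daily[account][day] += 1
        places[account][day].add(country)

    alerts = []
    for account, counts in daily.items():
        days = sorted(counts)
        for i, day in enumerate(days):
            history = days[:i]
            if len(history) < min_history_days:
                continue  # not enough baseline for this account yet
            # Compare today against the account's own typical day, not a global limit.
            baseline = median(counts[d] for d in history)
            if counts[day] > spike_factor * baseline:
                detail = f"{counts[day]} sign-ins vs median {baseline}"
                alerts.append((day, account, "spike", detail))
            # Any country absent from the account's history is reported separately.
            known = set().union(*(places[account][d] for d in history))
            for country in sorted(places[account][day] - known):
                alerts.append((day, account, "new-location", country))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SIGNINS):
        print(*alert, sep=" | ")
```

Each alert would go to both the account owner and IT staff, as step 2 recommends.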


As the threat landscape evolves, businesses must adapt their defenses. Recent trends indicate that BEC attacks are rising, with the so-called "BEC 3.0" generation showcasing more advanced tactics. These attacks include impersonating legitimate SaaS services and websites, making them even harder to detect.

To combat BEC effectively, SMBs should adopt a multi-faceted approach that combines employee education, advanced technology, and strict data and payment policies. Employees need to be trained to recognize the signs of BEC threats, while automated warning systems can leverage AI to detect red flags in email communications. Additionally, implementing stringent data and payment policies, including multi-factor authentication, adds an extra layer of protection.

In conclusion, the dangers of Business Email Compromise are real and growing, posing a significant threat to SMBs and their executives. By taking proactive steps to enhance email security, monitor online activity, and educate their workforce, businesses can better shield themselves against this evolving menace. The stakes are high, and vigilance is the key to safeguarding your business from the perils of BEC attacks.

Michael Markulec

technology executive, cyber-security guru, politician, rugby player, deadhead, brewer, former army officer, crossfitter, and hard-drinking calypso poet.