BEC policy

Chris Swagler | March 21st, 2024


According to Verizon, more than half of social engineering incidents in 2023 were business email compromise (BEC) attacks. Additionally, threat actors are increasing the number of their cyberattack attempts and becoming increasingly automated and smart in the manner they create their impersonation communications. CIOs and their legal teams should think about developing an appropriate BEC policy to prevent financial losses. Cybercriminals have become better at developing email attacks, especially now that many are using generative AI tools, including ChatGPT, to scale the attacks in both volume and sophistication. Numerous social engineering attacks can deceive the human eye and avoid detection by traditional email security tools because they’re almost indistinguishable from legitimate emails.

Cybersecurity teams and business management need to be aware that technology protections can only reduce risk to a certain extent as BEC attacks continue to increase in 2024. Email defense is critical, and defenses including MFA and solid identity and access management are just as important as anti-spoofing technologies such as DMARC and SPF, behavioral analytics, and other threat detection tools. To implement defense-in-depth effectively, however, organizations must add smart people-centric business and technology policies that reduce risk in other ways. The power of BEC attacks stems from their capacity to deceive the victims. According to a threat intelligence lead, these types of attacks don’t generally include dangerous links, malware attachments, or phishing hyperlink payloads, and they are frequently delivered from compromised accounts of trusted sources. BEC attacks are highly targeted and well developed, crafted to look like legitimate, ordinary requests that wouldn’t raise suspicion. Policies, including establishing a set procedure to follow when transferring funds, can help to defeat the social engineering pressure methods that compel employees to act quickly. It’s critical for companies to have a thorough BEC policy statement that makes users more resistant to attacks. Here are eight measures that experts advocate for BEC protection policies.

Acceptable Use Rules

One of the main sets of rules that companies should establish at the business and technology levels to prevent BEC is acceptable use guidelines for employees who access email and other business systems. Offering policy-based protection against BEC risks requires at least an acceptable use policy (AUP). AUPs outline security best practices and need to include a specific focus on phishing and BEC prevention guidelines. The best practices should have requirements, including not clicking on suspicious file attachments or links, not disclosing sensitive information to third parties, double-checking requests for invoice payments and payroll changes, and steps for reporting suspected attacks. AUPs are the yin to security awareness training’s yang. While AUPs clearly state what employers expect from users when it comes to suspicious links and how to handle changes in invoice details, security awareness training explains why the policies exist. Awareness training provides context about how threat operators operate, why companies are targets, and how costly a mistake can be, and it offers better tools to detect potential attacks while obtaining buy-in for AUP compliance.

Security Awareness Training Requirements and Frequency

Security awareness training needs to be included in BEC policies as a major component of onboarding. Additionally, the policies should require regular and frequent training check-ins as employees continue within companies. With cybercriminal tactics continuously evolving, companies need to conduct refreshers every four to six months at a minimum. Companies should research tools to help automate the training sessions. The updates can serve as essential reminders of the threat, reinforce what BEC attacks look like at various stages, and provide a critical venue for information about how the attack methods have evolved since the last training. Use training programs to keep employees updated on evolving BEC threats and techniques. Regular updates, including simulation tests and other audits, are important. The scam has progressed from email to using phony audio calls to impersonate C-suite executives. Test and reinforce employees’ ability to recognize suspicious requests by using simulated phishing and social engineering exercises, whether they’re emails or deepfake audio or video.

Mandating a BEC-Specific Incident Response Plan

Smart boards and CEOs need to demand that CISOs incorporate BEC-specific processes in their incident response (IR) plans, and companies need to implement policies requiring security teams to regularly update and test the IR plans. Security and legal experts urge organizations to plan for legal involvement throughout the incident response process. Legal needs to be involved in how incidents are disclosed to internal and external stakeholders, ensuring that companies’ legal liability doesn’t increase if BEC attacks occur. Breaches can carry legal liability, so it’s best to have the conversations before the breaches and plan to address the issues rather than inadvertently taking actions that either create liability that may not have existed or increase liability that would have existed. BEC policy documents need to require legal to be part of the threat modeling teams, analyzing potential impacts from various BEC attacks so the legal liability perspective can be incorporated into the response plan. Additionally, compromised or exposed information about companies’ clients and customers, including confidential information, can have legal consequences that need to be considered in incident response plans and in responses to actual breaches.

Rules on Sharing Companies’ Org Charts and Other Operational Information

BEC scammers can frequently build very convincing social engineering attempts by exploiting knowledge of companies’ inner workings, targeting specific employees to take over their accounts and then making believable requests of their victims. One example is knowing that a specific employee was second in command to the CFO or was the CEO’s executive assistant, which would help threat actors focus their efforts on whom to compromise first to create convincing requests for financial dealings. Junior employees’ accounts may be less scrutinized than the high-powered bosses’, but the threat actors’ knowledge of the companies could allow them to use that access to send requests to other employees for financial dealings with nearly the same level of authority as if they were sent by the CFOs or CEOs. Numerous cybersecurity advocates advise companies to make operational data, including organizational charts and job descriptions, available only to those who need it. Job descriptions, organizational charts, and other information that threat actors can use to launch targeted phishing scams need to be removed from companies’ websites. Avoid sharing specific personal information on social media platforms, which cybercriminals could use in their personalized social engineering scams.

Having Invoice and Financial Transactions Protocols

One of the most important policies in preventing massive losses from BEC has nothing to do with email defense or technological safeguards. It’s building foolproof methods for invoicing and initiating financial transactions that are resistant to fraudulent attempts. The companies’ standards and procedures are critical. It’s primarily about applying defense-in-depth principles to companies’ business activities rather than to network security. What is the company’s process response if a request to modify payment information is received through email? Standard practices, including defined processes for companies’ requests and established approval hierarchies, are good measures against BEC. The policies should require all payments to be traced back to an approved invoice with a verified payee name, address, and payment instructions. Any ad hoc request for payment must undergo formal review before the payment is issued. Require that all payment instruction changes be verified through legitimate channels before being approved.

Verification for High-Risk Changes and Transactions

To elaborate on invoice and financial transaction policies, companies need to exercise caution when verifying and approving high-risk transactions and account modifications. Implementing verification processes for financial transactions and data requests is crucial. It’s a vital safeguard against BEC attacks, ensuring that all requests are thoroughly vetted. Integrating the procedures into daily operations establishes a strong defense system. One of the most important ways companies can provide a backstop for BEC is by ensuring that anything high-risk that is triggered by emails is followed up through out-of-band verification processes, which could include phone calls, secured systems, or SMS.

One of the most important policies is to never change payment or banking details based on email requests alone. When payment or banking information modifications are requested by email, a policy needs to be implemented requiring the recipients to contact the requestors by phone, using a trusted contact method. Call the requestors at the phone number on file and confirm they have authorized the changes. Companies and users can help reduce risks and insider threats by adding a second approver to the hierarchy for high-risk transactions. Threat operators will sit in compromised mailboxes, waiting for any payment activity that allows them to insert themselves into the process. Even though contacts send legitimate documents through email, those documents need to be backed up with out-of-band verification. In numerous circumstances, attackers will take valid documents that were previously sent and modify them to contain their own (threat operator-controlled) account and routing information. The attacks will appear almost identical to normal documents from recognized contacts, with the only difference being that the account information has been altered. It’s critical that all changes be confirmed outside of the email thread.

Request Register Process

For some companies, policies requiring ad hoc out-of-band phone calls may not be sufficient to reduce BEC risks. One option for taking verification procedures to the next level is creating an internally secure “request register” through which all requests to exchange or alter sensitive information are routed. Because BEC originates from both external, spoofed email and internally compromised accounts, prevention requires a broad strategy. One novel strategy is inspired by positive pay fraud prevention in the financial services sector. The policy mandates a supplementary form of affirmative verification for all sensitive information exchanges and updates, including payees, banking information, accounts receivable, and employee data. The mechanism is an internally secure “request register” that ensures positive validation before any data exchange or alteration. Every sensitive request is registered in a centralized system, using policies and technologies, and approved by a second factor, including phone calls, one-time passcodes (OTP), or hardware security keys such as FIDO2. Users are trained to verify sensitive requests through the register before divulging information or making changes.
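The payment-change verification rule and the request register described above, modelled as a small state machine. This is an added example, not code from the article or from SpearTip; the payee names, phone numbers, account identifiers and approver names are constructed. A banking change is only applied after the requestor has been called back on the number already on file (never a number quoted in the request) and a second person, distinct from the requester, has signed off.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Payee:
    name: str
    bank_account: str
    phone_on_file: str  # trusted number captured at onboarding, never taken from an email

@dataclass
class ChangeRequest:
    payee: str
    new_account: str
    requested_by: str
    confirmed_via: Optional[str] = None
    approvers: Set[str] = field(default_factory=set)
    status: str = "registered"

class RequestRegister:
    """Central register: banking changes apply only after out-of-band confirmation."""
    def __init__(self, payees):
        self.payees = {p.name: p for p in payees}
        self.audit = []  # every verification decision is recorded for incident response

    def register(self, payee, new_account, requested_by):
        return ChangeRequest(payee, new_account, requested_by)

    def confirm_out_of_band(self, req, number_called):
        # A number quoted in the request itself may be attacker-controlled, so only
        # a call to the number already on file counts as verification.
        if number_called != self.payees[req.payee].phone_on_file:
            req.status = "rejected"
            self.audit.append(("rejected_untrusted_number", req.payee, number_called))
            return False
        req.confirmed_via = number_called
        self.audit.append(("confirmed", req.payee, number_called))
        return True

    def approve(self, req, approver):
        if approver == req.requested_by:  # the second approver must differ from the requester
            return False
        req.approvers.add(approver)
        return True

    def apply(self, req):
        if req.status != "registered" or not req.confirmed_via or not req.approvers:
            return False
        self.payees[req.payee].bank_account = req.new_account
        req.status = "applied"
        return True
```

A request that was confirmed on a number other than the one on file stays rejected for good, so the same altered invoice cannot be pushed through later by collecting approvals alone.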

Open-Door Reporting

Companies need to work hard to create policies, cultures, and processes that make it simple for employees to report requests and incidents that seem odd to them, even if they’ve already made a mistake. It’s critical to make sure employees aren’t afraid to report incidents or questionable actions they may have taken. The sooner an incident is reported, the easier it is to address; however, scared employees may not want to admit their mistakes. One idea is to set up documented reporting steps and mechanisms and to reward thwarted attacks rather than punish mistakes. Consider reward systems, which can include prize pools or gift cards, as an added incentive for those who successfully identify and prevent attempted BEC attacks. This helps build a defensive mindset and a zero trust mentality, and employees need to know how to report safely.

Business Email Compromise attacks continue to pose a significant risk to organizations of all sizes. By implementing a comprehensive BEC policy that covers the essential components discussed above, companies can enhance their resilience against these threats. Regular employee training, robust technical controls, stringent financial measures, and thorough incident response protocols are vital in safeguarding organizations from the devastating consequences of BEC attacks. At SpearTip, our phishing assessments test and educate personnel at the client organization. This is done by sending them non-malicious phishing emails, observing their responses, and providing a short training video on the dangers of phishing and how to spot it. Our training modules educate personnel at the client organization by sending them training emails that contain short videos around a security topic, requiring them to answer questions about the information presented. Interaction with the video and questionnaire is tracked and provided back to the client. Our BEC threat assessments, a hybrid approach of policy evaluation and technical testing, include an assessment focused on vulnerabilities within your environment that could lead to business email compromise (BEC).

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.



Frequently Asked Questions

What are some common examples of Business Email Compromise (BEC) scams that companies should be aware of?

Business Email Compromise (BEC) scams often involve fraudsters impersonating executives or other high-ranking officials within a company. They might send out emails asking for wire transfers or sensitive information, often invoking a sense of urgency to pressure the recipient into complying. Sometimes, they might also pose as a trusted vendor or client, sending seemingly legitimate invoices or requests for payment.


How can a company ensure that all employees adhere to the BEC policy?

Ensuring adherence to the BEC policy involves a combination of regular training, monitoring, and reinforcement. Employees should be educated about the policy and its importance regularly, not just during their initial orientation. It should also be made clear that adherence to the policy is not optional, but a required part of their job responsibilities. Regular audits or checks can help to ensure that the policy is being followed, and any violations should be addressed promptly and appropriately to reinforce its importance.

How often should a company revise or update its BEC policy to ensure its effectiveness?

The frequency with which a company should revise or update its BEC policy can vary depending on several factors. Generally, it is advisable to review the policy at least once a year. However, if there are significant changes within the company, such as new technology implementations, major shifts in business operations, or notable increases in attempted BEC scams, more frequent reviews might be necessary. The important thing is to ensure that the policy remains effective and relevant in protecting the company from BEC scams.
