10 Tips to Save Your Company from Business Email Compromise

Business Email Compromise

Lately, businesses have become a focal point for cybercriminals. Business owners should protect their email and social accounts to avoid being compromised. Cybercriminals have been successfully hacking accounts in an attempt to impersonate key position holders in a company, usually to make unsuspecting clients or businesses make payments to them. Business email compromise is rampant, and business owners should work towards avoiding it.

Business email compromise (BEC) has cost businesses a lot of money, as the rate of compromised emails has increased. You can take these steps to protect your business email from scams.

Steps to protect your business against business email compromise

1. Default passwords are a danger to your organisation

If you’ve ever used a default password for your company, it’s time to change it. Default passwords are easy to find online and can be exploited by hackers. The most common is “password”, but almost any word can work: “123456” or even the name of your boss will do just fine!

To prevent business email compromise, use unique passwords made up of upper- and lower-case letters, symbols and numbers to reduce the risk of unauthorized access.

You should also make sure that your employees know about this risk and what to do about it when they receive an email, apparently from their own organization, asking for personal information such as names and addresses in order to proceed with payment processing services offered by the organization (such as credit cards).

2. Keep your software up-to-date

  • Update your operating system, applications, and firmware (e.g., BIOS).
  • Keep your antivirus software up-to-date; consider using a second device or service to scan files as they are sent over the network or received on remote devices.
  • Make sure that browsers receive security fixes as soon as they become available.
  • Use a self-hosted or subscription service for all email exchanges; these are more secure than a free email server.

3. Use multi-factor authentication (MFA) wherever you can

MFA, or multi-factor authentication, is a security feature that requires you to provide two or more pieces of information in order to verify your identity. Using MFA can be an effective method for protecting your data from unauthorized access and preventing business email compromise.

MFA is especially useful when combined with other security features such as 2-step verification, which requires the user’s mobile phone number and password before they can log into their account on any device other than those approved by their employer or school. This additional layer of protection helps ensure that only the people who should have access are using it, and even then they will have to use something like Google Authenticator (which generates codes based on secret questions) rather than just entering their password directly into the app itself!

Enable two-factor authentication on your email accounts. This will prevent attackers from being able to hack into your accounts and use them to perform fraud.

4. Verify requests coming through email, regardless of apparent authenticity

  • Use SPF (Sender Policy Framework) records to verify the sender’s domain name and IP address, as well as their email address. If you are not familiar with SPF, it is a protocol for verifying whether an email was sent from a particular source or server. You can also use DKIM (DomainKeys Identified Mail) records to determine whether the message was forged or tampered with in any way before reaching your inbox.
  • Check that the person sending you an email is legitimate by looking at other sites they may be linked with; if possible, ask them for some additional information about themselves so that there are no surprises when it comes time to sign up for services such as Google Docs instead of Microsoft Office 365!
  • Double-check emails that request an immediate transfer of funds, even if they appear to come from executives.

5. Review wire transfer payments and other sensitive financial processes

You should review wire transfer payments and other sensitive financial processes to ensure they are being carried out correctly. Wire transfers are a common form of payment for many businesses, but it’s important that you know who you are paying and that the payment is legitimate. Make sure that only a minimum number of people are authorized to process and approve company wire transfers and check payments.

To prevent business email compromise, always ensure that requests for payment are confirmed either by phone or in person. Do not make the payment until it has been confirmed outside of email.

It’s also worth checking the sender’s email address to see if it is legitimate. If an email says it is “from” [email protected] but includes no other information about who wrote or sent it, there may be something wrong with that person’s identity. If this happens frequently enough in one place (such as your company), consider asking them why they would want access to such private information without knowing who exactly would receive their messages first!
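As an added example (not code from the original article) of the header checks tips 4 and 5 describe, the Python script below reads a raw message, checks the SPF, DKIM and DMARC results that a receiving mail server records in its Authentication-Results header, and flags Return-Path or Reply-To domains that do not match the visible From domain or that imitate the organisation's own domain. The sample message, the domain names and the `OUR_DOMAINS` set are constructed assumptions.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not from the article): the display name claims to be the CEO, but
# replies are redirected to a lookalike domain and the receiving server recorded failures.
SAMPLE_MESSAGE = b"""Return-Path: <billing@examp1e-corp.com>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail header.from=example-corp.com
From: "Jane Doe (CEO)" <jane.doe@example-corp.com>
Reply-To: <jane.doe@examp1e-corp.com>
Subject: Urgent wire transfer

Please wire the funds today, I am in a meeting and cannot take calls.
"""

OUR_DOMAINS = {"example-corp.com"}  # assumed: the organisation's own mail domains

def domain_of(address):
    """Lower-cased domain part of an address header value ('' if the header is absent)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()

def auth_results(header_value):
    """Map spf/dkim/dmarc to the result recorded in an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", (header_value or "").lower()))

def is_lookalike(candidate, legit):
    """True when the two domains have equal length and differ in exactly one character."""
    return len(candidate) == len(legit) and sum(a != b for a, b in zip(candidate, legit)) == 1

def triage(raw):
    """Return human-readable findings for a raw RFC 5322 message ([] means nothing flagged)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    results = auth_results(msg["Authentication-Results"])
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append(f"{method} did not pass ({results.get(method, 'missing')})")
    from_domain = domain_of(msg["From"])
    # Envelope sender and Reply-To should align with the visible From domain; a
    # Reply-To that quietly redirects the conversation is a classic BEC indicator.
    for header in ("From", "Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if header != "From" and dom and dom != from_domain:
            findings.append(f"{header} domain {dom} differs from From domain {from_domain}")
        if dom and dom not in OUR_DOMAINS and any(is_lookalike(dom, ours) for ours in OUR_DOMAINS):
            findings.append(f"{header} domain {dom} imitates an organisation domain")
    return findings
```

Call `triage(SAMPLE_MESSAGE)` to list the findings; a clean internal message with passing authentication results returns an empty list.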


6. If a scammer sends you a spoof email, forward it to your IT department immediately with full headers for investigation.

To prevent business email compromise, have a team in charge of IT security that can lock down your systems when needed. That team should also implement proper security policies and educate employees on practices that keep every platform safe.

  • Do not click any links or attachments in the emails you receive. If you have already opened an attachment, delete it immediately and report it to your local police department or law enforcement agency.
  • Do not reply to any email that requests personal information from you (such as passwords). This is a scam!

7. Implement valid email address policies

Email address policies are a way to keep your business secure. They can help you identify and prevent unauthorized access to your accounts and devices, as well as detect suspicious activity.

Here’s how email address policies work: each employee has their own unique email address that they use for work purposes only, such as sending emails from the company’s servers or logging into remote systems. Unfortunately, it is not uncommon for employees to share these accounts with friends or family members, or even themselves! If an attacker gets hold of one of these accounts, they could easily access any other personal information stored on that same device (such as banking credentials).

To prevent business email compromise, you’ll want to implement some kind of policy around who can log in with which ID number/password combination(s). This means restricting access to when it is needed; for example, if someone wants access, they need express permission via e-mail before being allowed entry into any given area, such as an office space where sensitive data might be stored.

8. Use caution when receiving emails from unfamiliar senders

It’s important to be cautious when receiving emails from unfamiliar senders. If you see a link in an email or a file attachment, don’t click on it. If the sender asks you to reply with information about yourself, don’t do that either. To prevent business email compromise, delete all spam; spam messages sometimes take you to sites that are not secured, or to sites hosting malware that can compromise your email.

The most common way people get their business email compromised is by opening attachments that contain malware or viruses and then clicking on links inside them (for instance, when someone clicks a malicious link in an email).

Another way is when hackers send out phishing emails pretending to be from companies like your bank or credit card company asking for personal information so they can steal money from your account.

9. Set a withdrawal limit

To prevent business email compromise, consider putting a limit on the amount of money that can be withdrawn from your company’s bank account. That way your bank can verify requests that exceed the limit.

10. Train your employees on cybersecurity best practices

To prevent business email compromise, train your employees on cybersecurity best practices and ensure they are fully aware of all policies, procedures and processes involving payment activity within your company or agency. This includes:

  • How to identify phishing emails (which typically look like legitimate emails from a trusted source)
  • How to avoid being tricked into clicking on a link that takes you to a malicious site where you may be asked for sensitive information such as usernames and passwords

Business Email Compromise (BEC) is a serious threat to corporate networks. If you want to prevent business email compromise and be protected, you need to take steps now and implement good cybersecurity practices.