BEC (Business Email Compromise) Part Deux – The Revenge

In a post last year, I broke down Business Email Compromise (BEC)—how criminals impersonate executives, vendors, or partners to trick employees into wiring money or sharing sensitive data.

This follow‑up is different. Instead of more theory, I want to give you a short, curated list of resources you (and your team) can use to:
  • Learn how BEC really works in the wild
  • Train employees to spot and stop it
  • Use tools you probably already own to reduce your risk
Think of this as your BEC “starter kit”—no fluff, just things that will actually help.

At one of our clients, we had a real spear‑phishing incident: an attacker spoofed an internal email and convinced an employee to initiate a wire transfer. Something felt off, so she picked up the phone to verify and was able to stop it minutes before the money left the bank.
Same pattern as classic BEC:
  • Looks like it came from a trusted internal source
  • Urgent financial request
  • Pressure to bypass normal process
That one phone call made the difference between a story we tell in presentations and a direct financial loss.
This is why I care so much about sharing the resources below.

If you only read a few things on BEC, make it these:

FBI / Internet Crime Complaint Center (IC3)

The FBI’s IC3 site maintains up‑to‑date statistics and advisories on Business Email Compromise (its annual Internet Crime Report breaks out BEC complaints and reported losses year by year), covering:
  • How the scams are evolving
  • Common attack variants (CEO fraud, vendor invoice compromise, payroll redirection, real estate fraud, etc.)
  • How and where to report incidents, and why speed matters: IC3’s Recovery Asset Team works with banks to try to freeze fraudulent domestic wires, and the sooner a wire is reported, the better the odds of a freeze
This is the best way to understand how big the problem really is and how it hits organizations similar to yours.

Government Cybersecurity Guidance (CISA / FTC / NIST)

CISA (its phishing guidance and awareness materials), the FTC (its small‑business guidance on email imposter scams), and NIST (its small‑business cybersecurity resources) all publish guidance in business‑friendly language, which makes them a good fit for leadership teams and compliance committees.

Hands‑On Training & Simulation (For Employees)

Reading is good. Practice is better. This is what I like for phishing/BEC awareness:

Employee Education (Phishing Simulation + Micro‑Training)

In our security presentations, we highlight our Employee Continuous Cyber Training as a powerful way to test and train employees in real‑world conditions:
  • Send simulated phishing emails that look like what attackers actually use
  • See who clicks, who enters credentials, and who reports
  • Automatically enroll “clickers” in short, targeted training videos
Practical tip:
Ask your IT partner or internal IT team: “Do we already have a phishing simulation / awareness platform in place? Are we using it consistently?”
A lot of businesses are paying for tools they’re not fully leveraging.

Use the Security You Already Own (Microsoft 365)

Many organizations already have Microsoft 365, but aren’t using its security features to reduce BEC risk. In our own materials, we talk about how Microsoft 365 helps protect against phishing and malware, and how features like OneDrive versioning help with recovery.
Here are a few capabilities to ask your IT team about:
  • Anti‑phishing protection & email filtering
    • Are we on the current inbound protection stack (Exchange Online Protection, plus Defender for Office 365 if we license it), with impersonation protection turned on for our executives, finance staff, and key vendor domains?
    • Are SPF, DKIM, and DMARC published for our own domains, so the simplest trick (an exact copy of one of our addresses) gets rejected at the receiving end?
    • Are high‑risk messages (financial / payment‑related, or from senders we have never seen before) flagged or inspected more carefully?
  • Multi‑Factor Authentication (MFA)
    • Is MFA enabled for all accounts, especially executives, finance, and IT, using an authenticator app or hardware key rather than SMS?
    • Are we enforcing MFA for remote access and key cloud apps?
    • Be clear about what MFA does and doesn’t cover: it blunts the account‑takeover variant of BEC, but a look‑alike domain or a spoofed external address never touches our login page, so the employee checklist below still matters.
  • Conditional access & login alerts
    • Do we get alerts on unusual sign‑in activity, and on new inbox forwarding or redirect rules? (Microsoft 365 includes a built‑in alert policy for forwarding‑rule creation.)
    • Is automatic forwarding to external domains blocked in the outbound policy, so a hijacked mailbox can’t quietly copy every invoice thread to the attacker?
  • OneDrive / SharePoint versioning & restore
    • If a BEC incident leads to broader compromise (ransomware or account misuse), can we roll back damaged data quickly?
You don’t need to buy every shiny security tool on the market before you fully configure what you already pay for.
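
To make the “suspicious forwarding rules” question concrete, here is an added example (not code from the original post, and not a Microsoft tool) that triages a list of inbox rules for the hide‑and‑forward pattern that typically follows a BEC mailbox takeover. The sample rules are constructed; their fields mirror what Exchange Online’s Get‑InboxRule returns (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, SubjectContainsWords), but the recipient string format, the internal domain, and the folder and keyword lists are assumptions for the example.

```python
"""Flag inbox rules with the hide-and-forward pattern that follows a BEC mailbox takeover.

Added example, not code from the original post. The sample rules are constructed;
their fields mirror the ones Exchange Online's Get-InboxRule returns (Name, Enabled,
ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder,
SubjectContainsWords), but the recipient string format and the domain/folder/keyword
lists below are assumptions for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INTERNAL_DOMAINS = {"example.com"}  # assumption: replace with your accepted domains
# Folders attackers pick so the victim never sees replies; this list is an assumption.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items", "archive"}
# Subject keywords that single out payment threads for diversion.
MONEY_WORDS = {"invoice", "payment", "wire", "ach", "bank", "remittance", "remit"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    subject_contains_words: List[str] = field(default_factory=list)


def recipient_domain(recipient: str) -> str:
    """Pull the SMTP domain out of either a bare address or a '"Name" [SMTP:addr]' string
    (the bracketed form is how the cmdlet commonly renders recipients; assumption)."""
    addr = recipient.split("SMTP:")[-1].rstrip("]").strip().lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def triage_rule(rule: InboxRule) -> List[str]:
    """Return the indicators a single rule matches; an empty list means nothing notable."""
    if not rule.enabled:
        return []
    findings = []
    targets = rule.forward_to + rule.redirect_to + rule.forward_as_attachment_to
    external = [t for t in targets if recipient_domain(t) and recipient_domain(t) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards-externally:" + ",".join(external))
    if rule.delete_message:
        findings.append("deletes-messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append("hides-in-folder:" + rule.move_to_folder)
    if any(set(s.lower().split()) & MONEY_WORDS for s in rule.subject_contains_words):
        findings.append("money-keywords")
    # Attackers tend to name rules "." or " " so they are easy to miss in the Outlook rules dialog.
    if len(rule.name.strip()) <= 1:
        findings.append("throwaway-name")
    return findings


def is_suspicious(findings: List[str]) -> bool:
    """External forwarding is always worth a look; hiding/deleting is only alarming when
    combined with payment keywords or a throwaway rule name (plenty of legitimate rules file mail)."""
    if any(f.startswith("forwards-externally:") for f in findings):
        return True
    hides = any(f.startswith(("deletes-messages", "hides-in-folder:")) for f in findings)
    return hides and ("money-keywords" in findings or "throwaway-name" in findings)


def triage(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox:rule name' to its indicators, for every rule that is_suspicious."""
    return {f"{r.mailbox}:{r.name}": f for r in rules if is_suspicious(f := triage_rule(r))}


# Constructed sample data: one takeover-style rule, one benign filing rule, one hiding rule, one disabled rule.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", ".", forward_to=['"Backup" [SMTP:cf0.backup@gmail.com]'],
              delete_message=True, subject_contains_words=["invoice", "wire transfer"]),
    InboxRule("ap@example.com", "Vendor invoices", move_to_folder="Invoices",
              subject_contains_words=["invoice"]),
    InboxRule("ceo@example.com", "Hide", move_to_folder="RSS Subscriptions",
              subject_contains_words=["bank details", "remittance"]),
    InboxRule("hr@example.com", "Old forward", enabled=False, forward_to=["someone@external.example"]),
]

if __name__ == "__main__":
    for key, indicators in triage(SAMPLE_RULES).items():
        print(key, "->", ", ".join(indicators))
```

Run as‑is, it reports only the CFO and CEO rules: the accounts‑payable rule files invoices into a normal folder and is left alone, and the disabled HR rule is ignored. The point of the two‑step design (collect indicators, then decide) is that a single indicator such as a payment keyword is common in legitimate rules; it is the combination with hiding or external forwarding that should page someone.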

Simple Employee Checklist: “Pause Before You Pay”

Here’s a short checklist you can share straight with staff. Put this in a PDF, intranet page, or even a poster near finance:
Before you approve any payment or change banking details requested by email, always:
  1. Check the sender carefully
    • Is the email domain exactly correct (no extra letters, swapped characters, or look‑alike domains)?
    • Is this the address the person normally uses for this type of request?
  2. Slow down when there’s urgency
    • BEC emails often say things like “I’m in a meeting—just get this done now” or “We’ll lose the deal if we don’t wire today.”
    • Urgency is a red flag, not an instruction.
  3. Verify out‑of‑band
    • Call the person on a known good phone number (not one taken from the email or its signature) or use a separate channel to confirm. The channel has to be genuinely independent: if an attacker is inside the sender’s mailbox they usually control the sender’s Teams and calendar as well, so a phone call or a walk to their desk beats a chat reply from the same account.
    • For vendor banking changes, confirm with two contacts if possible, using the phone number already on file for that vendor, never one supplied in the change request itself.
  4. Follow the documented process
    • Don’t skip dual approval or dollar‑threshold checks just because it “came from the CEO.”
  5. When in doubt, escalate
    • It’s always OK to say: “I need to verify this for security reasons.”
If your team only remembers one thing from all of this, let it be:
“No wire or payment change happens on email alone.”
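
Step 1 of the checklist (is the domain exactly right?) is the one people get wrong under pressure, because look‑alikes are designed to pass a glance. The following is an added example, not part of the original post, showing how a small sender check can catch the common tricks: transposed or substituted characters (“exarnple.com”, “examp1e.com”), Cyrillic look‑alike letters, the trusted domain buried as a subdomain (“example.com.secure‑invoice.net”), and a trusted domain shown only in the display name. The trusted domain list, the confusable‑character table, and the edit‑distance threshold are assumptions chosen for the example.

```python
"""Classify a From: header against a list of trusted domains and flag look-alikes.

Added example, not code from the original post. TRUSTED_DOMAINS, the confusable table,
the skeleton rules and the distance threshold are assumptions for the example.
"""
from __future__ import annotations
import email.utils
import unicodedata
from typing import Tuple

TRUSTED_DOMAINS = {"example.com", "example-vendor.com"}  # assumption: your domains plus key vendors

# A few Cyrillic/Greek letters that render like Latin ones (Unicode escapes so the
# code points are unambiguous). Constructed short table, not an exhaustive list.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u04cf": "l", "\u0261": "g", "\u03bf": "o", "\u03bd": "v",
})


def skeleton(domain: str) -> str:
    """Reduce a domain to the shape a human sees: lowercase, punycode decoded,
    confusable letters folded, and letter pairs that mimic one glyph collapsed."""
    d = unicodedata.normalize("NFKC", domain.lower().strip("."))
    if any(label.startswith("xn--") for label in d.split(".")):
        try:
            d = d.encode("ascii").decode("idna")  # turn xn-- labels back into Unicode
        except UnicodeError:
            pass
    d = d.translate(CONFUSABLES)
    for seq, repl in (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")):
        d = d.replace(seq, repl)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> Tuple[str, str]:
    """Return (verdict, reason). 'lookalike' means: stop and verify out-of-band."""
    name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return "reject", "unparseable address"
    domain = addr.rsplit("@", 1)[1].lower()
    name_l = name.lower()
    for t in TRUSTED_DOMAINS:
        if domain == t or domain.endswith("." + t):
            return "trusted", domain  # exact domain or a real subdomain of it
    for t in TRUSTED_DOMAINS:
        if t in name_l:
            return "lookalike", f"display name shows {t} but address is @{domain}"
        if domain.startswith(t + "."):
            return "lookalike", f"{t} appears as a subdomain of {domain}"
        if edit_distance(skeleton(domain), skeleton(t)) <= 2:  # threshold is an assumption
            return "lookalike", f"{domain} resembles {t}"
    return "untrusted", domain


if __name__ == "__main__":
    # Constructed headers covering the cases the checklist warns about.
    for hdr in ("Jane Doe <jane@example.com>",
                "Jane Doe <jane@exarnple.com>",
                "Jane Doe <jane@ex\u0430mple.com>",
                '"CEO example.com" <ceo.urgent@gmail.com>',
                "AP <ap@example.com.secure-invoice.net>",
                "Vendor <billing@acme-supplies.com>"):
        print(f"{hdr!r:50} -> {classify_sender(hdr)}")
```

A verdict of “lookalike” is deliberately broad: at the threshold used here it will also catch some honest typos and unrelated short domains, which is the right trade‑off for a payment workflow, where the cost of a false alarm is one phone call. “Untrusted” just means an unfamiliar external domain, which for a new vendor is normal; the checklist’s out‑of‑band verification still applies to any banking change regardless of the verdict.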

Additional Resources

“If you haven’t had an independent review of your email and payment‑related controls in the last 12–18 months, it’s time. A focused assessment around BEC and phishing risk can uncover gaps before criminals do.” – Call us today.

Where to Start
If you’ve read this far, you’re already ahead of most organizations. The next step is to turn awareness into action:
  • Share this article with your finance, HR, and leadership teams
  • Decide who owns BEC risk internally
  • Schedule a conversation with your IT and insurance partners about training, controls, and coverage
If you’d like help evaluating your current exposure or rolling out practical, employee‑friendly protections, our team can help. We’ve seen BEC from both sides—in the headlines and in real life—and we know which controls actually move the needle for small and mid‑sized firms.