How to Stop Business Email Compromise: A Practical SMB Playbook

TL;DR: Business email compromise is usually not a malware problem. It is a workflow problem: weak login protection, spoofable domains, and payment processes that trust email too much. This playbook gives Palm Beach County SMBs a repeatable set of controls to prevent BEC, detect it early, and limit losses when something slips through.

From an operational standpoint, BEC is successful because it exploits two things that keep businesses running: speed and trust. Antivirus does not stop a fake invoice approval. A firewall does not stop an executive impersonation email that convinces someone to change a wire. If uptime and cash flow matter, this is infrastructure, not a one-time training video.

Why business email compromise keeps working (and what actually breaks)

Let me walk you through the failure modes. Most BEC incidents land in one of these buckets:

• Domain spoofing: attackers send email that looks like it came from your domain or a vendor domain.
• Email account takeover: attackers log into a real mailbox, then use it to request invoice or payment changes.
• Executive impersonation: attackers imitate the tone and timing of an owner or manager to create urgency.
• Invoice fraud: attackers alter payment instructions, often right before a legitimate payment is due.

This works fine until it does not. And when it does not, it fails hard: funds leave the account, and recovery becomes a race against bank cutoffs and transfer timing.

The core problem: email is not a payment system

Email was designed for message delivery, not identity assurance. In practice, email identity is a set of signals that can be faked unless you enforce authentication. Your payment workflow is where the money moves, and BEC attacks that workflow, not your antivirus.

BEC prevention starts with removing single points of failure

When I diagram this, I see a chain: Identity (login) -> Authority (who can approve) -> Process (how approvals happen) -> Verification (how changes are confirmed). BEC succeeds when any one link becomes a single point of failure.

If you want a structured approach, start with controls that reduce blast radius:

1. Harden logins so takeovers are harder.
2. Make spoofing less effective with SPF/DKIM/DMARC.
3. Fix payment workflows so email alone cannot change money movement.
4. Audit mailbox rules and forwarding so stealth persistence is removed.
5. Prepare an incident checklist so response is fast and consistent.

If you need help implementing this end-to-end, this is exactly the kind of work covered under our managed cybersecurity services for small business.

Email account takeover controls: lock down the front door

Email account takeover is the highest leverage move for an attacker. If they get in once, they can watch invoices, learn vendor names, and time the fraud. Prevention here is about identity assurance and session control.

1) Enforce phishing-resistant MFA (not just "any MFA")

From an operational standpoint, MFA is non-negotiable. But not all MFA is equal. SMS and one-time codes can be phished. Push prompts can be abused with fatigue attacks. The goal is phishing-resistant MFA where possible.

• Preferred: FIDO2/WebAuthn security keys or passkeys (device-bound) when your email platform supports them.
• Good: Authenticator app with number matching and strong conditional access policies.
• Last resort: SMS (better than nothing, but plan to move off it).

Why this matters: if an attacker can trick a user into approving an MFA request, your mailbox is still compromised. For background, see Microsoft Support: multi-factor authentication overview.

2) Reduce credential exposure and session hijacking

In practice, users reuse passwords, store them in browsers, and sign in from unmanaged devices. Each one is a failure point.

• Password hygiene: require long passwords and block known breached passwords if your platform supports it.
• Device control: ensure staff access email from managed devices when possible.
• Session policies: limit sign-ins from risky locations and require re-authentication for sensitive actions.

Consequence of skipping this: even with MFA, stolen session tokens can keep attackers authenticated long enough to create rules, forward mail, and run invoice fraud.

SPF, DKIM, DMARC: domain spoofing protection that actually scales

If you send and receive business-critical email, SPF/DKIM/DMARC is infrastructure. It reduces spoofing and improves how receiving mail systems treat your messages. It also gives you visibility into who is trying to impersonate your domain.

SPF: declare who is allowed to send for your domain

SPF is a DNS record that lists authorized sending systems. Done correctly, it helps receiving servers reject or flag unauthorized senders.

• Inventory every legitimate sender (Microsoft 365 or Google Workspace, marketing platforms, ticketing systems, website forms).
• Publish one SPF record with the right includes.
• Keep it under the DNS lookup limits.

Consequence of sloppy SPF: legitimate mail can fail, or attackers can still spoof because the record is incomplete or too permissive.

DKIM: sign outbound mail so it cannot be altered silently

DKIM adds a cryptographic signature to your outbound email. It proves the message was authorized by the domain and was not modified in transit.

• Enable DKIM signing for your primary email platform.
• Rotate keys on a schedule and document ownership.

Consequence of skipping DKIM: DMARC becomes weaker, and recipients have fewer signals to trust your domain.

DMARC: enforce policy and get reporting

DMARC ties SPF and DKIM together with alignment rules and a policy (none, quarantine, reject). The operational value is twofold: you can block spoofing and you can see impersonation attempts through reports.

1. Start with p=none to collect reports and find legitimate senders you missed.
2. Move to p=quarantine once legitimate sources are aligned.
3. Progress to p=reject when you are confident alignment is correct.

If uptime matters, this step is not optional. Spoofing is a cheap attack; DMARC makes it expensive.

Need help implementing and monitoring this? We handle DMARC rollout as part of email security hardening and cybersecurity services.

Mailbox rules audit: the quiet persistence mechanism in BEC

Here is what actually breaks in real environments: attackers get into one mailbox, then create rules to hide their activity.

What to look for in a mailbox rules audit

• Auto-forwarding to external addresses (especially free email providers).
• Rules that move mail from vendors, banks, or executives to RSS, Archive, Deleted Items, or obscure folders.
• Rules that mark as read to reduce user suspicion.
• New inbox rules created at odd hours or right after a suspicious sign-in.

Consequence of missing this: you reset a password, but the attacker has already siphoned weeks of invoices and can re-engage the moment they regain access.

Operational control: schedule audits, do not rely on memory

Create a repeatable process:

1. Quarterly mailbox rules review for finance, payroll, and executives.
2. Immediate rules review after any suspicious sign-in alert.
3. Disable external auto-forwarding globally unless there is a documented exception.

Wire fraud prevention and invoice fraud controls: fix the payment workflow

BEC is not defeated in the inbox. It is defeated at the point where money moves. Your goal is to make it impossible for a single email to change payment instructions.

Vendor payment verification: a two-channel rule

Implement a simple policy that staff can follow under pressure:

• No payment detail changes via email alone.
• Any request to change bank account numbers, ACH details, or remittance addresses requires out-of-band verification.
• Out-of-band means: call a known-good phone number from your vendor master record, not the number in the email.

Consequence of skipping this: invoice fraud becomes a one-step process for attackers. They only need to write a convincing email.

Secure payment process: separate duties and add friction where it matters

Friction is not the enemy. Uncontrolled friction is the enemy. Add friction at high-risk steps:

1. Dual approval for wires and ACH changes above a threshold.
2. Vendor master record control: only specific roles can edit payment details.
3. Payment change hold: delay first payment to a new account for 24 hours when feasible.
4. Positive pay / bank controls where your bank supports them.

Executive impersonation: remove urgency as an attack vector

Attackers love urgency because it bypasses process. Your countermeasure is a standard script:

• If an email requests secrecy, urgency, gift cards, or a wire, treat it as suspicious by default.
• Verify using a second channel. If you cannot verify, you do not pay.

Dry wit from the trenches: executives do not get mad about verification when they understand the alternative is explaining a missing wire to the bank.

Email security awareness training: make it procedural, not motivational

Security awareness fails when it is vague. Make it procedural and role-based. Office managers and finance staff need different drills than field staff.

What training must include for BEC prevention

• How to spot spoofed domains and lookalike domains.
• How to validate payment change requests using the vendor verification policy.
• How to report suspicious emails quickly and consistently.
• How to recognize MFA phishing and push fatigue attempts.

For ongoing examples of how phishing evolves, see Malwarebytes resources on phishing and business scams.

Operational cadence: short, frequent, measurable

• Quarterly micro-training (15-20 minutes) with one policy reminder and one scenario.
• Track: reporting rate, click rate (if you run simulations), and time-to-report.

Incident response for BEC: a checklist that limits losses

Prevention is the goal, but response speed limits damage. When money is involved, minutes matter. Build an incident checklist before you need it.

Immediate actions if you suspect business email compromise

1. Stop payments: pause wires/ACH if there is any chance payment instructions were altered.
2. Contact your bank: request a recall and fraud escalation. Document timestamps and transaction IDs.
3. Secure the mailbox: reset password, revoke sessions, and review MFA methods.
4. Remove persistence: delete suspicious inbox rules, forwarding, and delegated access.
5. Search and scope: identify which conversations, vendors, and internal users were targeted.
6. Notify affected vendors/customers: using known-good contact info.
7. Preserve evidence: keep headers, message IDs, and logs for investigation and insurance.

If you suspect malware on endpoints contributed to credential theft, treat it as a containment priority. Our professional virus removal and cleanup service can help validate device integrity so you are not re-compromised after a password reset.

Recovery and resilience: backups and data recovery still matter

BEC is often paired with data theft or follow-on attacks. From an operational standpoint, you want to assume the attacker looked for leverage.

• Ensure you have tested, restorable backups for key systems. See our business backup planning and monitoring options.
• If email data or critical files were deleted or encrypted during the incident, escalation to data recovery services may be required.

SMB BEC prevention checklist (print this and run it quarterly)

• Identity: phishing-resistant MFA enabled for all mailboxes, especially finance and executives.
• Access: risky sign-ins monitored; legacy authentication disabled where possible.
• Domain: SPF, DKIM, DMARC implemented and DMARC policy progressing toward quarantine/reject.
• Mail flow: external auto-forwarding blocked by default; mailbox rules audited quarterly.
• Payments: vendor payment changes require out-of-band verification using known-good contacts.
• Approvals: dual approval for high-risk transfers; change holds for new bank details.
• Training: role-based BEC drills run quarterly; reporting process tested.
• Response: bank contacts, escalation steps, and evidence capture documented and accessible.

Local note for Palm Beach County businesses: make this part of normal operations

In Palm Beach County, BEC hits the same types of organizations over and over: professional services, construction, medical offices, HOAs, and any team that pays vendors on a schedule. West Palm Beach, Palm Beach Gardens, Lake Worth Beach, Boynton Beach, Jupiter, and Boca Raton all share the same risk profile because the workflows are the same. The fix is also the same: remove single points of failure and make verification routine.