
Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk

Business email compromise is not one attack but three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.

Jul 3, 2026 · 8 min read

Business email compromise (BEC) is a fraud where an attacker uses email to trick someone in your company into moving money or data. The uncomfortable truth for anyone trying to stop it: BEC is not a single attack you can close with one setting. It comes in three distinct shapes, and each shape needs a different control. Get email authentication right and you kill one whole category outright. The other two need MFA, forwarding hygiene, and a payment process that does not trust email at all.


This guide breaks BEC into its three real forms, tells you honestly which control stops which, and gives you a prioritized checklist so you spend effort where it changes the outcome.

The three shapes of BEC (and why the distinction matters)

Vendors sell "BEC protection" as if it were one problem. It is not. If you treat it as one, you will over-invest in the part that is easy to fix and leave the two hard parts wide open.

Shape 1: Exact-domain spoofing. The attacker sends mail with your real domain in the From address, for example From: ceo@yourcompany.com, from a server that has nothing to do with you. This is the classic "CEO asks accounts payable to wire funds" email using your literal domain. This is the one email authentication was built to stop.

Shape 2: Cousin-domain spoofing. The attacker registers a look-alike domain, yourcompany-payments.com or yourc0mpany.com, and sends fully authenticated mail from it. Their SPF, DKIM, and DMARC all pass, because it is their domain and they set it up correctly. The human sees a plausible name and a green authentication result. Nothing about your DNS records touches this.

Shape 3: Compromised real account. The attacker steals a real employee's mailbox credentials, usually through phishing or a reused password, and sends from the actual account. Every authentication check passes because the mail genuinely is from your domain, from your server, from that user. This is the fastest-growing and most damaging shape.

Hold these three in mind for the rest of the checklist. Every control below stops some of them and is useless against others.

Step one: lock down exact-domain spoofing with DMARC reject

This is the only BEC shape that DNS records can fully close, so close it. You need SPF, DKIM, and DMARC, with DMARC set to p=reject and enforced.

A published, enforcing record looks like this:

v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; adkim=s; aspf=s

When your domain publishes p=reject and the receiving mail server honors DMARC (Google, Microsoft, Yahoo and most large providers do), a message claiming to be from ceo@yourcompany.com that does not pass aligned SPF or DKIM gets rejected before it reaches the inbox. Shape 1 is dead.

Two honest caveats. First, p=none does nothing for protection - it only collects reports. If your record says p=none you are unprotected against exact-domain spoofing today. See DMARC policy: none vs quarantine vs reject for the difference and how to move DMARC from none to reject for the safe path. Second, DMARC only protects the exact From domain and, with the right policy, its subdomains. It does absolutely nothing about look-alike domains you do not own.
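To make the alignment and policy rules above concrete, here is an added example (not code from the original article) that evaluates a DMARC record the way a receiving server would, against constructed messages for each of the three BEC shapes. It queries no DNS; the record text, domain names and the "attacker-relay.example" sender are all constructed, and the organizational-domain reduction is simplified to the last two labels, which holds for plain .com-style domains but not for the full Public Suffix List.

```python
# Added example (not from the original article): evaluate a DMARC record the way a
# receiver would, for the three BEC shapes. Inputs are constructed; no DNS is queried.
# Organizational-domain reduction is simplified to "last two labels" (real receivers
# use the Public Suffix List), an assumption that holds for plain .com-style domains.

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s; ...' into a dict of lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' only the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, record_domain, from_domain, spf_domain=None, dkim_domain=None):
    """Return (disposition, reason) for one message.

    record        - the DMARC TXT value published at _dmarc.<record_domain>
    from_domain   - domain in the RFC5322.From header the user sees
    spf_domain    - MAIL FROM domain whose SPF check passed, or None if none did
    dkim_domain   - d= of a DKIM signature that verified, or None if none did
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("none", "no valid DMARC record, so the receiver applies no policy")
    policy = tags.get("p", "none")
    # A subdomain of the record's domain uses sp= if present, otherwise inherits p=.
    sub = from_domain.lower() != record_domain.lower() and \
        from_domain.lower().endswith("." + record_domain.lower())
    if sub:
        policy = tags.get("sp", policy)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "aligned %s pass" % ("SPF" if spf_ok else "DKIM"))
    return (policy, "no aligned SPF or DKIM pass; policy %s applies" % policy)


STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; adkim=s; aspf=s"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"


def scenarios():
    """Constructed cases: what each BEC shape gets from the receiver's DMARC check."""
    return {
        # Shape 1: attacker's relay puts ceo@yourcompany.com in From. SPF can only pass
        # for the attacker's own MAIL FROM domain, which is not aligned with ours.
        "exact_spoof_reject": evaluate(STRICT, "yourcompany.com", "yourcompany.com",
                                       spf_domain="attacker-relay.example")[0],
        "exact_spoof_none": evaluate(MONITOR_ONLY, "yourcompany.com", "yourcompany.com",
                                     spf_domain="attacker-relay.example")[0],
        # Legitimate sender using mail.yourcompany.com as MAIL FROM: strict aspf fails it,
        # relaxed alignment passes it. Check this before moving to reject with aspf=s.
        "strict_aspf_legit_subdomain": evaluate(STRICT, "yourcompany.com", "yourcompany.com",
                                                spf_domain="mail.yourcompany.com")[0],
        "relaxed_aspf_legit_subdomain": evaluate("v=DMARC1; p=reject", "yourcompany.com",
                                                 "yourcompany.com", spf_domain="mail.yourcompany.com")[0],
        # Shape 2: the cousin domain publishes its own record and signs its own mail.
        "cousin_domain": evaluate("v=DMARC1; p=reject", "yourc0mpany.com", "yourc0mpany.com",
                                  dkim_domain="yourc0mpany.com")[0],
        # Shape 3: a compromised mailbox sends through our real provider, fully aligned.
        "compromised_account": evaluate(STRICT, "yourcompany.com", "yourcompany.com",
                                        dkim_domain="yourcompany.com")[0],
    }
```

The `scenarios()` table is the whole argument of this section in one place: the exact-domain spoof is rejected only when the policy is p=reject, the cousin domain and the compromised account both come back "pass", and the strict/relaxed pair shows the one legitimate case that strict alignment will reject on your behalf.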

Start by checking what you actually publish right now.


If you are missing pieces, work through how to set up SPF, how to set up DKIM, and how to set up DMARC. If you want the conceptual grounding first, SPF, DKIM and DMARC explained covers how the three fit together.

Step two: be honest about what DMARC cannot do

This is the section most BEC advice skips, and it is the most important one.

DMARC reject stops shape 1 and nothing else. Against cousin-domain spoofing (shape 2), the attacker's domain passes its own DMARC, so your policy is irrelevant. Against a compromised account (shape 3), the mail is genuinely yours and passes authentication, so DMARC waves it straight through. If someone tells you DMARC "stops BEC," they are describing one third of the problem. We wrote more on this boundary in does DMARC stop phishing.

So DMARC is step one, not the whole plan. It is the highest-leverage first move because it is cheap, permanent, and closes an entire attack class. But you are two-thirds of the way from done.

Step three: raise the cost of cousin-domain spoofing

You cannot publish a DNS record that blocks a domain you do not control. What you can do is reduce how convincing and how findable those look-alikes are.

Register the obvious look-alikes yourself

Buy the high-risk variants of your domain: common misspellings, hyphenated "billing" and "payments" versions, and the main alternate TLDs. It is cheap defense. You cannot buy every permutation, so treat this as raising cost, not building a wall.

Make your real mail visibly trustworthy

When your legitimate mail is consistently well-authenticated and, where supported, shows a verified logo through BIMI, staff build a baseline for what real company mail looks like. That makes a bare cousin-domain message stand out. See how to set up BIMI and VMC. BIMI is a trust signal, not an anti-spoofing control, so treat it as reinforcement.

Flag external mail at the gateway

Configure your mail platform to tag messages from outside your organization with a clear "EXTERNAL" banner. A cousin domain is by definition external, so the banner fires on it. It is a small, durable nudge that breaks the reflex to trust a familiar-looking display name.
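The external banner treats every outside domain the same. As an added example (not code from the original article), the classifier below goes one step further and scores an inbound sender domain against your own, so a gateway rule can apply a stronger warning or route the message for review when the sender is a confusable variant, a different-TLD twin, a brand-embedded name like yourcompany-payments.com, or a near-miss spelling. The confusable map, the two-edit threshold and the single-label TLD assumption are mine, not the article's; tune them to your brand.

```python
# Added example (not from the original article): classify an inbound sender domain
# against our own so the gateway can escalate look-alikes beyond the plain banner.
# The confusable table, the 2-edit threshold and the "last label is the TLD" rule are
# assumptions (no Public Suffix List); OWN_DOMAIN is a constructed placeholder.

OWN_DOMAIN = "yourcompany.com"

CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"}
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize(text):
    """Collapse digit/letter look-alikes and drop punctuation so variants compare equal."""
    s = text.lower()
    for pair, letter in CONFUSABLE_PAIRS:
        s = s.replace(pair, letter)
    s = "".join(CONFUSABLE_CHARS.get(c, c) for c in s)
    return s.replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Registrable label and suffix, assuming a single-label TLD such as .com."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(sender_domain, own_domain=OWN_DOMAIN):
    """Return (verdict, reason) where verdict is 'internal', 'lookalike' or 'external'."""
    sender = sender_domain.lower().rstrip(".")
    own = own_domain.lower().rstrip(".")
    if sender == own or sender.endswith("." + own):
        return ("internal", "our own domain or a subdomain of it")
    s_label, s_suffix = split_domain(sender)
    o_label, o_suffix = split_domain(own)
    ns, no = normalize(s_label), normalize(o_label)
    if ns == no:
        if s_suffix == o_suffix:
            return ("lookalike", "confusable character or punctuation variant of our label")
        return ("lookalike", "our label under a different TLD (.%s)" % s_suffix)
    # Brand embedded anywhere in the host, e.g. yourcompany-payments.com or
    # yourcompany.com.evil.example; the length guard avoids matching short brands.
    if len(no) >= 6 and no in normalize(sender):
        return ("lookalike", "our brand embedded in the sender domain")
    distance = levenshtein(ns, no)
    if distance <= 2:
        return ("lookalike", "within %d edits of our label" % distance)
    return ("external", "no resemblance to our domain")
```

Run it on the article's own examples: `classify("yourc0mpany.com")` and `classify("yourcompany-payments.com")` both come back `lookalike`, while a genuine partner such as `partner-bank.example` stays plain `external` and gets only the normal banner.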

Step four: contain the compromised account (shape 3)

When the attacker is inside a real mailbox, authentication is on their side. Everything here is about access control and detection.

Enforce phishing-resistant MFA. Passwords alone lose to credential phishing. Require MFA on every mailbox, and prefer hardware keys or passkeys over SMS for anyone who can approve payments. This is the single biggest control against account takeover.

Kill auto-forwarding to external addresses. A classic post-compromise move is a hidden inbox rule that forwards finance threads to the attacker. Block external auto-forwarding at the tenant level and alert on new forwarding rules. As a bonus, external forwarding is also the thing that quietly breaks your SPF on legitimate mail - see why email forwarding breaks SPF.

Watch for impossible travel and new mail rules. Sign-ins from two continents an hour apart, or a brand-new rule that moves "invoice" messages to an obscure folder, are high-signal indicators of an active takeover.

Rotate credentials and revoke sessions fast. When an account is suspected compromised, resetting the password is not enough. Revoke active tokens and sessions so the attacker's existing login dies.
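The three detections in this section (impossible travel, new external forwarding rules, and rules that hide finance mail) are simple enough to run over an audit log directly. The following is an added example, not code from the article or any vendor: it reads a constructed JSON-lines log with made-up users, cities and rule names, and emits one alert per suspicious event. The event names, field names and the 900 km/h plausibility threshold are assumptions, not a real tenant's schema; map them to whatever your mail platform's audit export actually produces.

```python
# Added example (not from the original article): run the post-compromise detections
# from this section over a constructed audit log. Event names, field names and the
# 900 km/h speed threshold are assumptions, not any particular vendor's schema.
import json
import math
from datetime import datetime

OWN_DOMAIN = "yourcompany.com"        # constructed placeholder
MAX_PLAUSIBLE_KMH = 900.0             # assumption: roughly airliner speed
FINANCE_WORDS = ("invoice", "payment", "wire", "remittance")

# Constructed log: one JSON object per line, times in UTC. Nothing here is real data.
SAMPLE_LOG = """\
{"time": "2026-07-03T08:00:00Z", "user": "alice@yourcompany.com", "event": "SignIn", "city": "London", "lat": 51.5074, "lon": -0.1278}
{"time": "2026-07-03T08:05:00Z", "user": "bob@yourcompany.com", "event": "SignIn", "city": "Manchester", "lat": 53.4808, "lon": -2.2426}
{"time": "2026-07-03T09:00:00Z", "user": "alice@yourcompany.com", "event": "SignIn", "city": "Lagos", "lat": 6.5244, "lon": 3.3792}
{"time": "2026-07-03T09:04:00Z", "user": "alice@yourcompany.com", "event": "New-InboxRule", "name": "Sync", "forward_to": "archive@freemail.example"}
{"time": "2026-07-03T10:30:00Z", "user": "bob@yourcompany.com", "event": "SignIn", "city": "London", "lat": 51.5074, "lon": -0.1278}
{"time": "2026-07-03T10:35:00Z", "user": "bob@yourcompany.com", "event": "New-InboxRule", "name": "Cleanup", "subject_contains": "invoice", "move_to_folder": "RSS Subscriptions"}
{"time": "2026-07-03T11:00:00Z", "user": "carol@yourcompany.com", "event": "New-InboxRule", "name": "Team copy", "forward_to": "finance-team@yourcompany.com"}
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_time(stamp):
    """ISO-8601 with a trailing Z; rewritten to an explicit offset for older Pythons."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect(lines, own_domain=OWN_DOMAIN):
    """Return (user, alert_type, detail) tuples, in log order."""
    alerts = []
    last_signin = {}   # user -> (time, lat, lon, city)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        user, when = ev["user"], parse_time(ev["time"])
        if ev["event"] == "SignIn":
            prev = last_signin.get(user)
            if prev:
                hours = (when - prev[0]).total_seconds() / 3600
                km = haversine_km(prev[1], prev[2], ev["lat"], ev["lon"])
                # Two sign-ins whose implied speed no traveller could reach.
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append((user, "impossible_travel",
                                   "%s -> %s, %.0f km in %.1f h" % (prev[3], ev["city"], km, hours)))
            last_signin[user] = (when, ev["lat"], ev["lon"], ev["city"])
        elif ev["event"] == "New-InboxRule":
            # Forwarding to any domain but our own is the classic exfil rule.
            target = ev.get("forward_to")
            if target and target.rsplit("@", 1)[-1].lower() != own_domain:
                alerts.append((user, "external_forwarding_rule", target))
            # A rule that diverts finance threads out of the inbox hides the fraud.
            subject = ev.get("subject_contains", "").lower()
            if ev.get("move_to_folder") and any(w in subject for w in FINANCE_WORDS):
                alerts.append((user, "finance_mail_hidden",
                               "rule %r moves '%s' mail to '%s'" % (ev["name"], subject, ev["move_to_folder"])))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())
```

On the sample log, alice trips both the travel and forwarding checks within minutes of each other, which is exactly the sequence the section describes, bob's "invoice" rule is caught even though it forwards nothing, and carol's internal forwarding rule produces no alert. The speed threshold deliberately uses the previous sign-in rather than a fixed home location, so a genuinely travelling user only alerts when two consecutive logins are physically irreconcilable.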

Step five: the control that beats all three shapes

Every BEC shape converges on one goal: get someone to move money or data based on an email. So the last control does not care which shape you are facing.

Verify every payment change out of band. Any request to change bank details, send a wire, or release sensitive data gets confirmed through a second channel - a phone call to a known number, not the number in the email. This single process rule defeats exact-domain spoofs, cousin domains, and compromised accounts alike, because none of them survive a human calling a trusted contact to confirm.

Make it policy, not a suggestion. Set a mandatory callback for any payment over a threshold and for any change to existing payment instructions. The attacker's entire plan depends on the request never being checked outside email.

The prioritized BEC checklist

Do these in order. Earlier items are higher leverage per hour spent.

  1. Out-of-band verification for all payment changes and wires. Beats all three shapes. Start here.
  2. Phishing-resistant MFA on every mailbox. Closes most account takeovers.
  3. DMARC at p=reject with aligned SPF and DKIM. Kills exact-domain spoofing permanently. Check what your domain currently publishes.
  4. Block external auto-forwarding and alert on new inbox rules.
  5. Register high-risk look-alike domains and enable external-sender banners.
  6. Detection: impossible-travel alerts, new-forwarding-rule alerts, fast session revocation.
  7. Reinforce visual trust with consistent authentication and BIMI.

If you only do items 1 through 3, you have addressed the most damage for the least effort. Everything after that is depth.

Frequently asked questions

Does DMARC reject stop business email compromise?

It stops one form of it: exact-domain spoofing, where the attacker puts your real domain in the From address. It does not stop cousin-domain look-alikes, because those pass their own authentication, and it does not stop a compromised real account, because that mail is genuinely yours. DMARC is step one, not the whole answer.

What is cousin-domain spoofing and can DNS records block it?

Cousin-domain spoofing uses a look-alike domain the attacker owns and authenticates correctly, such as yourc0mpany.com. You cannot publish any SPF, DKIM, or DMARC record that blocks a domain you do not control. You reduce the risk by registering obvious variants, banner-tagging external mail, and requiring out-of-band verification of payment requests.

If our email authentication is perfect, are we safe from wire fraud?

No. Perfect authentication closes exact-domain spoofing only. A stolen mailbox sends fully authenticated mail, and a look-alike domain passes its own checks. This is why the highest-priority control is a payment process that confirms every change through a second channel, independent of email.

Where should we start if we can only do one thing this week?

Mandate out-of-band verification for any wire or bank-detail change, then check your domain's DMARC policy. Verification defeats all three attack shapes at the process level, and confirming you are at p=reject closes exact-domain spoofing at the technical level. Together they cover the most common and most expensive BEC paths.
