Detecting Business Email Compromise

Overview

Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, or changing payment details. Unlike traditional phishing, BEC often contains no malicious links or attachments, relying purely on social engineering. This guide covers detection techniques using email gateway rules, behavioral analytics, and financial process controls.

Prerequisites

Email security gateway with BEC detection capabilities
Understanding of organizational financial processes and approval chains
Access to email logs and SIEM platform
Knowledge of social engineering tactics

Key Concepts

BEC Attack Types (FBI IC3 Classification)

CEO Fraud: Attacker impersonates CEO, requests urgent wire transfer
Account Compromise: Employee email compromised, used to request payments from vendors
False Invoice Scheme: Fake invoices from "vendor" with changed bank details
Attorney Impersonation: Impersonates legal counsel for urgent confidential transfers
Data Theft: Requests W-2, tax forms, or PII from HR

Detection Indicators

Urgency and secrecy language ("confidential", "do not discuss with others")
New or changed payment instructions
Executive communication outside normal patterns
Display name matches executive but email domain differs
Reply-to address differs from From address
First-time communication pattern between sender and recipient
Request for gift cards or cryptocurrency

Implementation Steps

Step 1: Configure BEC-Specific Email Rules

Flag emails with VIP display names from external domains
Detect financial keywords combined with urgency language
Alert on first-time sender to finance/accounting staff
Check for Reply-To domain mismatch

Step 2: Deploy Behavioral Analytics

Baseline normal communication patterns per user
Detect anomalous requests (unusual recipient, unusual time, unusual request type)
Monitor for email forwarding rule changes (T1114.003)

Step 3: Implement Financial Controls

Dual-authorization for wire transfers above threshold
Out-of-band verification for payment detail changes (phone callback)
Vendor payment change verification process
Finance team training on BEC red flags

Step 4: Monitor for Account Compromise

Detect impossible travel in email login locations
Alert on email forwarding rule creation
Monitor for mailbox delegation changes
Check for inbox rules hiding BEC-related emails

Tools & Resources

Microsoft Defender for O365 Anti-BEC: Built-in BEC detection
Proofpoint Email Fraud Defense: BEC-specific solution
Abnormal Security: AI-driven BEC detection
FBI IC3 BEC Advisory: https://www.ic3.gov/
FinCEN BEC Advisory: Financial institution guidance

Validation

BEC detection rules trigger on test scenarios
Financial controls prevent unauthorized transfers in drills
Account compromise detection catches simulated attacks
Reduced BEC susceptibility in awareness assessments

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC7.2 (Anomaly Detection)
ISO 27001: A.7.2 (Information Security Awareness), A.13.2 (Information Transfer)
NIST 800-53: AT-2 (Awareness Training), SI-8 (Spam Protection), SC-7 (Boundary Protection)
NIST CSF: PR.AT (Awareness & Training), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-business-email-compromise

# Or load dynamically via MCP
grc.load_skill("detecting-business-email-compromise")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Detecting Business Email Compromise

Overview

Prerequisites

Email security gateway with BEC detection capabilities
Understanding of organizational financial processes and approval chains
Access to email logs and SIEM platform
Knowledge of social engineering tactics

Key Concepts

BEC Attack Types (FBI IC3 Classification)

CEO Fraud: Attacker impersonates CEO, requests urgent wire transfer
Account Compromise: Employee email compromised, used to request payments from vendors
False Invoice Scheme: Fake invoices from "vendor" with changed bank details
Attorney Impersonation: Impersonates legal counsel for urgent confidential transfers
Data Theft: Requests W-2, tax forms, or PII from HR

Detection Indicators

Urgency and secrecy language ("confidential", "do not discuss with others")
New or changed payment instructions
Executive communication outside normal patterns
Display name matches executive but email domain differs
Reply-to address differs from From address
First-time communication pattern between sender and recipient
Request for gift cards or cryptocurrency

Implementation Steps

Step 1: Configure BEC-Specific Email Rules

Flag emails with VIP display names from external domains
Detect financial keywords combined with urgency language
Alert on first-time sender to finance/accounting staff
Check for Reply-To domain mismatch

Step 2: Deploy Behavioral Analytics

Baseline normal communication patterns per user
Detect anomalous requests (unusual recipient, unusual time, unusual request type)
Monitor for email forwarding rule changes (T1114.003)

Step 3: Implement Financial Controls

Dual-authorization for wire transfers above threshold
Out-of-band verification for payment detail changes (phone callback)
Vendor payment change verification process
Finance team training on BEC red flags

Step 4: Monitor for Account Compromise

Detect impossible travel in email login locations
Alert on email forwarding rule creation
Monitor for mailbox delegation changes
Check for inbox rules hiding BEC-related emails

Tools & Resources

Microsoft Defender for O365 Anti-BEC: Built-in BEC detection
Proofpoint Email Fraud Defense: BEC-specific solution
Abnormal Security: AI-driven BEC detection
FBI IC3 BEC Advisory: https://www.ic3.gov/
FinCEN BEC Advisory: Financial institution guidance

Validation

BEC detection rules trigger on test scenarios
Financial controls prevent unauthorized transfers in drills
Account compromise detection catches simulated attacks
Reduced BEC susceptibility in awareness assessments

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC7.2 (Anomaly Detection)
ISO 27001: A.7.2 (Information Security Awareness), A.13.2 (Information Transfer)
NIST 800-53: AT-2 (Awareness Training), SI-8 (Spam Protection), SC-7 (Boundary Protection)
NIST CSF: PR.AT (Awareness & Training), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-business-email-compromise

# Or load dynamically via MCP
grc.load_skill("detecting-business-email-compromise")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Detecting Business Email Compromise

Overview

Prerequisites

Key Concepts

BEC Attack Types (FBI IC3 Classification)

Detection Indicators

Implementation Steps

Step 1: Configure BEC-Specific Email Rules

Step 2: Deploy Behavioral Analytics

Step 3: Implement Financial Controls

Step 4: Monitor for Account Compromise

Tools & Resources

Validation

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Spearphishing with Email Gateway

Analyzing Malicious Url with URLScan

Analyzing Phishing Email Headers

Implementing Anti Phishing Training Program

Implementing DMARC DKIM SPF Email Security

Implementing Email Sandboxing with Proofpoint

Prerequisites

Detecting Business Email Compromise

Overview

Prerequisites

Key Concepts

BEC Attack Types (FBI IC3 Classification)

Detection Indicators

Implementation Steps

Step 1: Configure BEC-Specific Email Rules

Step 2: Deploy Behavioral Analytics

Step 3: Implement Financial Controls

Step 4: Monitor for Account Compromise

Tools & Resources

Validation

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Spearphishing with Email Gateway

Analyzing Malicious Url with URLScan

Analyzing Phishing Email Headers

Implementing Anti Phishing Training Program

Implementing DMARC DKIM SPF Email Security

Implementing Email Sandboxing with Proofpoint