
Email Security and Protection Against BEC Fraud: A Practical Guide

NeoBit team · Jun 15, 2026 · 9 min read

Email security is a set of technical and organizational measures that prevent an attacker from abusing a mailbox, spoofing a sender, or tricking an employee into a harmful action. The most dangerous threat today is BEC fraud (Business Email Compromise), in which the attacker impersonates a director, supplier, or colleague and requests a payment or a change of bank details. The defense is built in two layers: technical controls such as SPF, DKIM, DMARC, and multi-factor authentication, together with clear internal procedures for confirming every financial transaction.

What BEC fraud is and why it is more dangerous than ordinary phishing

BEC (Business Email Compromise) is a form of targeted fraud in which the attacker does not try to deploy malware, but instead manipulates people into performing an action that benefits the attacker themselves. Most often this is a money transfer or the disclosure of confidential data. Unlike mass phishing sent to thousands of addresses, BEC is targeted, carefully prepared, and often contains no attachment or link at all, which makes it hard for classic antivirus tools to detect.

The attacker usually studies the company first: who the director is, who runs accounting, who the suppliers are, and what internal communication looks like. This information is easily gathered from the website, LinkedIn, and public registers. Once they understand the context, the attacker composes a message that sounds convincing: urgent, authoritative, and seemingly entirely legitimate. This is precisely why BEC fraud hits both small and large companies, from a sole trader in Mostar to firms with offices across the region.

The most common BEC fraud scenarios

  • CEO fraud (fake director): a message arrives "from the director" to the accountant requesting that a payment be made urgently to a new account, with a note that it concerns a confidential matter that must not be discussed over the phone.
  • Fake supplier invoice: the attacker intercepts or imitates communication with a genuine supplier and sends an invoice with an altered bank account number.
  • Compromised mailbox: the attacker actually takes control of an employee's mailbox (most often via a stolen password) and sends messages from the real account, which is especially difficult to detect.
  • Payroll and HR data fraud: a fake request from an employee to redirect their salary to a new account.

The technical foundation: SPF, DKIM, and DMARC

Three DNS records form the foundation of email security because they make it harder to spoof your domain. Without them, an attacker can send messages that appear to come from your address, and recipients will not recognize them as fake. With them, you drastically reduce the chance that someone will misuse your company's name.

Mechanism | What it does | What it prevents
SPF | Defines which servers are allowed to send mail on behalf of your domain | Sender spoofing from unauthorized servers
DKIM | Digitally signs messages with a cryptographic key | Tampering with message content and forging the signature
DMARC | Tells recipients what to do when SPF/DKIM fail, and sends reports | Domain spoofing, and provides visibility into abuse

The key is that all three mechanisms work together. SPF and DKIM are checks, while DMARC is the policy that links the results of those checks to the identity shown in the visible sender address. Many companies have SPF and DKIM in place, but leave DMARC in p=none mode, which means nothing is blocked and only reports are collected. That is a good first step, but real protection only comes once the policy is tightened to p=quarantine or p=reject, and of course only after analyzing the reports so that legitimate mail is not wrongly rejected.

A practical rollout order

  1. Set up an SPF record listing all legitimate mail sources (your own server, marketing tool, ERP, invoicing system).
  2. Enable DKIM signing on all systems that send mail on your behalf.
  3. Add a DMARC record with p=none and a reporting address.
  4. Analyze the reports for several weeks and identify all legitimate senders.
  5. Gradually tighten the policy to quarantine and then reject.
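To make the two points above concrete (DMARC as the policy that ties SPF/DKIM results to the visible From: domain, and a rollout that only protects once p=none is tightened), here is an added example written for this guide; it is not NeoBit's code or any product's API. It parses constructed SPF and DMARC TXT records for the article's domain neobit.ba, lists the weaknesses a rollout review should catch, and applies the record to a message's authentication results. The helper names are this example's own, the report address is constructed, and the "organisational domain = last two labels" rule is a simplification (real validators use the Public Suffix List).

```python
"""Check SPF/DMARC records and apply DMARC to a message's authentication
results. Added example, not NeoBit's code; the records below are constructed
(neobit.ba is the domain used in the article)."""


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(record: str) -> str:
    """Return the DMARC policy ('none', 'quarantine', 'reject') or 'invalid'."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else "invalid"


def dmarc_findings(record: str) -> list:
    """Weaknesses a rollout review should catch, as short messages."""
    tags = parse_tags(record)
    findings = []
    if dmarc_policy(record) == "none":
        findings.append("p=none: monitoring only, nothing is blocked")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not being collected")
    if tags.get("sp", "").lower() == "none" and dmarc_policy(record) != "none":
        findings.append("sp=none: subdomains stay unprotected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the traffic")
    return findings


def spf_all_qualifier(record: str):
    """Qualifier on the final 'all' mechanism: '-' (fail), '~' (softfail),
    '?' (neutral) or '+' (pass, which authorises everyone). None if absent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        term = term.lower()
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def org_domain(domain: str) -> str:
    """Organisational domain as the last two labels. Real validators use the
    Public Suffix List; the two-label rule is an assumption of this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any subdomain of the same organisational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """'pass' if SPF or DKIM passed *and* aligns with the From: domain,
    otherwise the record's policy ('none' means nothing is blocked)."""
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = dmarc_policy(record)
    return policy if policy != "invalid" else "none"


# Constructed records: a monitoring-only rollout step and the enforced end state.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@neobit.ba"
DMARC_ENFORCE = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@neobit.ba"
SPF_STRICT = "v=spf1 ip4:192.0.2.10 include:_spf.mail.example -all"

if __name__ == "__main__":
    # A spoof: From: claims neobit.ba, SPF passed only for the attacker's own
    # envelope domain, no DKIM signature at all.
    print(dmarc_disposition(DMARC_MONITOR, "neobit.ba", "attacker.example", "pass", None, "none"))  # none
    print(dmarc_disposition(DMARC_ENFORCE, "neobit.ba", "attacker.example", "pass", None, "none"))  # reject
    print(dmarc_findings(DMARC_MONITOR))
    print(spf_all_qualifier(SPF_STRICT))  # -
```

The spoof case is the one described in the text: SPF can genuinely pass for the attacker's own envelope domain, and only the alignment check against the From: header turns that into a DMARC failure, which the p=none record then does nothing about.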

The human layer: why technology alone is not enough

SPF, DKIM, and DMARC protect your domain from spoofing, but they do not help when an attacker uses a lookalike domain (e.g. neob1t.ba instead of neobit.ba) or a genuinely compromised account. This is where the human factor comes into play, and in BEC fraud it is almost always the decisive link. An employee who can recognize an unusual request is more valuable than any filter.

Warning signs to recognize

  • Urgency and pressure: "needed right away", "before the end of the business day", "I can't talk on the phone".
  • Change of bank details: every request to change a supplier's account must be confirmed through an independent channel.
  • Unusual channel or style: a director who normally calls is now writing an email from a private address, or using different language than usual.
  • Subtle differences in the address: a swapped letter, an added word, or a different domain extension.
  • Secrecy: a request not to discuss the transaction with colleagues.

The "four-eyes" confirmation procedure

The single most effective measure against BEC fraud is the rule that every payment above a certain amount and every change of bank details must be confirmed through a second, independent channel. If a request arrives by email, confirmation is sought by phone using a number you already have on file, never a number stated in the suspicious message. This rule must be written down, known to everyone in accounting, and applied without exception, even when the "director" insists on urgency.

The difference between a spoofed and a "lookalike" domain

It is useful to understand two techniques attackers use, because different defenses work against each. In spoofing of your own domain, the attacker enters your real domain in the sender address but sends the message from their own server. This is exactly what correctly configured SPF, DKIM, and DMARC stop. In the case of a lookalike domain, the attacker registers a domain that at first glance looks like yours: a swapped letter, an added word such as "-group", or a different extension (.com instead of .ba). Technically, that domain is perfectly valid and passes all checks because it belongs to the attacker, so the only defense is a careful eye on the recipient's side and, where possible, blocking known variants at the mail system level. This is why employee training is not a substitute for technical controls, but a necessary complement to them.
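The "careful eye" and the mail-system blocking mentioned above can be partly automated. The following is an added example written for this guide, not NeoBit's code: it classifies a sender's domain against the company's own domain (neobit.ba and the neob1t.ba variant are from the article; the other sample domains, the confusable-character table and the function names are this example's own constructions). It goes slightly beyond the text by also catching typo variants via edit distance. The two-label "name.tld" split is an assumption that does not hold for suffixes such as .co.uk.

```python
"""Classify a sender's domain against the company's own domain to catch
lookalikes. Added example, not NeoBit's code. neobit.ba and neob1t.ba come
from the article; other sample domains and the confusable table are constructed."""
import unicodedata

PROTECTED_DOMAIN = "neobit.ba"

# Characters and pairs that read as another letter in most fonts. Both the
# protected name and the candidate are folded through the same table, so
# "neob1t", "neoblt" and "neobit" all collapse to one canonical form.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
CONFUSABLE_CHARS = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e",
                                  "5": "s", "7": "t", "8": "b", "2": "z"})


def canonical(label: str) -> str:
    """Strip accents and fold visually confusable characters."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for pair, single in CONFUSABLE_PAIRS:
        label = label.replace(pair, single)
    return label.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (so 'neobti' is 1 away from 'neobit')."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def name_and_tld(domain: str):
    """Split 'neobit.ba' into ('neobit', 'ba'). Assumes two-label organisational
    domains; real deployments should consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]


def classify_sender_domain(sender_domain: str, protected: str = PROTECTED_DOMAIN) -> str:
    """Return one of: internal, tld-swap, homoglyph, decoy-word, typo, unrelated."""
    sender = sender_domain.lower().rstrip(".")
    protected = protected.lower()
    if sender == protected or sender.endswith("." + protected):
        return "internal"
    s_name, s_tld = name_and_tld(sender)
    p_name, p_tld = name_and_tld(protected)
    if s_name == p_name and s_tld != p_tld:
        return "tld-swap"            # neobit.com instead of neobit.ba
    s_can, p_can = canonical(s_name), canonical(p_name)
    if s_can == p_can:
        return "homoglyph"           # neob1t.ba
    if p_can in s_can:
        return "decoy-word"          # neobit-group.ba, secure-neobit.ba
    if len(p_can) >= 5 and edit_distance(s_can, p_can) <= 1:
        return "typo"                # neobti.ba, neobt.ba
    return "unrelated"


def screen_senders(addresses, protected=PROTECTED_DOMAIN):
    """Map each address to its domain class. Anything that is neither
    'internal' nor 'unrelated' deserves a warning banner or a block."""
    return {addr: classify_sender_domain(addr.rsplit("@", 1)[-1], protected)
            for addr in addresses}


if __name__ == "__main__":
    for addr, verdict in screen_senders(["director@neob1t.ba", "boss@neobit.ba",
                                         "billing@neobit-group.ba"]).items():
        print(f"{addr:28} {verdict}")
```

A gateway rule built on this classification is the "blocking known variants at the mail system level" the text refers to: the lookalike passes SPF/DKIM/DMARC for its own domain, so the decision has to be made on how close the domain is to yours, not on authentication results.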

Additional technical controls worth implementing

Beyond DNS records and training, a number of concrete settings further raise email security in any company:

  • Multi-factor authentication (MFA): mandatory on all mailboxes. A stolen password is then no longer enough to take over a mailbox.
  • Visual tagging of external mail: an automatic "EXTERNAL SENDER" label at the top of every message from outside the organization helps employees spot a fake "colleague".
  • Anti-forwarding rules: attackers often set up a hidden rule that forwards mail to an external address; these should be monitored and restricted.
  • Login monitoring: alerts for logins from unusual locations or impossible travel (a login from two distant countries within a short time).
  • Registration of lookalike domains: proactively claiming the most obvious variants of your domain reduces the room for fraud.
  • Limits on large payments: extra approvals for transactions above a threshold reduce the damage even when fraud gets through.
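Two of the controls listed above, the audit of hidden forwarding rules and login monitoring for impossible travel, are straightforward to run over exported data. Here is an added example written for this guide, not NeoBit's or any mail platform's code. The rule and login records are constructed sample data in a made-up export shape (mailbox names, documentation-range IP addresses, a reserved .example domain and approximate city coordinates); the 900 km/h threshold and the helper names are this example's own assumptions.

```python
"""Two detections from the controls list: external forwarding rules and
impossible-travel logins. Added example, not NeoBit's code; all rules and
events below are constructed sample data."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAINS = {"neobit.ba"}            # the organisation's own domain (from the article)
FINANCE_KEYWORDS = ("invoice", "payment", "iban", "bank")


def is_external(address: str) -> bool:
    """True when the address is not on one of the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_forwarding_rules(rules):
    """Flag mailbox rules that forward to an external address. Rules that also
    hide the original (delete / mark read) or key on finance words score higher,
    because that is the shape of a rule left behind after a mailbox takeover."""
    findings = []
    for rule in rules:
        external = [a for a in rule.get("forward_to", []) if is_external(a)]
        if not external:
            continue
        score = 1
        if rule.get("delete_original") or rule.get("mark_read"):
            score += 1
        if any(k in rule.get("subject_contains", "").lower() for k in FINANCE_KEYWORDS):
            score += 1
        findings.append({"mailbox": rule["mailbox"], "name": rule["name"],
                         "external": external, "risk": ("low", "medium", "high")[score - 1]})
    return findings


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points (R = 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Compare each user's consecutive logins and flag pairs whose implied
    speed exceeds max_kmh (roughly airliner speed; the threshold is an assumption)."""
    flags, by_user = [], {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                flags.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                              "km": round(km), "speed_kmh": round(speed)})
    return flags


# Constructed exports: one finance-themed rule that forwards externally and
# deletes the copy, one internal rule, one plain external copy.
SAMPLE_RULES = [
    {"mailbox": "accounting", "name": "backup", "forward_to": ["backup.acct@mail.example"],
     "subject_contains": "Invoice", "delete_original": True},
    {"mailbox": "sales", "name": "to team", "forward_to": ["sales-team@neobit.ba"]},
    {"mailbox": "hr", "name": "copy", "forward_to": ["hr.copy@mail.example"]},
]
# Constructed logins (documentation-range IPs, approximate coordinates).
SAMPLE_LOGINS = [
    {"user": "acct01", "time": "2026-06-15T08:00:00+00:00", "ip": "198.51.100.7", "lat": 43.34, "lon": 17.81},
    {"user": "acct01", "time": "2026-06-15T08:45:00+00:00", "ip": "203.0.113.45", "lat": 6.52, "lon": 3.38},
    {"user": "sales02", "time": "2026-06-15T07:30:00+00:00", "ip": "198.51.100.9", "lat": 43.34, "lon": 17.81},
    {"user": "sales02", "time": "2026-06-15T10:30:00+00:00", "ip": "198.51.100.22", "lat": 43.85, "lon": 18.38},
]

if __name__ == "__main__":
    for f in audit_forwarding_rules(SAMPLE_RULES):
        print(f"rule {f['mailbox']}/{f['name']} -> {f['external']} risk={f['risk']}")
    for t in impossible_travel(SAMPLE_LOGINS):
        print(f"{t['user']}: {t['km']} km between {t['from_ip']} and {t['to_ip']} in under an hour")
```

The forwarding audit ranks rather than just lists, because a finance mailbox with a rule that forwards invoices externally and deletes the local copy is the classic post-compromise setup and should be reviewed first; the travel check deliberately works per user on sorted events so that unordered log exports do not produce false alerts.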

Training and simulated exercises

Technical settings are implemented once, but employee awareness needs to be refreshed. The best results come from a combination of short, concrete training sessions and occasional simulated phishing campaigns in which the company safely and without blame measures who would fall for a fake message. The goal is not to punish employees, but to identify where additional explanation is needed and to confirm that the procedures really work under pressure. Particular attention is warranted for the departments that handle money and data, namely accounting, procurement, and management, because they are the most common target of BEC fraud. Regular, short reminders work better than a single long annual training that is quickly forgotten.

What to do if the fraud is already underway

Speed of response is decisive for recovering funds. If you suspect that a payment has been made to a fraudulent account, act immediately:

  1. Contact your bank and request an urgent recall of the transaction; every hour counts.
  2. Change passwords and revoke active sessions on the potentially compromised account.
  3. Check for and remove any suspicious mail forwarding rules.
  4. Preserve evidence (original messages with full headers, logs) for the investigation.
  5. Report the incident to the competent authorities and, if necessary, engage incident response specialists.

That last step is why it pays to know in advance whom to turn to. The NeoBit team for incident response and SOC monitoring helps companies in Mostar and across the region limit the damage and reconstruct how the breach occurred.

How to check where your company currently stands

Many companies assume they are protected because they have antivirus and a spam filter, but email security depends on details that need to be measured, not assumed. Check whether DMARC is in a mode that actually blocks fraudulent mail, whether MFA is enabled on every single account, and whether employees can recognize a request to change a bank account. A structured assessment provides a concrete picture of the situation, and a quick starting point is the NeoBit penetration testing questionnaire, through which we define the scope and priorities for your organization.

Email security is not a one-off project but a process that is maintained and reviewed. The combination of correctly configured SPF, DKIM, and DMARC records, consistent multi-factor authentication, and employees who know to pause at a suspicious request makes the difference between a company that is an easy target and one that attackers bypass. If you want an independent assessment and a concrete plan, get in touch with the NeoBit team.

Frequently asked questions

How does BEC fraud differ from ordinary phishing?

Classic phishing is mass-distributed and usually contains a link or attachment used to steal data or install malware. BEC fraud is targeted, carefully prepared, and most often contains no link at all. The attacker impersonates a trusted person and leads the victim to make a payment or disclose data themselves, which is why technical filters struggle to stop it.

Do SPF, DKIM, and DMARC protect against all BEC attacks?

No. These mechanisms prevent spoofing of your own domain, but they do not help when an attacker uses a lookalike domain or a genuinely compromised account. This is why technical controls must be combined with multi-factor authentication and internal transaction confirmation procedures.

What is the single most effective measure against BEC fraud?

The rule that every change of bank details and every larger payment is confirmed through an independent channel, most often by phone using an already known number. This simple procedure stops most fake-director and fake-invoice fraud, regardless of how convincing the message is.

Should small companies in BiH invest in email security too?

Yes. Attackers do not choose targets by size but by how easy they are to breach, and smaller companies often have weaker controls and fewer checks. Basic measures (DMARC, MFA, and a clear payment procedure) are relatively inexpensive and quick to set up, yet they prevent losses that can be devastating for a small company.