TL;DR: Business email compromise (BEC) is a scam where an attacker poses as a trusted person — your CEO, a supplier, a colleague — to trick someone into sending money or sensitive data. It relies on convincing email, not malware, which is why it slips past antivirus. Defending against it takes layers: lock your domain so it can't be spoofed, add a payment-verification process, and train your team. Scan your domain free to start with the technical layer.
How BEC attacks work
There's no virus to catch — just a believable message. Common forms:
- CEO fraud: a "from the boss" email asking finance to make an urgent transfer.
- Fake invoice / vendor fraud: a supplier you know emails new bank details for an outstanding invoice.
- Payroll diversion: an "employee" asks HR to change their direct-deposit account.
The attacker either spoofs a real address, uses a look-alike domain, or sends from a genuinely compromised mailbox.
Why small businesses are targeted
BEC is one of the costliest cyber-crimes by total losses, and small firms are attractive: fewer controls, informal approval processes, and staff who don't expect to be targeted. A single successful transfer can be devastating.
The layers that stop BEC
- Lock your domain (technical). Enforce DMARC so attackers can't send mail that looks like it's from your exact domain — protecting your staff and your customers.
- Verify payment changes (process). Always confirm new bank details or urgent transfers via a second channel — a phone call to a known number, never the number in the email.
- Flag external email (technical). Tag messages from outside your organisation so a "CEO" email from an external address stands out.
- Train your team (people). Teach staff the red flags: urgency, secrecy, changed bank details, slightly-off addresses.
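What "enforced DMARC" means in practice for the first layer above: the published record has to reach a quarantine or reject policy for all mail, including subdomains, or spoofed messages are still delivered. The checker below is an added example, not Kalenfy's scanner; the DMARC records in SAMPLE_RECORDS are constructed samples standing in for what a DNS lookup of _dmarc.<domain> would return.

```python
"""Evaluate whether a DMARC record actually blocks exact-domain spoofing."""
from __future__ import annotations

# Constructed sample TXT values as they would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "example.edu": "",  # no record published at all
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple[bool, str]:
    """Return (enforced, reason). Enforced means a message that fails SPF/DKIM
    alignment is quarantined or rejected for 100% of mail, subdomains included."""
    if not record:
        return False, "no DMARC record: spoofed mail is delivered normally"
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":  # receivers ignore records without exactly v=DMARC1
        return False, "record lacks v=DMARC1 and will be ignored by receivers"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy}: monitoring only, spoofed mail is still delivered"
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # default per the DMARC spec
    if pct < 100:
        return False, f"pct={pct}: only {pct}% of failing mail gets p={policy}"
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to the p value
    if sub_policy not in ("quarantine", "reject"):
        return False, f"sp={sub_policy}: subdomains of this domain can still be spoofed"
    return True, f"p={policy} applied to 100% of mail and to subdomains"


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        enforced, why = assess_dmarc(rec)
        print(f"{domain:12} {'LOCKED' if enforced else 'SPOOFABLE':10} {why}")
```

Note that a record at p=none still produces aggregate reports (the rua address), which is useful for finding legitimate senders before moving to p=reject, but it does nothing to stop the spoofed CEO email from landing in the finance inbox.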
Where Kalenfy fits
We handle the first technical layer: a free scan shows whether your domain can be spoofed in a BEC attack, and we can lock it down with enforced DMARC. The process and training layers are yours — but a spoof-proof domain removes the most convincing version of the attack.
FAQ
Does DMARC stop all BEC?
It stops exact-domain spoofing — the most convincing kind. Look-alike domains and compromised mailboxes still need process controls and training, so use all the layers.
Is BEC really that costly?
Yes — by total reported losses it's among the most damaging cyber-crimes, precisely because each incident can be a large wire transfer.
We're small — are we a target?
Especially. Attackers favour businesses with informal approval processes and no domain protection.
Want to remove the technical half of the risk? Scan your domain, then reply to your report — we're developers and we'll lock your domain against spoofing so it can't be used in a BEC scam.