Seven Essential Strategies to Prevent and Detect Business Email Compromise

While sophisticated Business Email Compromise attacks require advanced defences, implementing these seven fundamental strategies will dramatically improve your organisation's resilience against the vast majority of BEC attempts without significant commercial impact.

Business Email Compromise has become one of the costliest cybercrimes of our time. Recent data shows BEC claim severity increased 23% in 2024, with average claim costs reaching £35,000, while UK businesses face average losses of £22,000 per incident. Even more concerning, Business Email Compromise attacks accounted for 73% of all reported cyber incidents in 2024.

The attraction for criminals is clear: phishing kits have created a low barrier to entry, allowing even novice attackers to deploy sophisticated-looking campaigns. When users are expecting legitimate communications from suppliers or clients who may themselves have been compromised, they become particularly susceptible to clicking malicious links, entering credentials, and approving MFA prompts.

The strategies below won't stop every sophisticated attack, but they will provide robust protection against the majority of BEC attempts while offering excellent return on investment.

1. Multi-Factor Authentication (MFA) - The Foundation

Deploy immediately if not already in place. In 2025, this should be obvious, yet we still encounter environments where over 30% of accounts lack MFA protection. This represents the lowest-hanging fruit in cybersecurity. Audit your accounts at least quarterly (or monthly, depending on staff onboarding and offboarding frequency).

However, MFA alone isn't a silver bullet. Modern attack techniques can circumvent traditional MFA through:

  • Reverse proxy phishing - Sophisticated sites that capture and replay authentication tokens
  • Infostealer malware - Malicious software that harvests stored credentials and session tokens
  • Push notification spam - Overwhelming users with authentication requests until they approve one

Upgrade your approach: Consider implementing phishing-resistant MFA such as FIDO2 security keys or passkeys. These cryptographic methods are significantly harder to compromise than SMS or app-based authentication.
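A quarterly MFA registration audit, as an added example that is not part of the original post: it uses the Microsoft Graph PowerShell SDK (assumed installed, with a role such as Global Reader able to read the authentication-methods report) to count accounts without a registered MFA method and export them, admins first.

```powershell
# Added example (not from the original post): MFA registration gap report.
# Assumes the Microsoft.Graph PowerShell SDK and an account permitted to read
# the authentication methods registration report.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One row per user: whether any MFA method is registered, and which ones
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$total = $details.Count
$noMfa = @($details | Where-Object { -not $_.IsMfaRegistered })
$pct   = if ($total -gt 0) { [math]::Round(100 * $noMfa.Count / $total, 1) } else { 0 }
Write-Host "$($noMfa.Count) of $total users ($pct%) have no MFA method registered"

# Admin accounts without MFA are the priority, so they sort to the top
$noMfa |
    Sort-Object -Property IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Export-Csv -Path ".\mfa-gap-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

# Review the Methods column as well: accounts registered only with SMS or voice
# are candidates for moving to FIDO2 keys or passkeys.
```

The report also includes disabled and guest accounts; cross-check against Get-MgUser if you want the percentage over enabled members only.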

2. Block Application Registration at the Tenant Level

Quick configuration, massive impact. This setting can be enabled at your Microsoft 365 tenant level and should be among your first defensive measures.

Attackers frequently abuse application registration to:

  • Rapidly exfiltrate entire mailbox contents
  • Maintain persistent access even after password changes
  • Bypass traditional monitoring that focuses on user account activity

By blocking users from registering applications and requiring admin approval, you eliminate a common persistence mechanism while maintaining legitimate business functionality through controlled processes.
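Applying and verifying that tenant setting from the command line, as an added example rather than the post's own instructions: it assumes the Microsoft Graph PowerShell SDK and a role permitted to update the authorization policy (for example Global Administrator).

```powershell
# Added example (not from the original post): stop non-admin users from
# registering applications in the tenant, then confirm the change took effect.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# The authorization policy is a tenant-wide singleton
$before = Get-MgPolicyAuthorizationPolicy
Write-Host "AllowedToCreateApps before: $($before.DefaultUserRolePermissions.AllowedToCreateApps)"

# Only AllowedToCreateApps is changed; other default user permissions are left as they are
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }

$after = Get-MgPolicyAuthorizationPolicy
if ($after.DefaultUserRolePermissions.AllowedToCreateApps) {
    throw "Application registration is still allowed for users; check the signed-in role and retry"
}
Write-Host "Users can no longer register applications; registrations now require an admin"

# Note: whether users may consent to third-party apps is governed by a separate
# setting (user consent / admin consent workflow) and should be reviewed alongside this.
```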

3. Automated Notifications for Unusual Mailbox Activity

Perfect for small to medium environments. Depending on your organisation's typical email behaviour, this can provide immediate detection without creating alert fatigue.

Key indicators to monitor:

  • Inbox rules creation - Particularly rules that hide, delete, or forward emails
  • Email forwarding rules - Especially those directing mail outside your organisation
  • Unusual folder creation - Attackers often organise stolen data before exfiltration
  • Mass email downloads - Bulk access to historical messages

Critical investigation protocol: When these alerts trigger, use out-of-band communication methods (phone calls, in-person conversations, or verified alternative email addresses) to contact the affected user. Never rely solely on email to verify suspicious activity.

While this approach won't replace detection rules in a well-tuned SIEM, it effectively catches low-hanging fruit and unsophisticated threat actors who represent the majority of BEC attempts.
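Detection logic for the inbox-rule indicators above, as an added example that is not part of the original post: it assumes audit records shaped like Exchange Online admin audit entries (Operation, UserId, Parameters as Name/Value pairs), which is what the AuditData of Search-UnifiedAuditLog parses to, and runs here over constructed sample events.

```powershell
# Added example (not from the original post): triage inbox-rule audit events for
# rules that forward mail externally, delete it, or hide it in rarely read folders.
# Assumes parsed Exchange Online admin audit records (Operation, UserId, Parameters).
function Get-InboxRuleFindings {
    param([object[]]$Records, [string[]]$InternalDomains)
    # Folders commonly used to bury replies so the mailbox owner never sees them
    $hideFolders = @('RSS Subscriptions', 'RSS Feeds', 'Conversation History', 'Junk Email', 'Archive')
    foreach ($r in $Records) {
        if ($r.Operation -notin @('New-InboxRule', 'Set-InboxRule')) { continue }
        $p = @{}
        foreach ($kv in $r.Parameters) { $p[$kv.Name] = [string]$kv.Value }
        $reasons = @()
        foreach ($key in @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo')) {
            if (-not $p[$key]) { continue }
            # Recipient formats vary by client, so pull any address out of the raw string
            foreach ($m in [regex]::Matches($p[$key], '[\w.+-]+@[\w.-]+')) {
                $domain = $m.Value.Split('@')[1]
                if ($domain -notin $InternalDomains) { $reasons += "forwards externally ($key) to $($m.Value)" }
            }
        }
        if ($p['DeleteMessage'] -eq 'True') { $reasons += 'deletes matching mail' }
        if ($p['MoveToFolder'] -and $p['MoveToFolder'] -in $hideFolders) {
            $reasons += "hides mail in '$($p['MoveToFolder'])'"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ User = $r.UserId; Rule = $p['Name']; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample events (not real tenant data): one suspicious, one benign
$sample = @'
[
 {"Operation":"New-InboxRule","UserId":"finance@contoso.example","Parameters":[
   {"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment"},
   {"Name":"ForwardTo","Value":"[\"SMTP:mailbox@external.example\"]"},{"Name":"DeleteMessage","Value":"True"}]},
 {"Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[
   {"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
]
'@ | ConvertFrom-Json

# Only the finance rule is reported: external forward plus delete
Get-InboxRuleFindings -Records $sample -InternalDomains @('contoso.example') | Format-Table -AutoSize

# Live tenant: Connect-ExchangeOnline, then pass the parsed AuditData of
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Operations New-InboxRule,Set-InboxRule
```

Rules created from the Outlook desktop client are logged as UpdateInboxRules with a different record shape, so extend the parser before relying on this for full coverage.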

4. Conditional Access Policies

Leverage both free and premium features. Some conditional access policies can be configured without additional licenses, though advanced features like risky sign-in detection require Entra ID P2 licenses.

Free conditional access options include:

  • Device platform restrictions - Block access from unauthorised operating systems
  • Location-based policies - Require access from trusted IP ranges or block specific countries
  • Application-specific controls - Different requirements for different Microsoft 365 services
  • Time-based restrictions - Limit access to business hours for sensitive applications

Conditional Access Policies that require additional licensing:

  • Risk-based policies - Automatic detection and response to unusual sign-in patterns
  • Device compliance requirements - Ensure accessing devices meet security standards
  • Session controls - Limit functionality for risky sessions

The additional cost for Entra ID P2 licensing is worthwhile for most organisations, providing sophisticated threat detection that adapts to emerging attack patterns.
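One of the free location-based policies above, created in report-only mode and excluding the break-glass group from strategy 6, as an added example (not the post's own configuration): it assumes the Microsoft Graph PowerShell SDK, and the group object id is a placeholder you must replace.

```powershell
# Added example (not from the original post): Conditional Access policy that blocks
# sign-ins from outside trusted named locations, deployed report-only first so the
# sign-in log shows what it would have blocked before anyone is locked out.
# Assumes the Microsoft.Graph PowerShell SDK; the group id below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder, replace before running

$policy = @{
    displayName = "Block sign-in outside trusted locations (report-only)"
    # Switch to "enabled" only after reviewing report-only results
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # emergency accounts stay reachable
        }
        applications = @{ includeApplications = @("All") }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")      # named locations you marked as trusted
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Define your office and VPN ranges as trusted named locations first; with none defined, report-only mode will show every sign-in as a would-be block.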

5. Data Loss Prevention (DLP) Rules and Policies

Long-term investment with immediate security benefits. While comprehensive data categorisation requires significant upfront effort, the investment pays dividends in both security and compliance. Unusual access can be surfaced through SharePoint Activity Reports, although it is important to baseline these first so that you know what "normal" looks like.

Immediate wins:

  • Role-based download monitoring - Alert when staff access data unusual for their position
  • Volume-based detection - Flag bulk downloads of sensitive documents
  • External sharing alerts - Monitor when internal documents are shared outside the organisation
  • Keyword and pattern matching - Detect sensitive information like National Insurance numbers, credit cards, or proprietary terms

Implementation strategy: Start with high-value data categories (financial records, customer lists, intellectual property) and expand coverage over time. This approach provides immediate protection for your most critical assets while building toward comprehensive data governance.

6. Administrative Account Separation and Permission Management

Reduce blast radius through privilege segmentation. One of the most effective ways to limit BEC impact is ensuring that compromised accounts can't access critical systems or perform high-risk actions.

Implement separate administrative accounts:

  • Standard user accounts - Daily email, document access, and routine business activities
  • Administrative accounts - System management, user provisioning, and security configuration only
  • Break-glass accounts - Emergency access stored offline, excluded from conditional access policies

Key principles for admin account management:

  • No email access on admin accounts - Administrative accounts should never have mailboxes or email access
  • Separate naming conventions - Use clearly distinguishable formats (e.g., "admin-[username]" or "[username]-adm")
  • Time-limited access - Use Privileged Identity Management (PIM) for just-in-time activation of administrative roles

Regular permission audits:

  • Quarterly access reviews - Verify all users have appropriate permissions for their current roles
  • Automated reporting - Monitor for privilege creep and unused elevated permissions
  • Role-based access control - Group permissions by job function rather than individual assignment
  • Vendor account management - Regular review of third-party access, especially for suppliers who handle financial processes

Financial controls:

The majority of BEC attacks we've seen have direct financial impact. This can usually be mitigated through strict processes rather than software-based controls.

  • Dual approval workflows - Require multiple sign-offs for payment processing
  • Segregation of duties - Separate payment initiation from payment approval
  • Out-of-band verification - Phone calls or in-person confirmation for large transactions
  • Payment limits - Restrict single-user transaction amounts based on role

This approach ensures that even if a user's primary email account is compromised, attackers cannot access administrative functions or approve significant financial transactions.

7. Deploy Canarytokens for Early Warning

Maximum impact, minimal investment. Canarytokens provide free detection capabilities that alert you when attackers announce themselves by triggering planted traps.

Effective implementations for BEC detection:

  • Email web bugs - Embedded invisible images in strategic emails that alert when viewed by unauthorised parties
  • Honeydoc files - Documents with embedded tokens that trigger notifications when opened, regardless of user network permissions
  • Fake database entries - Contact lists or vendor information that shouldn't be accessed during normal business
  • Decoy file shares - Attractive folder names that would interest attackers ("Executive Compensation" or "Confidential Contracts")

Example deployment: Create a fake "Passwords.xlsx" document, or another attractively named file, containing a canarytoken and place it in accessible but non-routine locations. If an attacker accesses your systems and searches for juicy information, they'll likely open this document and trigger an immediate alert.

The setup is straightforward: generate a token at canarytokens.org, embed it using a simple HTML image tag, and receive email alerts when triggered. Use a separate email account for alerts to ensure attackers don't realise they've been detected.

Conclusion

The reality of modern BEC defence: No single solution provides bulletproof security against sophisticated, determined attackers. However, implementing these seven strategies creates multiple detection and prevention layers that dramatically improve your resilience against business email compromise.

The business case is compelling: These measures require minimal upfront investment while providing substantial protection against attacks that cost organisations an average of £22,000 in the UK and are growing at a projected rate of 22.4% annually through 2030.

Most importantly, these strategies can be implemented without discernible commercial impact on your day-to-day operations. Your users will continue working efficiently while you silently strengthen your defences against one of today's most prevalent and costly cyber threats.

Start with MFA deployment and application registration blocking - these can be configured in under an hour and provide immediate protection. Then systematically implement the remaining strategies to build comprehensive BEC resilience that scales with your organisation's growth and threat landscape evolution.

Once these steps are in place, consider further hardening in line with the comprehensive CIS Benchmarks. As ever, if you need assistance with this, feel free to get in touch.

(Special thanks to Dan Card for prompting me to get this post out of my drafts and online!)