BEC Fraud Prevention Guide for Professional Services: Protecting Against Invoice and Payment Fraud

The Four BEC Prevention Controls

Four controls together provide strong BEC prevention:

• 1. Email authentication — DMARC at p=reject prevents attackers spoofing your domain to attack your clients; DKIM and SPF prevent spoofing of inbound email
• 2. Bank detail change verification — a documented procedure requiring phone verification to a known number before any change of payment details is actioned, regardless of how urgent the email instruction appears
• 3. Staff training — regular BEC awareness training including simulated phishing exercises; staff must know that urgent payment instructions received only by email are a red flag
• 4. MFA — multi-factor authentication on all email accounts prevents account compromise that enables the most sophisticated BEC attacks

The Bank Detail Change Verification Procedure

The single most effective procedural control is a mandatory verification call before actioning any change of bank details. The procedure must specify: (1) the verification call must be made to a known number — one already held on file, found independently on a website, or previously used — never a number provided in the email requesting the change; (2) the procedure applies regardless of who the email appears to be from, including the CEO or a senior partner; (3) no exceptions for urgency; (4) a record of the verification call must be kept.

Frequently Asked Questions