To create a comprehensive Business Email Compromise (BEC) policy, organizations should include sections on employee training, technical controls, and response procedures. The following is a sample policy that can be adapted for your business.
1. Introduction and policy purpose
This policy defines the rules and requirements for protecting [Company Name] from Business Email Compromise (BEC) attacks, a common form of cyber fraud. This includes schemes such as CEO fraud, false invoices, and fraudulent wire transfers. The policy outlines security measures, employee responsibilities, and incident response procedures to minimize the risk of financial loss and data compromise.
2. Scope
This policy applies to all employees, contractors, and third-party vendors who use company email or access company systems, particularly those with financial or sensitive data access.
3. Employee responsibilities and security awareness
All personnel must be trained to recognize and report suspicious emails, with a focus on social engineering tactics.
Recognizing BEC attacks
- Verify all unusual requests: All requests for financial transactions, changes to payment information, or handling sensitive information via email must be treated with suspicion, even if they appear to come from a known colleague or executive.
- Watch for red flags: Employees should be vigilant for signs of a potential BEC attack, including:
- Requests with a sense of urgency.
- Requests to send sensitive information, such as W-2 forms.
- Poor spelling, grammar, or unusual phrasing.
- A display name that does not match the actual sending address (shown when you hover over or expand the sender), a Reply-To address that differs from the sender, or a sender domain that is a near-miss of a legitimate one (a dropped, swapped, or look-alike character).
- Be cautious with links and attachments: Do not click on links or open attachments in unsolicited emails or text messages.
Verification procedures
- Use a separate communication channel: Employees must use a secondary communication method, such as a known phone number or in-person conversation, to verify any changes to payment instructions or requests for wire transfers. Do not simply hit "Reply" to the suspicious email, as the response may go directly to the attacker.
- Call a known contact: If verifying a request from a vendor, use a phone number on file from a legitimate system of record, not one provided in the email.
4. Technical controls
The IT department will implement and enforce technical measures to defend against BEC.
- Multi-factor authentication (MFA): MFA must be enabled for all email accounts and other critical business systems so that a stolen password alone does not grant access. Phishing-resistant methods (FIDO2 security keys or passkeys) are preferred where available, because one-time codes and push prompts can be relayed in real time by adversary-in-the-middle phishing kits.
- Email authentication protocols: The company will publish SPF, DKIM, and DMARC records for all company domains, with DMARC set to an enforcing policy (p=quarantine or p=reject); a record with p=none only reports and does not stop spoofed mail. Inbound mail will be evaluated against the sender's published policy. These protocols address only exact-domain spoofing: they do not stop mail from look-alike domains or from a legitimate account that has been compromised, which is why the verification procedures in section 3 still apply.
- Email filters: Advanced email security software will be used to automatically identify and quarantine phishing emails based on content, sender information, and malicious links or attachments.
- Endpoint security: All company devices will have endpoint protection software to guard against malware that could be used by attackers to monitor communications.
- Regular updates: All software and systems will be regularly updated with the latest security patches to close vulnerabilities.
- Domain monitoring: The company may use a third-party service to monitor for domains registered by attackers that are similar to the official company domain (e.g., mycompany.com vs. mycompay.com).
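Whether the email authentication controls above actually block anything depends on what the published records say, so a practitioner should read them rather than assume. The following Python script is an added example and is not part of the policy; it parses SPF and DMARC TXT records and reports the settings that make them ineffective: a DMARC policy of p=none or a partial pct, a missing rua address, an SPF record that ends in +all, ?all or ~all, the deprecated ptr mechanism, and more than the ten DNS-lookup mechanisms RFC 7208 allows (above which receivers return permerror and the record is ignored). The record strings are constructed, not live DNS answers; in practice, fetch the TXT records for your domain and for _dmarc.yourdomain with a DNS library and pass them in.

```python
"""Assess what published SPF and DMARC records actually enforce.

Added example, not part of the policy text. The records below are constructed
strings; fetch your own domain's TXT records and pass them to the same functions.
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings that mean DMARC is not actually protecting the domain."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not-dmarc: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no-rua: no aggregate reports, so spoofing attempts go unseen")
    return findings


def spf_lookup_terms(terms):
    """Count mechanisms that cost a DNS query; RFC 7208 caps these at 10 per evaluation."""
    count = 0
    for term in terms:
        t = term.lstrip("+-~?").lower()
        mech = t.split(":", 1)[0].split("/", 1)[0]  # "include", "a", "mx", "all", "ip4", ...
        if mech in ("include", "exists", "a", "mx", "ptr") or t.startswith("redirect="):
            count += 1
    return count


def assess_spf(record):
    """Return findings that mean SPF is weak or will not be evaluated at all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not-spf: record does not start with v=spf1"]
    findings = []
    lookups = spf_lookup_terms(terms[1:])
    if lookups > 10:
        findings.append(f"lookup-limit: {lookups} DNS-lookup mechanisms, "
                        "receivers return permerror above 10 and ignore the record")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms[1:]):
        findings.append("ptr: deprecated mechanism, slow and unreliable at receivers")
    final = terms[-1].lower()
    if final in ("all", "+all"):
        findings.append("+all: every host on the Internet passes SPF")
    elif final == "?all":
        findings.append("?all: neutral result gives receivers nothing to act on")
    elif final == "~all":
        findings.append("~all: softfail, receivers may still deliver; an enforcing "
                        "DMARC policy is what makes this bite")
    return findings


# Constructed records for illustration (example domains, not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.mailhost.example a mx ptr ~all"
OVERLIMIT_SPF = "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"
STRONG_SPF = "v=spf1 include:_spf.mailhost.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@mycompany.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, check in [("weak SPF", WEAK_SPF, assess_spf),
                                 ("over-limit SPF", OVERLIMIT_SPF, assess_spf),
                                 ("strong SPF", STRONG_SPF, assess_spf),
                                 ("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("strong DMARC", STRONG_DMARC, assess_dmarc)]:
        print(label, check(record) or ["ok"])
```

Run the same checks against vendor domains you pay: a supplier with p=none is one whose name an attacker can put on a fake invoice with no technical obstacle, which raises the bar for the phone-call verification in section 5.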
5. Financial controls and procedures
These controls are especially critical for finance teams and anyone who handles payments.
- Payment authorization: All financial transactions exceeding a specific dollar amount must have a dual authorization process, requiring approval from at least two designated employees.
- Supplier invoice changes: Any request from a vendor to change bank details or payment instructions must be verified via a phone call to a pre-established contact number, not via email.
- Separation of duties: The employee who initiates a payment request should not be the same person who authorizes it.
6. Incident response procedures
In the event of a suspected BEC incident, the following steps must be taken immediately:
- Stop all transactions: Immediately halt any wire transfers or payments related to the suspicious request.
- Report the incident: Notify the IT security team, direct supervisor, and compliance department immediately.
- Contain the breach: The IT team must immediately reset the password and revoke active sessions and authentication tokens for any potentially compromised email account, remove malicious inbox rules (in particular rules that forward, delete, or hide messages), and review mailbox forwarding settings, recently added MFA methods, and third-party application consents, which attackers commonly use to keep access after a password change. Preserve sign-in and mailbox audit logs before making changes so the investigation can establish what was read and sent.
- Contact your bank: If a fraudulent transaction has already occurred, contact your financial institution immediately to request a recall; the chance of recovering funds drops sharply with each passing hour.
- Notify law enforcement: Report the incident to the FBI's Internet Crime Complaint Center (IC3) at IC3.gov, and to the relevant national authority for offices outside the United States.
- Conduct a post-incident review: The incident response team will analyze what went wrong and identify any necessary changes to security protocols or employee training.
7. Policy enforcement
Any employee who violates this policy may be subject to disciplinary action, up to and including termination.
8. Policy review
This policy will be reviewed and updated annually or following a significant security incident.