8 things that should be in a company BEC policy document

“This is more about defense-in-depth being applied across an organization into business practices, not just network security. For example, if a request to change payment information arrives via email – what’s the business process response?” Fortra CISO Chris Reffkin tells CSO. “Standard practices such as defined processes for business requests and established approval hierarchies are a good measure against BECs.”

Those policies should ideally require that all payments be traced back to an approved invoice that includes a verified payee name, address and payment instructions, recommends Roger Grimes, defense evangelist at KnowBe4. “Any ad hoc request for payment must undergo formal review before the payment is issued,” Grimes says. “Require that all payment instruction changes be verified using legitimate avenues before being approved.”

A strong policy on this front can deflate the sense of urgency and the fear that attackers use against employees, posing as an executive or someone’s boss asking for an abnormal request. “A policy can help protect employees who follow the policy. For example, suppose a boss sends an emergency email from home instructing an employee to pay an emergency invoice. The employee, pointing to policy, can respond that they would need to follow the appropriate, predefined policies before paying the invoice. The policy protects the employee from suffering harm from simply following policy,” Grimes says.

Out-of-band verification for high-risk changes and transactions

Drawing a finer point on invoice and financial transaction policies, businesses should take particular care in how they verify and approve high-risk transactions and changes to financial accounts. “Implementing stringent verification processes for financial transactions and data requests is crucial,” says Igor Volovich, vice president of compliance strategy for Qmulos. “This serves as a critical defense against BEC attacks, ensuring thorough vetting of every request. Embedding these processes into daily operations creates a robust defense mechanism.”

One of the big ways they can set up a backstop for BEC is to make sure that anything high-risk that is triggered by email is followed up via some kind of out-of-band verification process. This could be phone call, through a secured system, or SMS.

“This is one of the most important policies. Never change payment/banking details based on an email request alone,” stresses Robin Pugh, director of intelligence for Good and CEO of DarkTower. “Whenever a payment information or banking information change is requested via email, a policy should be in place that requires the recipient to always contact the requestor via voice, using a trusted contact method. In other words, call them via the phone number on file and make sure that they have authorized the change.” Pugh says that adding a policy for a second approver to the hierarchy for high-risk transactions can also further reduce risk and cut down on insider threats in the process.

Attackers tend to sit in a compromised email box waiting for some kind of payment activity to give them an opportunity to insert themselves into the process, warns Troy Gill, senior manager of threat intelligence for OpenText Cybersecurity. Even if a contact provides a legitimate document via email, it should still be supplemented with out-of-band verification. “In many cases they will take a legitimate document that has been sent previously and alter it slightly to include their (attacker controlled) account and routing numbers. In this case, the attack will look nearly identical to a routine document from a known contact, the only difference being the account details have changed,” explains Gill. “It is critical that all changes must be confirmed outside of the email thread.”

Request register process

For some organizations a policy asking for an ad hoc out-of-band phone call may not be stringent enough for reducing BEC risk. One strategy for taking verification policies to the next level is to establish an internally secure ‘request register’ through which every request to exchange or change sensitive information will be funneled through, explains Trevor Horwitz, CISO and founder of TrustNet.

“Prevention of BECs requires a broad strategy because of the dual originating threats from external spoofed email and internal compromised email sources. We advocate for a novel strategy inspired by ‘positive pay’ fraud prevention in the financial services sector,” says Horowitz, who’s also served a stint as president of InfraGard Atlanta, a chapter of the FBI’s non-profit association for cybercrime information sharing. “This policy requires a secondary method of positive verification for all sensitive information exchanges and changes, including payees, banking information, accounts receivable, and employee data. The mechanics include an internally secure ‘request register,’ which ensures positive validation before any information exchange or modifications.”

Through this policy and methodology every sensitive request is registered in the centralized system and then approved through a second factor, be it phone call, one-time passcode (OTP), or a hardware security key such as FIDO2. “Users are trained to verify sensitive requests through this register before divulging information or making changes,” Horowitz tells CSO.

Open-door reporting

Organizations should work hard to develop a policy, culture, and set of processes that make it easy for employees to report requests incidents that feel off to them — even if they’ve already made mistakes. “It’s important to make sure employees are not scared to report an incident or questionable action they may have taken,” says Feaver. “The sooner something is reported the easier it is to address, but scared employees may not want to admit mistakes.”

The idea is to set up documented steps and mechanisms for reporting and to try to reward thwarted mistakes more than the organization punishes mistakes. “For added incentive, I suggest a reward system — a prize pool or gift cards for example — for those that successfully identify and thwart attempted BEC attacks,” Gill says. “This will help foster a defensive mindset and zero trust mentality and they need to know how to do this safely.”