$2.9B Lost to BEC in 2024

Business Email Compromise (BEC) Risk Assessment

Evaluate your organization's vulnerability to BEC attacks across email security, financial controls, and employee training. BEC is the #1 financial cybercrime threat.

Email Security Controls
6 questions assessing your email infrastructure defenses
1. Is Multi-Factor Authentication (MFA) enabled on all email accounts?
MFA is the single most effective control against email account takeover, which is what enables many BEC attacks.
2. Is SPF (Sender Policy Framework) configured for your email domain?
SPF publishes in DNS which mail servers may send for your domain, so receivers can reject spoofed messages that claim to come from it.
3. Is DKIM (DomainKeys Identified Mail) signing enabled?
DKIM signs outgoing email with your domain's private key so receivers can verify, against the public key published in DNS, that a message was sent by your domain and was not altered in transit.
4. Is DMARC configured with a reject or quarantine policy?
DMARC builds on SPF and DKIM to instruct receivers how to handle unauthenticated emails from your domain; a p=none policy only monitors and still lets spoofed mail through.
5. Do you use advanced email filtering / anti-phishing?
Advanced email gateways with AI/ML detection catch impersonation, display-name spoofing, and lookalike domains.
6. Are external email warnings/banners displayed to users?
Visual indicators on external emails help employees identify potential impersonation from outside the organization.
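Questions 2 and 4 can be checked against a domain's published records without any mail flowing. The following is an added example, not part of the assessment tool: an offline checker that parses an SPF record and a DMARC record and reports the weaknesses the questions are about (no enforcing DMARC policy, partial pct, missing aggregate reporting, a permissive SPF terminal, too many DNS-lookup terms). The domains and records are constructed samples; a real check would fetch the TXT records from DNS first.

```python
import re

# RFC 7208 caps DNS-querying SPF terms at 10; these mechanisms and modifiers count.
SPF_LOOKUP = re.compile(r"^[+\-~?]?(?:include:|exists:|redirect=|(?:a|mx|ptr)\b)", re.I)

# Constructed sample records for illustration; the domains and hosts are not real.
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.provider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"
WEAK_SPF = "v=spf1 include:a.example include:b.example +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Findings for question 4; an empty list means an enforcing, monitored policy."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy} only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address, so spoofing attempts are never reported back")
    return findings

def assess_spf(record: str) -> list:
    """Findings for question 2; an empty list means unlisted senders fail or softfail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append(f"ends with '{terms[-1]}'; unlisted senders are not failed")
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return findings

if __name__ == "__main__":
    print(assess_spf(WEAK_SPF), assess_dmarc(WEAK_DMARC))
```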
Financial Controls
5 questions assessing payment and wire transfer safeguards
7. What is your average monthly wire transfer / ACH volume?
Higher transaction volume increases financial exposure to BEC wire fraud.
8. Is dual approval required for wire transfers and payment changes?
Requiring two authorized approvers for payments is a critical control against fraudulent wire requests.
9. Do you require verbal/callback verification for payment changes?
Calling back on a phone number already on file (never one supplied in the request itself) to verify banking changes is the most effective defense against invoice-fraud BEC.
10. Are vendor banking details verified through a secure channel before first payment?
Verifying a vendor's bank account before the first payment prevents attackers from inserting fraudulent payment details.
11. Is there a payment change hold period (e.g., a 48-hour delay for new bank details)?
A mandatory hold period provides time to detect and stop fraudulent payment redirections.
Employee Training & Awareness
4 questions assessing BEC-specific training effectiveness
12. Do employees receive BEC-specific awareness training?
General phishing training is not sufficient; employees need training on BEC tactics including CEO fraud, vendor impersonation, and W-2 scams.
13. Are phishing simulations conducted that include BEC scenarios?
Realistic BEC simulations test whether employees will follow financial verification procedures.
14. Are executives and finance staff given targeted BEC training?
CFOs, controllers, AP staff, and executives are the primary targets of BEC attacks and need specialized training.
15. Is there a clear, known process for employees to report suspicious emails?
A simple, well-known reporting mechanism (e.g., a phish button) increases early detection of BEC attempts.