# Business Email Compromise Assessment SOP

Sub-procedure for Operate pillar managed services - Wire fraud vulnerability assessment

- Service Pillar: Operate
- Service Category: Wire Fraud Prevention
- Parent SOP: Cloud Operations SOP
- Engagement Type: Assessment / Annual Review
## Overview
Comprehensive assessment of an organization's vulnerability to Business Email Compromise (BEC) and wire fraud attacks. This assessment evaluates email security controls, financial process controls, user awareness, and technical safeguards to identify gaps that attackers commonly exploit for financial fraud.
## Scope

- Pillar: Operate (Managed Services)
- Service Area: Wire Fraud Prevention - BEC Assessment
### In Scope
- Email authentication (DMARC, DKIM, SPF)
- Email security gateway configuration
- Financial transaction authorization processes
- User awareness of BEC tactics
- Impersonation protection controls
- Vendor payment verification procedures
- Executive communication security
### Out of Scope
- Full penetration testing
- Endpoint security assessment
- Network security assessment
- Physical security controls
## Business Justification
| Metric | Value | Source |
|---|---|---|
| BEC losses in 2023 | $2.9 billion | FBI IC3 Report 2023 |
| Average BEC loss per incident | $125,000 | FBI IC3 Report 2023 |
| BEC attacks targeting SMBs | 43% | Verizon DBIR 2024 |
| Recovery rate for BEC wire transfers | <30% | FBI Recovery Asset Team |
## Prerequisites
- Email system access (admin level or security read)
- Financial process documentation
- Accounts payable/receivable stakeholder access
- CFO/Controller sponsorship
- List of executives and finance team members
- Current email security policies
- Vendor management documentation
## Procedure
### Step 1: Email Authentication Assessment

Objective: Evaluate email authentication controls that prevent domain spoofing

Activities:

1. Analyze SPF record configuration
2. Verify DKIM implementation
3. Assess DMARC policy and enforcement
4. Check subdomain protection
5. Review lookalike domain monitoring
6. Analyze email authentication reports

Assessment Criteria:

| Control | Target State | Risk if Gap |
|---|---|---|
| SPF | Hard fail (-all) | Critical - Domain spoofing |
| DKIM | Enabled, 2048-bit | High - Email tampering |
| DMARC | p=reject | Critical - No enforcement |
| Subdomain DMARC | Explicit policy | High - Subdomain abuse |

Tools:

- MXToolbox
- DMARC Analyzer
- dmarcian
- PowerDMARC
Duration: 2-3 hours
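As an added example (not part of this SOP or its tooling), a small Python check that scores SPF and DMARC TXT records against the Step 1 assessment criteria; the two domains and their records are constructed, and DKIM key length and lookalike-domain monitoring are left to the listed tools.

```python
# Constructed sample records for two hypothetical domains (not real DNS data):
# (SPF TXT record, DMARC TXT record published at _dmarc.<domain>)
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.example.net ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strong.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                       "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example"),
}

def assess_spf(record: str) -> dict:
    """Target state is a hard fail (-all); anything else is a Critical gap."""
    if not record.startswith("v=spf1"):
        return {"control": "SPF", "state": "missing", "risk": "Critical"}
    # The 'all' mechanism may carry a qualifier: -all, ~all, ?all, +all or bare all.
    all_term = next((t for t in record.split()[1:] if t.lstrip("+-~?") == "all"), None)
    if all_term == "-all":
        return {"control": "SPF", "state": "hard fail", "risk": None}
    return {"control": "SPF", "state": all_term or "no all mechanism", "risk": "Critical"}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Check enforcement (p=reject at pct=100) and an explicit subdomain policy (sp=)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return [{"control": "DMARC", "state": "missing", "risk": "Critical"}]
    policy, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    enforced = policy == "reject" and pct == 100
    findings = [{"control": "DMARC", "state": f"p={policy} pct={pct}",
                 "risk": None if enforced else "Critical"}]
    # Without an explicit sp= tag, subdomains inherit p; the criteria table
    # treats the missing explicit policy as a High gap (subdomain abuse).
    sp = tags.get("sp")
    findings.append({"control": "Subdomain DMARC",
                     "state": f"sp={sp}" if sp else "inherits p (no sp tag)",
                     "risk": None if sp else "High"})
    return findings

def assess_domain(domain: str) -> list:
    """Combine SPF and DMARC findings for one domain from the sample records."""
    spf, dmarc = SAMPLE_RECORDS[domain]
    return [assess_spf(spf)] + assess_dmarc(dmarc)
```

In an engagement the record strings would come from the organization's DNS (the TXT record at the domain and at `_dmarc.<domain>`), with each returned finding carried into the Step 6 risk matrix.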
### Step 2: Email Security Gateway Review

Objective: Assess technical controls for detecting malicious emails

Activities:

1. Review anti-phishing configuration
2. Assess impersonation protection settings
3. Evaluate external sender warnings
4. Check attachment filtering policies
5. Review URL filtering and sandboxing
6. Assess quarantine procedures

Key Configurations:

- [ ] External email tagging/banners
- [ ] Display name impersonation detection
- [ ] Domain impersonation protection
- [ ] First-time sender warnings
- [ ] Reply-to mismatch detection
- [ ] VIP/executive protection policies
Duration: 2-3 hours
### Step 3: Financial Process Assessment

Objective: Evaluate business processes that protect against fraudulent transactions

Interview Stakeholders:

- CFO/Controller
- Accounts Payable Manager
- Treasury/Cash Management
- IT/Security Lead

Process Review Checklist:

- [ ] Wire transfer authorization requirements
- [ ] Dual approval thresholds
- [ ] Vendor bank account change verification
- [ ] Out-of-band verification procedures
- [ ] Invoice validation processes
- [ ] Emergency/urgent payment procedures
- [ ] International wire controls
- [ ] ACH/EFT authorization procedures

Red Flags to Identify:

| Process Gap | Risk Level | Common Exploit |
|---|---|---|
| Single approval for wire | Critical | CEO fraud |
| No callback verification | Critical | Vendor impersonation |
| Email-only bank changes | Critical | Vendor compromise |
| No urgency policy | High | Time pressure tactics |
Duration: 3-4 hours
### Step 4: BEC Attack Simulation Readiness

Objective: Assess the organization's ability to detect simulated BEC attacks

Activities:

1. Review previous phishing test results
2. Assess executive protection measures
3. Evaluate finance team targeting history
4. Identify high-risk users
5. Document current awareness training

High-Risk User Categories:

- C-suite executives (spoofed senders)
- Finance/accounting team (target recipients)
- Executive assistants (intermediaries)
- HR (payroll fraud targets)
- Vendors with payment access
Duration: 2-3 hours
### Step 5: Vendor/Third-Party Risk Assessment

Objective: Evaluate controls for vendor payment security

Activities:

1. Review vendor onboarding procedures
2. Assess payment information verification
3. Evaluate vendor communication security
4. Check vendor master file controls
5. Review recent vendor-related incidents

Vendor Payment Controls:

- [ ] Verbal verification of bank changes
- [ ] Written authorization requirements
- [ ] Waiting period for bank changes
- [ ] Vendor contact database maintenance
- [ ] Accounts payable segregation of duties
Duration: 2-3 hours
### Step 6: Findings Documentation & Risk Rating

Objective: Compile findings into an actionable report with risk prioritization

Activities:

1. Categorize findings by attack vector
2. Rate findings by likelihood and impact
3. Map findings to BEC attack scenarios
4. Develop remediation recommendations
5. Estimate financial risk exposure
6. Create executive summary

Risk Rating Matrix:

| Finding Category | Exploitability | Financial Impact | Priority |
|---|---|---|---|
| No DMARC enforcement | High | Critical | P1 |
| Single-signature wires | High | Critical | P1 |
| No callback verification | High | Critical | P1 |
| Weak impersonation protection | Medium | High | P2 |
| Limited user awareness | Medium | High | P2 |
Duration: 4-6 hours
## Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| BEC Vulnerability Assessment Report | PDF/Word | Lead Consultant |
| Email Authentication Analysis | | Technical Analyst |
| Financial Process Gap Analysis | Excel | Lead Consultant |
| Risk Exposure Estimate | Excel | Engagement Manager |
| Remediation Roadmap | Excel | Engagement Manager |
| Executive Summary (CFO-ready) | PDF (2-page) | Engagement Manager |
## Quality Gates
- All email authentication protocols analyzed
- Financial processes documented with gap analysis
- Key stakeholder interviews completed
- Findings mapped to real-world BEC scenarios
- Risk exposure quantified where possible
- Remediation recommendations prioritized
- Report reviewed by senior consultant
- Executive presentation scheduled
## Related Documents
- BEC Training SOP
- BEC Controls SOP
- M365 Security Assessment SOP
- Security Training SOP
- Cross-Pillar SOPs
- Templates
Last Updated: February 2026