
Business Email Compromise Controls SOP

Sub-procedure for Operate pillar managed services - Wire fraud technical and process controls

Service Pillar: Operate
Service Category: Wire Fraud Prevention
Parent SOP: Cloud Operations SOP
Engagement Type: Implementation / Managed Service


Overview

Implementation and management of technical and procedural controls to prevent Business Email Compromise (BEC) and wire fraud attacks. This procedure covers email authentication, impersonation protection, financial process controls, and ongoing monitoring to create a defense-in-depth approach against sophisticated social engineering attacks.

Scope

Pillar: Operate (Managed Services)
Service Area: Wire Fraud Prevention - BEC Controls

In Scope

  • Email authentication implementation (DMARC, DKIM, SPF)
  • Anti-impersonation technical controls
  • Financial process controls implementation
  • Vendor payment verification procedures
  • BEC detection and alerting
  • Ongoing control monitoring

Out of Scope

  • Full email security gateway deployment
  • User training delivery (see BEC Training SOP)
  • Incident response procedures

Prerequisites

  • Completed BEC Assessment
  • Executive/CFO sponsorship
  • Email system administrative access
  • Financial process stakeholder buy-in
  • Approved control implementation plan
  • Change management approval
  • Rollback procedures documented

Procedure

Step 1: Email Authentication Implementation

Objective: Prevent domain spoofing through proper email authentication

SPF Implementation:
1. Audit all legitimate sending sources
2. Document IP addresses and third-party senders
3. Create comprehensive SPF record
4. Test with ~all (soft fail) initially
5. Monitor for 2-4 weeks
6. Transition to -all (hard fail)

SPF Record Example:

v=spf1 include:_spf.google.com include:sendgrid.net ip4:x.x.x.x -all

DKIM Implementation:
1. Generate 2048-bit DKIM keys
2. Publish DKIM public key in DNS
3. Enable DKIM signing on email platform
4. Verify DKIM alignment
5. Monitor authentication reports

DMARC Implementation:
1. Start with p=none for monitoring
2. Analyze DMARC reports (2-4 weeks)
3. Address authentication failures
4. Progress to p=quarantine (2-4 weeks)
5. Implement p=reject enforcement
6. Configure rua/ruf reporting

DMARC Progression:

| Phase | Policy | Duration | Action |
|-------|--------|----------|--------|
| 1 | p=none | 2-4 weeks | Monitor, identify failures |
| 2 | p=quarantine pct=25 | 2 weeks | Test quarantine |
| 3 | p=quarantine pct=100 | 2 weeks | Full quarantine |
| 4 | p=reject pct=25 | 2 weeks | Test rejection |
| 5 | p=reject pct=100 | Ongoing | Full enforcement |

Duration: 4-8 weeks for full implementation
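As an added example (not part of the original SOP), the following Python checks the Step 1 record strings offline: it counts the DNS-lookup terms in an SPF record against the RFC 7208 limit of 10, reports whether the record has reached the -all end state, and maps a DMARC record's p/pct tags to its phase in the progression table. The sample records, the 203.0.113.10 address and the dmarc@example.com mailbox are constructed.

```python
import re

# RFC 7208 section 4.6.4: at most 10 mechanisms/modifiers that trigger DNS lookups.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

# Phases of the DMARC progression table above, keyed by (policy, pct).
DMARC_PHASES = {("none", 100): 1, ("quarantine", 25): 2, ("quarantine", 100): 3,
                ("reject", 25): 4, ("reject", 100): 5}


def check_spf(record: str) -> dict:
    """Count DNS-lookup terms and report the 'all' qualifier of an SPF TXT record.

    Only the record string is inspected; include: targets are not resolved, so
    lookups inside included records are not counted (they count toward the same limit).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # strip the qualifier (+ - ~ ?) and any argument to get the mechanism name
        name = re.sub(r"^[+\-~?]", "", term).split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {
        "lookups": lookups,
        "within_limit": lookups <= SPF_LOOKUP_LIMIT,
        "all": all_qualifier,
        "enforcing": all_qualifier == "-",  # Step 1 ends with -all (hard fail)
    }


def dmarc_phase(record: str) -> int:
    """Map a DMARC TXT record to its phase (1-5) in the progression table; 0 if it matches none."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    return DMARC_PHASES.get((tags["p"].lower(), pct), 0)


# Constructed records (documentation-range IP, not a real sender).
EXAMPLE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all"
EXAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
```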

Step 2: Anti-Impersonation Controls

Objective: Implement technical controls to detect impersonation attempts

Microsoft 365 Configuration:
- [ ] Enable anti-phishing policies
- [ ] Configure user impersonation protection
  - Add executives and finance users
  - Set to quarantine/reject
- [ ] Configure domain impersonation protection
  - Protect primary domain and common lookalikes
- [ ] Enable mailbox intelligence
- [ ] Configure impersonation safety tips

External Email Tagging:
- [ ] Implement external email banner/tag
- [ ] Customize warning message
- [ ] Test with users before deployment

Example Banner:

⚠️ EXTERNAL EMAIL: This message originated outside the organization.
Exercise caution with links and attachments.

First-Time Sender Warnings:
- [ ] Enable first-time sender safety tips
- [ ] Configure for external senders

Reply-To Analysis:
- [ ] Alert on reply-to mismatch
- [ ] Block known-bad patterns

Duration: 4-6 hours

Step 3: Financial Process Controls

Objective: Implement business process controls for payment authorization

Wire Transfer Controls:

| Control | Implementation | Verification |
|---------|----------------|--------------|
| Dual approval | Require 2 approvers for wires >$X | Documented policy |
| Callback verification | Phone call to known number | Call log maintained |
| Waiting period | 24-hour delay for new vendors | Process documented |
| Out-of-band confirmation | Secondary channel for changes | Procedure in place |

Vendor Payment Change Procedures:
1. Receive bank change request
2. Do NOT use contact info from the request
3. Call vendor at known phone number
4. Verify with authorized contact
5. Document verification in ticket/log
6. Implement 24-48 hour waiting period
7. Secondary approval for change

Payment Threshold Matrix:

| Amount | Approval Level | Verification Required |
|--------|----------------|-----------------------|
| <$5,000 | Single approval | Standard process |
| $5,000-$25,000 | Dual approval | Email verification |
| $25,000-$100,000 | Dual approval + Manager | Phone verification |
| >$100,000 | CFO approval | In-person/video verification |

Emergency Payment Procedures:
- Define what constitutes an emergency
- Require verbal authorization from CFO
- Document emergency circumstances
- Conduct post-payment review

Duration: 8-16 hours (process development and documentation)

Step 4: Monitoring and Alerting

Objective: Implement detection capabilities for BEC attempts

Alert Rules:
- [ ] Mail forwarding rule creation (external)
- [ ] Inbox rule manipulation
- [ ] Delegate access changes
- [ ] Sign-in from unusual location (finance users)
- [ ] DMARC failures on inbound email
- [ ] Impersonation attempts detected
- [ ] Executive email access anomalies

Microsoft 365 Alert Policies:

| Alert | Severity | Notification |
|-------|----------|--------------|
| Mail forwarding to external | High | Immediate |
| Suspicious inbox rule | High | Immediate |
| DMARC authentication failure | Medium | Daily digest |
| Impersonation detected | High | Immediate |
| Unusual mail volume | Medium | Daily digest |
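The two inbox-rule alerts above (external forwarding, suspicious inbox rule), as an added detection example that is not part of the original SOP: it evaluates Exchange admin audit records delivered as JSON lines with an Operation and a Parameters list of Name/Value pairs (a record shape assumed here) and flags rules that forward to an external domain or that both forward and hide mail. INTERNAL_DOMAINS, the hide-parameter heuristic and the sample records are assumptions.

```python
import json

INTERNAL_DOMAINS = {"example.com"}   # assumed organization domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Heuristic: parameters that keep the mailbox owner from seeing the forwarded thread.
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate_record(rec: dict) -> list:
    """Return findings for one audit record; an empty list means nothing to alert on."""
    if rec.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    user, rule = rec.get("UserId"), params.get("Name", rec.get("ObjectId"))
    findings = []
    forwards = params.keys() & FORWARD_PARAMS
    for name in sorted(forwards):
        # Exchange accepts several recipients separated by ';'
        targets = [t.strip() for t in params[name].split(";") if t.strip()]
        external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
        if external:
            findings.append(f"HIGH {user}: rule '{rule}' {name} external {external}")
    if forwards and params.keys() & HIDE_PARAMS:
        findings.append(f"HIGH {user}: rule '{rule}' forwards and hides messages")
    return findings


def scan(log_lines) -> list:
    """Run evaluate_record over JSON-lines audit records and collect all findings."""
    return [f for line in log_lines for f in evaluate_record(json.loads(line))]


# Constructed sample events, not real log data.
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "billing@mail-example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "ap@example.com",
                "Parameters": [{"Name": "Name", "Value": "Sort vendors"},
                               {"Name": "MoveToFolder", "Value": "Vendors"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "ap@example.com",
                "Parameters": [{"Name": "Name", "Value": "Copy to assistant"},
                               {"Name": "ForwardTo", "Value": "assistant@example.com"}]}),
    json.dumps({"Operation": "MailboxLogin", "UserId": "ap@example.com", "Parameters": []}),
]
```

Only the first sample record produces findings; the internal forward and the move-only rule stay silent, which is the noise level the "Immediate" notification tier needs.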

DMARC Monitoring:
1. Configure aggregate report (rua) recipients
2. Set up forensic reports (ruf) if needed
3. Use DMARC analysis tool (dmarcian, Valimail)
4. Weekly review of authentication failures
5. Investigate unauthorized sending sources
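For the weekly failure review in steps 4 and 5 above, an added example (not from the original SOP) that summarizes a DMARC aggregate (rua) report by source IP. The report is constructed sample data in the RFC 7489 aggregate-report XML schema, and the failing_sources rule (flag an IP only when none of its traffic passed DMARC) is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report; IPs are documentation ranges, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>25</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize(report_xml: str) -> dict:
    """Per-source message counts split into DMARC pass/fail, plus the published policy."""
    root = ET.fromstring(report_xml)
    pub = root.find("policy_published")
    per_ip = defaultdict(lambda: {"pass": 0, "fail": 0, "dispositions": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes; both failing is a DMARC failure
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        entry = per_ip[row.findtext("source_ip")]
        entry["pass" if passed else "fail"] += int(row.findtext("count"))
        entry["dispositions"].add(ev.findtext("disposition"))  # shows pct sampling in effect
    return {"domain": pub.findtext("domain"), "policy": pub.findtext("p"),
            "pct": int(pub.findtext("pct", "100")), "sources": dict(per_ip)}


def failing_sources(report_xml: str) -> list:
    """Source IPs whose traffic never passed DMARC: candidates for the weekly investigation."""
    sources = summarize(report_xml)["sources"]
    return sorted(ip for ip, c in sources.items() if c["fail"] and not c["pass"])
```

In the sample, 198.51.100.7 fails on both DKIM and SPF while the published policy is p=quarantine pct=25, so only part of its mail is quarantined and the rest is delivered; that is the phase 2 behaviour from the progression table and the reason the source must be identified before moving to pct=100.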

Duration: 4-6 hours

Step 5: Vendor Risk Controls

Objective: Implement controls for vendor payment security

Vendor Onboarding Controls:
- [ ] Verify vendor identity independently
- [ ] Establish authorized contacts list
- [ ] Document verified phone numbers
- [ ] Set up payment information on record
- [ ] Require W-9/tax documentation

Vendor Master File Controls:
- [ ] Restrict edit access (segregation of duties)
- [ ] Audit trail for all changes
- [ ] Approval workflow for changes
- [ ] Regular vendor file review

Payment Verification Matrix:

| Change Type | Verification Method | Waiting Period |
|-------------|---------------------|----------------|
| New vendor | Independent verification | 48 hours |
| Bank account change | Callback + letter | 48 hours |
| Address change | Callback verification | 24 hours |
| Contact change | Multi-party confirmation | 24 hours |

Duration: 4-6 hours

Step 6: Control Validation and Maintenance

Objective: Ensure controls remain effective over time

Monthly Activities:
- [ ] Review DMARC aggregate reports
- [ ] Analyze impersonation detection alerts
- [ ] Audit mail forwarding rules
- [ ] Review payment verification logs
- [ ] Validate control configurations

Quarterly Activities:
- [ ] Test callback verification procedures
- [ ] Audit vendor master file changes
- [ ] Review payment approval compliance
- [ ] Update SPF record if needed
- [ ] Assess control effectiveness

Annual Activities:
- [ ] Full BEC control assessment
- [ ] Update procedures based on threat landscape
- [ ] Refresh training for control owners
- [ ] Review and update approval thresholds
- [ ] Third-party control validation

Duration: 4 hours monthly, 8 hours quarterly


Deliverables

| Deliverable | Format | Owner |
|-------------|--------|-------|
| Email Authentication Configuration | DNS Records | Technical Analyst |
| DMARC Monitoring Dashboard | Dashboard/Reports | Technical Analyst |
| Payment Control Procedures | Word/PDF | Lead Consultant |
| Vendor Payment Policy | Word/PDF | Engagement Manager |
| Alert Configuration Documentation | Word | Technical Analyst |
| Monthly Control Review Report | PDF | Lead Consultant |

Quality Gates

  • Email authentication at enforcement level (p=reject)
  • Anti-impersonation controls validated
  • Financial process controls documented and trained
  • Vendor payment procedures implemented
  • Alerting configured and tested
  • Control owners identified and trained
  • Maintenance schedule established
  • Quarterly effectiveness review scheduled


Last Updated: February 2026