📧 Free Download

The BEC Defense Playbook — before $2.9 billion becomes your problem

CEO impersonation. Vendor invoice swap. Payroll diversion. One DMARC record and an out-of-band callback policy stop 90% of it. The other 10% is covered in this playbook.

11-page playbook — download instantly
DMARC enforcement guide included
3 tabletop scenarios inside
Playbook — 11 pages · 2026
What's inside the BEC Defense Playbook
⚠️ 5 BEC attack patterns — CEO fraud, VEC, payroll, attorney, gift card
🔗 The BEC kill chain — recon to reply-chain hijack to wire diverted
🚩 Detection signals — display-name spoofing, lookalike domains, urgency triggers
🔒 DMARC enforcement guide — SPF, DKIM, DMARC p=reject, BIMI, ARC
Out-of-band verification protocol — the single most effective control
0–72 hour IR timeline — FBI IC3 + FinCEN Kill Chain process
📋 3 tabletop scenarios — CFO fraud, vendor swap, M&A wire diversion
$2.9B BEC losses in 2023 — #1 cybercrime by dollar value (FBI IC3)
21,489 BEC complaints filed with FBI IC3 in 2023 alone
90% of BEC stopped by DMARC p=reject + out-of-band verification

What you get

4 things your organization will use immediately

This playbook is operational, not theoretical. Every section is built to be used — by your finance team before approving a wire, by your IT team configuring DMARC, and by your whole organization running a tabletop exercise.

⚠️ Recognize all 5 BEC attack patterns before your team falls for one

CEO impersonation, vendor email compromise (VEC), payroll diversion, attorney impersonation, and gift card scam — with the exact red flags and who each pattern targets.

🔒 Implement DMARC p=reject — the technical control that stops most BEC

SPF, DKIM, DMARC enforcement (p=reject), BIMI, and ARC explained step by step. Most organizations have SPF and DKIM set but never enforce p=reject. This is the gap.

Copy-paste the out-of-band verification protocol your finance team will actually use

6-step verification process for any payment request or banking detail change. Works for vendor invoices, payroll changes, wire transfers, and executive requests.

📋 Run 3 tabletop scenarios that build muscle memory before a real attack

CFO impersonation, vendor invoice swap, and M&A wire diversion — with setup, discussion questions, and expected answers. 30-minute exercise for any team.

How it works

From reconnaissance to wire diverted in 6 steps

BEC is not a brute-force attack. It's a targeted social engineering operation built on research, patience, and the exploitation of trust. Understanding the kill chain is the first step to stopping it.

1. Reconnaissance (weeks before)

Attacker scrapes LinkedIn for org structure, reviews SEC filings, press releases, and social media for transaction activity.

2. Account Takeover or Domain Spoof (days before)

Real email account compromised via phishing, OR lookalike domain registered (acme-inc.co vs acme-inc.com).

3. Passive Monitoring (days to weeks)

With account access, attacker reads email threads to learn deal timing, relationships, and language patterns.

4. Reply-Chain Hijack (1–3 days before)

Attacker inserts into an existing trusted email thread. The target sees a familiar thread and a familiar name.

5. Payment Instruction Swap (hours before wire)

"Wire routing changed." Urgency and secrecy layered on. "I'm in a meeting — process this before 3pm."

6. Exfiltration (minutes after wire)

Funds hit the mule account and move through transit accounts within minutes. 72-hour recovery window starts now.

The attack patterns in detail

5 BEC patterns your team needs to recognize

These five patterns account for the majority of BEC losses across industries. Each has distinct triggers, red flags, and a specific defense. The playbook covers all five in depth.

1. CEO / Executive Impersonation

Lookalike domain or spoofed display name. Urgent wire request via email only, often framed as a confidential acquisition or settlement.

🚩 Urgency + secrecy + email-only = stop
Targets: CFOs, finance associates

2. Vendor Email Compromise (VEC)

Real vendor email compromised or spoofed. "New banking instructions" timed to an expected invoice. Payment goes to attacker's account.

🚩 Banking change on existing vendor relationship
Targets: AP teams, controllers, finance

3. Payroll Diversion

Attacker impersonates an employee and emails HR requesting a direct deposit change before next payroll run.

🚩 Unsolicited direct deposit change via email
Targets: HR, payroll, any organization with automated payroll

4. Attorney / Legal Impersonation

Attacker poses as outside counsel or settlement administrator. Funds must wire immediately for a confidential legal matter or deal close.

🚩 Urgent legal wire request, email-only, no prior phone discussion
Targets: Corporate finance, M&A teams, C-suite

5. Gift Card Scam

Executive impersonation requesting gift card purchases for a team event or charity. Codes sent via email. Lower dollar amount but high frequency.

🚩 Executive email asking to buy gift cards + secrecy
Targets: Any employee who handles expense requests

The one technical control that stops most BEC: DMARC p=reject

Most organizations have SPF and DKIM set up but leave DMARC at p=none (monitor only). At p=none, receiving servers take no action on mail that fails DMARC, so spoofed messages using your domain still reach the inbox. Moving to p=reject closes this gap. The playbook walks you through the full path.

Step 1: Verify SPF and DKIM are configured for all your sending domains

Step 2: Set DMARC to p=none — audit reports for 2–4 weeks to find all legitimate mail streams

Step 3: Move to p=quarantine — spoofed emails go to spam instead of inbox

Step 4 (critical): Enforce p=reject — spoofed emails are blocked before they reach anyone

Also covered: BIMI (brand logo in Gmail/Apple Mail), ARC for forwarding scenarios, external sender warning banners in Microsoft 365 and Google Workspace.
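To make the four-step path concrete, here is an added example (not from the playbook) that parses a DMARC TXT record, places it on the p=none, p=quarantine, p=reject path, and flags the gaps that keep a domain spoofable: p=none, a pct below 100, no rua reporting address, and a subdomain policy (sp=) weaker than p=. The records and the example.com addresses are constructed samples.

```python
# Added example, not part of the playbook: classify a DMARC record and report
# enforcement gaps. Sample records below are constructed for illustration.

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lowercase tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> dict:
    """Return {'stage': ..., 'findings': [...]} for one DMARC TXT record."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"stage": "invalid", "findings": ["missing v=DMARC1 tag"]}
    policy = tags.get("p", "").lower()
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    stage = {"none": "monitor only", "quarantine": "quarantine",
             "reject": "enforced"}.get(policy, "invalid")
    if stage == "invalid":
        findings.append("p= must be none, quarantine or reject")
    if policy == "none":
        findings.append("p=none: receivers take no action on spoofed mail")
    # pct below 100 applies the policy to only that share of failing mail
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    # Without rua= there are no aggregate reports to audit in step 2
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    # Subdomains inherit p= unless sp= overrides it; a weaker sp= reopens the gap
    sp = tags.get("sp", policy).lower()
    if rank.get(sp, -1) < rank.get(policy, -1):
        findings.append(f"sp={sp} is weaker than p={policy}: subdomains remain spoofable")
    return {"stage": stage, "findings": findings}


SAMPLE_RECORDS = {  # constructed records for each stage of the path
    "step2": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "step3": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com",
    "step4": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "weak_sp": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{name}: {result['stage']}; " + ("; ".join(result["findings"]) or "no gaps"))
```

To check a live domain, feed the function the TXT record published at _dmarc.yourdomain (for example from `dig TXT _dmarc.yourdomain`).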

Free download

Get the BEC Defense Playbook

Enter your work email and we'll send the 11-page PDF instantly — 5 attack patterns, DMARC enforcement guide, out-of-band verification protocol, IR timeline, and 3 tabletop scenarios.

No spam. Unsubscribe anytime.

🔒 Encrypted PDF delivery via secure email
🚫 No spam — unsubscribe any time
📧 From SecurEveryone — real humans, real training
🎯 Used by finance teams, legal, and IT security

Ready to train your team live?

Live BEC defense sessions — delivered over Zoom, Meet, or Teams. Industry-specific scenarios, real attack cases, and 3-scenario tabletop exercises.

Personal — $299
Executive — $899
Business — Custom