What is? And how can I protect against, Business Email Compromise?

Recently the BBC published this article about Business Email Compromise, how it works, and why the scam is so successful.

Let me explain what Business Email Compromise is.

I bet at some point in your business career you have received an email asking you to make an urgent payment from a colleague. Of course, being the bright spark that you are, you contacted the colleague to confirm before making the payment. At that point, you found out that your colleague never sent the email. The email was a fraud, a bad guy pretending to be someone you work with and wanting to trick you into making a payment.

Business Email Compromise, also known as CEO Fraud is where an attacker sends a fake email, looking like it comes from someone with authority, usually your boss. These emails are most commonly sent to someone in the finance department, to trick them into making a money transfer.

It is an incredibly successful scam, with the US FBI reporting current worldwide losses to businesses of $26 billion. This figure is expected to continue to grow.

The ludicrous part of this scam is it is straightforward for a business to protect themselves.


Sadly, most IT providers - especially ones that work exclusively with small businesses, are unaware of how to secure your email system - even though these security settings have existed for 30 years or more.

I founded Kimbley IT in 2007. We are yet to on-board a new client that already has a correctly configured and secured email system. Since 2015 we have posted the instructions on how to secure Gmail in G Suite. If this is your first time securing Gmail, it will take you around 45 minutes to put the correct settings in place.

Once you have put these email settings known as SPF, DKIM and DMARC in place emails you and colleagues send will get verified as genuinely coming from you and not a bad guy pretending to be you.

Bad guys will still try to send fake emails, but you can tell the recipient's email system what to do with emails that don't pass verification. You could set a setting that tells the recipients email system to put emails that don't pass verification into their spam folder. Better still, you could set the system to "reject" any emails that don't pass checks - so the recipient never receives the fake emails.

If more companies checked that their email systems have been secured correctly, the would-be drastic reductions in Business Email Compromise scams!