Business Email Compromise (BEC) is the single most expensive cyber threat to small businesses: not ransomware, not malware, just a convincing email that moves real money. The good news: you can shut down the most common attack paths with six concrete steps, most of which are free or already included in tools you own.
1. Turn on multi-factor authentication (MFA) everywhere
Start with email, then finance and admin accounts. MFA alone stops the overwhelming majority of account-takeover attempts. Prefer an authenticator app or hardware key over SMS.
2. Require call-back verification for any payment change
Write it into policy: no new or changed bank details are actioned on email alone. Call the known number on file, never a number from the email itself.
3. Alert on new inbox forwarding rules
Attackers create hidden auto-forwarding rules to read your mail. Microsoft 365 and Google Workspace can both alert you (or block external forwarding) automatically.
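Here is what that alert looks like when you build it yourself rather than rely on the vendor toggle. This is an added example, not code from the original post. The audit records are constructed and only loosely shaped like Microsoft 365 audit-log entries for the New-InboxRule and Set-InboxRule operations (the parameter names ForwardTo, ForwardAsAttachmentTo, RedirectTo and DeleteMessage are the real ones, but a real export has many more fields and its layout depends on how you pull it); valuealigners.com is taken from the post's own example domain.

```python
"""Flag mailbox rules that forward or redirect mail outside the organisation.

Added example, not from the original post. The sample records are constructed
and simplified; a real Microsoft 365 audit export carries many more fields.
"""
import json

OUR_DOMAIN = "valuealigners.com"  # the post's example domain (assumption)

# Operations that create or change a mailbox rule, and the rule parameters
# that move a copy of the mail somewhere else.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample: three audit records as JSON lines.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2024-05-01T08:12:03", "Operation": "New-InboxRule", "UserId": "cfo@valuealigners.com", "Parameters": [{"Name": "Name", "Value": "Sync"}, {"Name": "ForwardTo", "Value": "archive@mail-collector.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2024-05-01T09:40:11", "Operation": "New-InboxRule", "UserId": "ops@valuealigners.com", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "MoveToFolder", "Value": "Invoices"}]}
{"CreationTime": "2024-05-01T10:02:45", "Operation": "Set-InboxRule", "UserId": "hr@valuealigners.com", "Parameters": [{"Name": "Name", "Value": "Payroll"}, {"Name": "RedirectTo", "Value": "payroll@valuealigners.com"}]}
"""


def is_external(address: str, our_domain: str = OUR_DOMAIN) -> bool:
    """True when the address's domain is not ours (case-insensitive)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain != our_domain.lower()


def find_external_forwarding(audit_log: str, our_domain: str = OUR_DOMAIN) -> list:
    """Return one alert per rule that forwards or redirects to an external address."""
    alerts = []
    for line in audit_log.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            # A value may list several recipients separated by ';'.
            for target in params[name].split(";"):
                if is_external(target, our_domain):
                    alerts.append({
                        "time": rec["CreationTime"],
                        "mailbox": rec["UserId"],
                        "rule": params.get("Name", ""),
                        "via": name,
                        "target": target.strip(),
                        # Deleting the original hides the forwarding from the mailbox owner.
                        "deletes_original": params.get("DeleteMessage") == "True",
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(alert)
```

Only the first record trips the alert: the rule moves mail to an address outside valuealigners.com and deletes the original, so the owner never sees what left. The internal redirect and the move-to-folder rule are normal and stay quiet.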
4. Flag external and look-alike senders
Add an “[External]” banner to mail from outside your domain, and watch for look-alike domains (a domain that differs from valuealigners.com by one swapped, dropped or substituted character). A visible cue breaks the autopilot that BEC relies on.
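The banner rule in your mail platform handles "outside your domain"; the look-alike check is the part worth seeing in code. This is an added example, not from the post. It assumes your domain is valuealigners.com (the post's example) and uses a small hand-picked table of confusable characters, not an exhaustive one; a sender lands in one of three buckets so you can choose a different banner for each.

```python
"""Classify a sender as internal, look-alike or external relative to your own domain.

Added example, not from the original post. The confusable table is a small
hand-picked subset; the sample addresses below are constructed.
"""

OUR_DOMAIN = "valuealigners.com"  # the post's example domain (assumption)

# Common character substitutions seen in look-alike domains, mapped back to
# the letter they imitate. Digits and a few Cyrillic letters that render like
# Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
})


def normalise(domain: str) -> str:
    """Lower-case, fold confusables, and collapse 'rn' -> 'm' and 'vv' -> 'w'."""
    d = domain.strip().lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, our_domain: str = OUR_DOMAIN) -> str:
    """Return 'internal', 'look-alike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain == our_domain.lower():
        return "internal"
    ours, theirs = normalise(our_domain), normalise(domain)
    # Compare the registrable label without its TLD so a swapped suffix
    # (.co for .com) is also caught.
    ours_label = ours.rsplit(".", 1)[0]
    theirs_label = theirs.rsplit(".", 1)[0]
    if theirs == ours or edit_distance(theirs_label, ours_label) <= 2:
        return "look-alike"
    return "external"


def banner(subject: str, address: str, our_domain: str = OUR_DOMAIN) -> str:
    """Prefix the subject with the cue the recipient should see."""
    kind = classify_sender(address, our_domain)
    if kind == "internal":
        return subject
    tag = "[LOOK-ALIKE SENDER]" if kind == "look-alike" else "[External]"
    return f"{tag} {subject}"
```

The distance threshold of two edits is a judgement call: tighter misses a two-character swap, looser starts tagging unrelated short domains. Tune it against a week of your own inbound mail before trusting it.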
5. Lock down your domain with SPF, DKIM, and DMARC
These three DNS records make it far harder for anyone to spoof your domain to your clients. Set DMARC to “quarantine” or “reject” once you’ve confirmed legitimate mail passes.
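A small checker for the three records, as an added example that is not part of the post. The TXT values are constructed for valuealigners.com: the SPF include and the DKIM selector name are the Microsoft 365 defaults, the DKIM key is an obviously truncated placeholder, and the DMARC record is deliberately left at p=none so the checker has something to say. A real run would fetch the records from DNS first (dnspython, or simply `dig TXT`); the parsing and the checks are the same.

```python
"""Check SPF, DKIM and DMARC records for the settings the post recommends.

Added example, not from the original post. RECORDS is a constructed stand-in
for DNS TXT lookups on valuealigners.com.
"""
from typing import Optional

# Constructed sample records, keyed by the name you would look up.
RECORDS = {
    "valuealigners.com": "v=spf1 include:spf.protection.outlook.com -all",
    "selector1._domainkey.valuealigners.com":
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...PLACEHOLDER_KEY",
    "_dmarc.valuealigners.com": "v=DMARC1; p=none; rua=mailto:dmarc@valuealigners.com",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DKIM/DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: Optional[str]) -> list:
    """SPF should exist and end with a fail ('-all') or softfail ('~all') term."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record found"]
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return [f"SPF: '{last}' authorises every sender; use -all"]
    if last not in ("-all", "~all"):
        return [f"SPF: record should end with -all or ~all, found '{last}'"]
    return []


def check_dkim(record: Optional[str]) -> list:
    """A DKIM selector record must carry a public key in p=."""
    if not record:
        return ["DKIM: no selector record found"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return ["DKIM: record lacks a public key (p=)"]
    return []


def check_dmarc(record: Optional[str]) -> list:
    """DMARC should enforce (quarantine/reject), report, and cover all mail."""
    if not record:
        return ["DMARC: no _dmarc record found"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy} only monitors; move to quarantine or reject "
                        "once legitimate mail passes")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    return findings


def audit(domain: str, records: dict, dkim_selector: str = "selector1") -> list:
    """Run all three checks for one domain and return the list of findings."""
    return (check_spf(records.get(domain))
            + check_dkim(records.get(f"{dkim_selector}._domainkey.{domain}"))
            + check_dmarc(records.get(f"_dmarc.{domain}")))


if __name__ == "__main__":
    for finding in audit("valuealigners.com", RECORDS) or ["All three records look good"]:
        print(finding)
```

On the sample data the only finding is the p=none policy, which is exactly the state the post tells you to move past: monitor with rua= reports until legitimate mail passes, then switch to quarantine or reject.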
6. Run a 15-minute drill
Ask your finance contact: “An email from me says wire instructions changed, what do you do?” If the answer isn’t “call you to confirm,” you’ve found your gap. Fix it today.
Not sure which of these you already have covered? That’s exactly what a quick assessment answers.