One Email. One Wire. You’re Done.

The RCMP describes Business Email Compromise (also called CEO fraud / executive scam) as a targeted spear‑phishing scheme that steals from businesses by manipulating trust, often by redirecting payments through “updated” banking details. That’s why BEC is so dangerous: it bypasses your firewall by going straight through your people and your process.


What BEC looks like in real life (and why it works)

BEC succeeds because it rides on context. The attacker doesn’t send a random phishing link. They send a message that looks like it belongs inside an existing conversation:

  • “Hi, we’ve updated our banking details. Please pay the next invoice to the new account.”
  • “Can you process this wire today? I’m in meetings. Don’t delay.”
  • “Our bank is migrating. Here’s the new EFT info. Same vendor, new account.”

Often, the criminal is using either a spoofed domain or a compromised mailbox, then inserting themselves into an existing vendor thread and quietly changing the payment details. The RCMP explicitly calls out this “change of payment details” pattern.

The 5-stage BEC kill chain (so you can break it)

Here’s the pattern we keep seeing across Ontario and beyond:

  1. Recon: attacker learns who approves payments (LinkedIn, your website, job postings, vendor portals).
  2. Access: they compromise a mailbox (phishing, reused passwords, MFA fatigue, stolen session tokens).
  3. Persistence: mailbox rules get created (“move vendor invoices to Archive”), forwarding gets enabled, alerts get silenced.
  4. Thread hijack: they wait for a real invoice and slip in with “updated banking.”
  5. Cash-out: money leaves fast. Recovery becomes a race against time and banking cutoffs.

Your goal: stop treating this like “email security” and start treating it like “payment integrity.” The best control is not a tool, it’s a rule your business follows even when people are busy.

3 lies that keep Canadian SMBs exposed

Lie #1: “We have MFA, so we’re safe.”

MFA is necessary, but not magical. Attackers still win through session hijacking, push fatigue, compromised devices, and social engineering. If you want the deeper truth, read our internal breakdowns: Hackers Don’t Break In, They Log In and Your MFA Isn’t Enough.

Lie #2: “Our staff can spot phishing.”

Classic phishing? Maybe. But BEC isn’t always a “Nigerian prince” email; it’s a realistic vendor thread with a subtle change. That’s why training must be continuous and scenario-based, not once-a-year compliance theatre. Start here: Is Your Cyber Awareness Training Making You More Vulnerable?

Lie #3: “Our spam filter will block it.”

Spam filters are great at spam. BEC is often “legitimate-looking business email,” sometimes from a real compromised account. You need authentication controls (DMARC) and process controls (verification) or you’re still gambling.

The only BEC defence that actually works: People + Process + Platform

At 010grp, we approach BEC with a layered model. Here’s the blueprint.

1) Process controls (this is the money-saver)

If you implement only one thing from this article, implement this:

  • No banking changes accepted via email. Ever.
  • Call-back verification: verify changes using a phone number you already have on file (not the one in the email).
  • Dual approval for payments: two humans, two separate logins, two separate brains.
  • Cooling-off window: any “urgent” payment change gets delayed until it’s verified.
  • Vendor onboarding hygiene: banking details captured through a controlled workflow, not inbox chaos.

Yes, it slows things down slightly. But it’s cheaper than wiring $48,000 into a mule account and spending months on recovery, insurance paperwork, and reputation damage.

2) Identity controls (lock down who can be tricked)

Because BEC usually starts with account takeover, your identity stack matters. We recommend:

  • Phishing-resistant MFA where possible (especially for finance + admins).
  • Conditional access: block logins from risky locations/devices; require compliant devices for finance roles.
  • Least privilege by role: finance users should not have admin privileges “just because.”
  • Privileged Access Management (PAM): time-limited admin access beats standing admin forever.

These controls map directly to services we run for Canadian organizations: Identity and Access Management (IAM), MFA, and PAM.

3) Email controls (make spoofing hurt)

Canada’s cyber authority is very clear on email security: strong authentication, secure gateways, monitoring, and user awareness dramatically reduce email-based risk. Start with the Canadian Centre for Cyber Security’s Email Security Best Practices.

Then implement DMARC properly. The Cyber Centre’s Email Domain Protection guidance explains the core rule: DMARC passes only when SPF or DKIM passes and aligns with the domain in the From address. Translation: DMARC makes domain spoofing far harder to pull off at scale.

Quick technical wins we implement all the time:

  • DMARC: move from p=none → p=quarantine → p=reject (with reporting enabled).
  • SPF + DKIM: clean records, correct alignment, no “shadow senders.”
  • Disable external auto-forwarding and audit mailbox rules.
  • High-risk banners for external mail to reduce “internal-looking” trickery.
  • Email filtering tuned for BEC (display name spoofing, lookalike domains, executive impersonation).
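A worked example of the “audit mailbox rules” item, added here and not 010grp’s tooling: it scans a list of inbox rules for the persistence traits listed in the kill chain above (external forwarding, finance mail hidden in low-visibility folders, deletion, blank or one-character rule names). The rules are constructed sample data in a simplified shape; the field names follow Exchange Online inbox-rule properties as an assumption, and INTERNAL_DOMAINS is a placeholder for your own domains.

```python
INTERNAL_DOMAINS = {"example.ca"}   # placeholder: your own email domains
HIDING_FOLDERS = {"archive", "rss feeds", "rss subscriptions", "deleted items", "junk email"}
FINANCE_WORDS = {"invoice", "payment", "wire", "eft", "banking", "remittance"}

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit_rule(rule: dict) -> list:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        external = [a for a in rule.get(key, []) if is_external(a)]
        if external:
            findings.append(f"{key} sends mail outside the organization: {', '.join(external)}")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves mail to low-visibility folder '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    hits = {w.lower() for w in rule.get("SubjectContainsWords", [])} & FINANCE_WORDS
    # Finance keywords alone are normal; combined with hiding, deleting or mark-as-read they are not.
    if hits and (findings or rule.get("MarkAsRead")):
        findings.append("targets finance keywords: " + ", ".join(sorted(hits)))
    if len(rule.get("Name", "").strip()) <= 1 and findings:
        findings.append("rule has an empty or one-character name")   # common in BEC persistence
    return findings

def audit_mailbox(rules: list) -> dict:
    """Map rule name -> findings for every enabled rule that tripped at least one check."""
    return {r.get("Name", ""): f for r in rules if r.get("Enabled", True) and (f := audit_rule(r))}

SAMPLE_RULES = [   # constructed sample export, not real data
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["Invoice", "payment"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "fwd", "Enabled": True, "ForwardTo": ["ap-backup@mail-example.net"], "DeleteMessage": True},
    {"Name": "Old", "Enabled": False, "RedirectTo": ["x@mail-example.net"]},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(findings))
```

Disabled rules are skipped by audit_mailbox but still auditable one at a time, which is useful when you want to know what a rule would do if an attacker re-enables it.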

If you want help operationalizing this without adding workload to your team, this is exactly what our e-mail filtering and managed security operations are designed to handle, quietly, continuously, and with reporting that actually means something.

The 14-day DMARC sprint

Most businesses delay DMARC because they assume it’s a months-long DNS science project. It doesn’t have to be. Here’s a realistic two-week sprint:

  1. Days 1–2: inventory every system that sends email as your domain (Microsoft 365/Google, CRM, invoicing tools, marketing platforms, ticketing systems).
  2. Days 3–4: clean up SPF (remove dead services, reduce DNS lookups) and enable DKIM where supported.
  3. Days 5–7: publish DMARC at p=none with reporting enabled; watch what’s actually sending as you.
  4. Days 8–10: fix alignment issues and unauthorized senders; validate your legit systems.
  5. Days 11–14: move to p=quarantine, then plan the jump to p=reject once reporting is stable.

If you need a plain-English explainer, Cloudflare’s overview of SPF/DKIM/DMARC is a good reference for non-specialists.

What to do if you suspect BEC (the “first hour” checklist)

BEC response is time-sensitive. If money has moved, speed matters more than perfection.

  • Call your bank immediately and request a recall/hold on the transfer.
  • Preserve evidence: don’t delete the emails; export headers if possible; screenshot the conversation.
  • Lock down the mailbox: reset passwords, revoke sessions, remove forwarding/rules, check for suspicious sign-ins.
  • Report it: use the RCMP/CAFC reporting pathway via Report Cybercrime and Fraud (and contact local police/RCMP as appropriate).

The RCMP also provides BEC-specific response steps and context on common schemes; keep their page bookmarked: Business Email Compromise (RCMP).

Do this next

  • Today: publish an “email is not a payment channel” policy and roll out the call-back rule.
  • This week: audit mailbox rules + external forwarding and identify who can approve payments.
  • This month: complete the DMARC sprint and tighten identity controls for finance and executives.

If you want 010grp to pressure-test your current setup (email, identity, and the AP workflow) and give you a practical remediation plan, reach out here: contact 010grp.
