Protecting Executive Email Accounts from Business Email Compromise

Business Email Compromise — BEC — is one of the most financially damaging cyber threats facing organizations today. The FBI's Internet Crime Complaint Center consistently places it at or near the top of reported losses, with global losses measured in the billions annually. And unlike many cyber attacks, BEC doesn't rely on sophisticated technical exploits. It relies on authority, urgency, and the trust that people extend to executives.
Understanding why executive accounts are targeted — and how attackers exploit them — is the foundation for defending against it.
Why Executives Are the Target
Attackers don't target the CFO's email because it's easier to compromise than an intern's. They target it because of what that account can authorize. A message that appears to come from the CEO asking finance to wire funds to a new vendor, or from the CFO approving an unusual payment, carries a weight that a message from almost anyone else in the organization doesn't.
The social engineering is built around two things: authority and time pressure. "We're closing a deal today and I need this processed before 5pm. Don't discuss this with anyone else — it's confidential." That framing bypasses the normal verification steps that would catch the fraud.
Executives are also more exposed than typical employees. Their names, titles, and email addresses are on the company website. They speak at conferences, post on LinkedIn, and participate in public-facing roles that give attackers everything they need to construct a convincing identity.
How BEC Attacks Actually Work
BEC isn't a single attack type. It comes in several forms, and understanding them separately helps in building defenses against each.
Account Takeover
The most dangerous form: the attacker actually compromises the executive's real email account. They may use phishing, credential stuffing (testing leaked passwords), or by exploiting a reused password from another breached service. Once inside, they can send mail from the real account, read existing correspondence to understand ongoing deals and relationships, and set up forwarding rules to maintain access even after a password change.
Messages from a genuinely compromised account are nearly impossible to distinguish from legitimate traffic — they pass SPF, DKIM, and DMARC checks because they're coming from the real account.
Domain Spoofing
The attacker sends email that appears to come from an executive's address but doesn't. Without proper DMARC enforcement, receiving mail servers may accept email claiming to be from ceo@yourcompany.com even when it's sent from an entirely different server. DMARC at an enforcement policy (p=reject or p=quarantine) blocks this attack vector — but only if you've deployed it correctly.
Lookalike Domains
The attacker registers a domain that looks like yours at a glance — yourcompany-corp.com, yourcornpany.com (with a substituted character), or a homograph attack using visually similar Unicode characters. They then send email from ceo@yourcompany-corp.com. DMARC doesn't help here because the domain is technically different from yours. Recipient vigilance and lookalike domain monitoring are the primary defenses.
Display Name Spoofing
The simplest version: the attacker creates a free email account with the executive's name as the display name and sends from John Smith <jsmith.ceo@gmail.com>. Many mobile email clients show only the display name by default, hiding the actual address. Recipients who don't check the From header see "John Smith" and assume the email is legitimate.
Securing Executive Accounts: The Controls That Matter
Multi-Factor Authentication — Everywhere, No Exceptions
The single highest-impact control for preventing account takeover is strong MFA on every executive account. Phishing-resistant MFA — hardware security keys (FIDO2/WebAuthn) or passkeys — is substantially stronger than SMS-based codes, which can be intercepted through SIM-swapping. If your executives are still using SMS for MFA, upgrade them to authenticator apps or hardware keys as a priority.
Executives are often the hardest people to enforce security controls on, because they're busy and they push back on friction. The conversation worth having is: one extra tap to log in versus an incident that costs your organization six figures. Frame it in terms of their personal risk — their email accounts are the ones attackers specifically want.
Separate Accounts for Public-Facing vs Internal Use
Many executives use the same email address for external communications (speaking invitations, media, public inquiries) as they do for internal operations and financial approvals. Separating these creates a smaller attack surface: the public-facing address gets the public exposure; the internal account used for sensitive communications is never published anywhere.
DMARC at Enforcement
If you haven't deployed DMARC at p=reject, domain spoofing attacks against your executives are still possible. Deploying DMARC eliminates this attack vector for your own domain. It won't stop lookalike domain attacks, but it closes a real and frequently exploited avenue.
MailDog's DNS security tools can help you review your current DMARC configuration and identify gaps. The DMARC reports guide on the blog covers how to read the data and act on what it tells you.
Payment and Transfer Verification Procedures
The most important defense against BEC isn't technical — it's procedural. Any wire transfer, change to banking details, or unusual payment request should require a second verification channel. If the CFO emails asking for a wire, call the CFO directly at a known number before processing it. This one procedure eliminates the majority of successful BEC fraud.
This sounds obvious, but it consistently fails in practice because of the urgency and authority framing in BEC messages. Formalizing the policy — writing it down, training finance and operations staff on it, and making it explicitly non-negotiable — is what makes it stick.
Monitor for Forwarding Rules and Inbox Changes
A classic move after an account takeover is to set up a forwarding rule that copies all incoming email to an external address. This lets the attacker maintain visibility even after a password reset. Many organizations have no process for reviewing whether executives' accounts have unexpected forwarding rules configured.
Regular audits of inbox rules, delegate access, and connected applications on executive accounts can catch compromises that have already happened. This is especially important after phishing incidents.
Lookalike Domain Monitoring
Services that monitor for newly registered domains that are similar to yours provide early warning of impersonation infrastructure being set up. If someone registers yourcompany-finance.com today, knowing about it before they use it gives you time to warn your team and potentially pursue takedown options.
Training Executives — Not Just Their Staff
Security awareness training often focuses on lower-level employees, on the assumption that executives don't need it or won't engage with it. This is backwards. Executives are the target, and they need to understand what BEC looks like from the receiving end. Walk them through real examples, show them how lookalike domains and display name spoofing work, and specifically train them on the red flags in financial request emails.
The goal isn't to make executives paranoid — it's to give them a fast mental checklist: unexpected urgency, unusual payment destination, request to bypass normal process, or explicit instruction not to verify. Any of those is a reason to pick up the phone before doing anything else.
For broader coverage of email security controls, see our guides on MFA for business email and detecting compromised accounts. For questions about your email infrastructure's security configuration, reach out to the MailDog team.
BEC Doesn't Need a Technical Exploit
That's what makes it persistent. The technical mitigations — MFA, DMARC, monitoring — close specific attack paths. But BEC ultimately succeeds when someone with authorization to approve a transaction is convinced to approve the wrong one. The combination of strong technical controls and clear procedural policies is the only complete defense.


