Practical Steps to Reduce the Risk of Business Email Compromise in Your Organisation
Business email compromise cost Irish organisations an estimated €14 million in reported losses in 2024, according to An Garda Síochána's National Cyber Crime Bureau. The actual figure is higher — the majority of BEC incidents go unreported, either because the business recovers the funds through the bank's fraud process, because the loss is below the reporting threshold, or because the business is embarrassed to report it [^1].
BEC is not a single attack type. It is a category that includes invoice redirection, CEO fraud, supplier impersonation, payroll diversion, and account takeover attacks on email systems — all with the common thread of using compromised or impersonated email accounts to divert money or obtain sensitive information.
Reducing BEC risk requires a combination of technical controls, process controls, and staff awareness — none of which individually is sufficient, but which together address the primary attack vectors.
What Makes BEC Different From Other Email Attacks
BEC attacks are specifically designed to bypass technical email security controls. A spam filter cannot flag an email that genuinely comes from a supplier's compromised account. A DMARC policy cannot block an email from a lookalike domain that has its own SPF and DKIM records. An AI-based phishing detection system cannot flag an email that contains no links, no attachments, and no technical indicators of compromise — just a payment instruction from what appears to be a known contact.
The most effective BEC attacks are indistinguishable from legitimate email at the technical level. This is why process controls and staff awareness are as important as technical controls in the BEC context.
The Technical Controls
DMARC at enforcement level (p=reject). Prevents anyone from sending email that appears to come from your domain. Does not prevent impersonation of your suppliers' domains, but prevents your domain from being used to impersonate you to your clients and suppliers.
External email banners. A visual indicator on every email arriving from outside your organisation — "This email was sent from outside your organisation" — provides staff with a persistent reminder to apply additional scrutiny to external communications. This single control demonstrably reduces the click rate on phishing emails and increases the probability that staff notice lookalike sender addresses.
Conditional Access and MFA. Account takeover is one of the most sophisticated BEC vectors — an attacker who compromises a genuine email account can send convincing emails from the real address. MFA on all email accounts significantly reduces the probability of account compromise. Conditional Access with sign-in risk detection provides a second layer.
Domain monitoring. Services that monitor for newly registered lookalike domains — domains that could be used to impersonate your business — provide early warning of impersonation infrastructure being built. When a domain like pragmatic-security.ie is registered the day after pragmaticsecurity.ie, that is a signal.
Are all your email accounts protected by MFA, and does your domain have DMARC at enforcement level? These two controls address the two most common BEC entry points. If either is absent, that is your immediate priority. Book a free 20-minute strategy call — BEC risk reduction is one of the most frequently requested assessments in our SME advisory practice.
The Process Controls
Call-back verification for all payment and bank account change requests. Any request to make a payment to a new account or to change existing bank details must be verbally confirmed by calling the requester on a pre-existing, trusted number — never the number in the email. This single process control stops the majority of successful BEC payment fraud.
Dual authorisation for transfers above threshold. Requiring two independent approvers for significant payments means that a successful compromise of one individual's email account cannot alone authorise a fraudulent transfer.
Finance team briefing on BEC specifically. Finance staff should receive specific, regular briefings on current BEC techniques — not generic security awareness. They are the most targeted group within the business and need the most specific preparation.
The Awareness Controls
Named person for reporting suspicious financial emails. A specific, named individual to whom suspicious payment requests or bank change notifications should be forwarded before action is taken. Making the reporting channel explicit and low-friction significantly increases the probability that suspicious emails are escalated rather than acted upon.
Regular examples of current BEC techniques. Monthly briefings that include current, realistic examples of BEC emails targeting Irish businesses. Generic awareness training that does not keep pace with evolving techniques provides declining protection over time.
Why This Matters Right Now
The Garda National Cyber Crime Bureau has explicitly identified BEC as a national priority crime category affecting Irish businesses. The DPC has investigated incidents where BEC attacks resulted in the compromise of personal data held in email accounts [^1]. Cyber insurers are paying close attention to BEC claims and are increasingly applying sublimits to social engineering losses.
BEC is the most financially damaging cyberattack category for Irish SMEs, and it is also one of the most preventable. The combination of DMARC, MFA, external email banners, call-back verification, and specific staff awareness addresses the primary attack vectors at a cost that is entirely accessible for any Irish SME.
What Next
Verify DMARC status and move to p=reject. Check at mxtoolbox.com. If DMARC is absent or at p=none, this is the first technical fix.
Enable external email banners in Microsoft 365 or Google Workspace. A five-minute configuration change that provides persistent visual context for every external email.
Write and brief a one-page payment security procedure. Call-back verification requirement, dual authorisation threshold, named contact for suspicious payment emails. Brief finance staff. Post it on the finance team wall.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- Email Fraud and Invoice Redirection Scams: How They Work and How to Stop Them
- Someone Is Sending Emails From Your Domain. Here Is How DMARC Stops Them.
- Spotting and Stopping CEO Fraud and Urgent Payment Scams
[^1]: An Garda Síochána — National Cyber Crime Bureau
[^2]: NCSC Ireland — Business Email Compromise Guidance
[^3]: Data Protection Commission Ireland
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.