Business Email Compromise (BEC) Countermeasures Playbook

December 17, 20234 min read

Playbook Objectives

  • Assess the current state of vulnerability to Business Email Compromise (BEC) attacks within the organization.
  • Educate the IT security team and relevant employees on the identification and prevention of BEC threats.
  • Develop and practice response strategies to a BEC incident, including detection, containment, eradication, recovery, and post-event analysis.
  • Test the effectiveness of communication channels and incident response coordination among different departments.
  • Refine existing security policies and protocols relating to email security and funds transfer requests.
  • Evaluate the effectiveness of email filtering and monitoring solutions.
  • Strengthen inter-departmental understanding of financial procedures and IT security policies.

Difficulty level

  • Intermediate to Advanced


  • Company Name: InnoTech Corp
  • Story: InnoTech Corp, a leading software solutions company known for its innovative approach, has recently expanded its operations internationally. With this expansion and the introduction of remote work policies, email communication has become the backbone of company-wide coherence and managerial commands, making it the central nexus of potential vulnerabilities.
  • InnoTech Corp has been successful in cultivating a strong digital presence and securing client trust. However, reports of increasing Business Email Compromise (BEC) scams targeting similar companies in the tech industry have raised the board’s concern, prompting an immediate action for a proactive stance against such threats. As part of its cybersecurity resilience plan, InnoTech Corp has decided to conduct a Cyber Range exercise among the IT security team, the finance department, and the C-level executives.
  • The goal is to simulate a realistic BEC attack tailored to the company’s characteristics to better understand how well-equipped the employees are in recognizing and responding to such scams. The exercise will also serve to educate and prepare all parties involved with a playbook of countermeasures, ensuring that everyone is on the same page regarding the protocols for such incidents.
  • The simulated attack will involve sophisticated social engineering techniques in which the attackers impersonate the newly appointed CFO, Michael Goodman, attempting a fraudulent wire transfer from the company’s accounts to an offshore account under the guise of an urgent business deal with a long-standing, trusted client.


  • Incident Response, Social Engineering, Fraud Prevention

Exercise Attack Steps

  • Actors involved in the exercise receive a breakdown of their roles and responsibilities.
  • The simulated BEC attack commences with a crafted spear-phishing email sent to a member of the finance team, supposedly from the CFO, Michael Goodman.
  • The email requests an urgent transfer of funds to an external account to secure a time-sensitive business deal.
  • Attackers create a sense of urgency and confidentiality, instructing the finance team member not to involve others or delay the process.
  • Simultaneously, the email system’s monitoring solutions are tested for their ability to flag and filter the suspicious email.
  • The finance team member must decide how to respond to the email, according to the company’s procedures.
  • If the process advances, a phone call impersonating Michael Goodman is placed to the finance team member to “confirm” the request.
  • The IT security team monitors the entire interaction, noting any deviations from expected protocols.
  • Upon detection of the scam or following through the steps, the incident response team is activated. They proceed with containment strategies, including communication with financial institutions to prevent the fund transfer.
  • The exercise concludes with a review session, where actions are scrutinized, lessons are learned, and improvements to the playbook are proposed.