How prepared are you? Get a Free Assessment of Your Organization's Cybersecurity Tools

Business email compromise (BEC) and email account compromise (EAC) attacks are complex problems with no easy solution. They come in many forms, and no single approach can stop them.

See how your current cybersecurity tools score with our free BEC and EAC assessment. You'll get a customized analysis of your organization's BEC/EAC preparedness and a report you can download and share.

Protecting email. No compromises.

Is Your Organization Protected Against BEC/EAC Attacks?

  • Can you detect and block impostor emails?
  • Can you defend against suspicious cloud account activities?
  • Do you have actionable visibility into who your most attacked people are?
  • Can your BEC/EAC defenses stop all tactics or just some of them?

Take the assessment today.

Question 1

My current solution effectively detects and blocks impostor emails from entering my organization.

  • I have no solution for this
  • Strongly Disagree
  • Disagree
  • Neither Agree nor Disagree
  • Agree
  • Strongly Agree

(Every question in the assessment uses this same scale.)

Question 2

My current solution helps implement DMARC authentication to prevent fraudulent use of my domains to protect my employees, business partners, and customers.

Question 3

My current solution helps me understand what DMARC policies I should create and enforce for inbound messages.

Question 4

My current solution uncovers suspicious cloud account activities, such as failed logins, that are indicators of account compromise.

Question 5

My current solution effectively detects and blocks the advanced malware that attackers often use to compromise accounts.

Question 6

My current solution can defend against credential phishing at the time of click and post-delivery.

Question 7

My current solution provides actionable visibility into my human attack surface, such as who my most attacked people are and which users are being targeted with impostor and credential phishing threats.

Question 8

My current solution tells me who is sending email using my domains, including third-party senders and lookalike domains.

Question 9

My current solution provides visibility into cloud activities and tells me if there is any sign of account compromise.

Question 10

My current solution allows me to quickly contain and remediate BEC/EAC threats through automated threat detection and response.

Question 11

My current solution allows me to train end users to spot the identity deception and phishing tactics that can lead to BEC/EAC.

Question 12

My current security awareness training lets me customize training based on the type of threats employees are targeted with.

Question 13

My current solution provides password training and educates users on why reusing passwords can lead to account compromise.

Question 14

My current solution protects the main attack vectors for BEC and EAC, including corporate email, personal webmail, cloud apps, and social media.

Question 15

My current solution allows me to consolidate multiple security products and vendors by providing an integrated, comprehensive BEC/EAC solution.

Assessment Complete

You are Protected

Fill out the form for a detailed analysis of your results and a downloadable report.

You’ll get a breakdown of your score and recommendations for improving your BEC/EAC preparedness. We'll follow up to learn more about your cybersecurity needs and whether our multilayered, integrated approach to these attacks is right for your organization.

Business email compromise (BEC) threats, in which attackers pretend to be you, and email account compromise threats (EAC), in which attackers become you, use social engineering and identity deception to trick or threaten victims into complying with a request. They don’t need malicious links or attachments; often they masquerade as a legitimate business. Read your score breakdown below for more information.

Business email compromise
How well are you protected against BEC attacks?

It’s never too late, or too early, to start developing a strong defense strategy for BEC/EAC attacks.

Business email compromise (BEC) and email account compromise (EAC) have resulted in reported losses of more than $26 billion worldwide since 2016, and the financial losses associated with these scams continue to rise. These attacks target companies of all sizes and in all regions. If you have not addressed this matter yet, you need to prioritize it.

Addressing the common tactics used to commit business email compromise—such as domain spoofing, display name spoofing, and lookalike domains—is critical. Your email security solution must be able to accurately identify impostor emails that show up at your gateway and block them before they can reach your users.

Having a DMARC record and enforcing DMARC authentication on third-party domains are also key to preventing impostor threats and fraudulent use of your trusted domain. DMARC authentication adds another security layer to protect your internal users from impostor email and credential phishing. In addition, your email security solution should guide you on what DMARC policies to create and enforce without interrupting your core business communication.
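To make the three impostor tactics named above concrete, here is an added example (not Proofpoint's code and not from the original page) of a header-level check a gateway or SOC script can run: it flags domain spoofing when the From domain is ours but DMARC did not pass, lookalike domains by confusable-character folding and edit distance, and display-name spoofing when a known person's name arrives from an outside domain. The protected domain `example.com`, the VIP names, the trusted third-party list and the sample headers are all constructed assumptions.

```python
"""Added example (not Proofpoint's code): flag domain spoofing, lookalike
domains and display-name spoofing from the From and Authentication-Results
headers of inbound mail. Domain, VIP names and samples are constructed."""
import re
import unicodedata
from email.utils import parseaddr

OWN_DOMAIN = "example.com"                 # assumption: the protected domain
VIP_NAMES = {"jane doe", "john smith"}     # assumption: often-impersonated people
TRUSTED_THIRD_PARTY = {"example.co.uk"}    # assumption: legitimate senders that look close
MAX_EDITS = 2                              # edit distance still treated as a lookalike


def normalize_domain(domain):
    """Fold accents and common confusable substitutions so that examp1e.com,
    exarnple.com and éxample.com all compare equal to example.com."""
    d = unicodedata.normalize("NFKD", domain.lower().strip())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for lookalike, plain in (("rn", "m"), ("vv", "w"), ("0", "o"),
                             ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(lookalike, plain)
    return d


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for a domain that is not ours but is built to resemble ours."""
    if domain == OWN_DOMAIN:
        return False
    own = normalize_domain(OWN_DOMAIN)
    norm = normalize_domain(domain)
    return (norm == own                                   # confusable-character swap
            or edit_distance(norm, own) <= MAX_EDITS      # typo-squat
            or own.split(".")[0] in norm.split(".")[0].split("-"))  # example-payments.com


def assess(headers):
    """Return the impostor indicators found in one message's headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    match = re.search(r"\bdmarc=(\w+)", headers.get("Authentication-Results", ""))
    dmarc = match.group(1).lower() if match else "none"

    if domain == OWN_DOMAIN and dmarc != "pass":
        findings.append(f"domain spoofing: From claims {OWN_DOMAIN} but dmarc={dmarc}")
    if domain not in TRUSTED_THIRD_PARTY and is_lookalike(domain):
        findings.append(f"lookalike domain: {domain}")
    display = re.sub(r"\s+", " ", name).strip().lower()
    if display in VIP_NAMES and domain != OWN_DOMAIN:
        findings.append(f"display-name spoofing: '{name}' sent from {domain}")
    if "@" in name:  # an address planted in the display name to mislead the reader
        findings.append(f"display-name spoofing: address embedded in '{name}'")
    return findings


# Constructed sample headers: one legitimate message and three impostor attempts.
SAMPLES = {
    "legit": {"From": "Jane Doe <jane.doe@example.com>",
              "Authentication-Results": "mx.example.com; spf=pass; dkim=pass; dmarc=pass"},
    "spoofed": {"From": "Jane Doe <jane.doe@example.com>",
                "Authentication-Results": "mx.example.com; spf=fail; dkim=none; dmarc=fail"},
    "lookalike": {"From": "Accounts Payable <ap@examp1e.com>",
                  "Authentication-Results": "mx.example.com; dmarc=none"},
    "display_name": {"From": "John Smith <ceo.urgent@freemail.invalid>",
                     "Authentication-Results": "mx.example.com; dmarc=none"},
}


def run_samples():
    return {label: assess(hdrs) for label, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label:13s} -> {findings or ['no impostor indicators']}")
```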

You are on the right track to combating impostor threats.

A robust gateway can help you reduce cybersecurity “noise”: the incidents you must investigate, verify and remediate. A gateway built for modern BEC/EAC threats accurately blocks impostor emails and credential phishing with dynamic detection for all users, which is more effective than relying on manual or static rules that cover only a limited number of users. In addition, your email security solution must address the common tactics used to commit business email compromise, such as domain spoofing, display-name spoofing and lookalike domains.

Having a DMARC record and enforcing DMARC authentication on third-party domains are also key to preventing impostor threats and fraudulent use of your trusted domain. DMARC authentication adds another security layer to protect your internal users from impostor and phishing email. It also protects your organization’s brand so that it doesn’t get used by attackers to steal money from customers or business partners. In addition, your email security solution should guide you on what DMARC policies to create and enforce without interrupting your core business communication.

You’re off to a good start. A robust email gateway that can dynamically detect impostor emails and identify phishing scams helps stop these threats before they can hurt your users. It doesn’t rely on manual or static rules, which can’t keep up with the latest changes in attacker tactics.

Enforcing DMARC is also key to prevent fraudulent use of your domains. DMARC authentication protects not just your internal users from impostor email, but also protects customers and business partners from fraudulent email that misuses your domain.

But BEC/EAC is a complex problem. Attackers often shift tactics to get around individual security measures. Make sure you’re thinking holistically and address all of the attackers’ tactics.

Email account compromise
How well are you protected against EAC attacks?

There’s still room for improvement. You’re exposed to two kinds of email fraud: business email compromise (BEC), in which attackers pretend to be you, and email account compromise (EAC), in which attackers essentially become you. BEC and EAC intertwine with each other. You may still be exposed to email fraud even if you’re protected against tactics that rely on identity deception. Once attackers compromise an account, they can easily launch phishing and BEC attacks internally and against your supply chain.

Attackers can get into your environment in multiple ways. Therefore, you must protect all the main attack vectors for BEC and EAC—including cloud applications, users’ corporate email and their personal webmail. For your most attacked users, you should also deploy adaptive security and access controls. That may include additional security awareness training, isolating their web access so their credentials don’t get stolen in phishing attacks and restricting their access to unmanaged devices. That way, you can prevent account compromise before it happens.

Your security solution must also detect EAC and any suspicious cloud account activities, such as failed logins and brute-force attacks. It must also prioritize critical incidents and automate threat response with contextual and actionable alerts.

You have some ability to defend against EAC. But that’s just one form of email fraud. In business email compromise (BEC) attacks, attackers pretend to be you. In email account compromise (EAC), attackers essentially become you. Because BEC and EAC intertwine with each other, it is important to address both in a holistic manner.

Attackers can get into your environment in multiple ways. And once they compromise an account, they can easily launch phishing and BEC attacks internally and against your supply chain. Therefore, you need to protect all the main attack vectors for BEC and EAC, including cloud applications, users’ corporate email and their personal webmail. Your security solution must be able to detect EAC and any suspicious cloud account activities, such as failed logins and brute-force attacks. It must also prioritize critical incidents and automate threat response with contextual and actionable alerts.

For your most attacked users, you should implement adaptive security and access controls. That may include additional security awareness training, isolating their web access so their credentials don’t get stolen in phishing attacks, and restricting their access to unmanaged devices. That way, you can prevent account compromise before it happens.

You’re doing it right. Email fraud involves two main threats: business email compromise (BEC), in which attackers pretend to be you, and email account compromise (EAC), where attackers essentially become you. Because BEC and EAC intertwine with each other, it is important to address both in a holistic manner.

Attackers can get into your environment in multiple ways. And once they compromise an account, they can easily launch phishing and BEC attacks internally and against your supply chain. Therefore, you must protect all the main attack vectors for BEC and EAC, including cloud applications, users’ corporate email and their personal webmail. Your security solution must be able to detect EAC and any suspicious cloud account activities, such as failed logins and brute-force attacks. It must also prioritize critical incidents and automate threat response with contextual and actionable alerts.

For your most attacked users, you should implement adaptive security and access controls. That may include additional security awareness training, isolating their web access so their credentials don’t get phished, and restricting their access to unmanaged devices. That way, you can prevent account compromise before it happens.

Visibility
Do you have a full picture of your human attack surface?

You might be flying blind to your BEC/EAC risk. Because BEC/EAC attacks target people, visibility into your human attack surface is critical. Without visibility, it’s hard to provide answers to your board and management about:

  • What your organization’s BEC/EAC risk is
  • Which people are vulnerable
  • What you should do to mitigate the risk

Your email security solution must provide you with people-centric visibility that helps you identify your most attacked people, who’s being attacked with phishing and impostor emails, and whose cloud email account has been compromised. In addition to knowing who’s being attacked with BEC and phishing, you also need visibility into who’s sending emails using your domain. That includes trusted third-party senders. That way, you can better understand and communicate BEC/EAC risks to your management and the board, while prioritizing mitigation.

Not bad. You've got some visibility into your BEC/EAC risk. But if you don't have visibility into your human attack surface, you're still exposed. Because BEC/EAC attacks target people, visibility into your human attack surface is critical. Attackers are shifting their aim away from infrastructure to people directly. Without people-centric visibility, it’s hard to provide answers to your board and management about:

  • What your organization’s BEC/EAC risk is
  • Which people are vulnerable
  • What you should do to mitigate the risk

Getting people-centric visibility helps you identify your most attacked people, who’s being attacked with phishing and impostor emails, and whose cloud email account has been compromised. In addition to knowing who’s being attacked with BEC and phishing, you also need visibility into who’s sending emails using your domain. That includes trusted third-party senders. That way, you can better understand and communicate BEC/EAC risks to your management and the board, while prioritizing mitigation.

Well done. You've got visibility into your BEC/EAC risk. You know that BEC/EAC attacks target people and having visibility into your human attack surface is critical to successfully defending against these types of attacks. Attackers are shifting their aim from infrastructure to people directly. With people-centric visibility, you can provide answers to your board and management about:

  • What your organization’s BEC/EAC risk is
  • Which people are vulnerable
  • What you should do to mitigate the risk

People-centric visibility helps you identify your most attacked people, who’s being attacked with phishing and impostor emails, and whose cloud email account has been compromised. In addition to knowing who’s being attacked with BEC and phishing, you also need visibility into who’s sending emails using your domain. That includes trusted third-party senders. With visibility into all these areas, you can better understand and communicate BEC/EAC risks to your management and the board, while prioritizing mitigation.

Remediation
Can you identify and respond to BEC/EAC threats quickly and efficiently?

You’re probably spending too much time cleaning up BEC/EAC threats across your organization. And the longer it takes for you to remediate BEC/EAC threats, the longer your organization is exposed.

To quickly contain the spread of BEC/EAC threats, your solution needs to automate the threat detection and response process. For example, it should allow you to quarantine potential impostor emails, reset user passwords, reauthenticate users, and suspend compromised accounts in an automated fashion. You should also be able to delete, with one click or automatically, phishing emails whose URLs are poisoned post-delivery, even if they were forwarded to or received by other end users. Automating these functions helps you accelerate threat response while doing less manual work.

Good for you. You have some capabilities in threat remediation. Cleaning up BEC/EAC threats across your organization could be time-consuming. The longer it takes for you to remediate BEC/EAC threats, the longer your organization is exposed.

To quickly contain the spread of BEC/EAC threats, your email security solution must automate the threat detection and response process. For example, it should allow you to quarantine potential impostor emails, reset user passwords, reauthenticate users, and suspend compromised accounts in an automated fashion. You should also be able to delete, with one click or automatically, phishing emails whose URLs are poisoned post-delivery, even if they were forwarded to or received by other end users. Automating these functions helps you accelerate threat response while doing less manual work.

Nice job. You are automating threat detection and response, so it’s easy for you to clean up BEC/EAC threats across your organization. Your email security solution should also allow you to quarantine potential impostor emails, reset user passwords, reauthenticate users, and suspend compromised accounts, all in an automated fashion. You should also be able to delete, with one click or automatically, phishing emails whose URLs are poisoned post-delivery, even if they were forwarded to or received by other end users. Automating these functions helps you accelerate threat response while doing less manual work.

End User
Are your people equipped to recognize and report BEC/EAC attempts?

You’re missing a key component in your BEC/EAC defense strategy—end user training.

BEC and EAC have a lot in common. They both target people; they both rely on social engineering; and they both aim to solicit fraudulent payment. These threats rely on people to activate them. Therefore, mitigating BEC and EAC risks requires both technology and training. You need to educate your users to identify phishing and identity deception tactics, such as display-name spoofing and lookalike domains. You should also provide end-users with password training, so they know how to create a strong password and why they shouldn’t reuse or share passwords. Security awareness training plays a critical role in mitigating risks of email fraud because it helps your users to become part of your line of defense.

You should also customize security awareness training so that it maps back to your organization’s internal process. Make sure you have an abuse mailbox set up and instruct your users to send suspicious emails to it. You should also provide feedback to your users and let them know the analysis results of any email they report.

You have taken end-user training into account, which is a key component in mitigating BEC/EAC risks.

BEC and EAC have a lot in common. They both target people; they both rely on social engineering; and they both aim to solicit fraudulent payment. These threats rely on people to activate them. Therefore, mitigating BEC and EAC risks requires both technology and training. You need to educate your users to identify phishing and identity deception tactics, such as display-name spoofing and lookalike domains. You should also provide end-users with password training, so they know how to create a strong password and why they shouldn’t reuse or share passwords. Security awareness training plays a critical role in mitigating risks of email fraud because it helps your users to become part of your line of defense.

Your solution should allow you to customize security awareness training so that it maps back to your organization’s internal process. Make sure you have an abuse mailbox set up and instruct your users to send suspicious emails to it. Your solution should automatically analyze those emails and provide feedback to your users, letting them know the analysis results of the email they report.

You’re doing it right—you have taken end-user training into account. That is a key component in mitigating BEC/EAC risks.

BEC and EAC have a lot in common. They both target people; they both rely on social engineering; and they both aim to solicit fraudulent payment. These threats rely on people to activate them. Therefore, mitigating BEC and EAC risks requires both technology and training. You need to educate your users to identify phishing and identity deception tactics, such as display-name spoofing and lookalike domains. Security awareness training plays a critical role in mitigating risks of email fraud because it helps your users to become part of your line of defense.

Your solution should allow you to customize security awareness training so that it maps back to your organization’s internal process. Make sure you have an abuse mailbox set up and instruct your users to send suspicious emails to it. Your solution should also automatically analyze those emails and provide feedback to your users, letting them know the analysis results of the email they report.

Integration
Are your BEC/EAC capabilities part of an integrated cyber defense?

Growing overwhelmed by too many security products and vendors—and not having enough people to manage them—are two common challenges for any security team. An integrated, end-to-end solution that addresses all attackers’ tactics helps to not only better defend against BEC and EAC, but also allows you to consolidate multiple security products and vendors. That saves you time and cost in managing point products that don’t talk to each other. In addition, you need visibility across all your security control points. A solution with tight integration should help you automate threat detection, investigation, and response, and connect the dots across different control points, including email, cloud apps, and users.

You have some integration. But growing overwhelmed by too many security products and vendors, and lacking the security professionals to manage them, are two common challenges for any security team. An integrated, end-to-end solution that addresses all attackers’ tactics helps to not only better defend against BEC and EAC, but also allows you to consolidate multiple security products and vendors. That saves you time and cost in managing point products that don’t talk to each other. In addition, you need visibility across all your security control points. A solution with tight integration should help you automate threat detection, investigation, and response, and connect the dots across different control points, including email, cloud apps, and users.

Excellent. You have an integrated solution that allows you to consolidate multiple security products and vendors. Growing overwhelmed by too many security products and vendors—and lack of security professionals to manage them—are two common challenges for any security team. While your integrated solution saves you time and cost in managing point products that don’t talk to each other, it should also address all attackers’ tactics used to conduct BEC and EAC.

You should already be getting visibility across all your security control points and automating threat detection, investigation, and response. An integrated BEC/EAC solution can help you connect the dots across different control points, including email, cloud apps and users.

Defend against BEC/EAC attacks quickly and effectively with Proofpoint

Because BEC and EAC intertwine with each other, you need to address them both with a comprehensive solution that addresses all tactics, automates detection and remediation, and provides visibility into your BEC/EAC risk. Proofpoint is the only vendor that provides an integrated, holistic solution to effectively stop BEC and EAC attacks. Our solution includes:

  • Visibility into which users are being attacked
  • Visibility into who's sending emails using your domain
  • Training that allows users to be more resilient to impersonation
  • Automated detection and remediation of attacks
  • An impostor classifier that prevents delivery of BEC attempts
  • Automatic remediation of compromised accounts through re-authentication and password resets

Download a detailed analysis of your results below.

You'll get a breakdown of your score and recommendations for improving your BEC/EAC preparedness. We'll follow up to learn more about your cybersecurity needs and whether our multilayered, integrated approach to these attacks is right for your organization.

Interested in learning more about BEC and EAC?
Click below or download the Gartner BEC report.

Simplify the Business Email & Email Account Compromise problem with Proofpoint

Speak with one of our cybersecurity specialists to start your free Proofpoint trial today.