Protect · NIST CSF 2.0

Email Security & BEC Defense

We lock down your email so criminals can't impersonate your business, and your team knows when one is trying.

In Plain English

Email Security & BEC Defense protects you from the most common and costliest email fraud: an attacker pretending to be you, a vendor, or an executive to trick someone into wiring money or handing over information. We make it far harder for criminals to spoof your domain, harder to break into your accounts, and we give your people a simple habit for catching the fraud that slips through. Business Email Compromise rarely involves a virus. It's a con built on trust, and the FBI ranks it among the costliest cybercrimes there is.

How It Actually Works

The Technical Reality

Three records do the heavy lifting, and they work together. SPF (Sender Policy Framework) publishes a list of the mail servers allowed to send email for your domain, so a receiving server can check whether a message really came from one of them. DKIM (DomainKeys Identified Mail) adds a cryptographic signature that proves a message genuinely came from your domain and wasn't altered along the way. DMARC ties those two checks to the 'From' address your customers actually see, tells other mail providers what to do when a message fails (ignore it, send it to spam, or reject it outright), and sends you reports so you can see who is sending mail in your name.

Here is the part most people get wrong, and it matters: SPF, DKIM, and DMARC stop criminals from spoofing YOUR domain. They do not stop a look-alike domain (say, an address swapping a lowercase 'l' for a capital 'I') and they do not help at all if an attacker has genuinely logged into a real account using a stolen password. Anyone who tells you these three records 'solve phishing' is overselling them.

That's why the email records are only the first layer. We add multi-factor authentication so a stolen password alone won't open an account, and we set up alerting for the quiet trick attackers use after a break-in: secret inbox rules that auto-delete or forward messages so the real owner never sees the fraud unfolding. These are the gaps the three records leave wide open.

The last layer is a human one, and it's the cheapest insurance you'll ever buy: out-of-band verification. Any time someone asks to change bank details or rush a payment, your team confirms it through a separate, known channel — a phone call to a number you already had on file — before money moves. This guidance follows NIST's Trustworthy Email report (TN 1945) and the federal email-authentication mandate in CISA's BOD 18-01.

Anatomy of a Business Email Compromise

How the attack unfolds in red — and where it gets stopped in cyan.

  1. 01

    Phishing email

    A fake Microsoft login page harvests a password.

  2. 02

    Account takeover

    The attacker signs in with the real, stolen password.

  3. 03

    Hidden inbox rules

    Replies auto-delete, so the owner never sees them.

  4. 04

    Invoice swapped

    Bank details are quietly changed on a real invoice.

  5. 05

    Wire redirected

    The payment lands in the attacker's account.

In Your Business

What It Looks Like For You

For a small or midsize business on Microsoft 365, this looks like a handful of concrete changes. We publish and tune your SPF, DKIM, and DMARC records in your DNS and move DMARC from 'just watch' to actually rejecting forged mail once we've confirmed your legitimate email won't be caught in it. We turn on multi-factor authentication for every account, switch on alerts for suspicious inbox rules and impossible logins, and sit down with the people who actually handle invoices and payroll to set one firm rule: no bank-detail change or urgent wire goes through without a callback to a known number. You end up with a domain criminals can't easily impersonate and a team that knows exactly what to do when someone tries.

The Value

What You Get Out Of It

Your domain stops getting spoofed

Once DMARC is set to reject, criminals can no longer send email that appears to come from your exact address, protecting your customers, vendors, and your name.

A stolen password isn't enough

With multi-factor authentication on every account, an attacker who buys or guesses a password still can't get in, closing the door these email records can't.

Quiet break-ins get noticed

We alert on the hidden inbox rules attackers create to hide their fraud, so a compromised account gets caught in hours instead of after the money's gone.

Payment fraud gets a hard stop

A simple callback habit on every payment change means a convincing fake email never moves your money on its own.

Frameworks & Sources

The Standards Behind It

NIST TN 1945 (Trustworthy Email)NIST's guidance on configuring SPF, DKIM, and DMARC to authenticate your mail and block spoofing of your domain.
CISA BOD 18-01The federal directive that mandated SPF and DMARC (moving to a reject policy) across U.S. government domains. It is the email-authentication template we follow for yours, and we add DKIM on top.
RFC 7208 / 6376 / 7489The internet standards that define SPF, DKIM, and DMARC: the actual specifications, not vendor marketing.
FBI IC3 BEC PSA (2024)The FBI's public alert documenting Business Email Compromise as one of the costliest cybercrimes, and how the fraud works.
Start With a Free 30-Minute Conversation

NO PRESSURE.
JUST A PLAN.

Cybersecurity gap, IT problem, or just not sure where to begin? We'll listen first, recommend second, and only propose what actually serves you.

connor@tremodi.com