
Business Email Compromise and DMARC: What Leaders Need to Know

BEC fraud cost businesses billions in 2025. DMARC closes the exact-domain-spoofing version. Here’s what leaders need to know about the connection.

01

Introduction

Business Email Compromise (BEC) is the highest-loss email fraud category; the FBI's IC3 reports BEC losses in the billions annually. DMARC at enforcement (p=reject, or p=quarantine) addresses one specific BEC technique: mail that puts your exact domain, or a subdomain of it, in the visible From header without passing aligned SPF or DKIM. That is exact-domain spoofing of executives or vendors. The other BEC variants need different controls.

02

Why this topic matters

BEC is on every board's risk register. Understanding which BEC variants DMARC addresses — and which it doesn't — is essential to building a complete defense.

03

The BEC variants and DMARC's coverage

Variant 1: Exact-domain spoofing BEC

The attacker puts the CEO's real domain in the From header. Without a published DMARC policy the receiving server has no basis to reject it; with one, the message fails SPF and DKIM alignment because the attacker cannot send or sign as that domain.

DMARC coverage: Stopped at p=reject (p=quarantine sends it to spam instead), at receivers that honour DMARC, provided pct=100 and no weaker sp= tag exempts subdomains.

Variant 2: Look-alike domain BEC

The attacker registers brandai.com instead of brand-ai.com, publishes SPF, DKIM and DMARC for it, and sends BEC mail. The look-alike domain is the attacker's own, so its SPF and DKIM align and DMARC passes.

DMARC coverage: Not addressed. A brand-monitoring (look-alike registration) service and gateway look-alike checks are required.

Variant 3: Display-name spoofing BEC

"Your CEO <[email protected]>": the display name says CEO but the address is the attacker's own Gmail account. The mail passes DMARC for gmail.com, the domain that actually sent it.

DMARC coverage: Not addressed. Gateway display-name (impersonation) analysis and user training are required.

Variant 4: Compromised-account BEC

The attacker has access to a real executive account (phishing, credential reuse, etc.) and sends from it. SPF, DKIM and DMARC all pass because the mail genuinely leaves the domain's own infrastructure.

DMARC coverage: Not addressed. MFA and account-security controls are required.
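The four verdicts above follow from one piece of receiver logic: find the DMARC policy for the visible From domain (falling back to the organizational domain for subdomains), test whether SPF or DKIM passed for an aligned domain, and apply p= only on failure. The script below is an added example, not code from the article or from any vendor: it implements that logic in a simplified form and runs it over the four variants plus a subdomain spoof. All domains, DNS records, messages and the tiny public-suffix table are constructed for illustration.

```python
"""Added example (not from the article): a minimal model of the DMARC
disposition logic a receiving server applies, run over the four BEC variants.
All domains, DNS records and messages here are constructed for illustration."""
import random
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Public Suffix List: only the suffixes this example needs.
PUBLIC_SUFFIXES = {"com", "example", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain (RFC 7489 section 3.2): public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; sp=none' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_policy(from_domain: str, dns: dict) -> Optional[dict]:
    """Policy discovery (RFC 7489 section 6.6.3): the exact From domain's record wins;
    otherwise the organizational domain's record applies, using sp= if present."""
    from_domain = from_domain.lower()
    if from_domain in dns:
        tags = parse_dmarc(dns[from_domain])
        policy = tags.get("p", "none")
    else:
        org = org_domain(from_domain)
        if org not in dns:
            return None
        tags = parse_dmarc(dns[org])
        policy = tags.get("sp", tags.get("p", "none"))
    return {"p": policy, "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r"), "pct": int(tags.get("pct", "100"))}


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_addr: str      # RFC5322.From address the user sees
    spf_result: str     # SPF result on the envelope sender ("pass"/"fail"/"none")
    spf_domain: str     # RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str    # DKIM verification result
    dkim_domain: str    # d= of the verified signature, "" if unsigned


def evaluate(msg: Message, dns: dict, sample=random.random) -> str:
    """Return the disposition a DMARC-honouring receiver would apply."""
    from_domain = msg.from_addr.rsplit("@", 1)[1]
    policy = lookup_policy(from_domain, dns)
    if policy is None:
        return "none (no DMARC record: receiver has no policy basis to act)"
    spf_ok = msg.spf_result == "pass" and aligned(from_domain, msg.spf_domain, policy["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(from_domain, msg.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    requested = policy["p"]
    if requested == "none":
        return "none (p=none: monitor only)"
    # pct= applies the requested action to a sample; the rest get the next weaker action.
    if sample() * 100 >= policy["pct"]:
        return "quarantine" if requested == "reject" else "none (pct sampling)"
    return requested


# Constructed DNS: the target company, the attacker's look-alike, and a freemail provider.
DNS = {
    "brand-ai.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "brandai.com": "v=DMARC1; p=reject",
    "freemail.example": "v=DMARC1; p=reject",
}

VARIANTS = {
    # 1: exact-domain spoof; SPF passes only for the attacker's own envelope domain (unaligned)
    "exact_domain_spoof": Message("ceo@brand-ai.com", "pass", "attacker.example", "none", ""),
    # 1b: subdomain spoof with no record of its own; falls back to the org-domain policy
    "subdomain_spoof": Message("ceo@hr.brand-ai.com", "pass", "attacker.example", "none", ""),
    # 2: look-alike domain the attacker controls and authenticates correctly
    "lookalike_domain": Message("ceo@brandai.com", "pass", "brandai.com", "pass", "brandai.com"),
    # 3: display-name spoof from a freemail account; the address really is the attacker's
    "display_name_spoof": Message("ceo.brand@freemail.example", "pass", "freemail.example",
                                  "pass", "freemail.example"),
    # 4: compromised real account; everything authenticates as the victim domain
    "compromised_account": Message("ceo@brand-ai.com", "pass", "brand-ai.com", "pass", "brand-ai.com"),
}


def run_variants(dns: dict = DNS) -> dict:
    """Disposition per variant; sampling pinned so pct=100 behaviour is deterministic."""
    return {name: evaluate(msg, dns, sample=lambda: 0.0) for name, msg in VARIANTS.items()}


if __name__ == "__main__":
    for name, disposition in run_variants().items():
        print(f"{name:22} -> {disposition}")
    # The same spoof before the company published any record at all:
    print("no record              ->", evaluate(VARIANTS["exact_domain_spoof"], {}, sample=lambda: 0.0))
```

Only the exact-domain and subdomain spoofs come back as `reject`; the other three pass because the domain that was authenticated is the one in the From header, which is the whole reason they need other controls. Re-running the first message against an empty DNS table shows the pre-DMARC situation: no policy, so no basis to act. Swapping `sp=none` into the brand-ai.com record turns the subdomain spoof back into `none`, which is the subdomain caveat in practice.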

04

What this means for leaders

DMARC addresses Variant 1 — the highest-volume, lowest-cost-to-attacker BEC type. Variants 2-4 need adjacent controls.

A complete BEC defense:

  • DMARC at p=reject — closes Variant 1.
  • Brand-monitoring service — detects and takes down look-alikes (Variant 2).
  • Email gateway with display-name analysis — addresses Variant 3.
  • MFA + account security — addresses Variant 4.
  • User training across all variants.

05

Step-by-step approach

  1. Roll out DMARC to p=reject. Close Variant 1.
  2. Subscribe to brand-monitoring for look-alikes.
  3. Configure email gateway to flag display-name mismatches.
  4. Enforce MFA universally.
  5. Train users continuously.

06
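Steps 2 and 3 are the two checks a gateway (or a home-grown mail filter) actually runs on the From header: does the sending domain merely resemble one we own, and does the display name claim someone we protect while the address is external. The script below is an added example, not the article's or any product's code. The internal domain, the VIP directory, the title list and every sample header are constructed; the confusables table holds only a handful of entries, where a real deployment would load the full Unicode confusables list.

```python
"""Added example (not from the article): the gateway-side checks behind steps 2 and 3,
a look-alike-domain detector and a display-name impersonation detector, run over
constructed From: headers. The directory, domains and samples are all made up."""
import re
import unicodedata
from email.utils import parseaddr

INTERNAL_DOMAINS = {"brand-ai.com"}                                   # constructed
PROTECTED_PEOPLE = {"alex rivera": "alex.rivera@brand-ai.com"}        # constructed VIP directory
PROTECTED_TITLES = re.compile(r"\b(ceo|cfo|chief executive)\b")       # noisier than names; tune per org

# A few substitutions attackers use for Latin letters; multi-character entries go first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("а", "a"), ("е", "e"), ("о", "o"), ("р", "p"), ("с", "c")]  # Cyrillic on the left


def skeleton(domain: str) -> str:
    """Fold a domain to its visual skeleton: IDNA-decode, NFKC, lowercase, map confusables,
    drop hyphens and dots so brandai.com and brand-ai.com collapse to the same string."""
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    s = unicodedata.normalize("NFKC", domain).lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s.replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one substitution, insertion or deletion still counts as a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from(header: str) -> list:
    """Return (code, detail) findings for one From: header value."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain not in INTERNAL_DOMAINS
    findings = []

    # Step 2: look-alike of a domain we own (exact-domain spoofs are DMARC's job, not this one)
    if external and domain:
        for internal in INTERNAL_DOMAINS:
            if levenshtein(skeleton(domain), skeleton(internal)) <= 1:
                findings.append(("LOOKALIKE_DOMAIN", f"{domain} resembles {internal}"))

    # Step 3: display name claims a protected identity but the address is external
    norm = " ".join(unicodedata.normalize("NFKC", name).lower().split())
    if external:
        for person, real_addr in PROTECTED_PEOPLE.items():
            if person in norm:
                findings.append(("DISPLAY_NAME_IMPERSONATION", f"'{name}' vs {real_addr}, sent from {addr}"))
        if PROTECTED_TITLES.search(norm):
            findings.append(("DISPLAY_NAME_TITLE", f"executive title in '{name}', sent from {addr}"))
        # A display name carrying an internal address is a classic trick for narrow mail clients
        embedded = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", name)
        if embedded and embedded.group(1).lower() in INTERNAL_DOMAINS:
            findings.append(("EMBEDDED_ADDRESS", f"display name shows {embedded.group(0)}, real address {addr}"))
    return findings


# Constructed headers: the legitimate case, the BEC tricks, and a clean external sender.
SAMPLES = [
    '"Alex Rivera" <alex.rivera@brand-ai.com>',
    '"Alex Rivera" <alex.rivera.exec@freemail.example>',
    '"Alex Rivera <alex.rivera@brand-ai.com>" <x9@freemail.example>',
    '"Accounts Payable" <ap@brandai.com>',
    '"Accounts Payable" <ap@brаnd-ai.com>',          # Cyrillic а in "brand"
    '"Your CEO" <ceo.office@freemail.example>',
    '"Supplier Billing" <billing@supplier.example>',
]


def triage(headers=SAMPLES) -> dict:
    """Map each header to the codes it triggers; an empty list means no finding."""
    return {h: [code for code, _ in check_from(h)] for h in headers}


if __name__ == "__main__":
    for header, codes in triage().items():
        print(f"{header:60} {codes or 'clean'}")
```

The legitimate internal header and the clean supplier are left alone; the hyphen-dropped and Cyrillic look-alikes are caught by the skeleton comparison rather than by exact string match, and the three display-name tricks (borrowed name, borrowed name plus embedded internal address, bare title) are flagged only because the real address is external. Name and title matching is where the false positives live, so in production these findings should add a banner or route to review rather than reject outright.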

Best practices

  • Frame DMARC as one layer. Don't oversell.
  • Maintain wire-verification protocols. Phone confirmation for any wire-related email.
  • Track BEC attempts internally. Pattern recognition improves defense.
  • Pair with BIMI for visible verification. BIMI requires DMARC at enforcement (p=quarantine at pct=100, or p=reject) and only shows a logo in mail clients that support it; it does not block any variant on its own.
  • Review at board level. BEC is a board topic.

07

If you have neither DMARC at enforcement nor brand-monitoring, both are priority investments. Sequence by your specific risk profile.

08

FAQ

Is BEC mostly Variant 1?

Volume-wise yes; loss-wise the variants are roughly comparable. DMARC closes a meaningful portion.

Does DMARC help with vendor-targeting BEC?

If the spoofed vendor publishes DMARC at p=reject and your inbound gateway enforces DMARC, yes. Otherwise no.

What about CEO-targeting BEC?

Same answer. The CEO's domain at p=reject closes the exact-spoofing version, again only at receivers that enforce DMARC.

How big is BEC overall?

The FBI's IC3 reports BEC losses in the billions annually, and the figure keeps growing.

What single control has the highest BEC ROI?

Depends on starting state. DMARC + brand-monitoring + MFA is the top-3 combination.

09

Final thoughts

BEC is the highest-loss email fraud category, and DMARC closes one specific variant. The complete defense layers DMARC, brand-monitoring, gateway analysis, MFA, and training.

For leaders, the framing is portfolio: each control closes a specific gap. DMARC is necessary; the others are necessary too.
