Business Email Compromise is where the attacker registers a domain one character off from yours on Monday and reroutes a wire transfer on Thursday. The defense has four moving parts: lookalike detection, WHOIS-freshness escalation, blocklist automation, and a recovery framework for when one gets through.
The shape of the attack
BEC is shockingly mundane. A typical attempted wire fraud looks like:
- Monday 09:00 — attacker registers acme-corp.co (your domain is acmecorp.com; they insert a hyphen and swap the TLD).
- Monday 14:00 — attacker stands up a mail server and sends a test message from mike@acme-corp.co to themselves to confirm delivery.
- Tuesday — attacker spends the day researching your team via LinkedIn. Identifies the CFO and an AP clerk who just changed jobs (LinkedIn shows new-role announcements; new hires don't yet know the company's internal voice).
- Wednesday 16:30 — CFO “Mike” (real domain: acmecorp.com; attacker domain: acme-corp.co) emails the AP clerk: “Hey, I'm wrapping up the ABC vendor onboarding before EOD — can you wire $48,250 to the new account I'm sending? Need it before Friday close. Thanks.”
- Thursday 09:00 — AP clerk wires.
- Friday 11:00 — real CFO sees the wire confirmation, asks “what's this?”, and the company has 24–72 hours to recover funds before they're moved to an account beyond reach.
The whole attack relies on one thing: your AP clerk didn't notice the domain was off by one character. Email clients show the display name (“Mike Smith”) prominently and the actual address almost never. The fraud is, technically, trivial.
Layer 1 — lookalike permutation scanning
The fundamental defensive insight: you can predict which lookalike domains are most likely to target you by generating the permutations attackers would generate, then checking which of those are registered. If acme-corp.co is registered to a privacy-protected registrant in a country you don't do business with, that's a flag.
Categories of permutation attackers use, ranked by frequency:
- Character omission — acmecorp.com → acmcorp.com. (Drops one letter.)
- Character insertion — acmecorp.com → acmecorp1.com.
- Character substitution — l → 1, o → 0, rn → m (visual similarity).
- Hyphen insertion — acmecorp.com → acme-corp.com. This one is brutal because the hyphenated form often looks more legitimate than the unhyphenated one.
- TLD swap — .com → .co / .org / .us / .cm (the last is Cameroon, often used because .cm is one missed keystroke off .com).
- Bit-squat — flipping a single bit in one character of the name (acmecorp → acmecorq). This exploits hardware memory errors in clients rather than human error, so it rarely drives a BEC email itself, but the permutations are cheap to include in a scan.
- Homoglyph — Cyrillic or Greek characters that visually match Latin. аcmecorp.com (with a Cyrillic а) is indistinguishable from acmecorp.com in most fonts. Note that the registry and DNS see the punycode form (xn--…), which is what your WHOIS and MX lookups must query.
A reasonable scan covers all the above, generating roughly 80–200 permutations per protected domain. We run it daily on every Mailstinger tenant's domains.
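The generator below is an added example of the permutation step, not Mailstinger's scanner and not from any project referenced on this page. It implements all seven categories listed above for a single domain; the substitution, homoglyph and TLD tables are constructed for illustration and a production scanner would use much larger ones. Homoglyph candidates are emitted in punycode, since that is the form a WHOIS or DNS lookup needs.

```python
"""Generate the lookalike permutations an attacker would try for a domain.

Added example, not Mailstinger's scanner. SUBSTITUTIONS, HOMOGLYPHS and TLDS
are constructed, deliberately small tables; extend them for real use.
"""

HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")
TLDS = ["co", "org", "us", "cm", "net", "com"]
SUBSTITUTIONS = {"l": "1", "o": "0", "i": "1", "rn": "m", "m": "rn", "vv": "w", "w": "vv"}
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e", "p": "\u0440"}  # Cyrillic


def _split(domain):
    label, _, tld = domain.lower().partition(".")
    return label, tld


def omission(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def insertion(label):
    # Trailing digit (the page's example) plus a doubled letter (acmeccorp), the two common forms.
    digits = {label + d for d in "123456789"}
    doubled = {label[:i + 1] + label[i] + label[i + 1:] for i in range(len(label))}
    return digits | doubled


def substitution(label):
    out = set()
    for src, dst in SUBSTITUTIONS.items():
        start = label.find(src)
        while start != -1:                      # replace each occurrence separately
            out.add(label[:start] + dst + label[start + len(src):])
            start = label.find(src, start + 1)
    return out


def hyphenation(label):
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def bitsquat(label):
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # Only keep flips that still form a registrable hostname.
            if flipped in HOSTNAME_CHARS and flipped != ch:
                cand = label[:i] + flipped + label[i + 1:]
                if not cand.startswith("-") and not cand.endswith("-"):
                    out.add(cand)
    return out


def homoglyph(label):
    out = set()
    for latin, cyr in HOMOGLYPHS.items():
        for i, ch in enumerate(label):
            if ch == latin:
                cand = label[:i] + cyr + label[i + 1:]
                out.add(cand.encode("idna").decode("ascii"))   # xn--... form
    return out


def generate(domain):
    """Return {category: set of candidate domains} for one protected domain."""
    label, tld = _split(domain)
    per_label = {
        "omission": omission(label), "insertion": insertion(label),
        "substitution": substitution(label), "hyphenation": hyphenation(label),
        "bitsquat": bitsquat(label), "homoglyph": homoglyph(label),
    }
    result = {k: {f"{c}.{tld}" for c in v if c != label} for k, v in per_label.items()}
    result["tld"] = {f"{label}.{t}" for t in TLDS if t != tld}
    return result


def all_candidates(domain):
    """Flat, de-duplicated list to feed into WHOIS / MX lookups."""
    return sorted(set().union(*generate(domain).values()) - {domain.lower()})


if __name__ == "__main__":
    cats = generate("acmecorp.com")
    for name, cands in cats.items():
        print(f"{name:13s} {len(cands):4d}  e.g. {sorted(cands)[:3]}")
    print(len(all_candidates("acmecorp.com")), "candidates total")
```

With these tables acmecorp.com yields roughly 80 candidates, at the low end of the 80–200 range quoted above; most of the volume comes from bit-squats, which is why some scanners make that category optional.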
Layer 2 — WHOIS-freshness escalation
Not every registered lookalike is malicious. Plenty of them are defensively registered by your own legal team, by competitors who got there first, or by squatters waiting to extort you years later. The signal that separates “low priority” from “high priority” is WHOIS age.
A permutation registered this week should be treated as malicious until proven otherwise. Domains aren't registered spontaneously; somebody intends to use them. A 5-day-old lookalike of your domain has a use case, and that use case is rarely benign.
Domains registered within the last 7 days auto-escalate to high-risk in our scanner regardless of MX status. The classic BEC attack happens within the first 14 days of registration. A lookalike registered last quarter that nobody's used is a different category of risk.
The other escalation signal is MX presence. A registered lookalike with MX records pointing somewhere is ready to send mail. A registered lookalike with no MX is either parked, defensively held, or two days from being activated. Both deserve attention; the MX-positive one is the urgent one.
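The triage rule from the two paragraphs above, as an added example (not Mailstinger's scoring logic). Registration inside 7 days is high-risk regardless of MX; inside the 14-day BEC window MX presence decides between high and medium; older lookalikes are medium if they can send mail and low otherwise. The WHOIS records are constructed, TODAY is a fixed run date so the output is reproducible, and the treatment of a missing or redacted creation date as "fresh" is an assumption of this example, since an attacker can hide the date but not the fact that the domain resolves.

```python
"""Escalate registered lookalikes by WHOIS age and MX presence.

Added example, not Mailstinger's scoring. Records and TODAY are constructed;
has_mx would normally come from an MX query (e.g. dnspython), omitted here
so the example runs offline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

TODAY = date(2024, 6, 10)            # constructed run date
NEW_DAYS = 7                          # page rule: auto-escalate regardless of MX
BEC_WINDOW_DAYS = 14                  # page rule: classic BEC fires in the first 14 days
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class LookalikeRecord:
    domain: str
    created: Optional[date]           # None when WHOIS omits or redacts the date
    has_mx: bool
    privacy_protected: bool = False


def risk_level(rec: LookalikeRecord, today: date) -> Tuple[str, List[str]]:
    """Return (level, reasons) for one registered lookalike."""
    reasons = []
    age = None if rec.created is None else (today - rec.created).days
    if age is not None and age <= NEW_DAYS:
        return "high", [f"registered {age} days ago (under {NEW_DAYS} days)"]

    # Assumption of this example: an unknown creation date is treated as fresh.
    fresh = age is None or age <= BEC_WINDOW_DAYS
    if age is None:
        reasons.append("creation date missing or redacted in WHOIS (treated as fresh)")
    elif fresh:
        reasons.append(f"registered {age} days ago, inside the {BEC_WINDOW_DAYS}-day BEC window")
    else:
        reasons.append(f"registered {age} days ago")

    reasons.append("MX present: can send mail now" if rec.has_mx
                   else "no MX: parked, defensive, or not yet activated")
    if rec.privacy_protected:
        reasons.append("privacy-protected registrant")

    if fresh and rec.has_mx:
        return "high", reasons
    if fresh or rec.has_mx:
        return "medium", reasons
    return "low", reasons


def triage(records: List[LookalikeRecord], today: date):
    """Score every record and return them most-urgent first."""
    scored = [(rec.domain, *risk_level(rec, today)) for rec in records]
    return sorted(scored, key=lambda s: (LEVEL_ORDER[s[1]], s[0]))


def sample_records(today: date) -> List[LookalikeRecord]:
    """Constructed WHOIS/DNS results for acmecorp.com lookalikes."""
    d = lambda n: today - timedelta(days=n)
    return [
        LookalikeRecord("acme-corp.co", d(2), has_mx=True, privacy_protected=True),   # this week's attack
        LookalikeRecord("acmecorp1.com", d(10), has_mx=False),                        # in window, not armed yet
        LookalikeRecord("acmecorp.cm", d(400), has_mx=True),                          # old typosquat with mail
        LookalikeRecord("acme-corp.com", d(900), has_mx=False),                       # legal team's defensive reg
        LookalikeRecord("acmec0rp.com", None, has_mx=True),                           # date redacted, mail-ready
    ]


if __name__ == "__main__":
    for domain, level, reasons in triage(sample_records(TODAY), TODAY):
        print(f"{level.upper():6s} {domain:16s} {'; '.join(reasons)}")
```

Feed the output straight into the blocklist step: anything scored high goes to your mail provider's block list the same day, medium goes on a watch list that is re-checked for MX at the next scan.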
Layer 3 — blocklist automation
Detection is only useful if it leads to enforcement. The enforcement layer for BEC defense lives in your mail provider:
Microsoft 365 / Exchange Online
Use New-TenantAllowBlockListItems from the ExchangeOnlineManagement PowerShell module to add lookalike domains to the Tenant Allow/Block List as blocked senders with a 90-day expiration (block entries default to 30 days; 90 days is the longest dated expiration the cmdlet accepts, otherwise use -NoExpiration):
```powershell
# Requires the ExchangeOnlineManagement module and an account with Security Admin rights
Connect-ExchangeOnline
$domains = @(
    "acme-corp.co",
    "acmecorp1.com",
    "acmecorp.cm"
)
New-TenantAllowBlockListItems `
    -ListType Sender `
    -Block `
    -Entries $domains `
    -ExpirationDate (Get-Date).AddDays(90) `
    -Notes "BEC lookalikes for acmecorp.com"
```

The 90-day expiration matters: lookalikes get abandoned quickly. Letting expired entries fall off keeps the list clean. Re-add anything still flagged by the next scan.
Google Workspace
Admin console > Apps > Google Workspace > Gmail > Compliance > Spam > Address lists. Bulk-add the lookalike domains to a custom address list, then create a Spam rule referencing that list. Match condition: envelope From or Header From domain matches the list.
Mailstinger's Domain Guard page exports both formats in one click — the M365 PowerShell snippet (paste into a connected ExO session) and the GWS Address-list CSV (upload via the Admin console). No manual reformatting.
Other layers
- Anti-Phishing Working Group (APWG) — submit observed phishing attempts to reportphishing@apwg.org. Goes to community blocklists used by browser warnings.
- Google Safe Browsing + Microsoft SmartScreen — report URLs from confirmed phishing pages so browsers warn other users.
- Your DNS firewall / RPZ, if you have one — block resolution of known lookalikes at the network edge so users can't click through.
Layer 4 — takedown
Permanent removal of a lookalike domain takes one of three paths:
- Registrar abuse policy — email abuse@<registrar> with evidence (screenshots of phishing, a copy of the BEC email with full headers, your trademark documentation). Reputable registrars (GoDaddy, Namecheap, Tucows) act within 24–72h on credible reports. Less reputable registrars take weeks or never respond.
- UDRP / WIPO — the formal trademark dispute process. Costs $1,500–$4,000 in filing fees depending on panel size. Takes 45–60 days. Required when the registrar won't act, and you need trademark rights in the name to file. End state is the domain transferred to your control.
- Law enforcement — if funds were actually moved, file with IC3 (US) within 24 hours and ask for the “Financial Fraud Kill Chain” recovery process, which IC3 applies to international wires above a dollar threshold reported within 72 hours. The first 72 hours after a fraudulent wire are the only window in which recovery is realistic.
Mailstinger's recon takedown package generates the abuse letters and UDRP template auto-routed to the right contacts, with the WHOIS evidence attached. Click, send, escalate.
Recovery — the wire that already went out
You've been told a wire was sent to the wrong account. Working backwards by hour:
- Within 60 minutes — call your bank. Ask them to initiate a wire recall. Reference the wire ID. If your bank is in the US, ask explicitly for the “Financial Fraud Kill Chain” protocol.
- Within 4 hours — file an IC3 report (online, ic3.gov). Attach the wire details, the fraudulent email with full headers, the lookalike domain's WHOIS. IC3 routes the request to FBI which can request foreign-bank cooperation.
- Within 24 hours — document the chain-of-trust failure. How did the email pass DMARC? (Your DMARC policy was never evaluated: the From domain was acme-corp.co, not acmecorp.com, and the attacker can publish valid SPF and DKIM for the lookalike so it passes its own checks.) How did your AP clerk not notice the off-by-one? (Email client UI doesn't surface domain names by default.) These answers go in your insurance claim.
- Within 72 hours — if recovery failed, the realistic outcome shifts to insurance claim (cyber-fraud rider) and post-mortem. Real recovery rates on BEC wires beyond 72h are under 5%.
Prevention drills
A defense-in-depth that includes the human layer:
- Two-factor wire verification for any wire over a threshold ($10k is the typical line). Phone-call verification to a known number, not a number from the requesting email.
- Impersonation protection in your mail platform. Defender for Office 365 anti-phishing policies can flag messages whose display name or sending domain impersonates a protected user or your domain; add your executives and your domain to the protected lists and turn it on.
- External-sender banner for any mail from outside your domain. Visible warning at the top of every external email. Particularly useful when the external domain is a lookalike that humans miss but the system can see.
- Quarterly drills simulating BEC. Send your AP team a fake wire request from a lookalike domain you control. Track response rate. Coach the people who wired without verifying.
Things people get wrong
- “DMARC stops BEC.” Only when the attacker spoofs your actual domain. The classic BEC attack uses a different domain (the lookalike) and therefore bypasses DMARC. DMARC is necessary; not sufficient.
- “The bank will recover the wire.” Only inside 72 hours, and only if the recipient bank cooperates, and only if the funds haven't moved. Recovery is far from guaranteed.
- “Our cyber insurance covers it.” Most policies do, with caveats. Policies frequently exclude losses where the insured failed to follow their own wire-verification process. The drill matters.
- “We're too small to be a target.” The opposite is true. Small companies are over-represented in IC3 statistics because their controls are weaker. The attackers don't know what your treasury balance is; they fish at every pond.