Building Your BEC and TSF Toolkit

written by

Alec Simpson

March 29, 2021

Creating a playbook and devising a toolkit to address Business Email Compromise (BEC) and Tech Support Fraud (TSF) is vital in the increasingly digital-focused landscape of today’s world. So, let’s take a look at the industry standard methods to disrupt and deter these new and growing problems for brands.

The first step in building your BEC and TSF toolkit is to know your enemy. Brands should gain as much threat intelligence as possible to determine all facets of a BEC or TSF adversary’s operations.

What is Threat Intelligence?

Threat intelligence could mean a lot of different things depending on the size and nature of your business. However, threat intelligence typically refers to any data point that indicates an attack on or compromise of business infrastructure. More generally, threat intelligence refers to information on potential risks across your organization, of which there are many.

Advanced Persistent Threats

Advanced persistent threats (APTs) are one such risk. APTs are prolonged and targeted attacks typically aimed at large organizations with high-value information, such as intellectual property, military plans, and other data from governments and enterprise organizations. Even entire nation states will sponsor or support these APTs to steal sensitive data.

Fraud Kits and “crime-as-a-service”

However, large, organized attacks aren’t the only risks facing businesses. In fact, less sophisticated threat actors also require businesses to be vigilant as ‘crime-as-a-service’ and turnkey fraud kits are becoming increasingly available. These services allow criminals with little knowhow or technical expertise to conduct advanced attacks.

Intelligence Gathering

What kind of information do you need to find these potential risks and how do you collect it? Creating lists of IP addresses, domains, tools, and attributes used by threat actors can provide actionable intelligence. Therefore, businesses may have to build their threat intelligence capabilities by creating a secure platform for data collection. They may also need to develop automation, playbooks, and templates for risk mitigation. This information can provide insight into the scope of the problem. Moreover, it can also help to mount a defense against these malicious activities. For example, a business may be able to use the collected data to block risky domains and IPs from their systems or petition a court to take down fraudulent sites using brand names or trademarks.

Common threat intelligence data includes domain research, malware code analysis, IP addresses, and system logs. These are often the best places to look for actionable intelligence on various threats and techniques. 

Consumer Reporting

A business can also obtain initial threat intelligence by setting up a consumer reporting mechanism. This can provide a reliable intake system for scams and fraudulent schemes that are affecting your customers and business reputation.

A consumer reporting system can deliver valuable intel to your internal security team and result in a better understanding of the threats impacting your business. The intel can even be shared with law enforcement to identify those responsible, develop leads, and disrupt further schemes.

Read our earlier blog to learn more about the process for creating a standardized reporting mechanism, including a free demo of our sample consumer reporting tool.

Threat Hunting

While consumer reporting is helpful, threat intelligence efforts more commonly involve hunting for known indicators of compromise (IOCs) on existing systems and scanning for suspect activity across the business. Once a business finds suspicious activity or indicators, they should conduct incident response immediately. Preservation of this digital evidence is critical to maintain forensic integrity in the event of legal proceedings.

Incident Response

Incident Response is how an organization reacts to a breach. The process should be handled by cybersecurity experts. They can analyze the nature of the threat, provide intelligence, make recommendations, and implement remediation solutions. Their analysis can also provide important insights into how the attack was conducted, what was exploited or exposed, and the extent of the threat.


In particular, threat analysis provides a deeper understanding of the steps that were taken to compromise business email systems, the scope of the damage, and any identifying information for the culprit. This data may prove useful in support of criminal referrals and enforcement.

For example, cyber forensic analysts may discover that a customer service portal is open to the internet and leaking identifying customer information that could be used for TSF scams. Or they might reveal compromised employee devices that are providing a backdoor for hackers to steal critical business information.

With a strong understanding of the threat landscape, the next step is to build out the processes and tools needed to disrupt and deter future threats while repairing any damage. 


Here are some recommendations for building your BEC and TSF toolkit to fight back against these types of cyber risks.

  • Register and enforce your IP. Scammers will often use your brand’s positive reputation to lure in their victims by using your logo, trademarked names, or other brand imagery. This intellectual property can provide a powerful legal protection against unauthorized usage by scammers and fraudsters. Brand owners have an obligation to protect their critical business intellectual property from misrepresentation by enforcing these protections wherever possible.  
  • Deter future occurrences by holding the supporting infrastructure for BEC and TSF frauds accountable. This includes targeting payment processors, email hosts, and other digital business services that support these types of scams. 
  • Monitor internal systems for data leaks, hacks, and other malicious actors. Criminals are frequently probing your systems for information to further their compromise and fraud schemes. Furthermore, reputation monitoring on both the Clearnet and Dark Web will bolster digital security efforts and provide intelligence about your brand across more channels.
  • Audit 3rd party partners and suppliers for cybersecurity and data compliance best practices. Often criminals will exploit weak supply chain partners to infiltrate or exploit businesses.
  • Develop a protocol for handling these incidents and a plan to minimize potential risk and overall business impact. 

It’s important to take steps to remain vigilant and safeguard your brand. Building your BEC and TSF toolkit and developing a playbook that includes the plan and processes for gathering and analyzing threat intelligence, hunting for known indicators of compromise, and conducting incident response, as well as following the recommendations above, will position you to disrupt and deter these growing threats.

written by

Alec Simpson

March 29, 2021

Table of Contents
    Add a header to begin generating the table of contents

    written by

    Alec Simpson

    March 29, 2021

    Stay informed with industry-relevant emails curated by our team of experts.

    We send out emails once or twice a month relating to IP Services, industry news, and events we'll be attending so you can meet our experts in person.

    Alec Simpson

    Alec Simpson is a trained risk management professional with a keen interest in keeping markets safe and secure for consumers. After earning a degree in Economics, he gathered experience working in the banking & insurance industries before joining the brand protection team at IP Services. Local legends say he is a foosball wizard.