Business email compromise (BEC) is a targeted cyber attack where criminals impersonate trusted contacts to trick staff into sending money, data, or credentials.
Business email compromise (BEC) is a type of cyber attack where criminals use a real or spoofed email account to impersonate a trusted contact and trick employees into sending money, sensitive data, or login credentials. Unlike generic phishing, BEC is highly targeted. Attackers research the business, learn who controls payments or data, and then craft convincing emails to exploit that trust.
Phishing is usually broad and low-effort, often sent to thousands of people with the same fake link or attachment. BEC is different. It’s tailored to a single business, team, or individual. The emails often contain no obvious malware or links, making them harder for security filters to detect.
These attacks often exploit routine business processes, such as invoicing, payroll, or vendor payments. That makes them hard to spot and costly when successful. Businesses reported approximately 8.58 million cyber crimes across all types in the past 12 months, including many phishing and email-based attacks.
BEC thrives on normal business processes. Attackers infiltrate genuine transactions or relationships, making fraud detection more challenging.
By studying how your business communicates and pays suppliers, they create convincing requests that slip past technical controls and busy staff. Understanding each step of a BEC attack is the first defence against becoming part of the statistics.
Attackers start by collecting intelligence. Public websites, LinkedIn profiles, Companies House filings, and even social media posts give away job titles, supplier names, and payment routines. Some attackers also buy stolen inbox data from previous breaches. This research enables them to create realistic messages that accurately reflect how your business actually works.
Once the target is chosen, the attacker sets up a way to send convincing emails. This can involve spoofing a domain that appears almost identical to a trusted supplier or executive, or taking over a legitimate account using stolen credentials. Account takeover is particularly dangerous because the attacker can read past conversations and reply from the real mailbox.
With trust established, the attacker sends the fraudulent request. Common tactics include:
The emails usually avoid links or attachments to slip past security filters. Instead, they rely on tone, authority, and urgency to push staff into action.
If the request succeeds, the damage is immediate. Wire transfers are deposited into accounts controlled by the attackers, often transferred overseas within hours. Stolen data, such as payroll files or login credentials, may be sold on criminal markets or used in further attacks.
Once the money or information is gone, recovery is rare.
Business email compromise often appears to be routine work. Attackers replicate real processes and messages, allowing the fraud to blend in. Knowing the warning signs helps you stop it before money or data is lost.
Watch for small changes in email addresses. A display name may be correct, but the domain is off by a single character. Reply-To details may differ from the From address. Requests may come from personal accounts claiming to be urgent business. Attackers sometimes use multiple addresses at once to confuse staff.
Messages often create false urgency. They may ask you to bypass normal approvals or keep the request secret. The writing style may feel off, with unusual greetings or phrasing. Many arrive late in the day, at weekends, or around holidays when staff are distracted.
A common sign is a sudden change of bank details. Requests may mention new beneficiaries, currencies, or overseas accounts. Invoice numbers and amounts may appear close to normal but have been slightly altered. Payment instructions are often sent in PDF or image form to avoid detection.
BEC often uses live project details. An attacker may insert themselves mid-thread with references to real purchase orders or delivery dates. They may ask to switch to a new email chain or phone number. Domains can be misspelt or use extra subdomains to mimic trusted suppliers.
Employees may receive MFA prompts they did not initiate. Mailbox rules may appear that hide or forward emails. Unusual sign-ins, such as those from two countries within a short period, are another clue. Sent items may contain emails that the account holder never wrote.
Some BEC messages avoid attachments or links entirely and simply ask for a payment. Others use URL shorteners or misspelt links. Invoices may be images instead of text, making it harder to check or search for details.
Look for unusual calendar invites that include private payment steps. Requests may come with new phone numbers for executives or suppliers that do not match your records. Some attacks move the conversation to SMS or WhatsApp to apply pressure.
Admins should review email headers and authentication results. Failures with SPF, DKIM, or DMARC are red flags. Watch for new forwarding rules to external addresses or OAuth permissions granted to unknown apps. Disabled or missing mailbox logs can also signal compromise.
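The checks described above (display name versus sending domain, Reply-To differing from From, lookalike domains, and failed SPF/DKIM/DMARC results) can be scripted so that a help desk or mail admin can triage a suspicious message quickly. The following Python is an added example written for this article, not code from the original page or from any vendor; the sample message and the trusted-domain list are constructed for illustration, and the two-edit threshold for a lookalike is an assumption you should tune to your own domains.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message for this example (not taken from any real incident):
# familiar display name, From domain one character off a trusted supplier,
# Reply-To pointing elsewhere, and failed SPF/DKIM/DMARC results.
SAMPLE_RAW = """\
From: "Jane Smith" <jane.smith@examp1e-supplies.com>
Reply-To: jane.smith.payments@webmail.example.net
To: accounts@example-customer.com
Subject: Urgent: updated bank details for invoice 4471
Authentication-Results: mx.example-customer.com;
 spf=fail smtp.mailfrom=examp1e-supplies.com;
 dkim=none;
 dmarc=fail header.from=examp1e-supplies.com
Date: Fri, 14 Mar 2025 17:52:00 +0000

Hi, please use the new account details attached before end of day.
"""

# Hypothetical list of supplier and internal domains this business trusts.
TRUSTED_DOMAINS = {"example-supplies.com", "example-customer.com"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: set[str]) -> str | None:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        # A couple of character swaps (l -> 1) or the trusted name buried inside a
        # longer host name (extra subdomains on an attacker-controlled domain).
        if edit_distance(domain, t) <= 2 or t in domain:
            return t
    return None


def parse_auth_results(header: str) -> dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def analyse(raw: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs for the red flags the article lists."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"Reply-To goes to {reply_domain}, From is {from_domain}"))
    imitated = lookalike_of(from_domain, trusted)
    if imitated:
        findings.append(("lookalike_domain", f"{from_domain} resembles trusted {imitated}"))
    for method, result in parse_auth_results(str(msg.get("Authentication-Results", ""))).items():
        if result != "pass":
            findings.append(("auth_failure", f"{method}={result}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_RAW):
        print(f"{code:18} {detail}")
```

A message with no findings is not automatically safe (an account takeover from a real mailbox passes every one of these checks), so treat the output as a reason to pick up the phone rather than a verdict.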
Call the contact on a trusted number to confirm. Use dual approval for banking changes, ideally across multiple channels. Inspect the sender address and headers closely. Compare invoice details with the last verified payment. Ask IT to check the sign-in logs if there is any doubt.
Stop any payment or data transfer immediately. Inform finance, IT, and your insurer’s incident response line. Preserve all emails and logs. Reset affected passwords and enforce MFA. Contact your bank’s fraud team at once to attempt a recall if funds have been sent.
BEC thrives on speed and trust. Pausing to verify on a known channel is often what prevents the loss.
Business email compromise is one of the most costly threats facing UK businesses. Claims severity increased by 23% in 2024, with average losses of around £35,000 per incident. BEC accounted for 73% of reported cyber incidents last year. The scale of the problem means prevention is no longer optional.
MFA is the first line of defence against BEC. Yet many organisations still leave accounts unprotected. Apply MFA to all email accounts without exception. Basic SMS or app-based MFA helps, but attackers can bypass it using phishing kits, infostealer malware, or MFA fatigue attacks.
For stronger protection, upgrade to phishing-resistant MFA such as FIDO2 keys or passkeys. These use cryptography that makes credential theft far harder. The cost is modest compared to the losses prevented.
Set up SPF, DKIM, and DMARC to stop attackers from sending emails that appear to come from your domain. DMARC should not stop at “monitor only”. Progress from p=none to p=quarantine and finally to p=reject. This tells receiving servers to block messages that fail authentication.
Monitor reports to ensure legitimate senders are not affected. Many businesses fail at this step and remain open to spoofing attacks.
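To make the p=none to p=reject progression concrete, here is an added Python example (written for this article, not code from the page or any DNS provider) that parses a DMARC record and an SPF record and reports what still needs tightening. The TXT records are constructed for a hypothetical example.com; in practice you would feed in the records returned by a DNS lookup of `_dmarc.<your domain>` and `<your domain>`.

```python
import re

# Constructed DNS TXT records for a hypothetical domain (example.com), not real DNS data.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_DMARC = ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com")
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
HARDENED_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

# Mechanisms that cost a DNS lookup; SPF permits at most 10 of them.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple[str, list[str]]:
    """Return (policy, issues): policy is none/quarantine/reject, issues are the remaining gaps."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record must start with v=DMARC1"]
    policy = tags.get("p", "none").lower()   # a missing p tag is treated as monitor only
    issues = []
    if policy == "none":
        issues.append("p=none: monitor only, receivers still deliver mail that fails authentication")
    elif policy == "quarantine":
        issues.append("p=quarantine: intermediate step, move to p=reject once reports show legitimate mail passes")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua tag: without aggregate reports you cannot confirm legitimate senders pass")
    return policy, issues


def assess_spf(record: str) -> list[str]:
    """Flag an SPF record that lets anyone send, never ends in -all, or exceeds the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result, finish the record with -all")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all: any server on the internet may send as this domain")
        elif qualifier in "~?":
            issues.append(f"{qualifier}all: soft fail or neutral, move to -all once legitimate senders are listed")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in LOOKUP_MECHANISMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups: SPF allows at most 10, receivers return permerror")
    return issues


if __name__ == "__main__":
    for label, rec in [("weak DMARC", WEAK_DMARC), ("hardened DMARC", HARDENED_DMARC)]:
        print(label, assess_dmarc(rec))
    for label, rec in [("weak SPF", WEAK_SPF), ("hardened SPF", HARDENED_SPF)]:
        print(label, assess_spf(rec))
```

Run this against your own records after each policy step; an empty issue list for both records is the target state, and the rua address is what lets you see which legitimate senders would be blocked before you move to p=reject.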
BEC thrives on weak payment processes. Protect yourself with dual approval for all transfers and sensitive transactions. Build mandatory out-of-band verification for any changes to bank details or urgent financial requests. Do not rely on email alone to approve payments.
Set clear authority limits for transaction amounts. Use callback procedures with phone numbers taken from your own records, never those supplied in a suspicious email.
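The payment controls above, together with the earlier advice to compare invoice details with the last verified payment, can be encoded so that a payment system refuses to release funds until each control is satisfied. The following Python is an added example written for this article (not the page's own tooling or any finance product): the vendor record, approver limits, 20% amount-deviation threshold and the sample request are all constructed, and the exact thresholds are assumptions for your own policy to set.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed vendor master record and approver authority limits (hypothetical, not real data).
VENDOR_RECORDS = {
    "V-1001": {
        "name": "Example Supplies Ltd",
        "sort_code": "12-34-56",
        "account": "12345678",
        "phone_on_file": "+44 20 7946 0000",   # number from our own records
        "last_verified_amount": 4870.00,
    },
}
APPROVER_LIMITS = {"alice": 10_000.0, "bob": 2_500.0, "carol": 50_000.0}
AMOUNT_DEVIATION = 0.20   # assumed tolerance before an invoice amount is flagged


@dataclass
class PaymentRequest:
    vendor_id: str
    invoice_no: str
    amount: float
    sort_code: str
    account: str
    requested_by: str
    phone_in_email: str | None = None     # number the email asks us to call
    callback_number: str | None = None    # number staff actually called to verify
    approvals: set[str] = field(default_factory=set)


def risk_flags(req: PaymentRequest) -> list[str]:
    """Compare the request with the last verified payment held on file."""
    v = VENDOR_RECORDS[req.vendor_id]
    flags = []
    if (req.sort_code, req.account) != (v["sort_code"], v["account"]):
        flags.append("bank_details_changed")
    last = v["last_verified_amount"]
    if abs(req.amount - last) / last > AMOUNT_DEVIATION:
        flags.append("amount_deviates_from_last_verified")
    if req.phone_in_email and req.phone_in_email != v["phone_on_file"]:
        flags.append("new_phone_number_in_email")
    return flags


def authorise(req: PaymentRequest) -> tuple[bool, list[str]]:
    """Return (authorised, blockers); every blocker must be cleared before money moves."""
    v = VENDOR_RECORDS[req.vendor_id]
    flags = risk_flags(req)
    blockers = []
    # Out-of-band verification: a callback only counts if it went to the number on file.
    if "bank_details_changed" in flags and req.callback_number != v["phone_on_file"]:
        blockers.append("bank details changed: confirm by calling the number on file, not one from the email")
    # Dual approval within authority limits, and the requester can never approve their own request.
    valid = {a for a in req.approvals
             if a != req.requested_by and APPROVER_LIMITS.get(a, 0.0) >= req.amount}
    if len(valid) < 2:
        blockers.append("dual approval required from two approvers (not the requester) with authority for this amount")
    return (not blockers, blockers)


if __name__ == "__main__":
    # Constructed scenario: an email supplies "new bank details" for a familiar invoice.
    req = PaymentRequest("V-1001", "INV-4471", 4950.00, "98-76-54", "87654321",
                         requested_by="dave", phone_in_email="+44 7700 900123")
    req.approvals = {"alice", "bob"}
    req.callback_number = req.phone_in_email      # called the number in the email: does not count
    print(risk_flags(req), authorise(req))
    req.callback_number = VENDOR_RECORDS["V-1001"]["phone_on_file"]
    req.approvals = {"alice", "carol"}
    print(authorise(req))                          # (True, [])
```

The point of the model is that "we phoned them" is not enough on its own: the system records which number was dialled and only accepts the one taken from the vendor master, and an approver whose limit is below the amount simply does not count towards the two signatures.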
Staff in finance, HR, and executive support roles are prime targets for BEC. Run specific training so they can spot red flags: urgent requests, language that bypasses policy, or slight changes in sender details.
Simulated BEC phishing is one of the most effective methods for raising awareness. Scenarios should include fake invoices, payroll changes, and executive fraud. Studies show consistent training can double the rate at which staff report real threats.
Block automatic app registrations in Microsoft 365 to stop attackers from maintaining hidden access. Enable alerts for unusual mailbox activity, such as new forwarding rules, mass downloads, or suspicious logins.
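The account takeover signs listed earlier (sign-ins from two countries within a short period, mailbox rules that hide or forward mail) are exactly what the alerts above should be built on. Here is an added Python example, written for this article and not taken from the page or from Microsoft 365 tooling, that runs those two detections over constructed sign-in records and inbox rules and correlates them to name accounts worth isolating; the two-hour travel window and the field names are assumptions, and a real deployment would read the equivalent fields from your tenant's sign-in and audit logs.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed sample sign-in records (hypothetical, not real tenant data).
SIGN_INS = [
    {"user": "j.smith", "time": "2025-03-14T08:02:00", "country": "GB", "ip": "203.0.113.10"},
    {"user": "j.smith", "time": "2025-03-14T08:41:00", "country": "NG", "ip": "198.51.100.7"},
    {"user": "a.jones", "time": "2025-03-14T09:00:00", "country": "GB", "ip": "203.0.113.11"},
    {"user": "a.jones", "time": "2025-03-15T09:00:00", "country": "FR", "ip": "192.0.2.5"},
]

# Constructed inbox rules as an admin might export them (hypothetical data).
INBOX_RULES = [
    {"user": "j.smith", "name": "Invoices", "forward_to": "collect@mailbox.example.net",
     "delete": True, "subject_contains": ["invoice", "payment"]},
    {"user": "a.jones", "name": "Newsletters", "forward_to": None,
     "delete": False, "subject_contains": ["newsletter"]},
]

INTERNAL_DOMAINS = {"example-customer.com"}   # assumed: forwarding inside these is normal


def impossible_travel(sign_ins: list[dict], window: timedelta = timedelta(hours=2)) -> list[tuple]:
    """Return (user, country_a, country_b, minutes) for consecutive sign-ins that change country within the window."""
    by_user: dict[str, list[dict]] = {}
    for s in sign_ins:
        by_user.setdefault(s["user"], []).append(s)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])    # ISO timestamps sort correctly as strings
        for a, b in zip(events, events[1:]):
            t1, t2 = datetime.fromisoformat(a["time"]), datetime.fromisoformat(b["time"])
            if a["country"] != b["country"] and t2 - t1 <= window:
                alerts.append((user, a["country"], b["country"], int((t2 - t1).total_seconds() // 60)))
    return alerts


def suspicious_rules(rules: list[dict], internal_domains: set[str]) -> list[tuple[str, str, list[str]]]:
    """Return (user, rule_name, reasons) for rules that forward mail outside or hide it from the owner."""
    findings = []
    for r in rules:
        reasons = []
        fwd = r.get("forward_to")
        if fwd and fwd.rpartition("@")[2].lower() not in internal_domains:
            reasons.append(f"forwards matching mail to external address {fwd}")
        if r.get("delete"):
            reasons.append("deletes matching mail so the account holder never sees the conversation")
        if reasons:
            findings.append((r["user"], r["name"], reasons))
    return findings


def accounts_to_isolate(sign_ins: list[dict], rules: list[dict], internal_domains: set[str]) -> set[str]:
    """Users with both an anomalous sign-in and a suspicious rule: strongest signal of takeover."""
    travel_users = {t[0] for t in impossible_travel(sign_ins)}
    rule_users = {f[0] for f in suspicious_rules(rules, internal_domains)}
    return travel_users & rule_users


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGN_INS))
    print("suspicious rules :", suspicious_rules(INBOX_RULES, INTERNAL_DOMAINS))
    print("isolate          :", accounts_to_isolate(SIGN_INS, INBOX_RULES, INTERNAL_DOMAINS))
```

Either signal alone deserves a look; an account that shows both should have its sessions revoked and password reset before anyone reads further, because the rule is there precisely to keep the real owner from noticing the conversation the attacker is running.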
Add advanced filtering and user behaviour analytics to detect anomalies. Utilise automated response tools whenever possible to quickly isolate compromised accounts.
BEC prevention is never perfect, so response matters. Have a documented plan that explains how to contain a suspected attack, notify banks, and involve law enforcement. Include steps for password resets, token revocation, and evidence preservation.
Practice these scenarios so teams know their roles. Keep printed copies available in case email systems are down.
Set up continuous monitoring of email traffic to identify any unusual activity. Use SIEM tools to consolidate alerts from various systems. Run regular audits of your email security, including user access reviews, simulated BEC attempts, and checks on DMARC, SPF, and DKIM.
Canarytokens can catch attackers as they search your systems. Create fake files, such as “passwords.xlsx,” that trigger alerts when opened. Mark external emails clearly so staff can identify impersonation attempts more quickly.
Encrypt sensitive messages and label them appropriately. This reduces the value of any data stolen during a BEC attack.
Passwords remain a weak link. Require long, unique passphrases instead of short complex strings. Enforce regular updates and use password managers. Ban password sharing and stop staff from mixing business and personal email.
Keep business email separate from personal accounts. This helps prevent the spillover of cyber risks and maintains consistent controls.
Unpatched systems remain one of the most common avenues for attack. Apply security updates promptly, particularly to email servers and internet-facing applications. The 2021 Microsoft ProxyLogon exploit showed how fast criminals can exploit known flaws.
No single measure blocks all BEC. Strong MFA, financial controls, staff training, and continuous monitoring combine to reduce your exposure. Businesses that invest in these layers recover faster and are less likely to suffer major losses.
Speed matters when responding to a business email compromise. The faster you act, the higher the chance of recovering funds and limiting damage.
Call your bank’s fraud team as soon as you notice the fraudulent transfer. Provide full details, including account numbers, amounts, and the suspected fraud. Banks may be able to freeze the transfer if it has not cleared or request a recall through the receiving bank.
Block or pause all pending payments until you confirm they are legitimate. Review standing orders and supplier payments to ensure no further money is at risk. Work with your finance team to streamline approval workflows immediately.
If you hold cyber insurance, contact your insurer’s incident response line. Many policies provide immediate access to forensics, legal support, and PR specialists. Early notification also protects your right to claim, as delays can lead to disputes.
Report the incident to Action Fraud, the UK’s national reporting centre for cybercrime. You should also notify the National Cyber Security Centre (NCSC), which can provide guidance and track wider attack patterns. Law enforcement may not be able to recover the funds, but reporting is essential for investigation and intelligence sharing.
Carry out a full review of how the attack succeeded. Look for weak points such as missing MFA, poor financial checks, or untrained staff. Update your controls, retrain employees, and consider an independent security audit. Treat the incident as a lesson to reduce future risk.
BEC recovery depends on speed, evidence, and strong follow-up. Every hour counts.
Most cyber insurance policies include cover for business email compromise (BEC), but the scope varies widely. BEC is one of the most common drivers of claims, so insurers apply strict conditions before paying out.
Understanding what is covered, what is excluded, and where policies differ is essential before you rely on the protection.
A well-structured policy helps businesses recover from both the direct financial loss and the operational disruption caused by BEC. Common areas of cover include:
Insurers aim to reduce their exposure by requiring baseline controls. A claim may be limited or denied if these are missing. The main restrictions are:
Cyber insurance can cover the financial loss, investigation costs, and reputational damage that follow a BEC attack.
However, the cover only applies if you meet the security standards outlined in your policy. Multi-factor authentication, clear payment controls, and prompt reporting are critical. Always check whether your policy lists funds transfer fraud, social engineering, or BEC-specific wording, as these terms define the exact scope of protection.
BEC can be complex and often misunderstood. These common questions explain how it differs from other threats, who is most at risk, and how businesses can protect themselves. They also clarify how cyber insurance responds when invoice fraud is involved.
Phishing is broad and untargeted. Attackers send the same message to multiple people, hoping that someone will click. BEC is precise. Criminals research the business, impersonate trusted contacts, and target staff with tailored requests for money, data, or credentials.
Finance teams, HR departments, and executive assistants are prime targets. They handle payments, payroll, and sensitive data. SMEs are also at high risk, as they often lack advanced controls but still process significant transactions.
Use phishing-resistant MFA across all accounts. Enforce dual approval for financial transfers and verify any change of bank details by phone using a trusted number. Train staff to recognise unusual requests and monitor mailboxes for suspicious activity. Continuous monitoring and regular security audits further reduce the risk.
Yes, in many cases. Most cyber policies cover funds transfer fraud, including invoice fraud, where attackers alter or forge payment requests. However, cover often depends on having strong payment controls in place, such as MFA and independent verification. Always check whether your policy explicitly lists funds-transfer fraud or social engineering fraud.