Business email compromise is one of the fastest-growing fraud types hitting UK businesses right now. It doesn’t need malware or complicated hacking. It just needs a convincing email and a moment of distraction.
What Is Business Email Compromise?
Business email compromise, or BEC, is a type of fraud where attackers trick employees into transferring money, sharing sensitive data, or updating payment details, all by impersonating someone the victim trusts.
That could be your CEO. It could be a supplier. It could be a member of your finance team. The attacker doesn’t need to break into your systems. They just need to sound convincing enough to get what they want.
What makes BEC different from standard phishing is the level of preparation involved. Attackers research your business first. They study your website, LinkedIn, Companies House filings, and any publicly available information to understand how you operate and who the key people are. Then they craft a message that feels entirely believable.
According to the UK Government’s Cyber Security Breaches Survey 2025/2026, 43% of UK businesses experienced a cyber breach or attack in the last 12 months. Phishing – the category that covers BEC-style attacks – remained the most common threat by far, affecting 93% of businesses that reported a cyber crime.
The Most Common Types of BEC Attack
Not every BEC attack looks the same. Attackers use different approaches depending on the target and the outcome they’re after.
CEO Fraud
This is where an attacker impersonates a senior executive, typically the CEO or Managing Director, and sends a message to someone in finance. The request is usually urgent: a wire transfer, a supplier payment, or a task that needs handling right away. That sense of urgency is deliberate. It discourages the recipient from pausing to verify properly.
Invoice Fraud
The attacker poses as a supplier or vendor your business already works with. They send a convincing invoice with updated bank details. Your team processes the payment as normal, not realising the money is going straight to a fraudster’s account. By the time the real supplier chases up the missing payment, the money is already gone.
Account Takeover
Sometimes attackers don’t impersonate anyone. They get into a real email account, often through a phishing attack or weak password, then monitor conversations for weeks. They wait for the right moment to insert fraudulent payment instructions while appearing to be the legitimate account holder. This type of attack is particularly hard to detect because the emails come from a genuine address.
Vendor Email Compromise
This is similar to invoice fraud, but instead of spoofing a supplier’s address, the attacker actually compromises it. The email genuinely comes from the supplier’s account, which means it passes all the usual checks your team might do. It’s far harder to spot, and it also means your trusted supplier has likely been hacked without knowing it yet.
How Much Does BEC Cost UK Businesses?
The numbers tell a clear story. The UK Cyber Security Breaches Survey 2025/2026 found that there were an estimated 72,000 cyber-facilitated fraud events across UK businesses in the last 12 months alone. The average cost to affected businesses was £10,000, and that’s only counting businesses that reported actual financial losses.
Email and social media account hacking offences increased by 36% in the year ending March 2025. Since 2021, UK businesses have reported losing over £12 million through email account hacking alone. And that figure doesn’t include the many incidents that go unreported.
Smaller businesses are frequently in the crosshairs. They’re often targeted precisely because they tend to have fewer formal controls around financial approvals and payments. You don’t need to be a multinational to be worth targeting.
Warning Signs to Watch For
You and your team need to know what a BEC attempt looks like in practice. The signs are there if you know where to look.
Check the sender’s actual email address, not just the display name. BEC attackers often use addresses that look almost right but differ by a character or two, such as a “0” instead of an “O”, or a domain change like “company-uk.com” rather than “company.co.uk”. Email clients can make it easy to miss this if you’re moving quickly.
Watch out for unexpected urgency. Phrases like “I need this done before end of day” or “don’t contact anyone else about this” are pressure tactics designed to bypass normal checking procedures. A genuine director or supplier won’t object to a quick verification call.
Any request to update bank account details by email should raise an immediate red flag. This is a classic invoice fraud tactic. Always call back on a number you already have on file, not one included in the same email.
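The sender checks above, as an added example that is not part of the original article: a small Python routine that flags lookalike domains and display-name spoofing in a From: header against a constructed list of known contacts (the domains and names are made up for the example).

```python
from email.utils import parseaddr

# Constructed sample data (not real organisations): the sender domains your
# business already deals with, and named contacts with their expected domain.
KNOWN_DOMAINS = {"company.co.uk", "acme-supplies.com"}
KNOWN_CONTACTS = {"jane smith": "company.co.uk", "acme accounts": "acme-supplies.com"}

# Digits attackers swap for visually similar letters ("0" for "O", "1" for "l").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Undo common character swaps so 'c0mpany' and 'cornpany' both read 'company'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def brand(domain: str) -> str:
    """First label up to any hyphen: 'company-uk.com' and 'company.co.uk' -> 'company'."""
    return domain.split(".")[0].split("-")[0]


def classify_sender(from_header: str) -> list[str]:
    """Return the BEC warning signs found in a From: header (empty list = nothing flagged)."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower() if "@" in address else ""
    findings = []

    # 1. The real address, not the display name: does the domain merely resemble one we know?
    if domain and domain not in KNOWN_DOMAINS:
        norm = normalise(domain)
        for known in KNOWN_DOMAINS:
            if norm == normalise(known):
                findings.append(f"lookalike domain: {domain} mimics {known} by character swap")
                break
            if brand(norm) == brand(known):
                findings.append(f"lookalike domain: {domain} reuses the name of {known}")
                break

    # 2. A familiar display name on an address from the wrong domain.
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and domain != expected:
        findings.append(f"display name '{display_name}' belongs to {expected} but address is @{domain}")
    return findings
```

A clean result only means the address is not a known lookalike; a genuinely compromised supplier account (vendor email compromise) still passes, so the call-back rule remains essential.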
How to Protect Your Business from Business Email Compromise
Protection comes from a combination of technical controls and clear internal processes. Neither alone is enough.
On the technical side, your business should have DMARC, DKIM, and SPF email authentication set up. These protocols let receiving mail servers check whether a message claiming to come from your domain was actually sent by an authorised server, which makes it far harder for attackers to spoof your domain. If you’re unsure whether your email is properly configured, our cyber security team can carry out an assessment and put the right protections in place.
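To show what "properly configured" means in practice, here is an added example (not from the original article) that lints the SPF and DMARC DNS TXT records for a domain, reporting the weak settings beside what they should be. The record strings are constructed samples; in real use you would fetch them with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`.

```python
def parse_tags(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record: str) -> list[str]:
    """Check the terminating 'all' mechanism; anything weaker than -all leaves spoofing open."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["'+all' lets any server send as your domain: use '-all'"]
    if last == "~all":
        return ["'~all' only softfails spoofed mail: use '-all' once every legitimate sender is listed"]
    if last != "-all":
        return ["no terminating 'all' mechanism: add '-all'"]
    return []


def lint_dmarc(record: str) -> list[str]:
    """Check the DMARC policy, its coverage, and whether you actually receive reports."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered: move to p=quarantine, then p=reject")
    elif policy == "quarantine":
        issues.append("p=quarantine: progress to p=reject once the reports show no legitimate failures")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy != "none":
        issues.append(f"pct={pct}: the policy is only applied to {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports on who is sending as your domain")
    return issues


# Constructed samples: a weak pair of records beside the corrected pair.
WEAK = ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none")
FIXED = ("v=spf1 include:_spf.example.net -all",
         "v=DMARC1; p=reject; rua=mailto:dmarc-reports@company.co.uk")
```

Passing both checks stops third parties spoofing your domain; it does not help when the mail really does come from a compromised account, which is why MFA and the call-back rule sit alongside it.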
Multi-factor authentication on all business email accounts is non-negotiable. If an attacker gets hold of a password, MFA means they still can’t access the account without a second verification step. This single control stops the vast majority of account takeover attempts before they start.
Your internal processes matter just as much as your technology. Any payment above a set threshold should require verbal confirmation using a pre-approved number. No bank detail changes should ever be processed based on an email alone. These are simple rules, but they stop a large number of BEC attacks before any money moves. Our managed IT support team helps businesses build these kinds of layered defences, covering both the technical controls and the practical guidance your staff need.
Staff awareness training is the final piece. Your team doesn’t need to become security experts, but they do need to know what a suspicious email looks like and feel confident flagging it. Regular short sessions go a long way. You can also look at our cyber security services to see how we approach ongoing protection for UK businesses.
What to Do If Your Business Is Targeted
If you suspect a BEC attack has taken place or is still in progress, speed matters.
Stop any payment immediately if a transfer is underway. Contact your bank straight away, as there may still be time to recall the funds. Report the incident to Action Fraud on 0300 123 2040 and notify the NCSC through their reporting portal.
Preserve all evidence and don’t alter or delete any emails. Your IT team needs to investigate how the attack happened and whether any accounts are still at risk. If you don’t have an IT provider you can call on urgently, our emergency IT support service can step in fast.
Frequently Asked Questions
What is the difference between BEC and phishing?
Phishing is a broad term for emails designed to trick recipients into clicking links, entering credentials, or downloading malware. Business email compromise is a specific type of fraud targeting businesses for financial gain through social engineering, often without any malicious links or attachments. BEC attacks are typically more targeted and researched than standard phishing campaigns.
How do attackers know enough about my business to make the fraud believable?
Most of the information they need is publicly available. Your website, LinkedIn company page, Companies House filings, and social media all contain details about your team, your suppliers, and how you operate. Attackers piece this together before sending a single message.
Can small businesses be targeted by BEC?
Yes, and they regularly are. Smaller businesses are often targeted because they tend to have fewer formal procedures around financial approvals. A small finance team without a call-back policy in place is easier to deceive than a large organisation with strict approval controls.
What should I do if I receive a suspicious email at work?
Don’t click any links or reply to it. Report it to your IT team or managed service provider straight away. If the email appears to come from a colleague or known supplier, contact them using a phone number you already have on file, not one included in the email, to confirm whether they sent it.
How do I report a BEC attack in the UK?
Report it to Action Fraud online or by calling 0300 123 2040. If your business has suffered a serious incident, also report it to the NCSC via their reporting portal. Contact your bank immediately if money has already been transferred.
Does DMARC prevent business email compromise?
DMARC, combined with DKIM and SPF, helps prevent attackers from spoofing your domain. It won’t stop every type of BEC attack, particularly account takeover, but it removes one of the most common routes in. It should sit alongside MFA and staff training as part of a wider approach to email security.
Keep Your Business Email Secure
Business email compromise doesn’t need a complicated technical exploit to succeed. A convincing email at the wrong moment is all it takes. Building the right combination of technical controls, clear payment procedures, and staff awareness is what stops it.
If you’d like to make sure your business is protected, contact UK IT Services for a free IT security consultation. It’s a quick conversation that could protect your business from serious financial loss.
