What Is Business Email Compromise (BEC)? UK SME Guide

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

What Is Business Email Compromise?

Business Email Compromise (BEC) is a sophisticated type of cybercrime in which attackers impersonate a trusted person — typically a senior executive, supplier, or solicitor — to trick employees into transferring money or handing over sensitive data. Unlike mass phishing campaigns that cast a wide net, BEC attacks are highly targeted and often involve weeks of reconnaissance into the victim organisation before a single fraudulent email is sent. BEC sits within the broader landscape of cybersecurity threats facing UK businesses, and understanding it is essential for any organisation that handles financial transactions or sensitive information by email.

The scale of the threat is significant. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cybersecurity breach or attack in the past twelve months, and 35% of those that were breached reported impersonation. BEC is one of the most financially damaging forms of impersonation attack. Industry data indicates that UK businesses lost an average of £109,000 per BEC incident, and nearly 30% of BEC incidents lead to a direct funds transfer fraud event. For micro and small businesses, even the average cost of the single most disruptive breach — approximately £1,205 (DSIT Cyber Security Breaches Survey 2025) — can cause serious cash-flow problems, whilst a successful BEC attack can be catastrophic.

Common Types of BEC Attack

CEO Fraud

The attacker impersonates the chief executive or another senior leader and sends an urgent email to a finance team member requesting an immediate bank transfer. The message typically claims the payment is confidential, time-sensitive, and should bypass normal approval processes. CEO fraud exploits the natural deference that employees show to senior leadership, and it is particularly effective when the real CEO is known to be travelling or unavailable — information that attackers can glean from social media and out-of-office replies.

Invoice Redirection

Attackers intercept or spoof supplier communications and notify the target that the supplier's bank account details have changed. Payments are then redirected to an account controlled by the criminal. This is also known as mandate fraud. Invoice redirection is especially dangerous because the email may arrive during a legitimate payment cycle, making it appear entirely routine. In some cases, attackers compromise the supplier's own email account first, sending the fraudulent request from a genuine address.

Supplier Impersonation

Criminals register domains that closely resemble a genuine supplier's domain (for example, amvia-invoices.com instead of amvia.co.uk) and send convincing invoices or payment requests. The target has no reason to suspect the email is fraudulent because the branding, tone, and formatting closely mirror legitimate correspondence. Lookalike domains are inexpensive to register and can be set up in minutes, making this a low-cost, high-reward tactic for criminals.
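The lookalike-domain tactic described above is something the receiving side can screen for before an invoice reaches accounts payable. The following is an added example, not AMVIA's code or part of this guide's original content: it compares a sender's domain against a constructed list of verified supplier domains (TRUSTED_DOMAINS is an assumption) and flags the three common imitation patterns, namely the same name under a different suffix (amvia.com), the name with confusable characters swapped in (amv1a.co.uk), and the name embedded in a longer label (amvia-invoices.com). The suffix table is deliberately short; a production tool would use the public suffix list via a package such as tldextract.

```python
"""Flag sender domains that imitate a trusted supplier domain.

Added example, not AMVIA code. TRUSTED_DOMAINS and the addresses under
"if __name__" are constructed for illustration.
"""
from difflib import SequenceMatcher

# Domains verified as belonging to real suppliers (constructed list)
TRUSTED_DOMAINS = ["amvia.co.uk", "example-supplier.com"]

# Longest suffixes first so ".co.uk" is stripped before ".uk". A production
# tool would use the public suffix list (for example the tldextract package).
SUFFIXES = (".co.uk", ".org.uk", ".gov.uk", ".ac.uk", ".com", ".net", ".org", ".uk")

# Characters commonly swapped for visually similar ones. Both sides of every
# comparison are folded, so "amv1a" and "amvia" compare equal.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_label(domain: str) -> str:
    """Return the brand-bearing label: 'mail.amvia.co.uk' -> 'amvia'."""
    domain = domain.lower().strip().rstrip(".")
    for suffix in SUFFIXES:
        if domain.endswith(suffix):
            domain = domain[: -len(suffix)]
            break
    return domain.rsplit(".", 1)[-1]


def fold(label: str) -> str:
    """Normalise confusable characters and drop separators before comparing."""
    return label.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES).replace("-", "")


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify the sender's domain as trusted, lookalike or unknown."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    # Exact match or a subdomain of a verified supplier domain is trusted
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return {"domain": domain, "verdict": "trusted", "matches": t, "reason": None}
    folded = fold(registrable_label(domain))
    for t in trusted:
        target = fold(registrable_label(t))
        reason = None
        if folded == target:
            reason = "same name under a different suffix or with confusable characters"
        elif target in folded:
            reason = "trusted name embedded in a longer label"
        elif SequenceMatcher(None, folded, target).ratio() >= 0.8:
            reason = "one or two characters away from the trusted name"
        if reason:
            return {"domain": domain, "verdict": "lookalike", "matches": t, "reason": reason}
    return {"domain": domain, "verdict": "unknown", "matches": None, "reason": None}


if __name__ == "__main__":
    for addr in ("accounts@amvia.co.uk", "billing@amvia-invoices.com",
                 "billing@amv1a.co.uk", "noreply@hmrc.gov.uk"):
        print(addr, classify_sender(addr))
```

A "lookalike" verdict is a reason to hold the message for the verification call the guide describes later, not proof of fraud on its own; an "unknown" verdict for a domain that is sending you invoices is worth a look at the supplier onboarding records.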

Payroll Diversion

Attackers impersonate an employee — often by compromising their email account or creating a lookalike address — and request that their payroll direct debit details be updated to a new bank account. The next payroll run sends salary directly to the fraudster. Payroll diversion attacks often go undetected until the genuine employee queries their missing pay, by which point the funds have been withdrawn.

Solicitor or Legal Impersonation

In this variant, attackers pose as a solicitor or legal representative involved in a confidential transaction such as a property purchase, merger, or acquisition. They request urgent payment into a specified account, citing legal deadlines. The confidentiality of legal matters makes victims less likely to verify the request through alternative channels, and the sums involved are often substantial.

Why BEC Attacks Are So Effective

BEC attacks succeed because they exploit human trust rather than technical vulnerabilities. They typically do not rely on malicious attachments or links that email security tools might detect. The emails look legitimate, come from plausible addresses, and are timed to coincide with real business events such as a supplier invoice being due or the CEO being away on travel.

  • Attackers research LinkedIn profiles, Companies House records, and company websites to identify targets and understand organisational hierarchies
  • Emails are carefully crafted to match the writing style, tone, and formatting of the person being impersonated
  • Urgency and authority are used to discourage staff from following normal verification procedures
  • Many attacks are carried out over weeks, with preliminary emails building credibility before the final fraudulent request
  • Attackers often time their emails for late Friday afternoon or just before a bank holiday, when staff are under pressure and less likely to verify

The DSIT Cyber Security Breaches Survey 2025 found that 85% of breaches involved phishing and that 93% of cyber crimes were phishing-based. BEC represents the most targeted and dangerous end of the phishing spectrum, where the attacker invests significant effort into a single, high-value deception.

Real-World BEC Scenarios

Consider a UK professional services firm with forty employees. The finance manager receives an email that appears to come from the managing director, requesting an urgent transfer of £28,000 to a new supplier. The email references a genuine project and uses the managing director's usual sign-off. The finance manager processes the payment. It later transpires that the managing director's email account had not been compromised — the attacker had simply registered a lookalike domain and spent two weeks studying the firm's email patterns.

In another scenario, a property management company receives a notification from what appears to be their maintenance contractor, advising that their bank details have changed. The accounts team updates the payment record without verbal verification. Three months of payments — totalling over £15,000 — are diverted before the genuine contractor queries the missing funds.

These scenarios are not hypothetical. They reflect the types of BEC incident that UK businesses report to Action Fraud every week. The common thread is the absence of a secondary verification step.

How to Prevent Business Email Compromise

Technical Controls

Deploying DMARC, DKIM, and SPF email authentication records prevents criminals from spoofing your exact domain to attack your customers or partners; it does not stop mail sent from a separately registered lookalike domain, which is why lookalike-domain filtering is also needed. Publishing a DMARC record at p=reject is the gold standard recommended by the NCSC. Microsoft Defender for Office 365 includes anti-impersonation protection that flags emails where the display name matches a known executive but the sending domain does not. Advanced email filtering can also detect lookalike domains and suspicious sending patterns before messages reach user inboxes. AMVIA deploys and manages all of these controls as part of its managed email security service.
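Whether a domain is actually protected comes down to the tags in its published records, and "we have DMARC" often turns out to mean p=none. The following is an added example, not AMVIA's code or a tool the guide describes: it parses SPF and DMARC TXT records as strings and reports the weak settings a reviewer looks for (p=none or quarantine, a reduced pct, a weaker sp= for subdomains, no rua= reporting address, a permissive or missing "all" mechanism, and more than the ten DNS lookups RFC 7208 allows). The records in the test are constructed; a real check would fetch them with a DNS library first.

```python
"""Assess published SPF and DMARC TXT records for weak settings.

Added example, not AMVIA code. The records passed in are constructed
strings; fetch your own from DNS (TXT at _dmarc.<domain> and at <domain>)
before running this against a real domain.
"""

# SPF mechanisms that each cost a DNS lookup (RFC 7208 allows at most 10)
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus a list of findings (empty means p=reject done well)."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("not a DMARC record (missing v=DMARC1)")
    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("no p= tag: receivers treat the record as invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; move to p=reject once reports are clean")
    subpolicy = tags.get("sp", "").lower()
    if policy == "reject" and subpolicy in ("none", "quarantine"):
        findings.append(f"sp={subpolicy} leaves subdomains weaker than the organisational domain")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return {"policy": policy, "findings": findings, "ok": policy == "reject" and not findings}


def assess_spf(record: str) -> dict:
    """Return the 'all' qualifier, the DNS lookup count and any findings."""
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("not an SPF record (missing v=spf1)")
    lookups = 0
    qualifier = None
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            lookups += 1          # redirect= is a modifier but still costs a lookup
            continue
        mechanism = t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0]
        if mechanism in SPF_LOOKUP_TERMS:
            lookups += 1
        elif mechanism == "all":
            qualifier = t if t[0] in "+-~?" else "+all"   # bare 'all' means '+all'
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10; receivers return permerror")
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier in ("+all", "?all"):
        findings.append(f"{qualifier} lets any server send as your domain")
    elif qualifier == "~all":
        findings.append("~all is a softfail; receivers without DMARC may still deliver unauthorised mail")
    return {"qualifier": qualifier, "lookups": lookups, "findings": findings}
```

Run assess_dmarc on the TXT record at _dmarc.yourdomain and assess_spf on the TXT record at the domain itself; a clean result is a reject policy with reporting enabled and an SPF record ending in -all that stays under the lookup limit.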

Multi-Factor Authentication

If an attacker gains access to a genuine email account through credential theft, they can send BEC emails from a trusted address — making detection far more difficult. Enforcing multi-factor authentication (MFA) on all email accounts significantly reduces the risk of account compromise. MFA should be treated as non-negotiable for all users, particularly finance, HR, and senior leadership.

Multi-Step Payment Verification

No payment instruction received by email alone should be acted upon without a secondary verification step. Call the requester on a known telephone number — not a number provided in the suspicious email — to confirm the request. This single procedural control prevents the majority of BEC attacks that reach the payment stage. The verification process should be documented in a written policy, and all staff involved in financial transactions should be trained on it.

Staff Training and Awareness

Finance, HR, and senior PA staff are the most common BEC targets. Regular training helps staff recognise the hallmarks of BEC — urgency, secrecy, unusual requests, and pressure to bypass normal process. Simulated BEC exercises test whether staff apply verification procedures under realistic pressure. Training should cover not only how to spot suspicious emails but also the correct reporting procedure when one is identified. The DSIT Cyber Security Breaches Survey 2025 found that only 14% of UK businesses have a formal incident response plan, which means most organisations lack a defined process for what happens after a suspicious email is reported.

Supplier Onboarding and Change Controls

Implement a formal process for adding new suppliers and changing existing supplier bank details. Any request to change payment details should require verification through a pre-agreed channel — typically a telephone call to a number held on file. This control should be part of your standard accounts payable procedures and enforced consistently regardless of who appears to be making the request.

What to Do If You Suspect a BEC Attack

If you believe your organisation has been targeted by a BEC attack, act immediately. Contact your bank to request a recall of any transferred funds — speed is critical, as funds are often moved through multiple accounts within hours. Report the incident to Action Fraud (the UK's national fraud reporting centre) and to the NCSC. Preserve all relevant emails as evidence. If an email account has been compromised, reset the password immediately, revoke all active sessions, and review recent sent items and mailbox rules for signs of attacker activity.
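The mailbox-rule review mentioned above is where account compromise most often leaves a trace: rules that forward mail outside the organisation, or that delete or bury messages about invoices and bank details so the genuine account holder never sees the supplier's query. The following is an added example, not AMVIA's code or a tool the guide describes. It reads a constructed JSON export shaped like the fields Exchange Online returns for inbox rules (Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords, BodyContainsWords, MarkAsRead) and flags the patterns an incident responder checks first; INTERNAL_DOMAINS, FINANCE_WORDS and the sample rules are assumptions for illustration, and the export is assumed to hold plain SMTP addresses.

```python
"""Review a mailbox's inbox rules for signs of attacker persistence.

Added example, not AMVIA code. SAMPLE_EXPORT is a constructed JSON export
shaped like Exchange Online inbox-rule properties; export your own with
Get-InboxRule and convert it to JSON before running this.
"""
import json

INTERNAL_DOMAINS = {"example.co.uk"}   # constructed; list your own domains here
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "bacs", "transfer", "password", "mfa"}
# Folders users rarely open, where hidden mail is typically parked
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "archive", "deleted items"}

# Constructed sample: two ordinary rules and two that should be flagged
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True, "ForwardTo": ["fin.backup.2025@example-webmail.com"],
     "SubjectContainsWords": ["invoice", "payment"], "DeleteMessage": True},
    {"Name": "...", "Enabled": True, "BodyContainsWords": ["bank details", "remittance"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Flag from MD", "Enabled": True, "From": ["md@example.co.uk"], "MarkImportance": "High"},
])


def _tokens(rule: dict) -> set:
    """Individual words from the rule's subject and body conditions."""
    phrases = (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])
    return {tok for phrase in phrases for tok in phrase.lower().split()}


def audit_rules(export_json: str, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return one finding per suspicious rule, each with the reasons it was flagged."""
    findings = []
    for rule in json.loads(export_json):
        reasons = []
        # Any forwarding or redirect outside the organisation is a finding on its own
        targets = ((rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
                   + (rule.get("ForwardAsAttachmentTo") or []))
        for addr in targets:
            if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                reasons.append(f"forwards or redirects to external address {addr}")
        # Deleting or burying finance-related mail keeps the real user from noticing queries
        folder = (rule.get("MoveToFolder") or "").lower()
        hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
        finance = _tokens(rule) & FINANCE_WORDS
        if hides and finance:
            where = "deletes" if rule.get("DeleteMessage") else f"moves to '{rule['MoveToFolder']}'"
            reasons.append(f"{where} mail mentioning {sorted(finance)}")
        if hides and rule.get("MarkAsRead"):
            reasons.append("marks hidden mail as read so no unread count gives it away")
        # Blank or punctuation-only names are chosen to be overlooked in the rule list
        name = (rule.get("Name") or "").strip()
        if len(name) <= 1 or set(name) <= set(".,-_ "):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append({"name": rule.get("Name"), "enabled": rule.get("Enabled", True), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_EXPORT):
        print(finding)
```

Keep the export itself as evidence before removing any rule, and extend the same check to mailbox-level forwarding settings and transport rules, which the inbox-rule export does not cover.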

How AMVIA Helps UK Businesses Prevent BEC

AMVIA deploys Microsoft Defender for Office 365 to detect BEC patterns including lookalike domain spoofing, impersonation of internal executives, and unusual sending behaviour. We configure DMARC policies at p=reject to protect your domain from being used in outbound fraud. Our managed email security service includes ongoing monitoring, alerting, and staff awareness support — giving your business layered protection against one of the most costly threats in the UK today. With 67% of medium businesses and 74% of large businesses reporting breaches in 2025 (DSIT Cyber Security Breaches Survey 2025), proactive protection against BEC is not optional — it is a business necessity.

Key Considerations

  • Assess your current position and identify gaps
  • Understand relevant UK regulations and standards
  • Implement appropriate technical controls
  • Train staff on security awareness
  • Review and update regularly
  • Consider managed service options for specialist areas
