
Business Email Compromise: The Fraud Costing UK Small Businesses Millions

Business email compromise — BEC — doesn't get the same attention as ransomware. There are no dramatic recovery stories, no visible operational disruptions, no ransom notes. Instead, there's a bank transfer that went to the wrong account. An invoice paid to a fraudster. A payroll change that redirected salary payments for weeks before anyone noticed. By the time the fraud is discovered, the money is usually gone and recovery is rarely complete.

The FBI consistently reports BEC as the costliest cybercrime category globally, generating more direct financial loss than ransomware. In the UK, Action Fraud receives thousands of BEC reports annually, and the real figure is significantly higher because many incidents go unreported. This guide explains how BEC works, why it bypasses most defences, and what actually stops it.

How Business Email Compromise Works

BEC is a social engineering attack that manipulates people with payment authority into making fraudulent transfers. It takes several distinct forms:

CEO Fraud

An email arrives from what appears to be the CEO or MD, addressed to the finance function, requesting an urgent payment — typically to a new supplier, as part of a confidential acquisition, or in connection with a time-sensitive regulatory requirement. The email instructs the recipient not to discuss the request with anyone else due to its confidentiality, and to confirm completion by email only. The email is either sent from a spoofed domain that looks almost identical to the real company domain, or — in more sophisticated attacks — from the CEO's genuine compromised email account.

Invoice Fraud

An email arrives from a known supplier, informing your accounts payable function that the supplier has changed its bank account details. The new account details are included. Subsequent invoices are then paid to the fraudster's account until the fraud is discovered — which can be weeks or months later, when the genuine supplier chases for payment. In many cases, the email is sent from a domain very similar to the real supplier's domain; in some, the supplier's genuine email account has been compromised.

Payroll Fraud

An email arrives at HR or payroll, appearing to come from an employee, requesting a change of bank account details for salary payments. The fraudster has researched the organisation to know the employee's name, their manager's name, and the payroll submission schedule. Payments made before the genuine employee notices the change are lost.

Lawyer or Solicitor Impersonation

Particularly common in property transactions. An email from what appears to be a solicitor, sent near the completion of a property purchase, provides new bank account details for the completion payment. In conveyancing fraud, the sums involved are typically the entire purchase price of a property.

Why BEC Bypasses Most Defences

Antivirus doesn't detect it — there's no malware. Email security filters struggle with it — the emails often contain no malicious links or attachments, just text and bank account details. Training helps, but time pressure and authority are powerful enough to override caution even in well-trained staff.

The most sophisticated BEC attacks use genuine compromised accounts rather than spoofed addresses. When an email genuinely comes from your CEO's email account — because that account has been compromised via credential phishing — no amount of header inspection will reveal it as fraudulent. The only defence in this scenario is a procedural one: verifying payment requests via a separate channel, regardless of how legitimate the email appears.

The Controls That Stop BEC

Verification Procedures for Payment Changes

The single most effective control is a mandatory verbal verification requirement: any request to change payment details, authorise an unusual payment, or update payroll banking must be verified by calling the requestor on a known, pre-existing phone number — not a number provided in the requesting email. This procedure should be written into your finance policy and applied without exception, regardless of who is making the request or how urgent they claim it is.

"The email looked genuine" is not a defence when the control required a phone call. "The CEO said it was urgent and told me not to tell anyone" is a social engineering technique — not a reason to bypass controls.

DMARC, DKIM, and SPF

These email authentication standards, properly configured, prevent attackers from successfully spoofing your exact domain when targeting your clients, suppliers, and partners. A fully enforced DMARC policy — set to "reject" (p=reject) rather than just "monitor" (p=none) — means that emails purporting to come from your domain but failing SPF or DKIM alignment will be rejected by receiving mail servers that honour DMARC, before they reach the recipient. This prevents your domain being used in BEC attacks against your clients, and signals to partners that emails from your domain are authenticated. It does not stop lookalike domains or mail sent from a genuinely compromised account, which is why the verification procedure above remains essential.
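The difference between a "monitor" and an "enforced" configuration is visible in the DNS records themselves. The following is an added example, not code from the original article: it parses constructed DMARC and SPF records for a hypothetical example.com domain and reports the settings that leave spoofing unblocked (p=none, a subdomain policy weaker than the main one, partial pct, a missing rua address, an SPF record ending in ~all or +all, or too many DNS-lookup terms). A real check would fetch the TXT records at _dmarc.example.com and example.com from DNS instead of using the inline strings.

```python
"""Assess whether DMARC and SPF records are actually enforcing.

Added example, not code from the original article. The records below are
constructed placeholders for a hypothetical example.com domain; a real check
would fetch the TXT records at _dmarc.<domain> and <domain> from DNS.
"""

# Constructed sample records (placeholders, not real DNS data).
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc@example.com; adkim=s; aspf=s")
SOFTFAIL_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
HARDFAIL_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dictionary (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the record is fully enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: mail failing DMARC is "
                        + ("only reported, not blocked" if policy == "none"
                           else "quarantined, not rejected"))
    # sp governs subdomains and defaults to the value of p when absent.
    sub_policy = tags.get("sp", policy)
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings


# SPF mechanisms and modifiers that each consume one of the 10 permitted DNS lookups.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _mechanism(term):
    """Strip qualifier and argument: '+include:x' -> 'include', 'a/24' -> 'a'."""
    name = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name.lower()


def assess_spf(record):
    """Return a list of weaknesses; empty means hard-fail and within the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("'+all' authorises every sender: spoofing is not prevented")
    elif last == "~all":
        findings.append("'~all' is a softfail: unauthorised senders are marked, not failed; use '-all'")
    elif last != "-all":
        findings.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the limit of 10, "
                        "so receivers evaluate the record as permerror")
    return findings


if __name__ == "__main__":
    for label, rec in (("monitor-only DMARC", MONITOR_ONLY_DMARC), ("enforced DMARC", ENFORCED_DMARC)):
        print(label, "->", assess_dmarc(rec) or "OK")
    for label, rec in (("softfail SPF", SOFTFAIL_SPF), ("hardfail SPF", HARDFAIL_SPF)):
        print(label, "->", assess_spf(rec) or "OK")
```

Run against the two DMARC records, the monitor-only one is reported twice (p=none, and sp inheriting none), while the enforced one comes back clean; the same pattern applies to the softfail and hardfail SPF records.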

Mailbox Monitoring

Compromised email accounts used in BEC attacks leave traces: mailbox rules that forward copies of emails, unusual login locations and times, access from unexpected devices. Continuous monitoring of Microsoft 365 or Google Workspace sign-in logs and mailbox configuration changes can detect a compromised account within hours of compromise — well before the attacker has been able to use it to commit fraud.
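The traces listed above can be checked mechanically. The following is an added example, not code from the original article or from any vendor: it runs two detections over a handful of constructed audit events for a hypothetical example.com tenant. The event field names are only loosely modelled on the Microsoft 365 unified audit log (operations such as New-InboxRule and UserLoggedIn, and rule parameters such as ForwardTo and DeleteMessage); a real detector would map the exported schema to these fields. The first detection flags inbox rules that forward mail out of the tenant or hide finance-related messages; the second flags sign-ins from outside the expected countries or from two countries within a short window.

```python
"""Flag mailbox-compromise indicators in Microsoft 365-style audit events.

Added example, not code from the original article or any vendor. The events
below are constructed, and their field names are only loosely modelled on the
Microsoft 365 unified audit log (operations such as New-InboxRule and
UserLoggedIn); a real detector would map the exported schema to these fields.
"""
from datetime import datetime, timedelta

# Constructed sample events for a hypothetical example.com tenant.
EVENTS = [
    {"time": "2024-03-04T08:02:11Z", "user": "ceo@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "country": "GB"},
    {"time": "2024-03-04T08:40:55Z", "user": "ceo@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "country": "NG"},
    {"time": "2024-03-04T08:45:30Z", "user": "ceo@example.com", "op": "New-InboxRule",
     "params": {"Name": ".", "SubjectContainsWords": "invoice;payment;bank",
                "ForwardTo": "archive@mail-example.net", "DeleteMessage": "True"}},
    {"time": "2024-03-04T09:10:00Z", "user": "finance@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.11", "country": "GB"},
    {"time": "2024-03-04T09:15:00Z", "user": "finance@example.com", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "SubjectContainsWords": "newsletter",
                "MoveToFolder": "Reading"}},
]

FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "payroll", "wire"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
RULE_OPS = ("New-InboxRule", "Set-InboxRule")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _external(address, internal_domain):
    return "@" in address and not address.lower().endswith("@" + internal_domain.lower())


def suspicious_rules(events, internal_domain):
    """Inbox rules that forward mail out of the tenant or hide finance-related messages."""
    findings = []
    for e in events:
        if e["op"] not in RULE_OPS:
            continue
        p = e.get("params", {})
        reasons = []
        for key in FORWARD_KEYS:
            if key in p and _external(p[key], internal_domain):
                reasons.append(f"{key} sends mail outside {internal_domain}: {p[key]}")
        words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
        # Deleting or moving matching mail keeps the real owner from seeing replies.
        hides = str(p.get("DeleteMessage", "")).lower() == "true" or "MoveToFolder" in p
        if hides and words & FINANCE_WORDS:
            reasons.append("hides messages matching finance keywords: "
                           + ", ".join(sorted(words & FINANCE_WORDS)))
        if len(p.get("Name", "").strip()) <= 1:
            reasons.append("rule has an empty or single-character name")
        if reasons:
            findings.append({"time": e["time"], "user": e["user"], "reasons": reasons})
    return findings


def login_anomalies(events, home_countries, window_minutes=60):
    """Sign-ins from outside the expected countries, or from two countries within a short window."""
    findings = []
    last_seen = {}  # user -> (time, country) of the previous sign-in
    logins = sorted((e for e in events if e["op"] == "UserLoggedIn"), key=lambda e: _ts(e["time"]))
    for e in logins:
        t, country = _ts(e["time"]), e["country"]
        if country not in home_countries:
            findings.append({"time": e["time"], "user": e["user"],
                             "reason": f"sign-in from outside expected countries: {country} ({e['ip']})"})
        prev = last_seen.get(e["user"])
        if prev and prev[1] != country and t - prev[0] <= timedelta(minutes=window_minutes):
            gap = int((t - prev[0]).total_seconds() // 60)
            findings.append({"time": e["time"], "user": e["user"],
                             "reason": f"sign-in from {country} {gap} min after sign-in from {prev[1]}"})
        last_seen[e["user"]] = (t, country)
    return findings


if __name__ == "__main__":
    for f in suspicious_rules(EVENTS, "example.com"):
        print("RULE ", f["time"], f["user"], "; ".join(f["reasons"]))
    for f in login_anomalies(EVENTS, home_countries={"GB"}):
        print("LOGIN", f["time"], f["user"], f["reason"])
```

On the constructed events, the CEO account produces three rule findings (external forward, finance mail deleted, single-character rule name) and two sign-in findings (a country outside the baseline, and two countries 38 minutes apart), while the finance user's newsletter rule and UK sign-in produce nothing. The keyword list, home-country baseline and travel window are tuning knobs; in practice they should be set from the organisation's own normal activity.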

Multi-Factor Authentication on Email

The scenario where an attacker uses a genuinely compromised email account requires first compromising that account. MFA on email makes credential theft insufficient — the attacker also needs the MFA token. Enforcing MFA on all email accounts, particularly those held by senior staff and the finance function, directly reduces the probability of the most sophisticated form of BEC.

Recovery When BEC Occurs

Act immediately. The payment systems that fraudulent transfers move through — primarily Faster Payments in the UK — can sometimes be recalled if the receiving bank is contacted quickly enough. Call your bank's fraud team the moment you discover the fraud, before doing anything else. The SWIFT network provides a mechanism for recovering international wire transfers if action is taken within hours. Time is the critical factor: every hour of delay reduces recovery probability significantly.

Report to Action Fraud (actionfraud.police.uk). Provide all available evidence: the email thread, the account details used, the amounts and timing of transfers. This information feeds intelligence that may assist in identifying and disrupting criminal networks.

Compromised Email Accounts, Detected Early

SOC in a Box monitors your Microsoft 365 and Google Workspace environments for the signs of account compromise that precede BEC fraud: unusual login locations, unexpected mailbox rule creation, authentication from suspicious IP addresses. Your named analyst sees these indicators in real time — before the fraudster has made their move.
