Business Email Compromise: The Fraud Costing UK Businesses Millions
How attackers impersonate your CEO or suppliers to steal money — and how to stop it happening to you.
What is business email compromise?
Business email compromise (BEC) is a type of fraud where attackers impersonate someone your business trusts — your CEO, a supplier, a client, or your bank — to trick you into transferring money or sharing sensitive information.
Unlike ransomware, BEC doesn't rely on technical exploits. It relies on trust, urgency, and the fact that most people don't verify unexpected financial requests carefully enough. It costs UK businesses hundreds of millions of pounds every year.
How it works — the most common types
CEO fraud
An attacker emails your finance team impersonating the CEO. The email asks for an urgent bank transfer — usually to a new account, always with a reason why normal processes should be bypassed. 'I'm in a meeting, please don't call me, just get this done.'
Invoice fraud
An attacker impersonates a supplier you regularly pay, sending an email saying their bank details have changed. You update your records and make your next payment — to the attacker's account.
Payroll fraud
An attacker impersonates a staff member and emails HR or payroll asking to update their bank details before the next pay run.
Solicitor / conveyancer fraud
During a property transaction, an attacker intercepts communications between you and your solicitor and sends fraudulent payment instructions.
Why it's so effective
BEC attacks work because they exploit normal business processes. Finance teams are trained to process payments. HR teams update bank details. People follow instructions from their CEO.
Attackers research their targets carefully — studying LinkedIn, company websites, and social media to understand who reports to whom, who handles payments, and when key people are likely to be unavailable (on holiday, at a conference). A well-timed, well-researched attack can be very convincing.
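The patterns above (an executive's name on mail from an outside domain, replies steered elsewhere, pressure to skip the usual checks, and talk of new bank details) can be checked mechanically before a message reaches the finance inbox. The following is an added example, not code from the original article or from any vendor: a small rule-based triage over a few constructed messages. The company domain, the executive directory and the phrase lists are assumptions for illustration and would be replaced with your own.

```python
"""Heuristic triage of inbound mail for business email compromise (BEC) patterns.

Added example. The company domain, executive directory and phrase lists are
assumptions; the sample messages are constructed, not real correspondence.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-ltd.co.uk"                              # assumed internal domain
EXECUTIVES = {"jane smith": "ceo", "tom brown": "finance director"}  # assumed directory

URGENCY_PHRASES = [
    r"\burgent(ly)?\b", r"\bright away\b", r"\bimmediately\b",
    r"don'?t call me", r"in a meeting", r"keep this (confidential|between us)",
]
PAYMENT_PHRASES = [
    r"bank details? (have|has) changed", r"new (bank )?account",
    r"update (my|our) (bank )?details", r"\b(wire|bacs|chaps|transfer)\b",
]


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(msg: dict) -> dict:
    """Return {'score': int, 'findings': [...]} for one message.

    msg keys: 'from' (RFC 5322 From header), 'reply_to' (may be ''),
    'subject', 'body'.
    """
    findings = []
    display, sender = parseaddr(msg.get("from", ""))
    sender_domain = _domain(sender)
    reply_domain = _domain(parseaddr(msg.get("reply_to", ""))[1])
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}".lower()

    # Rule 1: a known executive's name on a message sent from outside the company.
    if display.strip().lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        findings.append("display-name impersonation of executive from external domain")

    # Rule 2: replies are steered to a different domain than the visible sender.
    if reply_domain and reply_domain != sender_domain:
        findings.append("reply-to domain differs from sender domain")

    # Rule 3: pressure and secrecy language typical of CEO fraud.
    if any(re.search(p, text) for p in URGENCY_PHRASES):
        findings.append("urgency or secrecy language")

    # Rule 4: the message is about moving money or changing where it goes.
    if any(re.search(p, text) for p in PAYMENT_PHRASES):
        findings.append("payment or bank-detail change request")

    return {"score": len(findings), "findings": findings}


def needs_manual_verification(msg: dict, threshold: int = 2) -> bool:
    """True when a message should be held for out-of-band (phone) verification."""
    return triage(msg)["score"] >= threshold


# Constructed sample messages (not real correspondence).
SAMPLES = {
    "ceo_fraud": {
        "from": "Jane Smith <jane.smith@example-ltd-mail.com>",
        "reply_to": "",
        "subject": "Urgent payment",
        "body": "I'm in a meeting, please don't call me. Transfer 24,500 to the new account below today.",
    },
    "invoice_fraud": {
        "from": "Accounts <accounts@trusted-supplier.co.uk>",
        "reply_to": "accounts@trusted-supplier-billing.com",
        "subject": "Remittance update",
        "body": "Our bank details have changed. Please use the new account for all future invoices.",
    },
    "benign": {
        "from": "Jane Smith <jane.smith@example-ltd.co.uk>",
        "reply_to": "",
        "subject": "Board pack",
        "body": "Thanks for sending the board pack, see you on Thursday.",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, triage(msg))
```

The score is deliberately coarse: a single hit (a genuinely urgent message from the real CEO, say) should not block anything, but two or more together are exactly the combination the article describes, and holding such mail for a phone check costs only the few minutes that a legitimate request can afford to wait.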
How to protect your business
Verify any change to payment details by phone
Before updating bank details for any supplier or employee, call them on a number from your existing records — not the one in the email. This single step prevents the vast majority of invoice fraud.
Require two people to authorise large transfers
A second pair of eyes on significant payments makes it much harder for a single fraudulent email to result in a transfer.
Be suspicious of urgency
Legitimate urgent payment requests can almost always wait 10 minutes for a phone verification. If someone is insisting you act immediately without verification, that's a red flag.
Enable MFA on email accounts
Many BEC attacks start with a compromised email account. MFA prevents attackers from accessing email even if they have a password.
Train staff to recognise the patterns
Finance, HR, and anyone who handles payments should know what BEC looks like. A short briefing covering the common scenarios makes a significant difference.
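The first two controls above (verify a bank-detail change on the number already on file, and require two people for large transfers) can be written into the payment system itself rather than left to memory. The following is an added example, not the article's or any product's code, showing those two checks as enforced rules over constructed supplier records. The dual-authorisation threshold, and the extra rule that a payment to an account changed within the last 14 days also needs two approvers, are assumed policy values chosen for illustration.

```python
"""Payment-control checks for bank-detail changes and large transfers.

Added example modelling the controls described in the article. A bank-detail
change is accepted only after a call-back to the phone number already on record
(never a number supplied in the change request), and transfers at or above a
threshold, or to a recently changed account, need two distinct approvers.
Supplier records, requests and thresholds are constructed/assumed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DUAL_AUTH_THRESHOLD = 10_000   # assumed policy: two approvers at or above this amount
RECENT_CHANGE_DAYS = 14        # assumed policy: extra caution after a detail change


@dataclass
class Supplier:
    name: str
    account: str                    # sort code / account number on file
    phone_on_file: str              # number from existing records, not from any email
    last_change: Optional[date] = None


@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    contact_in_email: str           # phone number the email asks you to use (untrusted)


@dataclass
class Transfer:
    supplier: str
    amount: float
    approvers: List[str] = field(default_factory=list)


class PaymentControls:
    def __init__(self, suppliers: Dict[str, Supplier]):
        self.suppliers = suppliers

    def apply_change(self, req: ChangeRequest, called_number: str,
                     confirmed: bool, today: date) -> Tuple[bool, str]:
        """Accept a bank-detail change only if confirmed on the number on record."""
        sup = self.suppliers.get(req.supplier)
        if sup is None:
            return False, "unknown supplier"
        if called_number != sup.phone_on_file:
            # The number in the email may belong to the attacker, so it never counts.
            return False, "verification call must use the number on record"
        if not confirmed:
            return False, "supplier did not confirm the change"
        sup.account = req.new_account
        sup.last_change = today
        return True, "change applied"

    def authorise(self, t: Transfer, today: date) -> Tuple[bool, str]:
        """Require two distinct approvers for large or post-change transfers."""
        sup = self.suppliers.get(t.supplier)
        if sup is None:
            return False, "unknown supplier"
        distinct = set(t.approvers)
        if not distinct:
            return False, "no approver"
        recently_changed = (
            sup.last_change is not None
            and today - sup.last_change <= timedelta(days=RECENT_CHANGE_DAYS)
        )
        if (t.amount >= DUAL_AUTH_THRESHOLD or recently_changed) and len(distinct) < 2:
            return False, "second approver required"
        return True, "authorised"


def demo() -> PaymentControls:
    """Walk one constructed invoice-fraud attempt through the controls."""
    today = date(2024, 3, 1)
    controls = PaymentControls({
        "Acme Ltd": Supplier("Acme Ltd", "12-34-56 11111111", "+44 20 7946 0000"),
    })
    req = ChangeRequest("Acme Ltd", "65-43-21 22222222", "+44 7700 900000")
    # Calling the number in the email is rejected even if someone answers "yes".
    print(controls.apply_change(req, req.contact_in_email, True, today))
    # Calling the number on record and getting confirmation is what applies the change.
    print(controls.apply_change(req, "+44 20 7946 0000", True, today))
    print(controls.authorise(Transfer("Acme Ltd", 500.0, ["alice"]), today))
    print(controls.authorise(Transfer("Acme Ltd", 500.0, ["alice", "bob"]), today))
    return controls


if __name__ == "__main__":
    demo()
```

The important design point is that `called_number` is compared against the record, not against anything in the request: a fraudster can put any phone number in an email, and a verification call that goes to that number verifies nothing.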
If you've been a victim
Act immediately — speed is critical.
- Call your bank immediately and ask them to recall the payment — this is possible in some cases if done quickly
- Report to Action Fraud: 0300 123 2040 or actionfraud.police.uk
- Report to your bank's fraud team
- Notify your cyber insurer if you have one
- Keep all evidence — emails, bank statements, correspondence
BEC prevention starts with good access controls and staff awareness — two of the five areas covered in our free security assessment.
Find out where your business stands
Complete our 10-minute plain-English assessment and get a professional security report aligned to Cyber Essentials.
Start Your Free Assessment → £49 for the full report · No account required