Imagine getting an email from your managing director asking you to urgently transfer £38,000 to a new supplier. The email address looks right, the tone is spot on, and there is a deadline. So you pay it. Except your MD never sent that email. A criminal did.
This is Business Email Compromise, or BEC for short. It is the single most costly type of cyber attack hitting small and medium-sized businesses today - and most business owners have never even heard the term.
What exactly is BEC?
BEC is a type of targeted email scam. Unlike the obvious spam that lands in your junk folder, BEC emails are carefully crafted to look like they come from someone you trust - your boss, your accountant, or a long-standing supplier.
Criminals either hack into a real email account or create a convincing lookalike address. Then they send a message designed to trick someone in your team into transferring money or sharing sensitive information.
Think of it like a con artist who has studied your business, learned your staff names, and knows exactly which buttons to press.
The three most common BEC tricks
1. The fake invoice
You receive what looks like a normal invoice from a supplier you use regularly. Everything matches - the logo, the format, the contact details. But the bank account number has been quietly changed. Your payment goes straight to the criminal.
2. CEO impersonation
A staff member gets an urgent email appearing to come from the business owner or a senior manager. It asks them to process a payment quickly and keep it confidential. The urgency and authority make people act before they think.
3. Supplier payment redirect
A criminal poses as one of your regular suppliers and sends a polite email explaining they have changed their bank details. Future payments then flow to a fraudulent account - sometimes for months before anyone notices.
How much is this actually costing?
The numbers are stark. Globally, the FBI recorded £2.2 billion in BEC losses in 2024 alone. In the UK, fraud losses topped £1.1 billion in 2024, with payment redirection fraud - the category BEC falls under - accounting for £450 million of that.
The government’s own Cyber Security Breaches Survey 2025 found that 85% of businesses that suffered a cyber attack experienced phishing, and the average cost of cyber-enabled fraud was £5,900 per business. For those without the resources to absorb that kind of hit, it can be devastating.
Smaller organisations are particularly vulnerable. Businesses with fewer than 1,000 employees face a 70% chance of receiving at least one BEC attempt every single week. And with 40% of BEC emails now generated using artificial intelligence, these scams are becoming harder to spot than ever.
BEC attacks rose 15% in 2025 compared to the year before, and they are still climbing.
Why it works so well
BEC does not rely on viruses or hacking in the traditional sense. It exploits something far harder to patch - human trust. When an email appears to come from your boss or a supplier you have worked with for years, your natural instinct is to act on it.
Criminals count on that. They also count on busy offices where people are juggling multiple tasks and do not have time to double-check every email.
Simple steps that stop BEC in its tracks
The good news is that BEC is one of the most preventable cyber threats. Here is what you can do right now.
Verify payment changes by phone. If anyone - supplier, colleague, or director - asks you to change bank details or make an unusual payment, pick up the phone and call them on a number you already have on file. Not the number in the email. This single step prevents the vast majority of BEC losses.
Set up approval rules for payments. No single person should be able to authorise a large payment without a second pair of eyes. Even a simple two-person sign-off process adds a layer of protection.
Turn on Multi-Factor Authentication (MFA). MFA is an extra security step when logging in - usually a code sent to your phone alongside your password. It makes it much harder for criminals to break into your email accounts in the first place. The NCSC found that 76% of BEC victims had not set this up.
Train your team regularly. Make sure every person who handles payments or sensitive data knows what BEC looks like. Run through real examples. The five minutes it takes could save your business thousands.
Check email addresses carefully. Criminals often use addresses that are just one letter different from the real thing. Encourage staff to hover over sender names and look for subtle changes.
Use email security tools. Ask your IT provider about DMARC - a system that helps prevent criminals from sending emails that appear to come from your domain. It works quietly in the background and is recommended by the National Cyber Security Centre.
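The "one letter different" addresses described above can be caught mechanically as well as by eye. The following is an added illustration, not code from the article: it compares the domain in a From: header against a list of suppliers you already trust and flags anything one or two edits away, or the same name under a different ending. The trusted domains and sample addresses are constructed for the example.

```python
"""Flag lookalike sender domains against a list of trusted supplier domains.
Added illustration; the domains below are constructed, not real suppliers."""
from email.utils import parseaddr

# Constructed allowlist: the domains your finance team genuinely deals with.
TRUSTED_DOMAINS = {"acme-supplies.co.uk", "example-accountants.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b (1 for a single swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value.

    The display name is ignored on purpose: criminals control it completely,
    so only the domain after the @ is compared.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower()
    # Exact match, or a subdomain of a trusted domain, is fine.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    name = domain.split(".", 1)[0]
    for t in trusted:
        # Same name with a different ending (acme-supplies.com vs .co.uk),
        # or a domain within two edits of a trusted one (a swapped letter).
        if name == t.split(".", 1)[0] or edit_distance(domain, t) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Jane Smith <jane@acme-supplies.co.uk>",
                "Jane Smith <jane@acme-supplles.co.uk>",   # l instead of i
                "Accounts <accounts@acme-supplies.com>"):   # wrong ending
        print(f"{classify_sender(hdr):10} {hdr}")
```

A "lookalike" result is a prompt to make the phone call described above, not a verdict on its own.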
What to do if you fall victim
Act immediately. Contact your bank and ask them to recall the payment - speed matters here. Report it to Report Fraud (the service that replaced Action Fraud) online at reportfraud.police.uk or by calling 0300 123 2040. Then notify the National Cyber Security Centre.
The faster you act, the better your chances of recovering the money.
The bottom line
BEC is not glamorous. It does not make headlines the way ransomware does. But it is quietly draining millions from UK businesses every year, and small firms bear the brunt.
The defences are straightforward - verify by phone, require dual sign-off, switch on MFA, and make sure your team knows what to look for. None of this requires a big budget or technical expertise. It just requires awareness and a few good habits.
Want help protecting your business from email threats? Talk to our team about email security and staff awareness training.