
Business Email Compromise: What You Need to Know

June 19, 2025 · 4 min read

Introduction: The Most Costly Threat You’ve Never Heard Of

Business Email Compromise (BEC) doesn’t make headlines like ransomware, but it’s one of the most financially devastating types of cyberattacks facing small businesses today.

It’s silent.
It’s sneaky.
And it works — to the tune of billions every year.

This blog breaks down what BEC is, how it works, and how to stop it before it costs your business money, trust, or both.

What is Business Email Compromise (BEC)?

BEC is when cybercriminals gain access to (or convincingly impersonate) a legitimate business email account in order to:

  • Steal money

  • Intercept sensitive information

  • Redirect payments

  • Spoof employee or vendor communications

They don’t always break in. Some attackers gain full access to real email accounts, usually through phishing or password reuse — this is a true compromise, and it allows them to silently monitor communications, set up forwarding rules, and strike at the perfect moment.

Other times, they don’t need access at all — just a convincing spoofed address or domain and a little social engineering. These attacks are faster to launch and often just as effective.

So whether it's a full account takeover or clever impersonation, BEC works by manipulating people — not systems.

3 Common Types of BEC Attacks

1. CEO Fraud

A hacker impersonates a senior leader (like the Managing Director) and asks an employee to make an urgent wire transfer or send sensitive data.

“Hi Sarah — can you send £9,950 to this new supplier today before COB? We’re behind on payment and I don’t want the project delayed. I’m in a meeting all day so just sort it, please.”

2. Vendor Email Compromise

Attackers hack or spoof a real supplier's email and send an invoice with “new” banking details — straight to your finance team.

Looks 100% legit. Right logo. Right invoice number. Wrong bank account.

3. Employee Impersonation

An attacker pretends to be a staff member requesting payroll changes or access to systems.

Why BEC is So Dangerous for Small Businesses

1. It’s Highly Targeted

These aren't spray-and-pray spam emails. BEC scams are researched, personalised, and convincing.

2. It’s Low-Tech but High Impact

No malware required. Just tricking someone into doing what they’d normally do — like paying invoices or updating banking info.

3. It’s Hard to Spot

The emails come from real or lookalike accounts. There's no bad link, no suspicious attachment. Just a very believable message.

4. Banks May Not Refund You

Unlike credit card fraud, many BEC losses aren’t covered by banks or insurers. Once the money’s gone — it’s gone.

Real Story: A £12,000 Mistake

One of our clients was hit by BEC after receiving what looked like a legitimate invoice from a regular vendor.

It had:

  • The correct logo

  • Familiar formatting

  • A subject line matching their prior invoices

Except this time…
The bank account was fake.

They paid the invoice, and the real vendor chased them a week later for payment.
The money was gone — transferred overseas.

They recovered financially — but it cost them time, trust, and credibility.

7 Red Flags That Could Signal BEC

  1. Unexpected urgency in a routine email

  2. Changes to payment instructions (especially if not confirmed by phone)

  3. Slight changes in the email address (e.g. @vendor.com becomes @vemdor.com)

  4. Unusual requests from staff on leave or unavailable

  5. Emails sent outside of work hours

  6. Misspellings or grammatical errors in professional emails

  7. Pushback when you ask to verify the request

How to Prevent Business Email Compromise

1. Use Multi-Factor Authentication (MFA)

Make it harder for hackers to log in — even if they steal a password.

2. Train Your Team

Educate staff regularly on how to spot suspicious emails.
Run phishing simulations and reward cautious behaviour.

3. Always Verify Banking Changes by Phone

Make it a policy: No payments are ever processed without verbal confirmation.

4. Use Domain Monitoring Tools

Spot lookalike domains and impersonation attempts early.
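Red flag 3 above and this domain-monitoring advice describe the same check: does the sender's domain really belong to a supplier you know, or is it one character off? The following Python is an added example, not code from the original post or from Systems Secure. It compares the From: domain of an inbound message against a constructed allow-list of trusted domains, folds common substitutions (digits for letters, a few Cyrillic twins) before comparing, treats anything one edit away as a lookalike, and also notes when Reply-To points somewhere other than From, which goes slightly beyond the single typo the post mentions. `TRUSTED_DOMAINS`, `CONFUSABLES` and every sample header are constructed for illustration.

```python
"""
Added example: flag lookalike sender domains and Reply-To mismatches in email headers.
Not part of the original post; the allow-list, confusable table and headers are constructed.
"""
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of domains the finance team legitimately deals with.
TRUSTED_DOMAINS = {"vendor.com", "ourcompany.example", "acme-supplies.co.uk"}

# Constructed table of substitutions used to imitate a domain: digits for letters,
# 'rn' for 'm', 'vv' for 'w', and Cyrillic letters that render like Latin ones.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]


def normalize_domain(domain: str) -> str:
    """Lower-case, apply NFKC (folds full-width characters), then collapse confusables."""
    d = unicodedata.normalize("NFKC", domain).strip().rstrip(".").lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single typo (vendor -> vemdor) is the classic BEC lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header: str) -> str:
    """Extract the bare, lower-cased domain from an RFC 5322 address header."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, reply_to_header: str = "") -> dict:
    """Classify the From: domain as trusted / lookalike / unknown and note a Reply-To mismatch."""
    domain = domain_of(from_header)
    result = {"domain": domain, "status": "unknown", "closest": None, "reply_to_mismatch": False}

    if domain in TRUSTED_DOMAINS:
        result["status"] = "trusted"
    else:
        norm = normalize_domain(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            # Same string after confusable folding, or one edit away: a lookalike.
            if norm == normalize_domain(trusted) or levenshtein(norm, normalize_domain(trusted)) <= 1:
                result["status"], result["closest"] = "lookalike", trusted
                break

    # CEO-fraud pattern: the visible From: looks right but replies are routed elsewhere.
    if reply_to_header:
        reply_domain = domain_of(reply_to_header)
        result["reply_to_mismatch"] = bool(reply_domain) and reply_domain != domain
    return result


if __name__ == "__main__":
    # Constructed headers: one genuine supplier, two lookalikes, one Reply-To swap.
    samples = [
        ("Accounts <accounts@vendor.com>", ""),
        ("Accounts <accounts@vemdor.com>", ""),
        ("Billing <billing@vend0r.com>", ""),
        ("Sarah <sarah@ourcompany.example>", "sarah.ceo@webmail.example"),
    ]
    for frm, reply_to in samples:
        print(frm, "->", classify_sender(frm, reply_to))
```

Run on a mail gateway or as a quarantine rule, a "lookalike" or "reply_to_mismatch" result is a reason to hold the message and verify the request by phone, not a verdict on its own; legitimate domains that happen to be one character apart will also be flagged, so the allow-list should be kept to suppliers you actually pay.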

5. Monitor Mail Rules

Hackers often set up auto-forwarding rules to monitor inboxes silently.
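What "monitor mail rules" looks like in practice is an audit that pulls every rule from every mailbox and flags the patterns seen after an account takeover: forwarding or redirecting to an external address, deleting or hiding messages that mention invoices or payments, and rules with blank or one-character names. The Python below is an added example, not code from the original post or from Systems Secure. The rule records are constructed and only loosely modelled on the fields a mail platform such as Exchange Online exposes for inbox rules (an assumption; a real audit would export them from the platform). `INTERNAL_DOMAINS`, `SUSPECT_FOLDERS`, `SENSITIVE_WORDS` and `SAMPLE_RULES` are all constructed.

```python
"""
Added example: audit mailbox rules for patterns typical of a compromised account.
Not from the original post; rule records are constructed, not a live export.
"""
from typing import Iterable

INTERNAL_DOMAINS = {"ourcompany.example"}  # constructed
# Folders users rarely open, where hidden mail tends to be parked (constructed list).
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "archive", "junk email", "deleted items"}
SENSITIVE_WORDS = ("invoice", "payment", "bank", "wire", "password", "mfa", "remittance")

# Constructed rules, loosely modelled on inbox-rule fields (mailbox, name, enabled,
# forward_to, redirect_to, delete, move_to_folder, subject_contains).
SAMPLE_RULES = [
    {"mailbox": "sarah@ourcompany.example", "name": "Team updates", "enabled": True,
     "forward_to": ["team@ourcompany.example"], "redirect_to": [], "delete": False,
     "move_to_folder": "Inbox", "subject_contains": []},
    {"mailbox": "sarah@ourcompany.example", "name": ".", "enabled": True,
     "forward_to": ["s.finance.backup@webmail.example"], "redirect_to": [], "delete": False,
     "move_to_folder": None, "subject_contains": []},
    {"mailbox": "finance@ourcompany.example", "name": "cleanup", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": True,
     "move_to_folder": None, "subject_contains": ["invoice", "payment"]},
    {"mailbox": "finance@ourcompany.example", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to_folder": "RSS Feeds", "subject_contains": ["bank details"]},
]


def is_external(address: str) -> bool:
    """True when the address domain is not one of ours."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list:
    """Return the reasons a single rule looks suspicious; an empty list means clean."""
    reasons = []
    if not rule.get("enabled", True):
        return reasons
    # Any copy of mail leaving the organisation automatically is the headline finding.
    for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if is_external(addr):
            reasons.append(f"forwards to external address {addr}")
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    touches_sensitive = any(w in s for s in subjects for w in SENSITIVE_WORDS)
    # Deleting or burying finance mail keeps the real owner from noticing the fraud.
    if rule.get("delete") and touches_sensitive:
        reasons.append("deletes messages matching finance keywords")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in SUSPECT_FOLDERS and touches_sensitive:
        reasons.append(f"hides finance-related mail in '{rule['move_to_folder']}'")
    # Attackers often give rules a throwaway name so they do not stand out in the list.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def audit_rules(rules: Iterable[dict]) -> list:
    """Run audit_rule over every rule and return the suspicious ones with their reasons."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"{finding['mailbox']}  rule={finding['rule']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Schedule the audit and alert on any new finding, because a rule that appears between two runs is a strong sign the account itself was accessed; in that case the response is to reset the password, revoke active sessions and check MFA enrolment, not just to delete the rule.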

6. Keep Email Signatures Consistent

Standardised signatures make it easier to spot forged messages.

Recovery: What to Do If You Fall for a BEC Scam

If your business gets caught:

  1. Contact your bank immediately – request a reversal or freeze

  2. Report it to Action Fraud (UK) or your national cybercrime unit

  3. Inform your clients if any data or funds are affected

  4. Contact Systems Secure – we’ll assess the damage and help secure your systems


James

James Batt is the founder and lead cybersecurity consultant at Systems Secure, where he helps small businesses build rock-solid digital defenses without the jargon. With a deep background in endpoint protection, cloud hardening, and security audits, James is on a mission to make cybersecurity accessible, understandable, and practical for real-world business owners. When he’s not fending off threats or simplifying tech-speak, he’s probably out walking his German Shorthaired Pointer, Fern—or getting distracted by Pretzel, the office dachshund.

6 The Meadow, Copthorne West Sussex RH103RG


07588 455611

© Systems Secure 2025. All Rights Reserved.