Business Email Compromise — commonly abbreviated to BEC — has become the single most financially devastating form of cyber crime affecting UK organisations. Unlike the ransomware attacks that dominate newspaper headlines, BEC operates through deception rather than technical exploitation. There are no encrypted files, no dramatic ransom demands, and no obvious signs that anything is wrong — until the money is gone and the trail has gone cold. The UK's National Crime Agency and Action Fraud consistently report BEC as one of the highest-value cyber crimes in the country, with individual incidents regularly resulting in losses of tens or hundreds of thousands of pounds.
BEC attacks exploit the fundamental trust that underpins business communication. An attacker impersonates a senior executive, a trusted supplier, a solicitor handling a property transaction, or a colleague in the finance department, and instructs the victim to make an urgent payment, redirect a scheduled transfer, or share sensitive information. The emails are carefully crafted to appear entirely legitimate — they use correct names, reference real transactions, mirror the communication style of the impersonated individual, and create a sense of urgency that discourages the recipient from questioning the request or following normal verification procedures.
This guide explains how BEC attacks work in practice and why UK businesses are particularly vulnerable to certain variants, and sets out a comprehensive set of technical and procedural defences that significantly reduce your risk of becoming a victim.
How Business Email Compromise Attacks Work
BEC attacks follow a recognisable pattern, though the specific tactics vary depending on the target and the attacker's sophistication. Understanding this pattern is the first step toward building effective defences.
The attack typically begins with reconnaissance. Attackers research the target organisation using publicly available information — company websites, LinkedIn profiles, Companies House filings, press releases, and social media posts. They identify key individuals including the CEO, finance director, and accounts payable staff. They study the organisation's suppliers, clients, and business relationships. In more sophisticated campaigns, attackers may compromise a low-level email account first through phishing, then spend weeks silently reading email threads to understand communication patterns, transaction processes, and relationships before launching their main attack.
The attack itself takes several common forms. CEO fraud involves impersonating a senior executive and instructing a finance team member to make an urgent payment. Supplier invoice fraud involves intercepting or impersonating a genuine supplier and requesting that future payments be sent to a new bank account. Solicitor impersonation targets property transactions and completion payments; this variant is particularly prevalent in the UK property market. Payroll diversion involves impersonating an employee in an email to the HR or payroll team and requesting that their salary be paid into a new bank account.
The UK property market is a prime target for BEC attackers. During the conveyancing process, buyers routinely exchange large sums with solicitors via bank transfer. Attackers who gain access to a solicitor's or estate agent's email account can intercept completion communications and redirect funds to fraudulent accounts. The NCSC and the Solicitors Regulation Authority (SRA) have issued repeated warnings about this specific threat. UK property buyers should always verify bank details by phone using a number obtained independently — never from the email containing the payment instructions — before making any property-related transfer.
Technical Defences Against BEC
Email Authentication: SPF, DKIM, and DMARC
Implementing email authentication protocols is one of the most effective technical measures against BEC. These three complementary protocols — SPF, DKIM, and DMARC — work together to prevent attackers from sending emails that appear to come from your domain.
Sender Policy Framework (SPF) publishes a DNS record specifying which mail servers are authorised to send email on behalf of your domain. DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outgoing emails, allowing the recipient's mail server to verify that the email was genuinely sent by your domain and has not been modified in transit. Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together with a policy that tells receiving mail servers what to do when authentication fails — monitor, quarantine, or reject the email entirely.
Implementing DMARC with a reject policy means that any email claiming to come from your domain but sent from an unauthorised server is automatically rejected by the recipient's mail system. This prevents attackers from impersonating your organisation when targeting your customers, suppliers, and partners. The UK government's own NCSC actively promotes DMARC adoption and provides free tools to help UK organisations implement it correctly.
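As an added example (not from the original article or any NCSC tool), the following Python code parses published SPF and DMARC TXT records and reports the weaknesses this section warns about: a monitor-only p=none policy, a partial pct, unprotected subdomains, a missing rua address, and an SPF record that soft-fails rather than hard-fails unauthorised senders. The record strings are constructed samples for example.com; in practice they would be fetched from DNS at example.com and _dmarc.example.com.

```python
import re

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> list:
    """Return findings that weaken protection; an empty list means reject is enforced."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor-only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains are not protected by reject")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings

def assess_spf(txt: str) -> list:
    """Flag an SPF record whose 'all' mechanism does not hard-fail unlisted senders."""
    if not txt.lower().startswith("v=spf1"):
        return ["not a valid SPF record"]
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.lower())
    if match is None:
        return ["no 'all' mechanism: unlisted senders are left unevaluated"]
    qualifier = match.group(1)
    if qualifier in ("", "+"):
        return ["+all: every mail server on the internet is authorised"]
    if qualifier in ("~", "?"):
        return [f"{qualifier}all: soft fail or neutral, receivers may still accept"]
    return []

# Constructed sample records for example.com (not real DNS data)
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
```

Running both assessors over WEAK_DMARC and WEAK_SPF reproduces the first entry in the vulnerability list at the end of this guide: a domain whose DMARC record exists but never moves past monitor-only mode.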
Multi-Factor Authentication on All Email Accounts
Many BEC attacks begin with the compromise of a legitimate email account, which the attacker then uses to send convincingly authentic emails to colleagues, clients, and suppliers. The most common method of account compromise is credential theft through phishing — the attacker tricks the user into entering their email password on a fake login page.
Multi-factor authentication (MFA) on all email accounts dramatically reduces the risk of account compromise. Even if an attacker obtains a user's password through phishing, they cannot access the account without the second authentication factor. MFA should be mandatory for every user in your organisation without exception — especially senior executives and finance team members who are the primary targets of BEC attacks. Use authenticator applications or hardware security keys rather than SMS-based MFA, which is vulnerable to SIM-swapping attacks.
Advanced Email Security Solutions
Deploy advanced email security solutions that go beyond basic spam filtering to detect BEC-specific attack patterns. Modern email security platforms such as Microsoft Defender for Office 365, Proofpoint, Mimecast, and Abnormal Security use artificial intelligence and behavioural analysis to identify emails that exhibit BEC characteristics — impersonation attempts, unusual sender behaviour, financial language combined with urgency, and requests that deviate from established communication patterns.
Deploy external email warning banners that automatically prepend a visible notice to every email received from outside your organisation. A simple banner stating "CAUTION: This email originated from outside your organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe" provides a constant visual reminder that helps employees maintain vigilance. This is particularly effective against BEC attacks where an external attacker impersonates an internal colleague — the external email banner immediately reveals that the email did not come from within the organisation, regardless of how convincing the display name or signature appears.
Configure anti-impersonation policies that specifically protect your senior executives and finance team. These policies flag or quarantine emails from external senders that closely mimic the display names or email addresses of protected individuals. For example, an email from "john.smith@yourc0mpany.com" (with a zero instead of the letter O) would be flagged before reaching the intended recipient.
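To show what such a policy evaluates, here is an added Python example (not from the original article or from any vendor's product) that checks one From: header against a protected-user list: it flags a protected display name paired with the wrong address, and an external domain that collapses onto the organisation's domain once common lookalike substitutions (such as the zero-for-O trick above) are folded out, or that sits within two edits of it. The domain yourcompany.com, the protected list and the sample addresses are constructed.

```python
import unicodedata

OUR_DOMAIN = "yourcompany.com"                     # constructed organisation domain
PROTECTED = {                                       # constructed list: display name -> real address
    "john smith": "john.smith@yourcompany.com",
    "jane doe": "jane.doe@yourcompany.com",
}
# Substitutions attackers use because they look alike in most mail clients
LOOKALIKE_PAIRS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))

def fold(domain: str) -> str:
    """Collapse accents and common character swaps so lookalikes map onto the ASCII original."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for fake, real in LOOKALIKE_PAIRS:
        text = text.replace(fake, real)
    return text

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped or swapped letters that folding misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(display_name: str, address: str) -> list:
    """Return impersonation signals for one From: header; an empty list means none found."""
    reasons = []
    address = address.lower()
    domain = address.rpartition("@")[2]
    name_key = " ".join(display_name.lower().split())
    # 1. Display name of a protected person, but not their real address
    if name_key in PROTECTED and address != PROTECTED[name_key]:
        reasons.append(f"display name '{display_name}' matches a protected user but address is {address}")
    # 2. External domain that folds to, or nearly matches, our own
    if domain != OUR_DOMAIN:
        folded = fold(domain)
        if folded == OUR_DOMAIN:
            reasons.append(f"lookalike domain {domain} folds to {OUR_DOMAIN}")
        elif edit_distance(folded, OUR_DOMAIN) <= 2:
            reasons.append(f"domain {domain} is within 2 edits of {OUR_DOMAIN}")
    return reasons
```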
| Technical Defence | What It Prevents | Implementation Priority |
|---|---|---|
| DMARC (with reject policy) | Domain spoofing — attackers sending as your domain | Critical |
| Multi-Factor Authentication | Account takeover from stolen credentials | Critical |
| Advanced Email Filtering | BEC emails reaching user inboxes | High |
| Anti-Impersonation Policies | Display name and lookalike domain attacks | High |
| External Email Banners | Users mistaking external emails for internal | Medium |
Procedural Defences and Employee Training
Technical controls alone cannot prevent BEC because the most sophisticated attacks use legitimate compromised accounts to send genuine-looking emails that pass every technical check. Procedural defences — verification processes that must be followed before any financial action is taken — provide a critical additional layer of protection.
Implement a mandatory payment verification procedure that requires out-of-band confirmation for all payment requests above a defined threshold. Out-of-band means using a different communication channel from the one through which the request was received — if the request came by email, verify it by phone call to a known number. Never verify a payment request by replying to the email or calling a number provided in the email itself, as the attacker controls those channels. This single procedural control, consistently enforced, prevents the majority of BEC financial losses.
Establish a dual-authorisation requirement for all payments above a defined value — for example, any payment over £5,000 requires approval from two authorised individuals. This ensures that no single person can be socially engineered into making a fraudulent payment without a second pair of eyes reviewing the request. For changes to supplier bank details, implement a mandatory cooling-off period of 48 to 72 hours during which the change is verified through multiple independent channels before any payment is made to the new account.
Create a clear escalation path for employees who receive suspicious payment requests. Employees should know exactly who to contact — whether it is their line manager, the finance director, or the IT security team — when they receive a request that feels unusual, unexpected, or pressured. Crucially, the organisational culture must support and encourage employees who escalate suspicious requests, even when those requests turn out to be legitimate. An employee who delays a genuine payment by a few hours whilst verifying its authenticity is demonstrating exactly the caution your organisation needs. Punishing or criticising such behaviour — explicitly or implicitly — will discourage the vigilance that protects your business from BEC losses.
Conduct regular BEC-specific security awareness training for all employees, with particular focus on finance, HR, and executive assistant roles. Training should include realistic simulations of BEC scenarios — not just generic phishing tests, but carefully crafted impersonation attempts that mirror the actual tactics used against UK businesses. Employees who can recognise the pressure tactics, urgency language, and subtle red flags common to BEC attacks are your most effective last line of defence when technical controls fail to catch a sophisticated attack.
Supply Chain and Third-Party BEC Risks
One of the most insidious forms of BEC involves the compromise of a trusted third party — a supplier, a solicitor, an accountant, or a business partner whose email account is taken over by an attacker. Because the emails genuinely originate from the third party's legitimate email address and reference real ongoing transactions, they pass virtually every technical and human credibility check. The recipient has no reason to suspect that the email is fraudulent because, from a technical standpoint, it is not — it was genuinely sent from the expected email address by an attacker who now controls that account.
Protecting against supply chain BEC requires extending your security mindset beyond your own organisation's boundaries. Implement verification procedures that apply equally to internal and external payment requests. Require bank detail changes from suppliers to be confirmed through a phone call to a known, pre-established contact number — not a number provided in the email requesting the change. Maintain a register of verified bank details for all regular suppliers and flag any payment instruction that does not match the registered details for manual verification before processing.
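The payment controls described in the Procedural Defences section and the supplier register described here can be enforced in an accounts-payable workflow as one pre-payment check. The following Python example is added here and is not from the original article; the £5,000 threshold and 72-hour cooling-off period are the figures used in this guide, and the register, reference time and payment requests are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DUAL_AUTH_THRESHOLD = 5_000          # GBP; the figure used in this guide
COOLING_OFF = timedelta(hours=72)    # upper end of the 48 to 72 hour window

@dataclass
class SupplierRecord:
    """Verified bank details for a regular supplier."""
    sort_code: str
    account: str
    changed_at: datetime             # when the current details were last changed

@dataclass
class PaymentRequest:
    supplier: str
    amount: float
    sort_code: str
    account: str
    verified_out_of_band: bool       # confirmed by phone to a pre-established number?
    approvers: tuple = ()            # names of the people who have approved

def check_payment(req: PaymentRequest, register: dict, now: datetime) -> list:
    """Return reasons the payment must be held; an empty list means it may proceed."""
    reasons = []
    record = register.get(req.supplier)
    if record is None:
        reasons.append("supplier not in the verified register")
    elif (req.sort_code, req.account) != (record.sort_code, record.account):
        reasons.append("bank details do not match the register: hold for manual verification")
    elif now - record.changed_at < COOLING_OFF:
        reasons.append("bank details changed inside the cooling-off period")
    if not req.verified_out_of_band:
        reasons.append("no out-of-band confirmation recorded")
    # set() so the same person approving twice does not count as dual authorisation
    if req.amount > DUAL_AUTH_THRESHOLD and len(set(req.approvers)) < 2:
        reasons.append("amount exceeds threshold: two distinct approvers required")
    return reasons

# Constructed register and reference time (not real data)
NOW = datetime(2024, 6, 3, 9, 0)
REGISTER = {
    "Acme Ltd": SupplierRecord("12-34-56", "12345678", NOW - timedelta(days=30)),
    "Beta Solicitors": SupplierRecord("65-43-21", "87654321", NOW - timedelta(hours=10)),
}
```

A request to Beta Solicitors is held even when its details match the register, because those details were changed ten hours ago and the cooling-off period has not elapsed.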
Consider requiring your key suppliers and professional service firms to demonstrate their own email security measures. Ask whether they have implemented DMARC, whether they enforce multi-factor authentication on their email accounts, and whether they have cyber security insurance and incident response procedures. A supplier whose email security is weak represents a direct risk to your organisation, regardless of how strong your own defences are. For high-value relationships — solicitors handling property transactions, accountants with access to financial data, IT providers with privileged access to your systems — include email security requirements in your contracts and conduct periodic reviews of their compliance.
The NCSC's supply chain security guidance provides a practical framework for assessing and managing these third-party risks. For UK businesses operating in regulated sectors, demonstrating that you have assessed and mitigated supply chain cyber risks is increasingly becoming a regulatory expectation rather than simply best practice.
Responding to a BEC Incident
Prepare a BEC incident response plan before you need it. If your organisation falls victim to a BEC attack, speed is absolutely critical. The chances of recovering stolen funds decrease dramatically with every hour that passes. Contact your bank immediately — most UK banks have dedicated fraud teams that can attempt to freeze and recall transferred funds if notified within 24 to 48 hours of the transfer. Report the incident to Action Fraud (the UK's national fraud and cyber crime reporting centre) and to your local police force. If the attack involved compromised email accounts, immediately change all passwords, revoke all active sessions, and review email forwarding rules that the attacker may have configured to maintain access or redirect communications.
Engage your cyber insurance provider at the earliest possible stage if you hold a cyber insurance policy. Many policies provide access to incident response specialists, forensic investigators, and legal advisers who can assist with the technical and regulatory aspects of responding to the attack. Some policies also cover the direct financial losses from BEC incidents, subject to policy terms and conditions — but claims must typically be notified within strict timeframes to maintain coverage eligibility.
Conduct a thorough post-incident investigation to understand exactly how the attack succeeded. Was it an external impersonation or a compromised internal account? What social engineering techniques were used? Which verification procedures were bypassed and why? Use the findings to strengthen your defences — update training materials, tighten verification procedures, and implement additional technical controls to address the specific vulnerability that was exploited.
Preserve all evidence from the incident for potential law enforcement investigation and insurance claims. Do not delete the fraudulent emails, and retain complete email headers and any associated attachments. If the attack involved a compromised internal account, work with your IT team or managed service provider to capture forensic logs including login times, source IP addresses, email forwarding rules that were created, and any data that was accessed or exfiltrated during the period of compromise. This evidence may be critical for law enforcement investigation, insurance claims, and for understanding the full scope of the breach beyond the immediate financial loss.
Finally, consider your notification obligations under UK GDPR. If the BEC incident involved personal data — for example, if employee bank details were shared with the attacker as part of a payroll diversion, or if customer information was exposed through a compromised email account — you may be required to notify the ICO within 72 hours and affected individuals without undue delay. Document the incident thoroughly, including the timeline, the data affected, and the remedial actions taken.
Strong BEC Defences
- DMARC reject policy preventing domain spoofing
- MFA on every email account without exceptions
- Out-of-band verification for all payment requests
- Dual authorisation for high-value transactions
- Regular BEC-specific awareness training
- Anti-impersonation email policies configured
Common BEC Vulnerabilities
- No DMARC or DMARC in monitor-only mode
- MFA not enforced for senior executives
- Payments approved based solely on email requests
- Single person authorising large transfers alone
- Generic security awareness with no BEC focus
- No impersonation protection configured
Protect Your Business from Email Compromise
Cloudswitched helps UK businesses implement comprehensive BEC defences — from DMARC configuration and MFA enforcement to advanced email security, employee training, and payment verification procedures. Do not wait until your organisation becomes a victim. Contact us for a free email security assessment to identify where your vulnerabilities are and how to address them.
