A finance team receives an urgent payment request from what looks like the CEO's inbox. The address is almost right, the tone matches previous messages, and there is no malicious link for filters to catch.
That is how Business Email Compromise (BEC) often works: targeted impersonation designed to bypass everyday email controls and push staff into approving transfers or sharing sensitive data.
The Cyber Security Breaches Survey 2024 found that 84% of businesses and 83% of charities had experienced a phishing attack in the past 12 months (2023/24).
Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is a targeted form of phishing where criminals use email to deceive employees into transferring funds or sharing sensitive information.
Unlike broad phishing campaigns, BEC attacks are highly specific. They often involve research to convincingly impersonate trusted individuals, suppliers, or advisers.
BEC attacks often look legitimate because they mimic real relationships and rarely carry obvious malware.
Recognising the main attack forms helps teams spot when a message is trying to exploit trust rather than exploit a technical flaw.
BEC Attack Forms
BEC attacks can take several forms:
Executive impersonation: Attackers pose as high-ranking executives, requesting urgent wire transfers or access to confidential data.
Data theft: Attackers seek sensitive information such as employee tax forms or customer records.
Legal impersonation: Scammers pose as lawyers or legal representatives, often citing urgent, confidential matters.
What makes BEC especially dangerous is its ability to evade traditional email security measures.
These attacks often contain no malicious attachments or links, which makes them harder for standard filters to detect.
"BEC succeeds when technology, process, and staff awareness do not line up. Organisations need layered email controls and clear verification steps for payment and data requests."
The scale of reported losses explains why BEC sits near the top of many risk registers.
The Scale of the Problem
Reported losses and incident volumes show why BEC remains a priority for security and finance teams:
Global losses: The FBI reports that losses from BEC or EAC surpassed $43 billion globally in reported incidents between June 2016 and December 2021.
UK phishing exposure: The Cyber Security Breaches Survey 2024 found that 84% of businesses and 83% of charities experienced phishing in the past 12 months.
Growing threat: The FBI reported that BEC losses increased by 65% between July 2019 and December 2021.
Widespread issue: In 2021, the FBI's Internet Crime Complaint Center received 19,954 BEC/EAC complaints.
Cost of breaches: IBM's research puts the average cost of a data breach at more than $4.45 million, with phishing and social engineering among the common attack paths.
These figures come from different reporting routes, but together they show why finance and security teams treat BEC as a priority.
Where The Data Comes From
UK survey data shows how common phishing remains, while FBI reporting highlights the financial scale of BEC and EAC incidents globally.
High-value incidents show how BEC tactics vary by sector, target, and fraud method.
Real-World Examples of BEC Attacks
These incidents show how varied BEC tactics can be:
Facebook and Google: Defrauded of more than $100 million by a fraudster impersonating a hardware vendor.
Ubiquiti Networks: Lost $46.7 million in a vendor fraud scheme.
Real estate fraud: Developer Sefri-Cime lost €38 million in a scam linked to an international fraud ring.
"BEC attacks are highly targeted and can cause significant financial losses. Firms need stronger verification before approving payment changes or releasing sensitive information."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
UK guidance brings those risks into a practical control framework for organisations of different sizes.
UK Guidance on Business Email Compromise
The NCSC published dedicated BEC guidance to help organisations reduce impersonation, payment fraud, and account takeover risk.
That guidance sits alongside wider UK reporting such as the Cyber Security Breaches Survey 2024, which shows how common phishing remains and where control adoption is improving.
1. Prioritising Cyber Security
The survey found that 80% of UK businesses continue to rate cyber security as a high priority.
However, charity sector prioritisation has dropped significantly - from 82% in 2022 to 63% in 2024.
2. Implementing Technical Controls
Survey data also shows several technical controls becoming more common among UK organisations:
83% of firms now use up-to-date malware protection (up from 76%).
73% apply admin rights restrictions (up from 67%).
75% use network firewalls (up from 66%).
54% have phishing response processes (up from 48%).
These figures reverse a trend of declining controls, especially among small businesses.
3. Staff Training and Awareness
Employee education remains central to BEC prevention:
Deliver frequent cyber awareness training.
Run simulated phishing tests.
Set policies for email and financial request handling.
Payment diversion requests deserve extra scrutiny because they are a common BEC payout route.
Checks Before Approving Payment Requests
Does the request match your usual approval process?
Has payment detail change been verified on a separate channel?
Would a senior executive normally send this request in this way?
Technical controls then add another layer against account takeover and spoofed sender activity.
4. Multi-Factor Authentication (MFA)
MFA helps protect email accounts, particularly those used by senior executives or finance teams.
Implementing MFA across accounts limits the risk of email account compromise, which is a common first step in BEC.
5. Email Authentication Protocols
To help prevent spoofed email messages, the NCSC guidance recommends implementing:
SPF (Sender Policy Framework)
DKIM (DomainKeys Identified Mail)
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Since vendor fraud is a common BEC tactic, organisations should:
Verify any changes to supplier payment details via a secondary channel.
Use different communication channels for financial approvals.
Review and audit vendor communications regularly.
7. Incident Response Planning
Incident response plans should include procedures for:
Reporting suspicious messages and behaviour.
Freezing or reversing unauthorised payments.
Notifying internal stakeholders and law enforcement.
Clear communication protocols for notifying relevant stakeholders can reduce confusion during a suspected BEC incident.
8. Regular Security Assessments
Security assessments help identify gaps in BEC readiness:
Conduct regular vulnerability scans and penetration tests.
Review email protection configurations.
Assess staff knowledge and adherence to processes.
9. Collaboration With Law Enforcement
The guidance encourages reporting BEC attempts to law enforcement such as Action Fraud.
Reporting helps authorities track patterns, investigate incidents, and support recovery efforts where possible.
"When a BEC incident happens, speed matters. Reporting quickly gives law enforcement a better chance of tracing funds and helps firms build a clearer picture of what went wrong."
Guidance only helps when it is translated into day-to-day process, ownership, and review.
Implementing the Guidance: Challenges and Best Practices
Putting BEC guidance into action takes coordination across leadership, IT, finance, and frontline teams. These steps help address common implementation hurdles.
1. Secure Leadership Buy-In
Gaining senior support is key:
Present data on BEC financial impact.
Explain potential reputational harm.
Show the return on investment from mitigation efforts.
2. Tailor Solutions to Organisational Size
Small and medium-sized enterprises (SMEs) may need to:
Focus on cost-effective, high-impact solutions.
Outsource security functions to managed providers if necessary.
Prioritise foundational controls before expanding further.
3. Address the Human Factor
Since BEC attacks often rely on human error, organisations should:
Promote a culture of security awareness.
Share clear guidance for handling emails and payment requests.
Encourage employees to question suspicious or unusual instructions.
Process and culture changes work best when they are supported by the right tooling.
A questioning culture helps most when payment and data requests have a clear verification route.
Technology should reinforce those checks rather than replace them.
4. Leverage Technology
Technology complements human vigilance:
Use secure email tools that add encryption, authentication, and delivery evidence.
Deploy email filtering and quarantining systems.
Implement endpoint detection and response (EDR) to flag anomalies.
5. Continuously Refine
Cyber threats evolve - so should your defences:
Review policies and training regularly.
Stay current on new scam techniques.
Conduct post-incident reviews and adjust controls as needed.
Compliance With Existing Regulations
In regulated industries, BEC controls should sit within existing compliance and data protection frameworks. This section is general guidance, not legal advice.
Financial Services
FCA-regulated firms are expected to manage operational and cyber risks proportionately and protect sensitive financial data.
BEC countermeasures can support those expectations when they are built into payment verification, access control, and incident reporting workflows.
Healthcare
Healthcare organisations must comply with the Data Protection Act 2018 and UK GDPR requirements.
BEC safeguards can help reduce the risk of unauthorised disclosure of patient information.
Compliance teams should work closely with IT and security leaders to make sure cyber controls meet both regulatory expectations and day-to-day operational needs.
Securing Email Threads to Prevent Impersonation
Securing email threads between your team and customers helps reduce impersonation risk when sensitive information or payment instructions are exchanged by email.
Secure email solutions with AES-256 encryption, recipient authentication, and multi-factor verification can add safeguards by controlling who can open a message and creating evidence of access.
Advanced encryption helps protect email content and attachments in transit and at rest, so only intended recipients with the right access can read them.
Recipient authentication and MFA: SMS codes, Q&A challenges, and other verification steps can confirm identity before access is granted.
Even if credentials are compromised, these controls can reduce the chance that an impersonator can read or respond to sensitive messages.
Mailock is relevant where firms want to keep email as the delivery route while adding encryption, recipient authentication, secure replies, and message tracking for sensitive customer communications.
What To Do Next
BEC remains a major risk for UK organisations because it targets trust, urgency, and routine payment workflows.
Practical priorities include:
Prioritise cyber security organisation-wide.
Apply technical controls to reduce spoofing and account takeover.
Train employees to recognise and report suspicious activity.
Adopt secure email controls where sensitive information is sent outside the organisation.
Review controls regularly, stay current on impersonation tactics, and make verification steps easy for staff to follow under pressure.
FAQs
What Is Business Email Compromise?
Business email compromise is a fraud pattern where attackers use email accounts or impersonation to redirect payments, data, or decisions.
Which Controls Does UK Guidance Emphasise?
The article highlights cyber security ownership, technical controls, MFA, staff awareness, and incident response planning.
Why Does Outbound Email Matter in BEC Risk?
Payment instructions, documents, and sensitive requests often leave the organisation by email, so verification and secure sending can reduce opportunities for impersonation.
Sabrina McClune writes about cybersecurity, data protection, digital identity, and digital transformation for Beyond Encryption, helping regulated sectors understand complex technology and compliance topics with greater clarity.
Sabrina McClune
.svg)
Previous post