
Business Email Compromise: The New UK Guidance

Business Email Compromise (BEC) has emerged as a critical concern for organisations, becoming one of the most financially devastating cyber threats in the UK and globally.

As BEC tactics evolve, they pose an increasing challenge not only for cybersecurity professionals but also for employees who are often the first line of defence.

The government's Cyber Security Breaches Survey 2024 found that, among organisations that identified a breach or attack in the previous 12 months, 84% of businesses and 83% of charities had experienced phishing.

Recognising this, the National Cyber Security Centre has issued new guidance to help organisations strengthen their defences.

We’ll explore the nuances of BEC, the latest UK recommendations, and how you can protect your communications from this growing threat.

Understanding Business Email Compromise

Business Email Compromise (BEC) is a targeted form of phishing in which criminals use email to deceive employees into transferring funds or sharing sensitive information. It is often grouped with Email Account Compromise (EAC), where the attacker takes over a genuine mailbox rather than spoofing or imitating one.

Unlike broad phishing campaigns, BEC attacks are highly specific. They often involve meticulous research to convincingly impersonate trusted individuals or organisations.


BEC Attack Forms

BEC attacks can take several forms:

  • Executive impersonation: Attackers pose as high-ranking executives, requesting urgent wire transfers or access to confidential data.
  • Vendor fraud: Criminals impersonate legitimate suppliers, requesting changes to payment details.
  • Data theft: Attackers seek to obtain sensitive information such as employee tax forms or customer data.
  • Legal impersonation: Scammers pose as lawyers or legal representatives, often citing urgent, confidential matters.

What makes BEC especially dangerous is its ability to evade traditional email security measures.

These attacks often contain no malicious attachments or links. The deception lies in the sender identity (a spoofed display name, a lookalike domain, a Reply-To that steers replies elsewhere, or a genuinely compromised mailbox) and in the wording of the request, so filters that look for malware and bad URLs have little to catch.
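The header-level signals described above can be checked mechanically. The script below is an added example, not code from the page or from Beyond Encryption: it parses a raw message and flags the classic BEC indicators (display-name impersonation of a known executive, a lookalike sender domain, a Reply-To domain that differs from the visible sender, and urgent payment language with no link or attachment). The corporate domain, the executive directory and both messages are constructed for illustration.

```python
"""Header heuristics for payload-free BEC lures (added example).

Works on raw RFC 822 text so it runs offline. CORPORATE_DOMAIN, EXECUTIVES
and the two sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
import re

CORPORATE_DOMAIN = "example.com"                       # hypothetical
EXECUTIVES = {"Jane Smith": "jane.smith@example.com"}  # hypothetical directory
URGENCY = re.compile(r"\b(urgent|wire|transfer|payment|bank details|confidential)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> list[str]:
    """Return the BEC indicators found in one message, in check order."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. Display name matches a known executive but the address does not.
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        findings.append("display-name-impersonation")

    # 2. Sender domain is a near miss of our own (typo squat or homoglyph).
    if from_domain and from_domain != CORPORATE_DOMAIN and levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Replies are steered to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Urgent money language with no link and no attachment: nothing for a
    #    malware or URL filter to act on, which is the BEC pattern.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}"
    if not msg.is_multipart() and URGENCY.search(text) and not re.search(r"https?://", body):
        findings.append("payload-free-urgency")
    return findings


# Constructed sample messages (not real traffic).
LURE = """\
From: Jane Smith <jane.smith@examp1e.com>
Reply-To: Jane Smith <js.ceo.office@freemail.example>
To: finance@example.com
Subject: Urgent wire transfer before close of business

I am in a meeting and cannot talk. Please arrange a payment to the new
supplier today and keep this confidential. I will send the bank details shortly.
"""

LEGIT = """\
From: Jane Smith <jane.smith@example.com>
To: finance@example.com
Subject: Board pack for Thursday

Final version of the board pack is in the shared drive folder.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, analyse(raw))
```

The fourth indicator is deliberately weak on its own (a genuine invoice reminder will trigger it); in practice it is the combination with an identity mismatch that should route a message to a human for the out-of-band check described later in this article.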

“The sophisticated nature of BEC attacks means that organisations must adopt a multi-layered approach to email security. It's not just about technology but also about vigilance among staff.”

Michael Wakefield, CTO, Beyond Encryption

The Scale of the Problem

Recent statistics highlight the significant impact of BEC on UK and global organisations:

  • Global losses: The FBI reports that exposed losses from BEC/EAC reported to its Internet Crime Complaint Center between June 2016 and December 2021 surpassed $43 billion globally.
  • UK impact: The Cyber Security Breaches Survey 2024 found that 84% of UK businesses that identified a cyber attack in the previous 12 months had experienced phishing, the delivery mechanism for BEC.
  • Growing threat: Identified global exposed losses from BEC increased by 65% between July 2019 and December 2021.
  • Widespread issue: In 2021, the FBI's Internet Crime Complaint Center received 19,954 BEC/EAC complaints.
  • Cost of breaches: IBM puts the average cost of a data breach at $4.45 million (2023), with phishing and BEC among the most common and most costly initial attack vectors.


Real-World Examples of BEC Attacks

To understand the scale and variety of BEC threats, consider the incidents cited in the references below: a Toyota parts supplier lost around $37 million to an email scam in 2019; Ubiquiti Networks reported a $39 million loss in 2015 to fraudulent requests that impersonated its own employees; a Franco-Israeli gang was linked in 2023 to a $40 million CEO scam; and in 2023 a man pleaded guilty to using impersonation emails to steal around 1,000 unpublished manuscripts, a reminder that BEC is not only about money.

“BEC attacks are highly targeted and can cause significant financial losses. Companies need to enhance their verification processes, especially when dealing with high-value transactions.”

Paul Holland, CEO, Beyond Encryption

The New UK Guidance

In response to the rising threat of BEC, the National Cyber Security Centre (NCSC) published guidance in 2024 on defending organisations against business email compromise. The government's Cyber Security Breaches Survey 2024, released the same year, provides the figures quoted in this section on how UK organisations are responding.

The guidance helps organisations boost cyber resilience, particularly in combating impersonation and fraud attempts.

1. Prioritising Cyber Security

The report found that 80% of UK businesses continue to rate cyber security as a high priority.


However, charity sector prioritisation has dropped significantly - from 82% in 2022 to 63% in 2024.

2. Implementing Technical Controls

The survey shows that adoption of the baseline technical controls the guidance builds on has risen:

  • 83% of firms now use up-to-date malware protection (up from 76%).
  • 73% apply admin rights restrictions (up from 67%).
  • 75% use network firewalls (up from 66%).
  • 54% have phishing response processes (up from 48%).

These figures reverse a trend of declining controls, especially among small businesses.

3. Staff Training and Awareness

Employee education is vital for preventing BEC:

  • Deliver frequent cyber awareness training.
  • Run simulated phishing tests.
  • Set policies for email and financial request handling.


4. Multi-Factor Authentication (MFA)

MFA is essential for protecting email accounts, particularly those of senior executives or finance teams.

Enabling it on every account means a stolen password alone is no longer enough to take over a mailbox, which is a common first step in BEC. Where possible, prefer phishing-resistant methods such as FIDO2 security keys or passkeys: one-time codes and push approvals can be relayed, or prompted out of users, by real-time phishing kits.

5. Email Authentication Protocols

To help prevent spoofed email messages, the guidance recommends implementing:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Publishing the records is only the first step. A DMARC policy of p=none reports spoofing but blocks nothing, so move to quarantine and then reject once the aggregate reports show your legitimate senders are aligned. Note too that these protocols stop others spoofing your exact domain; they do nothing against a lookalike domain or a genuinely compromised mailbox, which is why the people and process controls still matter.
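The weak settings a reviewer looks for in these records are easy to check once the records are in hand. The script below is an added example (not code from the page, the NCSC or Beyond Encryption): it parses SPF and DMARC TXT records and reports the postures that leave a domain spoofable, such as a pass-all or neutral SPF catch-all, more than ten lookup mechanisms, a DMARC policy of none, a partial pct, a missing aggregate-report address, or a subdomain policy weaker than the organisational one. The domains and TXT records are constructed stand-ins for DNS answers so that it runs offline.

```python
"""SPF and DMARC record posture check (added example).

TXT_RECORDS is a constructed stand-in for DNS answers; the .example domains
are hypothetical. Replace lookup_txt() with a real resolver to audit a live domain.
"""

TXT_RECORDS = {
    # "+all" lets any host on the internet pass SPF, and there is no DMARC at all.
    "open.example": ["v=spf1 a mx +all"],
    # Monitoring-only posture: neutral catch-all, p=none on half the mail, no reports.
    "weak.example": ["v=spf1 include:_spf.mailhost.example a mx ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    # Enforcing posture.
    "strong.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4


def lookup_txt(name: str) -> list[str]:
    """Stand-in for a DNS TXT query against the constructed table."""
    return TXT_RECORDS.get(name.lower(), [])


def check_spf(domain: str) -> list[str]:
    issues = []
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["spf:missing"]
    if len(records) > 1:
        issues.append("spf:multiple")  # more than one record is a permerror
    terms = records[0].split()[1:]
    lookups, terminal = 0, None
    for term in terms:
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if mech in LOOKUP_MECHS:
            lookups += 1  # each costs a DNS lookup; more than 10 is a permerror
        if mech == "all":
            terminal = qualifier
    if lookups > 10:
        issues.append("spf:lookups>10")
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if terminal is None and not has_redirect:
        issues.append("spf:no-terminal")  # unlisted hosts get neutral by default
    elif terminal in ("+", "?", "~"):
        issues.append(f"spf:{terminal}all")  # only -all actually rejects
    return issues


def check_dmarc(domain: str) -> list[str]:
    records = [r for r in lookup_txt(f"_dmarc.{domain}") if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return ["dmarc:missing"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("dmarc:p=none")  # reporting only, nothing quarantined or rejected
    if int(tags.get("pct", "100")) < 100:
        issues.append("dmarc:pct<100")  # policy applied to a sample of failing mail
    if "rua" not in tags:
        issues.append("dmarc:no-rua")  # no aggregate reports, so no visibility
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK.get(policy, 0):
        issues.append("dmarc:sp-weaker")  # subdomains can still be spoofed
    return issues


def audit(domain: str) -> dict[str, list[str]]:
    return {"spf": check_spf(domain), "dmarc": check_dmarc(domain)}


if __name__ == "__main__":
    for name in ("open.example", "weak.example", "strong.example"):
        print(name, audit(name))
```

The check reads one record in isolation, so the lookup count is a lower bound: nested include: records add their own lookups and must be followed to get the true total. DKIM is not covered here because its public keys live under selector-specific names that a passive check cannot enumerate.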

6. Vendor Management

Since vendor fraud is a common BEC tactic, organisations should:

  • Verify any change to supplier bank or payment details by phoning a contact number already held on file, never one supplied in the email requesting the change.
  • Approve large or unusual payments through a channel other than email, with a second person signing off.
  • Review and audit vendor communications regularly, including checking for supplier domains that differ subtly from the ones on record.

7. Incident Response Planning

Incident response plans should include procedures for:

  • Reporting suspicious messages and behaviour.
  • Contacting your bank immediately to stop or recall unauthorised payments.
  • Notifying internal stakeholders and law enforcement.


8. Regular Security Assessments

Security assessments help identify gaps in BEC readiness:

  • Conduct regular vulnerability scans and penetration tests.
  • Review email authentication (SPF, DKIM, DMARC) and mail-filtering configurations.
  • Assess staff knowledge and adherence to processes.

9. Collaboration With Law Enforcement

The guidance encourages reporting BEC attempts to law enforcement. In the UK, attempted or successful fraud is reported to Action Fraud (or Police Scotland in Scotland), and suspicious emails can be forwarded to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk.

This helps authorities track, investigate, and recover funds where possible.

“It's crucial for organisations to report BEC incidents to law enforcement quickly. This not only helps in potentially recovering lost funds but also aids in understanding and mitigating the broader threat landscape.”

Adam Byford, CCO, Beyond Encryption

Implementing the New Guidance: Challenges and Best Practices

Putting the new BEC guidance into action can be complex. Here’s how to overcome common hurdles and adopt best practices.

1. Secure Leadership Buy-In

Gaining senior support is key:

  • Present data on BEC financial impact.
  • Explain potential reputational harm.
  • Show the return on investment from mitigation efforts.

2. Tailor Solutions to Organisational Size

Small and medium-sized enterprises (SMEs) may need to:

  • Focus on cost-effective, high-impact solutions.
  • Outsource security functions to managed providers if necessary.
  • Prioritise foundational controls before expanding further.

3. Address the Human Factor

Since BEC attacks often rely on human error, organisations should:

  • Promote a culture of security awareness.
  • Share clear guidance for handling emails and payment requests.
  • Encourage employees to question suspicious or unusual instructions.


4. Leverage Technology

Technology complements human vigilance:

  • Use secure email tools with built-in BEC protection.
  • Deploy email filtering and quarantining systems.
  • Monitor mailboxes and sign-in logs for the signs of a compromised account, such as newly created forwarding or deletion rules and logins from unfamiliar locations; endpoint detection and response (EDR) complements this but will not see a BEC that involves no malware.

5. Continuously Refine

Cyber threats evolve - so should your defences:

  • Review policies and training regularly.
  • Stay current on new scam techniques.
  • Conduct post-incident reviews and adjust controls as needed.

Compliance With Existing Regulations

In regulated industries, integrating the new BEC guidance with existing compliance frameworks is essential.

Financial Services

The Financial Conduct Authority (FCA) requires firms to maintain strong cyber resilience and protect sensitive financial data.

BEC countermeasures should be part of operational risk frameworks and align with FCA standards.


Healthcare

Healthcare organisations such as the NHS must comply with the Data Protection Act 2018 and UK GDPR.

Implementing BEC safeguards helps protect patient information and maintain regulatory compliance.

Legal Services

Law firms are bound by the SRA Code of Conduct to protect client data.

BEC prevention is crucial for securing sensitive legal correspondence and transactions.

Compliance teams should work closely with IT and security leaders to make sure cyber controls meet both regulatory and operational needs.

Securing Email Threads to Prevent Impersonation

Securing email threads between your team and customers is critical for preventing BEC.

Secure email solutions with end-to-end encryption and multi-factor authentication (MFA) prevent impersonation by verifying identity at every step.

End-to-end encryption: Scrambles the content of emails and attachments so that only the intended recipients can read them, protecting a thread against eavesdropping and against exposure through a compromised relay or mailbox. Encryption alone does not prove who sent a message; that assurance comes from verifying the identity of the people reading and replying, which is where MFA comes in.


Multi-factor authentication (MFA): Adds extra verification layers like SMS codes or custom Q&A prompts to confirm identity before access is granted.

This ensures that even if credentials are compromised, only verified individuals can read or respond to messages - making email threads secure and trusted.

These controls not only reduce BEC risk but also improve customer confidence in your communication security.

Key Takeaways

Business Email Compromise (BEC) continues to pose a major risk to UK organisations across sectors.

The financial and reputational consequences of a successful attack can be severe, making it critical to act.

UK government guidance offers a valuable roadmap for protection. Key takeaways include:

  • Prioritise cyber security organisation-wide.
  • Apply technical controls to stop impersonation attempts.
  • Train employees to recognise and report suspicious activity.
  • Use MFA and email authentication protocols.
  • Build secure vendor verification processes.
  • Develop and rehearse incident response plans.
  • Adopt advanced technology to bolster defences.

Cyber security is an ongoing process. Stay proactive, conduct regular reviews, and empower your people with knowledge and tools to stay secure.


References

UK Cyber Security Statistics for 2024, Agility Cyber, 2024

Business Email Compromise Examples, Tessian, 2024

Defending Your Business from Email Compromise, Brearley & Co, 2024

The Cost of a Data Breach, IBM, 2023

Franco-Israeli Gang Linked to $40 Million CEO Scam, HackRead, 2023

NCSC Blog on BEC Guidance, NCSC, 2024

NCSC Guidance on Defending Against BEC, NCSC, 2024

Business Email Compromise: The $43 Billion Scam, FBI, 2022

Toyota Parts Supplier Hit by $37 Million Email Scam, Forbes, 2019

Internet Crime Report, FBI, 2021

Cyber Security Breaches Survey 2024, Gov.uk, 2024

Business Email Compromise, Mesh Security, 2024

The Latest Phishing Statistics, AAG IT Services, 2024

Protect Against BEC Scams, Sentio Insurance, 2024

How to Defend Your Business from Email Compromise, Ross-Brooke, 2024

Real-World Business Email Compromise Scams, Proofpoint, 2024

NCSC's New Guidance on BEC, 4th Platform, 2024

UK NCSC Guidance on BEC, DataGuidance, 2024

Ubiquiti Networks Victim of $39 Million Attack, CSO Online, 2015

Man Pleads Guilty to Stealing 1,000 Manuscripts, The Guardian, 2023

Reviewed by

Sam Kendall, 02.07.24


Originally posted on 24 06 24
Last updated on June 20, 2025

Posted by: Sabrina McClune

Sabrina McClune is a Women in Tech Excellence 2022 finalist who writes extensively on cybersecurity, digital transformation, data protection, and digital identity. With a postgraduate degree in Digital Marketing (Distinction) and a First-Class Honours degree in English, she combines a strong academic foundation with professional expertise. At Beyond Encryption, Sabrina develops research-led content that supports financial and technology sectors navigating the complexities of the digital age.
