Business Email Compromise on Email
Criminals hijack or spoof corporate email accounts to impersonate executives, suppliers, or finance staff and trick a company into making fraudulent payments.
Part of: Business Email Compromise (BEC)
Last reviewed: 1 June 2026
Email is the native environment for business email compromise (BEC). It is where invoices arrive, where payment approvals happen, and where staff are conditioned to act on written instructions from people they recognise. Fraudsters exploit that trust by either compromising a genuine mailbox or crafting a near-identical lookalike address.
Because email carries no built-in proof of who actually wrote a message (SPF, DKIM and DMARC, where deployed, authenticate only the sending domain, not the person, and mail sent from a hijacked mailbox passes all three), a message that appears to come from a known colleague or vendor carries enormous authority. A single convincing email asking for a wire transfer or a change of bank details can move large sums before anyone notices something is wrong.
How this scam works on Email
An attacker first studies the organisation, often by reading public information about its leadership and finance team. They then either gain access to a real inbox through stolen credentials or register a lookalike domain that differs from the legitimate one by a character or two (a swapped letter, a digit 1 in place of an l, or a different top-level domain). From there they insert themselves into an existing email thread or start a fresh one; with a hijacked mailbox, they commonly add inbox rules that hide the victim's replies so the impersonated person never sees the thread.
The email typically requests an urgent payment, a change to supplier banking details, or the release of sensitive data. Language mirrors normal internal correspondence, and the sender may reference real projects to appear authentic. Pressure is applied through deadlines or claims of confidentiality.
When finance staff comply, funds are routed to an account controlled by the criminal and quickly moved onward. The breach is often discovered only when the genuine supplier chases an unpaid invoice or the impersonated executive denies sending the request.
Common red flags
- Sender address uses a lookalike domain, or the display name matches a known person but the underlying address does not belong to them
- A sudden request to change a supplier's bank account details
- Urgency and secrecy framed as a confidential executive instruction
- Reply-To header points to a different address or domain than the visible sender, so replies silently go to the attacker
- Requests that bypass normal payment-approval procedures
- Slightly unusual phrasing or tone compared with the person's normal emails
- Pressure to complete a wire transfer before a fast-approaching deadline
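Added example, not code from the original page: a small Python triage script that applies three of the red flags above (lookalike sender domain, display-name impersonation, and a Reply-To that does not match the From address) plus a crude urgency and bank-change keyword check to raw RFC 5322 messages. The organisation domain example-corp.com, the executive names and the three sample messages are constructed for illustration; the homoglyph table and two-edit threshold are assumptions you would tune for your own domain.

```python
"""Header-based BEC triage for raw email messages.

Added example, not part of the original page. The trusted domain, the
executive names and the sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's real domain and the people most often impersonated.
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe", "john smith"}
# Assumed substitutions that make a registered lookalike read like the real domain.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
# Assumed phrases typical of the pressure and bank-change language in BEC mail.
URGENCY = ("urgent", "confidential", "today", "immediately", "new bank")


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common visual substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains one or two edits off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is untrusted but, after normalisation, is within
    two edits of a trusted domain (e.g. examp1e-corp.com, exampl-corp.com)."""
    if domain in TRUSTED_DOMAINS:
        return False
    norm = normalise(domain)
    return any(edit_distance(norm, t) <= 2 for t in TRUSTED_DOMAINS)


def triage(raw: str) -> list[str]:
    """Return the red flags found in one raw message; an empty list means none."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if is_lookalike(from_domain):
        flags.append(f"lookalike sender domain: {from_domain}")
    if name.lower() in EXECUTIVES and from_domain not in TRUSTED_DOMAINS:
        flags.append(f"display name '{name}' with external address {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append(f"Reply-To domain differs from From: {reply}")
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode(errors="replace")).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        flags.append("urgency/bank-change language: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 forecast

Attached as discussed.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: finance@example-corp.com
Subject: Urgent wire today

Please process the supplier's new bank details immediately. Keep this confidential.
"""

HIJACKED = """From: Jane Doe <jane.doe@example-corp.com>
Reply-To: jane.doe@mail-relay-example.net
To: finance@example-corp.com
Subject: Invoice

Can you confirm payment today?
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("hijacked", HIJACKED)):
        print(label, "->", triage(raw) or ["no flags"])
```

The hijacked case is the one to note: the From address is genuine, so domain checks pass and only the Reply-To mismatch and the body language give it away, which is why the page's process controls (call-back on a known number, dual authorisation) matter more than any header filter.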
How to protect yourself
- Verify any change of bank details by calling a phone number already on file for the supplier, never one given in the email itself
- Require dual authorisation for payments above a defined threshold
- Enable multi-factor authentication on all corporate mailboxes
- Configure email banners that flag messages from outside the organisation
- Train finance staff to treat urgency and secrecy as warning signs
- Confirm executive payment requests through a second, independent channel
How to report it
- Report the incident to your national cybercrime or fraud reporting centre
- Notify your bank immediately to attempt recall of any transferred funds
- Preserve the original emails and headers, and alert your IT security team
Frequently asked questions
How can a BEC email look exactly like it came from my boss?
Attackers either take over the genuine mailbox using stolen credentials or register a lookalike domain that is almost identical. Display names are easy to fake, so the visible 'From' name alone is never proof of identity. Always verify unusual requests through a separate channel.