Business Email Compromise via Bank Transfer
How BEC fraud intercepts or impersonates business email to redirect legitimate bank transfers to scammer-controlled accounts, and the verification steps that prevent it.
Part of: Business Email Compromise (BEC)
Last reviewed: 1 June 2026
Business email compromise (BEC) fraud is distinct from most online scams in that it does not rely on tricking someone into an unusual transaction — it intercepts a payment that was already going to happen. By compromising or impersonating a finance contact, supplier, or executive, the attacker simply changes the bank account details in a routine transfer instruction. The victim believes they are paying a known counterparty; the funds go to the scammer.
Bank transfer is the target payment method because it is how most large business payments move, and because business bank transfers typically lack the chargeback rights available on card payments. This guide covers how BEC attacks are structured, the email red flags, and the verification protocols that stop them.
How this scam works on bank transfer
The attack usually begins with access to a legitimate email account — gained through phishing, credential stuffing, or a compromised mail server — or through creation of a convincing lookalike domain (company-name.com vs companyname.com). The attacker monitors email for scheduled payments and times an intervention.
A typical scenario: a supplier sends a genuine invoice; the attacker intercepts it and replies (or sends a separate email from a near-identical address) with 'updated bank details' citing a routine reason — account migration, auditor request, banking change. The finance team, under routine time pressure, processes the transfer to the new account without calling the supplier to verify.
Executive impersonation (sometimes called 'CEO fraud') is a variant: an email appearing to come from the CEO or CFO requests an urgent confidential transfer, often citing a merger, regulatory matter, or time-sensitive deal. The instruction to keep it confidential is specifically designed to bypass the normal approval process.
Common red flags
- An email requesting a change to bank account details, especially shortly before a scheduled payment
- Executive instruction for an urgent, confidential bank transfer outside normal process
- Email address that is slightly different from the known contact's address
- Unusual urgency, appeals to authority, or requests to bypass standard approval steps
- Invoice or payment instruction arriving via email rather than through the normal procurement channel
- Any pressure not to call or verify the change through other means
How to protect yourself
- Establish a policy: any bank account change requires a voice call to a pre-known number — never the number in the email
- Implement dual authorisation for all transfers above a set threshold
- Train finance staff to recognise domain lookalikes (e.g., rn vs m in a domain name)
- Enable DMARC, DKIM, and SPF on your domain to reduce impersonation of your own email
- Keep supplier account details in a separate system and require formal change requests, not email
- Encourage staff to report unusual payment requests without fear of seeming uncooperative
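A small triage check that applies the red-flag list and the lookalike-domain training point above to an incoming payment email, written here as an added example and not code from the original guide; the allowlist domains, homoglyph table and keyword patterns are constructed assumptions, and a flag means "pick up the phone", not "auto-reject".

```python
import re

# Constructed allowlist of counterparty domains (placeholders, not real suppliers).
KNOWN_DOMAINS = {"companyname.com", "acme-supplies.co.uk"}

# Substitutions a lookalike domain relies on a busy reader not noticing (rn vs m, etc.).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# Phrases from the red-flag list: account changes, urgency, secrecy, "don't call".
BANK_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|sort code)", re.I)
PRESSURE = re.compile(r"\b(urgent|immediately|confidential|do not (call|phone|discuss))\b", re.I)


def normalise(domain: str) -> str:
    """Collapse hyphens and homoglyph tricks so a lookalike compares equal to its target."""
    d = domain.lower().strip().rstrip(".").replace("-", "")   # company-name.com -> companyname.com
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)                              # cornpanyname.com -> companyname.com
    return d


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare address ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(address: str, known=KNOWN_DOMAINS) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the From: address."""
    dom = sender_domain(address)
    if not dom:
        return "unknown"
    if dom in known or any(dom.endswith("." + k) for k in known):
        return "known"       # exact match or a genuine subdomain of a known domain
    if any(normalise(dom) == normalise(k) for k in known):
        return "lookalike"   # identical to a known domain once the tricks are removed
    return "unknown"         # e.g. companyname.com.evil.example is NOT a subdomain match


def review_payment_email(sender: str, subject: str, body: str) -> list:
    """Return the red flags a finance reviewer should see before releasing payment."""
    flags = []
    verdict = classify_sender(sender)
    if verdict != "known":
        flags.append(f"sender domain {sender_domain(sender)!r} is {verdict}")
    text = subject + "\n" + body
    if BANK_CHANGE.search(text):
        flags.append("requests a change to bank account details: verify by voice call on a pre-known number")
    if PRESSURE.search(text):
        flags.append("urgency/confidentiality language: route through the normal approval process")
    return flags
```

An empty result is not a clearance: the voice-call policy still applies to every account-detail change, however clean the email looks.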
How to report it
- Contact your bank immediately — some domestic transfers can be recalled within hours through the bank's fraud team
- Report to the FBI IC3 at ic3.gov (US), Action Fraud at actionfraud.police.uk (UK), or your national equivalent
- Notify your cyber insurer if you have a policy covering BEC losses
- Report to your national cybersecurity agency — CISA (US), NCSC (UK) — as this helps broader threat intelligence
Frequently asked questions
What is the fastest way to try to recover funds after a BEC bank transfer?
Call your bank's fraud line immediately — within the same business day if possible. Request a payment recall. Also contact the receiving bank through your bank. In the US, notify the FBI IC3 and ask about the Financial Fraud Kill Chain, a rapid-response process for large BEC transfers.
Do business bank transfers have the same protection as personal ones?
In many jurisdictions, businesses have fewer automatic protections than consumers. However, the Confirmation of Payee system (UK) and similar measures in other countries add a verification layer. Always call your bank to understand what protections apply to your account type.