How does a business email compromise (invoice redirection) scam work?
In BEC fraud, criminals compromise or impersonate a business email account and intercept payment instructions, swapping real bank details for their own so funds are wired directly to them.
Last reviewed: 10 June 2026
Explanation
The attack begins with intelligence gathering. Criminals research the target company through LinkedIn, public filings, websites, and sometimes a phishing email that harvests real email credentials. They identify key relationships — which supplier the finance team pays regularly, who approves large transfers, and what the normal email style looks like.
Armed with that knowledge, they either log into a compromised real mailbox or create a look-alike domain (e.g. adding an extra letter or swapping a character). When a legitimate invoice arrives, they intercept it and resend a modified version with their bank account in place of the supplier's. Alternatively they proactively email the finance team impersonating a supplier announcing a 'bank account change'.
The payment is typically a large, one-time wire transfer — chosen because wires are harder to reverse than card payments. By the time the real supplier chases the overdue invoice and the fraud is discovered, the money has been forwarded through multiple accounts or converted. The average BEC transfer is far larger than most other fraud types.
Small and medium businesses are as frequently targeted as large ones. Prevention depends on a simple verbal call-back procedure: whenever bank details change, the finance team calls the supplier on a number they already have on record — not one provided in the same email — to confirm.
Common red flags
- An email arrives from a known contact asking to update bank account details
- The sender's email domain differs from the usual one by one or two characters
- Urgency is stressed — 'pay before end of day' or 'deal falls through if not paid today'
- The request bypasses normal approval channels or specifically asks for secrecy
- A follow-up call comes from someone who seems to already know your internal processes
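The look-alike domain, bank-detail-change and urgency flags above can be screened for automatically before a message reaches the person who releases payments. The script below is an added example written for this page, not code from the original article; the supplier domain allow-list, the sample messages and the phrase lists are constructed, and a real deployment would draw the allow-list from the vendor master file. It measures edit distance between the sender's domain and each known supplier domain (a distance of one or two characters is exactly the red flag described above) and holds any message that either comes from a look-alike domain or asks to change bank details, so that the verbal call-back is forced rather than optional.

```python
"""Screen inbound finance e-mail for BEC red flags (added example, not part of
the original page).  Supplier list, phrase lists and messages are constructed."""
import re
from typing import Dict, List, Optional, Set

# Constructed allow-list: domains of suppliers the finance team already pays.
KNOWN_SUPPLIER_DOMAINS: Set[str] = {"acme-supplies.example", "northwind.example"}

# Phrases taken from the page's red flags; \b avoids partial-word matches.
BANK_CHANGE_PATTERN = re.compile(
    r"\b(bank (account|details?)|new account|updated? (our )?(bank|payment) details)\b", re.I)
URGENCY_PATTERN = re.compile(
    r"\b(before end of day|today|urgent|immediately|falls through)\b", re.I)
SECRECY_PATTERN = re.compile(
    r"\b(confidential|do not (tell|discuss)|keep (this )?between us)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes or substitutions
    needed to turn a into b (a 1- or 2-character swap is the classic look-alike)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def lookalike_of(domain: str, known: Set[str], max_distance: int = 2) -> Optional[str]:
    """Return the known supplier domain this one imitates (distance 1..max_distance),
    or None.  An exact match is a genuine supplier, not a look-alike."""
    best = None
    for k in known:
        d = edit_distance(domain, k)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best[0] if best else None


def screen_message(sender: str, subject: str, body: str,
                   known: Set[str] = KNOWN_SUPPLIER_DOMAINS) -> Dict:
    """Flag red flags in one message and decide whether it must be held for
    the verbal call-back on a number already on record."""
    flags: List[str] = []
    domain = sender_domain(sender)
    text = f"{subject}\n{body}"
    imitated = lookalike_of(domain, known)
    if imitated:
        flags.append(f"look-alike domain {domain} imitates {imitated}")
    bank_change = bool(BANK_CHANGE_PATTERN.search(text))
    if bank_change:
        flags.append("requests change of bank details")
    if URGENCY_PATTERN.search(text):
        flags.append("urgency pressure")
    if SECRECY_PATTERN.search(text):
        flags.append("secrecy / bypass of approvals")
    # Policy from the page: any bank-detail change is verified by call-back,
    # and a look-alike sender is never trusted on the strength of the email alone.
    return {"domain": domain, "flags": flags,
            "hold_for_callback": bank_change or imitated is not None}


# Constructed sample messages: one look-alike fraud attempt, one genuine
# invoice, one internal-style pressure message without bank details.
SAMPLE_MESSAGES = [
    ("Accounts <accounts@acme-suplies.example>",          # missing 'p'
     "Updated bank details - pay before end of day",
     "Please use our new account for all future invoices."),
    ("billing@northwind.example",
     "Invoice 1042 attached",
     "Please find attached our invoice for March."),
    ("ceo@company-internal.example",
     "Urgent: vendor payment",
     "Need this wire sent today, keep this between us."),
]


def screen_samples() -> List[Dict]:
    return [screen_message(s, subj, body) for s, subj, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for result in screen_samples():
        print(result)
```

Run stand-alone it prints one dictionary per sample; the first (look-alike domain plus bank-detail change plus urgency) and any genuine supplier message that changes bank details are held, while a plain invoice from a known domain passes untouched. The urgency and secrecy flags on the third message are reported for the reviewer but do not by themselves trigger a hold, since the page's control point is the change of payment details.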
What to do now
- Never change payment details based solely on an email — always call back on a verified number already on record
- If a suspicious transfer has been made, call your bank's fraud line immediately; wire recalls are time-sensitive
- Report to your national cybercrime unit and financial regulator
- Investigate how the email account was compromised and change all credentials
- Notify the real supplier so they can also investigate and warn other clients
- Review and document your payment-authorisation procedures to add verification steps
Frequently asked questions
Is BEC only a risk for large companies?
No. Small businesses are frequently targeted because they are less likely to have formal verification procedures and the sums are still worth the effort for criminals.
Can a bank reverse a wire transfer made to a BEC fraudster?
Sometimes, if reported within hours. Banks can send a SWIFT recall request, but success depends on how quickly the receiving bank acts and whether funds have already been moved.
What is a 'man-in-the-email' attack?
A variant where criminals silently forward all mail from a compromised inbox, monitor conversations in real time, and insert fraudulent instructions at exactly the right moment.