How To Respond to Business Email Compromise (BEC)
Immediate steps a business must take after discovering a BEC attack, from recalling wire transfers to notifying affected parties.
Last reviewed: 1 June 2026
First 10 minutes
- Call your bank's fraud line immediately to attempt to recall any wire transfer
- Isolate the compromised email account — change the password and sign out all sessions
- Brief your finance and legal teams that a BEC incident is in progress
- Identify which invoices, payments, or bank-detail change requests may have been sent fraudulently
- Do not delete any emails — they are evidence
First 24 hours
- Report to the FBI IC3 at ic3.gov (US) or Action Fraud (UK) — include wire transfer details for the fastest possible intervention
- Notify any affected suppliers or clients whose payment details may have been fraudulently changed
- Engage your IT security team or an incident response firm to investigate the full extent of the breach
Contact your bank or payment provider
- Request a formal SWIFT recall and provide the receiving bank name and account details
- Ask for an emergency hold on your own outgoing wire authorisation while the investigation is ongoing
- Brief your relationship manager on the incident for case continuity
Evidence to preserve
- Preserve all relevant emails including full message headers
- Note all wire transfer details: amount, beneficiary, receiving bank, SWIFT reference
- Document who sent and received the fraudulent emails and the timeline of events
Secure your accounts and devices
- Audit email forwarding rules and auto-forward settings on all business accounts
- Enable multi-factor authentication on all email accounts — prioritise finance, CEO, and IT
- Implement a verbal callback policy for all bank-detail change requests
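The forwarding-rule audit above, worked through for an Exchange Online tenant. This is an added example, not part of the original checklist; it assumes the ExchangeOnlineManagement module is installed and the operator can read mailbox settings, and the folder-name pattern and CSV path are placeholders chosen here.

```powershell
# Added example: enumerate mailbox forwarding and inbox rules that forward,
# redirect or hide mail, the settings a BEC intruder typically plants to
# siphon invoices out and suppress the supplier's "unpaid invoice" chasers.
# Assumes the ExchangeOnlineManagement module and read access to mailboxes.
# The output is review material for the evidence file, not an automatic clean-up.
Connect-ExchangeOnline -ShowBanner:$false

$report = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding, whether set by the owner or by an admin
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $report += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Finding = 'Mailbox forwarding'
            Detail  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress) (DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward))"
        }
    }
    # Inbox rules: flag any that forward/redirect, delete, or file mail into
    # folders nobody reads (folder-name pattern is a placeholder; tune to your tenant)
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $suspicious = $rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or
                      $rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match 'RSS|Archive|Deleted|Junk')
        if ($suspicious) {
            $report += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Finding = "Inbox rule '$($rule.Name)' (Enabled=$($rule.Enabled))"
                Detail  = "ForwardTo=$($rule.ForwardTo) RedirectTo=$($rule.RedirectTo) Delete=$($rule.DeleteMessage) MoveTo=$($rule.MoveToFolder)"
            }
        }
    }
}

# Timestamped CSV for the evidence file; review every hit before removing anything
$report | Export-Csv -Path ".\bec-forwarding-audit-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
$report | Format-Table -AutoSize
```

Keep the CSV alongside the preserved message headers: a rule's creation often dates the start of the intrusion more precisely than the first fraudulent invoice does.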
Report it
- Report to your national fraud/cybercrime service
- Report to the platform, bank, or provider involved
- Keep any reference numbers you're given
Business Email Compromise is one of the costliest cybercrime categories globally. Attackers often sit silently inside a compromised inbox for weeks, learning payment schedules and supplier relationships before striking. The damage is not always discovered until a legitimate supplier chases an unpaid invoice.
The most effective long-term controls are procedural: require a phone call to a known number to verify any supplier bank detail change, and implement dual authorisation for wire transfers above a threshold. Technology alone cannot stop a well-crafted social engineering email — the process is the protection.
Frequently asked questions
Should we notify our clients that our email was compromised?
Yes, if there is any chance your email was used to send fraudulent messages to clients — for example, fake invoices with changed bank details. Prompt notification lets them reverse any misdirected payments and protects your relationship.
Do we need to report BEC to data protection regulators?
If personal data was accessed or exfiltrated as part of the compromise, you may have a legal obligation to report to your data protection authority. Take legal advice promptly.