Business Email Compromise Response
If a fraudulent email redirected a payment or impersonated your business, act quickly to contain the fraud and protect your reputation.
Last reviewed: 1 June 2026
First 10 minutes
- Call your bank's fraud line and request an urgent wire recall if funds were transferred
- Contact the counterparty (supplier, client, or employee) by phone — not email — to alert them
- Isolate the compromised email account by changing the password from a clean device
- Do not use the compromised account to communicate until it is fully secured
- Alert your IT team or IT support provider immediately
First 24 hours
- Conduct a full audit of the compromised email account for rules, forwarding, and sent items
- Notify all relevant internal staff, suppliers, and clients through verified channels
- Report to your national fraud/cybercrime service and preserve all evidence
- Notify your cyber insurance provider if you have coverage
- Engage an IT security professional for forensic analysis if the breach was significant
Contact your bank or payment provider
- Request an urgent wire recall immediately — every minute matters
- Notify the receiving bank if you can identify it
- Ask your bank about any fraud insurance or reimbursement schemes
- Implement out-of-band verification (a phone call-back to a pre-existing, verified number) for all future changes to wire instructions
Evidence to preserve
- Export the compromised email account's full activity log
- Preserve fraudulent emails with full headers intact
- Document all wire or payment instructions that may have been tampered with
- Record a timeline of events from first suspicious activity to discovery
- Keep a log of all internal and external communications about the incident
Secure your accounts and devices
- Reset passwords on the compromised account and all shared or related accounts
- Enable multi-factor authentication on all email accounts in the organisation
- Audit and remove unexpected email forwarding rules and inbox delegates
- Review DNS records for unauthorised changes (SPF, DKIM, DMARC)
- Brief staff on recognising payment-redirection fraud and internal verification procedures
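One way to carry out the inbox-rule audit called for in the first-24-hours and account-hardening steps above, as an added example that is not part of this checklist: a small Python triage function that flags the rule patterns typically left behind after a mailbox takeover (external auto-forwarding, auto-delete, stashing mail in obscure folders, finance keywords, blank rule names). The sample rules and their field names (name, forward_to, delete_message, move_to_folder, mark_as_read, subject_or_body_contains) are constructed for the example; map them onto whatever your mail platform actually exports.

```python
# Added example: triage an exported list of mailbox rules for BEC persistence
# patterns. Rule records and field names are CONSTRUCTED for illustration;
# adapt them to your mail platform's real export format.
import re

INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
FINANCE_TERMS = re.compile(r"invoice|payment|wire|bank|remit|transfer", re.I)
STASH_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                 "Deleted Items", "Junk Email", "Archive"}


def audit_inbox_rules(rules):
    """Return a list of (rule_name, reasons) for every rule that looks suspicious."""
    findings = []
    for rule in rules:
        reasons = []
        for addr in rule.get("forward_to", []):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain != INTERNAL_DOMAIN:
                reasons.append(f"forwards to external address {addr}")
        if rule.get("delete_message"):
            reasons.append("deletes matching messages")
        if rule.get("move_to_folder") in STASH_FOLDERS:
            reasons.append(f"hides messages in {rule['move_to_folder']}")
        if rule.get("mark_as_read"):
            reasons.append("marks messages read (suppresses new-mail cue)")
        keywords = " ".join(rule.get("subject_or_body_contains", []))
        if FINANCE_TERMS.search(keywords):
            reasons.append(f"matches finance keywords: {keywords}")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("blank or single-character rule name")
        if reasons:
            findings.append((rule.get("name", ""), reasons))
    return findings


# Constructed sample export: one benign rule, two typical BEC persistence rules.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_or_body_contains": ["newsletter"],
     "move_to_folder": "Reading", "forward_to": [], "delete_message": False},
    {"name": ".", "subject_or_body_contains": ["invoice", "payment"],
     "move_to_folder": "RSS Feeds", "forward_to": ["x@attacker-mail.example"],
     "delete_message": False, "mark_as_read": True},
    {"name": "cleanup", "subject_or_body_contains": ["wire", "bank details"],
     "move_to_folder": None, "forward_to": [], "delete_message": True},
]

if __name__ == "__main__":
    for name, reasons in audit_inbox_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS rule {name!r}: " + "; ".join(reasons))
```

Run it against a real export after converting the export to the same field names; every flagged rule should be removed and its creation time correlated with the account's sign-in history.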
Report it
- Report to your national fraud/cybercrime service
- Report to the FBI IC3 at ic3.gov (US) or equivalent national authority
- Notify affected counterparties formally in writing
- Keep all reference numbers and correspondence
Business email compromise (BEC) typically involves either hacking a legitimate email account to intercept and redirect payment instructions, or impersonating an executive, supplier, or client to trick staff into transferring funds. Losses can be significant, and the attack may go undetected until a payment is missed or a supplier queries it.
The first priority is always the wire recall — funds can sometimes be returned if the receiving bank is alerted before disbursement. The second is securing the compromised account and understanding the full scope of the intrusion: attackers often watch an inbox for weeks before striking.
Staff training is the most effective long-term control. Any instruction to change payment details should be verified by phone using a pre-existing, verified number — never by replying to the email containing the new instructions.
Frequently asked questions
How do BEC attackers know when to strike?
They often monitor the inbox silently for days or weeks to learn payment patterns, supplier relationships, and deal timing — then inject fraudulent instructions at the right moment.
Is the business liable for the loss?
Liability depends on jurisdiction and the specific facts. Banks may have some responsibility if fraud controls failed. Cyber insurance may cover the loss. Legal advice is worth seeking for significant amounts.
How can we prevent BEC in future?
Implement a call-back verification policy for all payment instruction changes, enforce MFA on all email accounts, use DMARC/DKIM/SPF to reduce impersonation, and run regular staff awareness training.
What is the difference between BEC and phishing?
Phishing uses mass fake emails to harvest credentials. BEC is a targeted attack that either compromises a real account or convincingly impersonates a trusted party to redirect payments — it is more precise and often higher value.