What To Do After a Fake-Invoice or BEC Payment (Small Business)
Steps for a small business to take immediately after paying a fraudulent invoice, or after a business email compromise has redirected a legitimate payment.
Last reviewed: 1 June 2026
First 10 minutes
- Call your bank's fraud line by phone using the number on your bank card or official website — do not use numbers from any email
- Tell them the exact amount, the destination account number and sort code, and the time of the transfer
- Request an emergency payment recall and ask them to contact the receiving bank
- Do not send any further payments to any account linked to this transaction
- Preserve the fraudulent email, the genuine supplier email thread, and your payment records
First 24 hours
- Notify the genuine supplier or client whose invoice or payment details were spoofed, so they can secure their own systems
- Report to your national fraud service and cybercrime unit — BEC is a priority crime for law enforcement
- Alert your IT support or managed service provider to investigate how the email compromise occurred
Contact your bank or payment provider
- Contact your bank by phone immediately and use the phrase 'business email compromise' to trigger the correct fraud escalation process
- Ask about eligibility under any authorised push payment (APP) fraud reimbursement scheme for business customers
- Request the destination account details from your bank so you can provide them to law enforcement
Evidence to preserve
- The fraudulent email in full, including full headers (not just the visible sender address)
- Your legitimate email thread with the genuine supplier showing the real bank details
- Bank transfer confirmation and all payment records
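Why the full headers matter, as an added example that is not part of the original guidance: the Python sketch below reads a preserved message and lists header findings that the visible sender address does not show. The sample message, its domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, not a real email; every domain is a placeholder.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.buyer.example; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=supplier.example
From: "Supplier Accounts" <accounts@supplier.example>
Reply-To: accounts@suppl1er.example
To: ap@buyer.example
Subject: Updated bank details for invoice 1042

Please use the new account details for this payment.
"""

def domain(value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage_headers(raw):
    """Return findings worth reviewing in the headers of a preserved message."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    # Replies go to Reply-To, so a different domain there diverts the thread.
    # Return-Path often differs for legitimate bulk senders: review, not proof.
    for header in ("Reply-To", "Return-Path"):
        dom = domain(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # Authentication-Results is written by the receiving server; trust only the
    # copy added by your own mail system (assumed here to be the one present).
    for ar in msg.get_all("Authentication-Results", []):
        for part in ar.split(";")[1:]:
            method, _, rest = part.strip().partition("=")
            result = rest.split()[0].lower() if rest.split() else "missing"
            if method.lower() in ("spf", "dkim", "dmarc") and result != "pass":
                findings.append(f"{method.lower()} result is {result}")
    return findings

if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_EML):
        print(finding)
```

Run it against a copy of the saved message, never the only original, and pass the findings to your bank and law enforcement alongside the untouched file.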
Secure your accounts and devices
- Audit your email account for rules that may be forwarding emails to an attacker — delete any you did not create
- Change all business email passwords and enforce multi-factor authentication across the organisation
- Introduce a verbal confirmation process for any change to a supplier's bank details going forward
Report it
- Report to your national fraud/cybercrime service
- Report to the platform, bank, or provider involved
- Keep any reference numbers you're given
Business email compromise (BEC) works by compromising or spoofing a supplier or client email address, then sending amended payment instructions at the point a real invoice is due. The fraudulent account number may differ by only a single digit from the genuine one, making it easy to miss under normal business pressure.
The bank recall window is narrow — most success occurs within the first few hours. Even where funds are not recovered, reporting to law enforcement matters: BEC prosecutions are increasing, and your evidence may contribute to a wider investigation. Review your payment authorisation procedures after any BEC incident to prevent recurrence.
Frequently asked questions
Does business insurance cover BEC losses?
Some business insurance policies include cyber liability or crime coverage that may cover BEC losses. Check your policy documents and contact your insurer promptly — most have time limits for reporting. Even if a claim is unclear, notify your insurer immediately so you preserve your rights.
How can I prevent this happening again?
Introduce a fixed procedure: any change to a supplier's bank details must be confirmed by a phone call to a number you already hold, not one provided in the email requesting the change. Verify payment details verbally before processing any invoice above a threshold amount.