Business Email Compromise (BEC)
Compromised or spoofed business email accounts used to redirect payments and steal data.
Last reviewed: 1 June 2026
What this scam is
Business email compromise (BEC) is a category of fraud in which a criminal either gains unauthorised access to a genuine business email account or creates a highly convincing imitation of one, then uses it to deceive staff, customers, or suppliers into transferring money or sensitive data. It is consistently ranked as one of the highest-value fraud types targeting organisations of every size.
BEC covers a spectrum of attack types. At one end, a criminal phishes an employee's email credentials, logs into their account, and uses it to send fraudulent payment instructions to the finance team — from an address that is entirely real. At the other end, a criminal registers a look-alike domain (e.g. replacing a letter with a similar character, or adding a word like 'accounts' or 'finance') and sends correspondence designed to be mistaken for a legitimate internal or supplier email.
Between these poles lie man-in-the-middle attacks, where the criminal monitors a real compromised email account without the victim's knowledge, waits for an active payment conversation, and then injects fraudulent banking details at a precisely chosen moment. Because the surrounding conversation is genuine, the tampered instruction is extraordinarily difficult to detect.
The financial impact of a single BEC incident can be severe — ranging from thousands to millions, depending on the organisation's payment volumes. Unlike card fraud, bank transfers are difficult to reverse, and recovery is far from guaranteed.
How it works
Most BEC attacks begin with credential theft. A phishing email, a credential-stuffing attack against a reused password, or malware installed through a malicious attachment gives the attacker access to a genuine business email account. Rather than acting immediately, the attacker often spends time silently monitoring the inbox — reading ongoing conversations, understanding supplier relationships, payment processes, and the language and sign-off conventions used by legitimate staff.
When a suitable opportunity arises — an active supplier payment conversation, a pending property transaction, a payroll run — the attacker acts. They may send a message directly from the compromised account changing payment details; insert fraudulent banking information into an ongoing thread; or use the intelligence gathered to send a convincing spoofed email from a look-alike domain at exactly the right moment.
In parallel, some BEC attacks focus on data rather than money: using a compromised HR or payroll email to redirect salary payments, or extracting sensitive company or personal data for use in subsequent attacks. Others combine payment diversion with data theft in coordinated campaigns targeting multiple contacts in the same organisation.
Why this scam works
BEC is effective for a fundamental reason: it attacks the identity layer of business communication. When an email appears to come from a known colleague, a trusted supplier, or a senior executive — whether via a compromised real account or a convincing look-alike — recipients apply a level of trust that bypasses normal scepticism.
The fraud also exploits the speed and volume of modern email-based business. Finance teams process large numbers of payment instructions daily; verifying each one via an independent channel would be operationally impractical without a structured control framework. BEC thrives in the gap between the trust placed in email identity and the effort required to verify it.
For compromised-account attacks in particular, detection is genuinely difficult. The email address is correct, the thread is real, the writing style may match, and the only evidence of fraud is a small change to bank account details embedded in an otherwise normal exchange.
A typical pattern
A supplier's email account is compromised following a phishing attack. The attacker monitors correspondence for several weeks and identifies that a significant invoice payment is expected. Shortly before the payment run, the attacker sends an email from the real supplier address explaining that a bank account has changed, providing new details. The finance team, dealing with a familiar supplier via a real email address, updates the payment details. The payment is processed to the fraudster's account. The real supplier follows up on the unpaid invoice and the fraud is discovered.
Common red flags
- Payment or bank-detail change instructions arriving mid-email-thread
- Email address where the display name matches but the actual address differs
- Domain that closely resembles a known supplier or internal address but is not identical
- Urgency framing and requests to bypass normal approval procedures
- Unexpected login alerts on business email accounts
- New email inbox rules you don't recognise (forwarding, deletion)
- A supplier's payment details change shortly before a large invoice is due
- Message instructs the recipient not to discuss the change with anyone else
- Account details provided differ from those used in all previous payments
- Supplier follows up on an invoice they say is unpaid — but you paid it
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Please update the payment for invoice [invoice number] ([amount]) to our new account details below. Our previous account is no longer active.
(Appearing to come from an internal finance address) Hi [name], please process payment of [amount] to the revised account below as discussed with [colleague name].
Our bank has recently changed. Please make sure all pending payments — including [invoice number] — go to the new details. I've updated the invoice and attached it here.
This is [supplier contact]. There's been an urgent change to our account — please use these details for the payment due this week. The old account is frozen.
Hi, I'm messaging from [company] accounts. Please send the remittance for [invoice number] to [new account]. Please discard the previous bank details.
(Sent from a look-alike domain) Following up on the payment for [invoice number]. Please note our account details have changed as below.
Common variations
- Compromised supplier email account used to inject fraudulent bank details
- Compromised internal email account used to issue payment instructions
- Look-alike domain (typosquatted) mimicking a known supplier or colleague
- Man-in-the-middle email thread hijacking mid-conversation
- Payroll diversion using compromised HR email
- Property transaction fraud using compromised conveyancer or estate agent email
- Data-theft BEC targeting HR for employee personal information
How to verify before you act
Defending against BEC requires controls at both the technical and procedural levels:
Technical controls: - Enable multi-factor authentication (MFA/2FA) on all business email accounts using an authenticator app rather than SMS. This prevents credential theft from leading to account access. - Configure email authentication protocols (SPF, DKIM, DMARC) to reject or flag emails from spoofed or look-alike versions of your domain. - Enable login alerts on email accounts so that unusual access attempts are flagged immediately. - Consider email gateway tools that flag first-time-sender domains or external emails mimicking internal addresses.
Procedural controls: - Mandate an out-of-band callback — using a phone number from your own records — for any payment instruction that changes banking details or involves an unusual request. - Apply dual authorisation for all payments above a threshold. - Brief staff to slow down when urgency and secrecy accompany a payment change — these are consistent BEC signals.
Payment methods used
- Bank transfer
Who is usually targeted
- Finance teams
- Executives
- Suppliers and customers
What to do immediately
- Do not action any payment-detail change without verbal out-of-band verification
- Call the supplier or colleague on a phone number from your own records — not from the suspicious email
- If the account appears compromised, immediately change credentials, enforce MFA, and check for unusual inbox rules
- If payment has already been sent, call your bank's fraud line immediately to request a recall
- Preserve all emails with full headers before making any changes to your account
- Report the incident to your national fraud authority and your bank
- Notify the organisation whose email was used — their account may still be compromised
How to prevent it
- Enforce MFA/2FA with an authenticator app on every business email account
- Deploy SPF, DKIM, and DMARC on your email domain to reduce spoofing
- Require verbal out-of-band confirmation before processing any payment-detail change
- Implement dual authorisation for all significant payments
- Train staff to check the full 'from' address — not just the display name — on any payment-related email
- Enable suspicious-login alerts on email accounts and act on them promptly
- Periodically review email account rules and forwarding settings for any set up without the user's knowledge
- Brief new staff on BEC as part of onboarding, since new employees are disproportionately targeted
Evidence to preserve
- Original emails with full headers (not just display information)
- Account login logs and any inbox rules found
- Bank payment records and account details used
- Comparison of fraudulent bank details against previous legitimate payment records
- Any phishing email that preceded the compromise
- Timeline of when the suspicious email rules or forwards were set up
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do we reduce BEC risk?
Enforce strong app-based 2FA on all email accounts, verify payment changes by phone to known contacts using independently sourced numbers, deploy SPF/DKIM/DMARC, and train staff to slow down when urgency accompanies any payment-detail change.
What is the difference between a compromised account and a spoofed email?
A compromised account uses the real email address — the attacker has the password and logs in legitimately. A spoofed email creates the appearance of a real address using a look-alike domain or a forged 'from' header. Both are used in BEC; compromised accounts are harder to detect.
How do attackers get access to business email accounts?
Most commonly through phishing (a fake login page that captures credentials), malware that logs keystrokes, or credential-stuffing attacks that test passwords leaked in data breaches at other services. Reusing passwords across personal and business accounts is a significant risk factor.
Our supplier's account was compromised and we lost money. Are we at fault?
Responsibility varies by jurisdiction and circumstance. Banks may be able to recall funds if notified quickly. From an internal perspective, the priority is establishing better verification controls so that even a compromised sender account does not result in an unauthorised payment.
How does DMARC protect against BEC?
DMARC (along with SPF and DKIM) instructs receiving email servers to reject or flag messages claiming to come from your domain if they fail authentication checks. It prevents criminals from spoofing your domain to deceive your customers or suppliers, though it does not protect against look-alike domain attacks.
What are inbox rules and why do they matter for BEC?
An attacker who has compromised an email account may set up rules to automatically forward copies of emails to an external address, or to delete incoming messages that might alert the user (such as login notifications). Periodically checking your inbox rules for any you don't recognise is an important security habit.
How quickly do we need to act if we've sent money to a fraudulent account?
Immediately. Contact your bank's fraud line the same day. Many banks participate in payment recall schemes, but the window of opportunity is narrow — funds are often moved within hours. Speed is the most important factor in any chance of recovery.