TL;DR:
- Business email compromise is the most costly cybercrime type — average losses run into tens of thousands of pounds per incident
- Red flags include unexpected bank detail changes, urgent payment requests, and slight domain misspellings
- SPF, DKIM, and DMARC are free DNS records that stop criminals spoofing your email address
Business email compromise (BEC) is fraud that uses email — real or fake — to trick your team into transferring money or sharing sensitive information. Unlike ransomware, there’s no dramatic system lockdown. BEC is quiet, sophisticated, and extremely expensive. Action Fraud receives thousands of BEC reports from UK businesses every year, and small businesses are common targets precisely because they lack the verification processes that larger organisations have.
Here’s the thing: these attacks don’t require any hacking in the traditional sense. They’re social engineering dressed up as legitimate business.
How BEC attacks work
There are several variations, but the pattern is consistent: an attacker impersonates someone your business trusts and creates urgency around a payment or data request.
CEO fraud — an employee receives an email that appears to be from the owner or a senior manager, asking them to urgently process a wire transfer or buy gift cards. The email may come from a convincing lookalike domain (yourcompany-ltd.co instead of yourcompany.co.uk) or, in more sophisticated attacks, from the manager’s real email account after it has been compromised.
Supplier impersonation — an attacker monitors email communications, then sends a message appearing to be from a real supplier claiming their bank details have changed. Payments go to a fraudster’s account. The legitimate supplier has no idea until the invoice goes unpaid.
Payroll diversion — someone impersonating a colleague emails your HR or payroll contact to request a bank account change for their salary payment.
What makes BEC so effective is that these emails look completely legitimate. They reference real projects, real people, and real relationships. There’s no malware to detect — just a convincing story.
Red flags your team should know
Train everyone who handles payments to pause when they see any of these:
Unexpected change of bank details. Any request to update payment information to a new account, regardless of who it appears to come from, should trigger a verification call.
Urgency and secrecy. “Process this before end of day,” “don’t mention this to anyone,” “I’m in a meeting and can’t be reached by phone.” These phrases are manipulation tactics.
Requests to bypass normal process. “Skip the usual approval this time,” “I need this done differently today.” If someone’s asking you to go around your normal process, that’s a flag.
Subtle email address differences. Check the actual sending address, not just the display name. Criminals use addresses like j.smith@yourcompany.co or accounts@yourclient-billing.com — close enough to fool a quick glance.
The single most important rule: any request to change payment details or bank account information must be verified with a phone call to a known, pre-existing number — not a number provided in the same email.
Technical defences: SPF, DKIM, and DMARC
These three free DNS records work together to prevent criminals from spoofing your email domain — sending emails that look like they’re from you@yourbusiness.co.uk when they’re not.
SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorised to send email for your domain. Any mail from an unlisted server fails the check.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. Receiving mail servers can verify the signature to confirm the email genuinely came from you.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving mail servers what to do with email that fails both checks — quarantine it or reject it entirely.
Check your current status for free at mxtoolbox.com/dmarc. Your domain registrar or IT contact can add all three records in about 30 minutes. Start DMARC in “none” mode (monitoring only), review the reports for a week, then move to “quarantine” and eventually “reject.”
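To make the three records concrete, here is an added example that is not part of the original article: a small Python model of how a receiving server evaluates them. It uses constructed TXT records for the made-up domain yourbusiness.co.uk (and a made-up include target), evaluates SPF for a given sending IP, parses the DMARC record, works out the resulting disposition, and reports which step of the none/quarantine/reject rollout the domain is at. Real receivers also check identifier alignment and DKIM signatures, which this simplified model treats as a single boolean input.

```python
import ipaddress

# Constructed TXT records standing in for DNS (assumption: none of these are real)
DNS = {
    "yourbusiness.co.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.yourbusiness.co.uk": (
        "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourbusiness.co.uk; pct=100"
    ),
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT lookup against the constructed table."""
    return DNS.get(name)


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for sender_ip (ip4/ip6/include/all mechanisms only)."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            if spf_check(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return result
    return "neutral"  # no mechanism matched and no explicit 'all'


def parse_dmarc(domain):
    """Return the DMARC record's tag=value pairs, or None when no record is published."""
    record = lookup_txt("_dmarc." + domain)
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_disposition(domain, spf_result, dkim_aligned_pass):
    """DMARC passes if either aligned SPF or aligned DKIM passes; otherwise apply the p= policy."""
    tags = parse_dmarc(domain)
    if not tags or tags.get("v") != "DMARC1":
        return "no policy"
    if spf_result == "pass" or dkim_aligned_pass:
        return "deliver"
    return {"none": "deliver (report only)", "quarantine": "quarantine",
            "reject": "reject"}.get(tags.get("p"), "no policy")


def rollout_advice(domain):
    """Which step of the none -> quarantine -> reject rollout is this domain at?"""
    tags = parse_dmarc(domain) or {}
    policy = tags.get("p")
    if policy is None:
        return "publish a DMARC record with p=none and a rua= address to start collecting reports"
    if "rua" not in tags:
        return "add a rua= address; without reports you cannot safely move beyond p=none"
    return {"none": "review reports, then move to p=quarantine",
            "quarantine": "when reports are clean, move to p=reject",
            "reject": "fully enforced"}.get(policy, "unrecognised policy")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        spf = spf_check("yourbusiness.co.uk", ip)
        print(ip, spf, dmarc_disposition("yourbusiness.co.uk", spf, False))
    print(rollout_advice("yourbusiness.co.uk"))
```

The `-all` at the end of the SPF record is what makes a spoofed message fail rather than merely softfail; the DMARC `p=` tag is what turns that failure into a quarantine or rejection at the receiver, and `rua=` is where the reports the article asks you to review for a week are sent.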
Email filtering and security tools
Google Workspace and Microsoft 365 both include built-in spam and phishing filters. Make sure these are properly configured — Google Workspace admins should check the “Advanced Phishing and Malware” settings under the admin console.
Proofpoint Essentials and Mimecast are dedicated email security platforms that sit on top of Google or Microsoft. They use AI to detect BEC patterns and flag suspicious emails before they reach the inbox. Proofpoint Essentials starts at around £2.50–3 per user per month and is well worth considering if you handle regular payments or work with multiple suppliers.
Many IT platforms can also insert a visible banner on any email that originates outside your organisation. This simple visual cue helps staff pause before acting on requests from “internal” accounts that are actually external.
What to do if you’re hit
Speed matters. If you realise a fraudulent payment has been made:
Call your bank immediately and request a recall or freeze. If done within hours, recovery is sometimes possible — the Authorised Push Payment (APP) fraud reimbursement rules in the UK have improved protections for businesses, so don’t assume the money is gone without asking.
Report to Action Fraud (actionfraud.police.uk) — the UK’s national fraud reporting centre. Recovery is rare without a report, and it creates a record for your insurance claim.
Preserve all emails — don’t delete anything. The chain of communication is evidence. Notify your cyber insurance carrier promptly, as most policies have a notification window of 24–72 hours. And investigate how access was gained — if a real account was compromised, change passwords, enable MFA, and check for mailbox forwarding rules the attacker may have added to keep reading or hiding messages.
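The forwarding-rule check in the last step is easy to do by hand for one mailbox and tedious for a whole company. As an added example, not code from the original article, the following reviews a constructed export of mailbox rules and lists the ones worth a closer look: rules that forward outside the organisation, delete messages, filter on payment-related words, or carry a near-empty name. The export format (a list of dictionaries with the fields shown) is an assumption for illustration, not any vendor's real schema; adapt the field names to whatever your mail platform's admin export produces.

```python
ORG_DOMAIN = "yourbusiness.co.uk"  # assumption: the organisation's own mail domain
FINANCE_WORDS = {"invoice", "payment", "bank", "sort code", "remittance", "wire"}
# Folders that staff rarely open, so mail moved there is effectively hidden
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "conversation history"}

# Constructed mailbox-rule export (assumption: illustrative field names, not a real schema)
RULES = [
    {"mailbox": "accounts@yourbusiness.co.uk", "name": "Invoices",
     "forward_to": ["ext.finance@webmail.example"], "delete": True,
     "keywords": ["invoice", "payment"], "move_to": ""},
    {"mailbox": "accounts@yourbusiness.co.uk", "name": "Newsletter",
     "forward_to": [], "delete": False, "keywords": ["newsletter"], "move_to": "Archive"},
    {"mailbox": "jo@yourbusiness.co.uk", "name": ".",
     "forward_to": [], "delete": False, "keywords": ["bank"], "move_to": "RSS Feeds"},
]


def is_external(address):
    """True when an address is outside the organisation's own domain."""
    return address.rpartition("@")[2].lower() != ORG_DOMAIN


def rule_risk(rule):
    """Return the reasons a single rule deserves review; an empty list means it looks ordinary."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    if rule.get("delete"):
        reasons.append("deletes messages, which hides the trail from the mailbox owner")
    if rule.get("move_to", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves messages to a rarely watched folder: {rule['move_to']}")
    keywords = {k.lower() for k in rule.get("keywords", [])}
    if keywords & FINANCE_WORDS:
        reasons.append("filters on payment-related words: " + ", ".join(sorted(keywords & FINANCE_WORDS)))
    if len(rule.get("name", "").strip()) <= 2:
        reasons.append("near-empty rule name, a common way to avoid notice")
    return reasons


def review_rules(rules):
    """Return (mailbox, rule name, reasons) for every rule that raised at least one reason."""
    findings = []
    for rule in rules:
        reasons = rule_risk(rule)
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in review_rules(RULES):
        print(f"{mailbox} rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Findings here are a review list, not proof of compromise: an external forward may be a legitimate personal setup, but during an incident every such rule should be confirmed with its mailbox owner and removed if unexplained.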
Bottom line
BEC is the most financially damaging cybercrime targeting small UK businesses — and it works primarily through social engineering, not technical exploits. Set up DMARC on your domain, train anyone who handles payments to verify any bank detail change by phone, and add a standard verification step for all wire transfers. The process change costs nothing but prevents losses that can cripple a small business.