What Is Business Email Compromise (BEC)? UK SME Guide
A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.
Overview
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.
Learn moreBEC is the most financially damaging end of the phishing spectrum and the costliest email threat facing UK SMEs today. This page explains how the attacks work, why standard filters miss them, and the technical and procedural controls that stop them — backed by AMVIA's managed cybersecurity team and specialist email security service.
What is business email compromise?
Business email compromise is a social-engineering attack in which a criminal poses as someone the victim trusts — usually a senior leader, supplier or legal representative — and requests an urgent payment or change of bank details. Unlike mass phishing, BEC is highly targeted and often follows weeks of reconnaissance into the target organisation.
Industry data indicates UK businesses lost an average of £109,000 per BEC incident, and nearly 30% of BEC incidents lead to a direct funds transfer fraud event. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a breach or attack in the past 12 months — around 612,000 businesses — with impersonation reported by 35% of those experiencing breaches. For a small firm, a single successful BEC attack can be catastrophic.
What are the common types of BEC attack?
BEC takes several forms, but all share one trait: a believable impersonation that pressures staff to move money fast. The five patterns below account for the overwhelming majority of UK incidents, and each targets a specific business process — payments, payroll or supplier onboarding.
| BEC variant | How it works | Primary target |
|---|---|---|
| CEO fraud | Attacker poses as a senior leader demanding an urgent, confidential transfer that bypasses approval | Finance team |
| Invoice redirection (mandate fraud) | Spoofed supplier email claims bank details have changed; payments divert to the criminal | Accounts payable |
| Supplier impersonation | Lookalike domain (e.g. amvia-invoices.com) sends convincing invoices mirroring real branding | Accounts payable |
| Payroll diversion | Attacker impersonates an employee to change payroll bank details before the next run | HR / payroll |
| Solicitor impersonation | Criminal poses as a legal representative citing deadlines on a property or M&A transaction | Finance / directors |
CEO fraud exploits deference to leadership and is most effective when the real CEO is travelling — information attackers harvest from social media and out-of-office replies. Invoice redirection is dangerous because it can arrive during a genuine payment cycle, looking entirely routine.
Why are BEC attacks so effective?
BEC works because it exploits human trust, not technical vulnerabilities. The emails carry no malicious links or attachments for filters to catch, come from plausible addresses, and are timed to coincide with real business events such as a supplier invoice falling due or the CEO being away.
- Attackers research LinkedIn, Companies House records and company websites to map hierarchies and identify targets
- Emails are crafted to match the writing style, tone and formatting of the person being impersonated
- Urgency and authority discourage staff from following normal verification steps
- Many attacks run over weeks, with preliminary emails building credibility before the fraudulent request
- Requests are often timed for late Friday or just before a bank holiday, when staff are rushed
The DSIT Cyber Security Breaches Survey 2025 found 85% of breaches involved phishing, the broad category BEC sits within. BEC is the most targeted and dangerous end of that spectrum, where an attacker invests real effort into a single high-value deception. Pairing email security with phishing protection closes the gap that generic filtering leaves open.
What do real-world BEC attacks look like?
Real UK incidents follow a predictable shape: a believable sender, a plausible reason and the absence of a second verification step. Two scenarios reported to Action Fraud illustrate how routine these frauds appear to the staff who fall for them.
A UK professional services firm of forty staff received an email appearing to come from the managing director, requesting an urgent transfer of £28,000 to a new supplier. It referenced a genuine project and used the MD's usual sign-off. The finance manager paid it. The MD's account had not been hacked — the attacker had registered a lookalike domain and studied the firm's email patterns for two weeks.
In a second case, a property management company received notice from what looked like its maintenance contractor that bank details had changed. The accounts team updated the record without a phone call. Three months of payments — totalling over £15,000 — were diverted before the genuine contractor queried the missing funds.
How do you prevent business email compromise?
BEC prevention is layered: technical controls stop domain spoofing, identity controls stop account takeover, and procedural controls stop fraudulent payments leaving your account. No single measure is sufficient — together they remove the gaps each attack relies on.
- Email authentication. Publish DMARC, DKIM and SPF records. A DMARC policy at `p=reject` is the standard recommended by the NCSC and stops criminals spoofing your domain against customers and partners.
- Anti-impersonation filtering. Microsoft Defender for Business flags emails where a display name matches a known executive but the sending domain does not, and detects lookalike domains before messages reach inboxes.
- Multi-factor authentication. Enforced multi-factor authentication on every account — especially finance, HR and leadership — sharply reduces the account takeover that lets attackers send BEC from a genuine address.
- Multi-step payment verification. No email-only payment instruction should be actioned without calling the requester on a number held on file — never one supplied in the email. This single control stops most BEC that reaches the payment stage.
- Staff training. Regular training and simulated BEC exercises teach finance, HR and PA staff to spot urgency, secrecy and process-bypass requests, and to report them correctly.
- Supplier change controls. Any request to change supplier bank details must be verified through a pre-agreed channel, enforced consistently regardless of who appears to be asking.
The DSIT Cyber Security Breaches Survey 2025 found only 14% of UK businesses have a formal incident response plan — so most have no defined process for what happens after a suspicious email is reported. A managed incident response capability closes that gap.
In-house controls vs AMVIA managed email security
Most SMEs can configure some of these controls, but maintaining them — and monitoring for the impersonation patterns that change weekly — is where in-house effort breaks down. The comparison below shows where a managed service earns its place.
| Capability | Typical in-house setup | AMVIA managed email security |
|---|---|---|
| DMARC at p=reject | Often left at p=none or unmonitored | Configured, enforced and monitored |
| Anti-impersonation rules | Default Microsoft 365 settings | Tuned Defender impersonation policies |
| Lookalike domain detection | Rarely configured | Active monitoring and alerting |
| MFA enforcement | Partial, gaps for execs | Enforced across all accounts |
| Threat monitoring | Business hours, reactive | 24/7 in-house SOC, proactive |
| Incident response | Usually no documented plan | Defined response and recovery |
What should you do if you suspect a BEC attack?
Act immediately. Contact your bank to request a recall of any transferred funds — speed is critical, as money is often moved through several accounts within hours. Report the incident to Action Fraud and the NCSC, and preserve all relevant emails as evidence.
If an email account has been compromised, reset the password at once, revoke all active sessions, and review recent sent items and mailbox rules for attacker activity. AMVIA's managed detection and response team handles this containment for clients around the clock.
How much does managed email security cost?
AMVIA's managed email security is priced per user and built on Microsoft 365 licensing, so cost scales with headcount rather than a large upfront outlay. Microsoft Business Premium — which includes Defender for Office 365 anti-impersonation protection — lists at £16.90 per user per month (microsoft.com/en-gb, ex VAT, annual).
For comparison, Microsoft 365 licence list prices are Business Basic £4.60, Business Standard £9.60 and Business Premium £16.90 per user per month (ex VAT, annual). AMVIA layers configuration, DMARC enforcement, monitoring and staff awareness on top of the Premium licence as a managed service. Set against an average BEC loss of £109,000 per incident, the protection pays for itself many times over.
How AMVIA helps UK businesses prevent BEC
AMVIA deploys Microsoft Defender for Office 365 to detect BEC patterns — lookalike domain spoofing, internal executive impersonation and unusual sending behaviour. We configure DMARC at `p=reject` to stop your domain being used in outbound fraud, enforce MFA across every account, and provide ongoing monitoring, alerting and staff awareness support.
That is the AMVIA model: one provider, security-first, Microsoft-certified engineers running it for you. With 67% of medium and 74% of large businesses reporting breaches in 2025 (DSIT), proactive BEC protection is not optional — it is a business necessity.
Key Points
What you need to know.
Why It Matters
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025).
How It Works
67% of medium businesses and 74% of large businesses reported breaches in 2025.
UK Requirements
Relevant UK regulations, standards, and compliance considerations.
Getting Started
Practical first steps for businesses of any size.
Key Considerations
Assess your current position and identify gaps
Understand relevant UK regulations and standards
Implement appropriate technical controls
Train staff on security awareness
Review and update regularly
Consider managed service options for specialist areas
Frequently Asked Questions
Examine the full sender address for lookalike domains such as amv1a.co.uk instead of amvia.co.uk, and be wary of any payment request citing unusual urgency or secrecy. Always verify by phoning the requester on a number already held on file — never a number given in the email. Overall IC3-reported cybercrime losses increased 33% from 2023 (FBI IC3 2024 report), making this step indispensable.
Invoice redirection, also called mandate fraud, is a BEC variant where criminals impersonate a supplier and ask you to update their bank details. Future payments then divert to the attacker's account. A written policy requiring telephone confirmation of any bank-detail change — using a pre-agreed number — stops the vast majority before funds leave your account.
BEC emails usually contain no malicious links or attachments, so conventional filters have nothing to flag. The threat is the social engineering — a convincing impersonation of a CEO or supplier. Anti-impersonation rules in Microsoft Defender for Office 365 and DMARC at p=reject catch domain-spoofing, but the average cost of the most disruptive breach is £3,550 (DSIT 2025), and a single BEC attack can far exceed that.
MFA does not stop every BEC attack, but it removes one of the most dangerous routes. If an attacker steals a password, MFA blocks them from logging in and sending fraud from a genuine, trusted address — which makes detection far harder. Enforced MFA on finance, HR and leadership accounts is a non-negotiable baseline control.
Many cyber and crime policies cover BEC losses, but cover varies and insurers increasingly require specific controls — enforced MFA, DMARC and documented payment verification — before they pay out. Check your policy wording, and treat the technical and procedural controls on this page as both fraud prevention and a condition of cover.
Finance, HR and senior PA staff are the most common targets because they control payments, payroll and executive diaries. Attackers also target directors directly through solicitor and M&A impersonation. Prioritise MFA, training and payment-verification controls for these roles first, then extend them across the business.
Need Help With This?
AMVIA can assess your current position and recommend practical next steps.
Related Resources
Email Security and Phishing Protection for UK Businesses
Comprehensive guide to cybersecurity for UK businesses. Expert advice, key considerations, and actionable steps to strengthen your…
The Complete Guide to Managed Cybersecurity for UK…
Comprehensive guide to cybersecurity for UK businesses. Expert advice, key considerations, and actionable steps to strengthen your…
What Is Email Security? A Guide for UK Business Owners
In-depth explainer on email security? a guide for uk business owners for UK businesses. Key concepts, best practices, and practical…
How to Protect Your Business from Phishing Attacks
In-depth explainer on how to protect your business from phishing attacks for UK businesses. Key concepts, best practices, and practical…
Protect your business → Get Cybersecurity Assessment