Guide

What Is Business Email Compromise (BEC)? UK SME Guide

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

Learn more

BEC is the most financially damaging end of the phishing spectrum and the costliest email threat facing UK SMEs today. This page explains how the attacks work, why standard filters miss them, and the technical and procedural controls that stop them — backed by AMVIA's managed cybersecurity team and specialist email security service.

What is business email compromise?

Business email compromise is a social-engineering attack in which a criminal poses as someone the victim trusts — usually a senior leader, supplier or legal representative — and requests an urgent payment or change of bank details. Unlike mass phishing, BEC is highly targeted and often follows weeks of reconnaissance into the target organisation.

Industry data indicates UK businesses lost an average of £109,000 per BEC incident, and nearly 30% of BEC incidents lead to a direct funds transfer fraud event. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a breach or attack in the past 12 months — around 612,000 businesses — with impersonation reported by 35% of those experiencing breaches. For a small firm, a single successful BEC attack can be catastrophic.

What are the common types of BEC attack?

BEC takes several forms, but all share one trait: a believable impersonation that pressures staff to move money fast. The five patterns below account for the overwhelming majority of UK incidents, and each targets a specific business process — payments, payroll or supplier onboarding.

BEC variantHow it worksPrimary target
CEO fraudAttacker poses as a senior leader demanding an urgent, confidential transfer that bypasses approvalFinance team
Invoice redirection (mandate fraud)Spoofed supplier email claims bank details have changed; payments divert to the criminalAccounts payable
Supplier impersonationLookalike domain (e.g. amvia-invoices.com) sends convincing invoices mirroring real brandingAccounts payable
Payroll diversionAttacker impersonates an employee to change payroll bank details before the next runHR / payroll
Solicitor impersonationCriminal poses as a legal representative citing deadlines on a property or M&A transactionFinance / directors

CEO fraud exploits deference to leadership and is most effective when the real CEO is travelling — information attackers harvest from social media and out-of-office replies. Invoice redirection is dangerous because it can arrive during a genuine payment cycle, looking entirely routine.

Why are BEC attacks so effective?

BEC works because it exploits human trust, not technical vulnerabilities. The emails carry no malicious links or attachments for filters to catch, come from plausible addresses, and are timed to coincide with real business events such as a supplier invoice falling due or the CEO being away.

  • Attackers research LinkedIn, Companies House records and company websites to map hierarchies and identify targets
  • Emails are crafted to match the writing style, tone and formatting of the person being impersonated
  • Urgency and authority discourage staff from following normal verification steps
  • Many attacks run over weeks, with preliminary emails building credibility before the fraudulent request
  • Requests are often timed for late Friday or just before a bank holiday, when staff are rushed

The DSIT Cyber Security Breaches Survey 2025 found 85% of breaches involved phishing, the broad category BEC sits within. BEC is the most targeted and dangerous end of that spectrum, where an attacker invests real effort into a single high-value deception. Pairing email security with phishing protection closes the gap that generic filtering leaves open.

What do real-world BEC attacks look like?

Real UK incidents follow a predictable shape: a believable sender, a plausible reason and the absence of a second verification step. Two scenarios reported to Action Fraud illustrate how routine these frauds appear to the staff who fall for them.

A UK professional services firm of forty staff received an email appearing to come from the managing director, requesting an urgent transfer of £28,000 to a new supplier. It referenced a genuine project and used the MD's usual sign-off. The finance manager paid it. The MD's account had not been hacked — the attacker had registered a lookalike domain and studied the firm's email patterns for two weeks.

In a second case, a property management company received notice from what looked like its maintenance contractor that bank details had changed. The accounts team updated the record without a phone call. Three months of payments — totalling over £15,000 — were diverted before the genuine contractor queried the missing funds.

How do you prevent business email compromise?

BEC prevention is layered: technical controls stop domain spoofing, identity controls stop account takeover, and procedural controls stop fraudulent payments leaving your account. No single measure is sufficient — together they remove the gaps each attack relies on.

  • Email authentication. Publish DMARC, DKIM and SPF records. A DMARC policy at `p=reject` is the standard recommended by the NCSC and stops criminals spoofing your domain against customers and partners.
  • Anti-impersonation filtering. Microsoft Defender for Business flags emails where a display name matches a known executive but the sending domain does not, and detects lookalike domains before messages reach inboxes.
  • Multi-factor authentication. Enforced multi-factor authentication on every account — especially finance, HR and leadership — sharply reduces the account takeover that lets attackers send BEC from a genuine address.
  • Multi-step payment verification. No email-only payment instruction should be actioned without calling the requester on a number held on file — never one supplied in the email. This single control stops most BEC that reaches the payment stage.
  • Staff training. Regular training and simulated BEC exercises teach finance, HR and PA staff to spot urgency, secrecy and process-bypass requests, and to report them correctly.
  • Supplier change controls. Any request to change supplier bank details must be verified through a pre-agreed channel, enforced consistently regardless of who appears to be asking.

The DSIT Cyber Security Breaches Survey 2025 found only 14% of UK businesses have a formal incident response plan — so most have no defined process for what happens after a suspicious email is reported. A managed incident response capability closes that gap.

In-house controls vs AMVIA managed email security

Most SMEs can configure some of these controls, but maintaining them — and monitoring for the impersonation patterns that change weekly — is where in-house effort breaks down. The comparison below shows where a managed service earns its place.

CapabilityTypical in-house setupAMVIA managed email security
DMARC at p=rejectOften left at p=none or unmonitoredConfigured, enforced and monitored
Anti-impersonation rulesDefault Microsoft 365 settingsTuned Defender impersonation policies
Lookalike domain detectionRarely configuredActive monitoring and alerting
MFA enforcementPartial, gaps for execsEnforced across all accounts
Threat monitoringBusiness hours, reactive24/7 in-house SOC, proactive
Incident responseUsually no documented planDefined response and recovery

What should you do if you suspect a BEC attack?

Act immediately. Contact your bank to request a recall of any transferred funds — speed is critical, as money is often moved through several accounts within hours. Report the incident to Action Fraud and the NCSC, and preserve all relevant emails as evidence.

If an email account has been compromised, reset the password at once, revoke all active sessions, and review recent sent items and mailbox rules for attacker activity. AMVIA's managed detection and response team handles this containment for clients around the clock.

How much does managed email security cost?

AMVIA's managed email security is priced per user and built on Microsoft 365 licensing, so cost scales with headcount rather than a large upfront outlay. Microsoft Business Premium — which includes Defender for Office 365 anti-impersonation protection — lists at £16.90 per user per month (microsoft.com/en-gb, ex VAT, annual).

For comparison, Microsoft 365 licence list prices are Business Basic £4.60, Business Standard £9.60 and Business Premium £16.90 per user per month (ex VAT, annual). AMVIA layers configuration, DMARC enforcement, monitoring and staff awareness on top of the Premium licence as a managed service. Set against an average BEC loss of £109,000 per incident, the protection pays for itself many times over.

How AMVIA helps UK businesses prevent BEC

AMVIA deploys Microsoft Defender for Office 365 to detect BEC patterns — lookalike domain spoofing, internal executive impersonation and unusual sending behaviour. We configure DMARC at `p=reject` to stop your domain being used in outbound fraud, enforce MFA across every account, and provide ongoing monitoring, alerting and staff awareness support.

That is the AMVIA model: one provider, security-first, Microsoft-certified engineers running it for you. With 67% of medium and 74% of large businesses reporting breaches in 2025 (DSIT), proactive BEC protection is not optional — it is a business necessity.

Key Points

What you need to know.

Why It Matters

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025).

How It Works

67% of medium businesses and 74% of large businesses reported breaches in 2025.

UK Requirements

Relevant UK regulations, standards, and compliance considerations.

Getting Started

Practical first steps for businesses of any size.

Key Considerations

Assess your current position and identify gaps

Understand relevant UK regulations and standards

Implement appropriate technical controls

Train staff on security awareness

Review and update regularly

Consider managed service options for specialist areas

Frequently Asked Questions

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.