Business Email Compromise Explained and How to Prevent It

If you run a business, you already know that not every cyber threat looks dramatic. Sometimes it looks like a normal email from your managing director. Sometimes it looks like a supplier asking you to resend bank details. Sometimes it looks like a quick message from a colleague asking you to buy gift cards before a meeting.

That is exactly why business email compromise, usually shortened to BEC, is so dangerous.

BEC is not usually about flashy malware or obvious hacking. It is about trust. A criminal studies how your business communicates, finds the right moment, and then tries to get you or your team to move money, share data, or hand over login details. Microsoft describes BEC as attackers using forged trusted senders to trick people into approving payments, transferring funds, or revealing customer data.

For UK businesses, this is not some distant threat that only affects global corporations. The UK Government’s Cyber Security Breaches Survey 2025 found that 43% of businesses identified a cyber breach or attack in the previous 12 months, rising to 67% of medium-sized businesses and 74% of large businesses. It also found phishing remained the most common attack type, affecting 85% of organisations that identified a breach or attack, equivalent to 37% of all UK businesses.

If your business relies on email for approvals, invoices, supplier conversations, payroll, contracts, or Microsoft 365 access, BEC deserves your attention.

What business email compromise actually is

Business email compromise is a targeted scam where an attacker uses email impersonation, a compromised mailbox, or a lookalike domain to convince someone in your business to do something they should not do.

Usually, that means one of four things:

  • Sending money to the wrong bank account
  • Changing payment details for a supplier
  • Revealing sensitive data
  • Handing over credentials that let the attacker go further

Unlike old-school spam, BEC is often well researched. The attacker may know your finance process, your staff names, your suppliers, your office hours, and even the tone your senior team uses in emails. Action Fraud describes BEC as a form of phishing where criminals try to trick a senior executive or budget holder into transferring funds or revealing sensitive information. 

That is why these attacks can slip through businesses that think they are “too careful” to be caught.

How BEC attacks usually happen

BEC usually starts long before the email lands in your inbox.

An attacker might scrape LinkedIn, your website, Companies House filings, press releases, and social media posts to work out who handles finance, who approves payments, who works with key suppliers, and who is senior enough to pressure others.

From there, they usually take one of four routes.

1. Impersonation of a senior person

This is the classic “CEO fraud” version.

You receive an email that appears to come from a director or owner asking for an urgent payment, payroll file, or confidential report. The language is brief, direct, and designed to stop you questioning it.

The message might say the sender is in a meeting, travelling, or unavailable by phone. That detail matters because it cuts off normal verification.

2. Supplier or invoice fraud

This version targets your accounts process.

The criminal poses as a supplier, law firm, consultant, or contractor and tells you that their bank details have changed. The next payment goes to the attacker instead of the genuine supplier.

Sometimes the attacker has already compromised the real supplier’s mailbox, which makes the email thread look completely legitimate.

3. Compromised mailbox attacks

This is often the most damaging version.

Instead of spoofing a sender, the attacker gains access to a real mailbox using stolen credentials. They then watch email traffic, learn how your business works, and jump in when the time is right. That can mean changing invoice details, redirecting conversations, or sending fraudulent requests from a genuine account.

This is one reason why BEC is not just an “email problem”. It is an identity, access, and process problem too.

4. Data theft and payroll scams

Not every BEC attack is about a direct transfer.

Sometimes the goal is payroll information, passport scans, customer records, tax details, or login credentials. That data can then be used for fraud, further compromise, or extortion.

Why BEC works so well

BEC works because it targets human behaviour as much as technology.

A busy finance manager wants to keep things moving. An office manager does not want to hold up a director. A junior employee may not feel comfortable challenging an urgent request from someone senior. A remote worker may not have the luxury of walking over to a colleague’s desk to check if an email is genuine.

The NCSC is very clear on this point: phishing defence should be layered, not built around the hope that users will always spot suspicious messages. It recommends making it difficult for attackers to reach users, helping users report suspicious emails, reducing the damage of undetected phishing, and responding quickly when incidents happen. 

In other words, awareness matters, but awareness on its own is not enough.

Common warning signs you should not ignore

BEC emails are getting better, but they still tend to leave clues.

You should be suspicious if you see:

  • Urgency that tries to rush normal checks
  • Requests for secrecy
  • Pressure from someone senior that feels unusual
  • Payment detail changes sent only by email
  • Unusual grammar, tone, or formatting
  • Display names that look familiar but hide a different address
  • Replies that suddenly move away from a normal email thread
  • Requests for gift cards, one-off payments, or unusual bank transfers
  • Unexpected requests for payroll files, invoices, or customer data

Even if the email looks genuine, the request itself might not be.
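Several of those warning signs live in the message headers and can be checked mechanically. The script below is an added example, not code from the original article: it parses the From and Reply-To headers and flags a display name that belongs to a known member of staff but sits in front of a different address, a sender domain that is a near-miss for one of your own, and a Reply-To that quietly diverts replies elsewhere. The trusted domains, the staff list, and the sample message are constructed assumptions for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the business's own sending domains and the
# real addresses of senior staff who are likely impersonation targets.
TRUSTED_DOMAINS = {"example.co.uk", "acme-supplies.com"}
STAFF = {"jane smith": "jane.smith@example.co.uk"}

# Character sequences that look alike in common fonts, used in lookalike domains
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalise(domain: str) -> str:
    """Fold confusable sequences so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def analyse_headers(raw_message: str) -> list[str]:
    """Return finding codes for the From / Reply-To headers of one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. A familiar display name in front of an address that is not that person's
    known = STAFF.get(display_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append("impersonated-display-name")

    # 2. The display name itself contains an address that differs from the real one
    if "@" in display_name and display_name.strip().lower() != from_addr.lower():
        findings.append("address-in-display-name")

    # 3. Sender domain is a near-miss for one of your trusted domains
    if lookalike_of(from_domain):
        findings.append("lookalike-domain")

    # 4. Replies are steered somewhere other than the visible sender
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample message (not a real incident) exercising the checks above
SAMPLE = """From: Jane Smith <jane.smith@exarnple.co.uk>
Reply-To: jane.smith.ceo@gmail.com
To: accounts@example.co.uk
Subject: Urgent supplier payment

In a meeting, can't take calls. Please process the attached invoice today.
"""

if __name__ == "__main__":
    for code in analyse_headers(SAMPLE):
        print(code)
```

On the sample message the three codes printed are impersonated-display-name, lookalike-domain and reply-to-mismatch; a message from a genuine staff address returns an empty list. None of this replaces the process rule later in the article: a clean header tells you the sender is who they claim to be, not that the request is legitimate.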

The real cost to your business

The obvious cost is money sent to the wrong place. But that is rarely the only cost.

There is also downtime, investigation time, legal support, customer communication, reputational damage, insurance complexity, and the cost of rebuilding trust internally. The Cyber Security Breaches Survey 2025 found the mean cost of the most disruptive breach or attack for businesses that identified one with an outcome was £10,140, rising to £14,360 for medium and large businesses. It also estimated around 40,000 UK businesses experienced fraud resulting from a cyber breach or attack in the previous 12 months. 

For many smaller businesses, that kind of hit is not just annoying. It is genuinely disruptive.

How to prevent business email compromise

The good news is that BEC is preventable. Not perfectly, because no control is perfect, but very significantly if you combine the right technical controls with the right processes.

Start with stronger identity protection

Many BEC incidents begin with stolen passwords.

That is why multi-factor authentication should be standard across email, Microsoft 365, admin accounts, finance systems, and remote access tools. The NCSC recommends MFA to protect against password guessing and theft on online services, and also recommends logging and monitoring suspicious authentication activity. Where you can, prefer phishing-resistant methods such as FIDO2 security keys or passkeys: attacker-in-the-middle phishing kits can relay one-time codes and push approvals in real time, so a weaker MFA prompt on its own will not always stop a mailbox takeover.

If you are reviewing your wider setup, this is exactly where a proper security services plan should start.

Lock down email authentication

Email spoofing is still a huge part of BEC.

Microsoft’s guidance on email authentication is blunt: SPF, DKIM, and DMARC work together to prevent forged senders, and anything less than all the email authentication methods results in substandard protection. 

That means you should not leave domain protection half-finished.

If your business uses Microsoft 365, your Cloud Services / Office 365 setup should include proper email authentication, anti-phishing configuration, and regular review of policies.
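As an added example (not Microsoft's guidance or Northern Star's code), here is a small checker that reads a domain's SPF and DMARC TXT records and reports the settings that leave protection half-finished: a permissive `all` qualifier, a DMARC policy of `p=none`, a partial `pct`, or no reporting address. The DNS answers are constructed in a dictionary so it runs offline; to check your own domain, pass a function that performs a real TXT lookup as `resolver`. DKIM is signed per selector and is not covered here.

```python
import re

# Constructed DNS answers standing in for real TXT lookups (assumption: not live data)
FAKE_DNS = {
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=100"],
    "strong.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"],
    "nodmarc.example": ["v=spf1 a mx -all"],
}

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name: str, resolver=FAKE_DNS.get) -> list[str]:
    """Return TXT strings for a name; swap in a real resolver for live checks."""
    return resolver(name) or []


def assess_spf(records: list[str]) -> list[str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send as you"]
    if len(spf) > 1:
        return ["multiple SPF records: invalid, receivers treat this as a permanent error"]
    terms = spf[0].split()
    issues = []
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: hosts not listed are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all: any host on the internet may send as you")
        elif qualifier == "?":
            issues.append("?all: neutral result, spoofed mail is not penalised")
        elif qualifier == "~":
            issues.append("~all: softfail only, rely on DMARC to enforce")
    lookups = 0
    for t in terms:
        name = re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups: over the limit of 10, record evaluates as permerror")
    return issues


def assess_dmarc(records: list[str]) -> list[str]:
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers will not enforce alignment for your domain"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in junk, consider p=reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua: you will receive no aggregate reports on who is spoofing you")
    return issues


def assess_domain(domain: str, resolver=FAKE_DNS.get) -> dict:
    """Combined SPF and DMARC assessment; empty lists mean nothing to fix."""
    return {
        "spf": assess_spf(lookup_txt(domain, resolver)),
        "dmarc": assess_dmarc(lookup_txt(f"_dmarc.{domain}", resolver)),
    }


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "nodmarc.example"):
        print(d, assess_domain(d))
```

For weak.example the checker reports the neutral `?all` qualifier and the `p=none` policy; strong.example comes back clean. A real resolver should return every TXT string for the name, since a second SPF record is itself a finding.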

Put payment verification rules in writing

This is one of the simplest and most effective controls you can introduce.

If bank details change, nobody updates them based on email alone. Ever.

Instead, your team should verify the request using a trusted phone number that was already on file, not one included in the email. The same goes for urgent transfer requests, supplier account changes, and payroll amendments.

You do not need a complex manual for this. You need a clear rule that your team can follow every time.

Limit who can approve money and data requests

BEC succeeds when one person can be pressured into acting alone.

Build separation into your process. That might mean:

  • 2-person approval for bank detail changes
  • secondary sign-off for payments over a set threshold
  • restricted access to payroll and sensitive files
  • role-based permissions in finance and cloud systems

This fits naturally into broader IT consultancy services and sensible access design.

Train your team without making them the whole defence

Training matters, but blame does not help.

Your people should know what BEC looks like, how to report suspicious emails, and how your internal verification process works. They should also know that questioning unusual payment requests is part of doing their job well, not a sign of being difficult.

The NCSC explicitly recommends a layered approach rather than relying too heavily on users spotting attacks unaided.

That is why good awareness training should sit alongside filtering, monitoring, access control, and incident response.

Monitor for signs of account compromise

A mailbox that has already been breached can be harder to spot than a spoofed email.

Watch for:

  • Unusual sign-ins
  • Impossible travel logins
  • Failed MFA attempts
  • Suspicious inbox rules
  • Unusual forwarding behaviour
  • Odd replies sent from genuine accounts
  • Mass downloads or searches in mailboxes

This is where ongoing IT Support and Management really matters. BEC defence is not a one-off project. It is operational.
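Two of those signals can be checked over exported logs. The script below is an added example, not code from the article: it flags inbox rules that forward mail externally, hide it in a rarely opened folder, or filter on finance keywords, and it flags successive sign-ins that would require implausible travel speed. The record shapes and the sample events are constructed to resemble Exchange Online mailbox audit records and Entra sign-in exports, but they are assumptions for the illustration, not real logs.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumptions for this example: your own mail domains, and the travel speed above
# which two sign-ins cannot both be the same person.
INTERNAL_DOMAINS = {"example.co.uk"}
MAX_PLAUSIBLE_KMH = 900
# Folders attackers move stolen threads into so the mailbox owner never sees them
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "bacs", "statement"}


def _is_external(address: str) -> bool:
    addr = address.strip("[] ").split(":")[-1]   # tolerate "[SMTP:user@domain]" formatting
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def suspicious_inbox_rules(events: list[dict]) -> list[tuple]:
    """Flag New-/Set-InboxRule audit events that forward, hide, or delete mail."""
    findings = []
    for ev in events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets = [t for t in params.get(key, "").split(";") if t.strip()]
            if any(_is_external(t) for t in targets):
                reasons.append(f"{key} to external address")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage")
        if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            reasons.append(f"MoveToFolder {params['MoveToFolder']}")
        words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";")}
        if words & FINANCE_WORDS:
            reasons.append("filters on finance keywords")
        if reasons:
            findings.append((ev["UserId"], params.get("Name", "?"), reasons))
    return findings


def _km(a, b) -> float:
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(signins: list[dict]) -> list[tuple]:
    """Flag consecutive successful sign-ins that imply implausible travel speed."""
    by_user = {}
    for s in signins:
        if s["status"] == "success":
            by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["time"])
        for prev, cur in zip(rows, rows[1:]):
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = max(delta.total_seconds() / 3600, 1 / 3600)
            dist = _km(prev["coords"], cur["coords"])
            # Ignore short hops: geo-IP places users tens of km from where they are
            if dist > 200 and dist / hours > MAX_PLAUSIBLE_KMH:
                findings.append((user, prev["country"], cur["country"], round(dist), round(hours, 2)))
    return findings


# Constructed sample records (assumption: shaped like real exports, not real data)
AUDIT_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "j.smith@example.co.uk", "Parameters": [
        {"Name": "Name", "Value": "Cleanup"},
        {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"},
        {"Name": "ForwardTo", "Value": "[SMTP:finance.backup@outlook.com]"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "a.patel@example.co.uk", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "SubjectContainsWords", "Value": "newsletter"},
        {"Name": "MoveToFolder", "Value": "Reading"}]},
]
SIGNINS = [
    {"user": "j.smith@example.co.uk", "time": "2025-03-03T09:02:00+00:00", "status": "success", "country": "GB", "coords": (51.51, -0.13)},
    {"user": "j.smith@example.co.uk", "time": "2025-03-03T10:31:00+00:00", "status": "success", "country": "NG", "coords": (6.52, 3.38)},
    {"user": "a.patel@example.co.uk", "time": "2025-03-03T08:55:00+00:00", "status": "success", "country": "GB", "coords": (53.48, -2.24)},
    {"user": "a.patel@example.co.uk", "time": "2025-03-03T12:10:00+00:00", "status": "success", "country": "GB", "coords": (51.51, -0.13)},
    {"user": "a.patel@example.co.uk", "time": "2025-03-03T12:12:00+00:00", "status": "failure", "country": "NG", "coords": (6.52, 3.38)},
]

if __name__ == "__main__":
    print(suspicious_inbox_rules(AUDIT_EVENTS))
    print(impossible_travel(SIGNINS))
```

In the sample data only j.smith's "Cleanup" rule and j.smith's London-to-Lagos sign-in pair are flagged; a.patel's newsletter rule and the failed sign-in from Nigeria are not. A failed attempt from an unexpected country is still worth a look when it sits next to a successful one, which is why the full sign-in history, not just the findings, belongs in the incident timeline.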

Protect endpoints and remote users

If attackers steal credentials through a compromised device, email becomes the next stage of the attack.

That is why endpoint visibility, patching, and device control matter. Northern Star’s own content around Why EDR Matters More Than Ever, Top 5 Reasons why your business needs EDR, and Network Penetration Testing: What It Is, What It Isn’t, and Why It Matters all sit in the same bigger picture: stop attackers early, and reduce the damage if they get in.

For businesses with hybrid teams, this also links naturally to hardware and software choices, secure device management, and sensible rollout standards.

Test your defences before criminals do

You cannot fix what you have not found.

That is why penetration testing and wider migrations or security reviews can be so valuable. They help you find exposed services, weak controls, poor identity handling, or misconfigurations before an attacker turns them into a real-world incident.

If your business operates across multiple sites or countries, global support and international projects and European IT support also become part of the BEC conversation, because inconsistent controls across locations create easy gaps.

What to do if you think you have been hit

If you suspect a BEC incident, speed matters.

You should immediately take the following actions:

  • Stop the payment if it is still possible
  • Contact your bank straight away
  • Lock compromised accounts and reset credentials
  • Review MFA, mailbox rules, and sign-in activity
  • Isolate affected devices if needed
  • Preserve evidence and email headers
  • Report the incident internally and externally where appropriate
  • Notify relevant suppliers, customers, or staff if their data may be involved

Do not treat it as “just one dodgy email”. If an attacker has already accessed a mailbox, they may have been sitting quietly for days or weeks.

BEC prevention is really about business discipline

The most effective defence against business email compromise is not one magic tool. It is a business-wide habit of checking, controlling, and verifying.

That means strong email authentication. Strong MFA. Good monitoring. Clear finance rules. Sensible permissions. Supported staff. Secure Microsoft 365 configuration. Tested incident response. And an IT partner that understands how your business actually works.

That practical, relationship-led approach is very much in line with Northern Star’s AM Methodology, broader news and advice, and hands-on support model delivered by their team.

FAQs

What is the difference between phishing and business email compromise?

Phishing is the wider category. It covers scam emails and messages designed to steal information, deliver malware, or trick someone into taking action. Business email compromise is a more targeted form of phishing focused on impersonation, trust, and business processes such as payments, payroll, and sensitive data handling. BEC is usually more personalised and often more convincing.

Can small businesses be targets for BEC?

Yes, absolutely. Smaller businesses are often seen as easier targets because they may have less formal finance controls, less monitoring, and fewer in-house security resources. Attackers do not always need a large payday. A smaller, fast-moving business with weaker checks can be just as attractive.

Does Microsoft 365 stop BEC automatically?

Microsoft 365 provides useful built-in protections, and Microsoft also offers additional anti-phishing and email security features, but it is not an automatic guarantee. You still need the right configuration, MFA, email authentication, access controls, user processes, and ongoing monitoring. Technology helps a lot, but configuration and process matter just as much.

What should you do if a supplier emails new bank details?

Do not update anything based on the email alone. Verify the request through a known and trusted phone number you already hold for that supplier. That single step can stop one of the most common and costly BEC scenarios.

Is BEC only about fake emails?

No. Some BEC attacks use fake or lookalike domains, but others come from genuine compromised accounts. That is why checking the sender address is helpful but not enough. You also need to verify unusual requests and monitor account activity.

Ready to make BEC much harder to pull off?

If you want to tighten up your email security, review your Microsoft 365 setup, strengthen user access, or test your wider security posture, speak to Northern Star through their contact page. A practical review now can save you a very expensive conversation later.