When most people think about cyber attacks on businesses, they think about ransomware. Systems locked, data encrypted, a demand for payment. It is dramatic, visible and well-covered in the press.

Business email compromise is quieter, less dramatic and measured by financial loss, more costly. It is also, in many ways, better suited to targeting small and medium-sized businesses than large enterprises.

What business email compromise actually is

Business email compromise, or BEC, is a category of fraud in which an attacker manipulates email communications to deceive someone in a business into making a payment, revealing credentials or taking some other action that serves the attacker’s interests.

The most common variants are:

Payment diversion – An attacker intercepts or spoofs email communications between a business and one of its suppliers. They send an email appearing to come from the supplier, informing the business that the supplier’s bank details have changed and requesting that future payments be made to a new account. The business updates their records and makes the next payment to the attacker’s account. By the time the fraud is discovered, the money is gone.

Invoice fraud – Similar to payment diversion but typically initiated by impersonating the supplier rather than intercepting communications. The attacker sends a convincing fake invoice, often for a plausible amount, from an email address that closely resembles the supplier’s real address.

CEO fraud – An attacker impersonates a senior executive, typically the MD or CEO and sends an urgent email to the finance team requesting an immediate payment. The urgency and apparent seniority of the request bypasses normal authorisation procedures.

Credential harvesting – A more technically sophisticated variant in which the attacker gains access to a legitimate email account, often through phishing and monitors communications over weeks or months before identifying and exploiting a payment opportunity.

Why BEC is particularly dangerous for SMEs

Large organisations typically have multi-person payment authorisation processes, dedicated finance teams with established verification procedures, and fraud detection systems that flag unusual payment requests. These controls significantly reduce the effectiveness of BEC attacks.

SMEs often have none of these. Payment authorisation may rest with a single person. Supplier relationships are managed informally. Verification procedures calling the supplier to confirm changed bank details exist in principle but are not consistently followed under time pressure.

The attacker knows this. BEC attacks are frequently targeted specifically at smaller businesses for exactly this reason.

The financial impact

UK Finance and Action Fraud consistently report BEC as one of the most financially damaging categories of fraud for UK businesses. Unlike ransomware, where recovery is sometimes possible, BEC fraud typically results in immediate and largely irrecoverable financial loss. Banks have limited ability to recall payments once they have been processed, particularly where the funds have been moved quickly through multiple accounts.

The average loss per incident for SMEs is significant, typically ranging from tens of thousands to hundreds of thousands of pounds depending on the nature of the business and the payment intercepted.

The defences that actually work

Verification by a different channel – Any request to change supplier payment details should be verified by calling the supplier on a known number, not a number provided in the email, before the change is made. This single control eliminates the majority of payment diversion fraud.

Payment authorisation controls – No single person should be able to authorise and execute a significant payment without a second person confirming. This applies particularly to payments above a defined threshold and to any payment to a new or recently changed payee.

Email security configuration – Properly configured email security including SPF, DKIM and DMARC records makes it significantly harder for attackers to spoof your domain or your suppliers’ domains. Many SMEs have not checked whether these are correctly configured.

Staff awareness – The most important defence is people who know what to look for and feel empowered to question an unusual request, even when it appears to come from a senior person. A culture where anyone can say “this looks odd, can I verify before I act?” is genuinely protective. **Cyber insurance that covers BEC.** Not all cyber insurance policies cover business email compromise. Some treat it as fraud rather than a cyber incident and exclude it. This is worth checking with your broker before you need to make a claim.

← All Insights
← Previous Next →

More Insights

Supplier Management

The MSP Contract Renewal Playbook: How to Negotiate from Strength

Most SMEs accept their MSP's renewal offer without negotiation. This is almost always a commercial mistake. Here is how to approach contract renewal in a way that produces better terms, better service commitments and better value.

17 July 2026 · 4 min read
IT Governance

The IT Governance Checklist Every SME Board Should Work Through Once a Year

Most SME boards have no structured way to review their IT governance position. This practical checklist gives you a framework for doing exactly that in plain English, without technical jargon, in under an hour.

1 July 2026 · 5 min read
Cyber Essentials

Cyber Essentials Explained: A No-Nonsense Guide for UK SME Business Leaders

Cyber Essentials is the UK government-backed certification that more and more businesses are being asked to hold. Here's what it actually involves, how long it takes, what it costs, and whether you need CE or CE+.

23 June 2026 · 5 min read