
Business Email Compromise (BEC) UK Business Guide 2026

Quick Answer: Business Email Compromise (BEC) is now the highest-loss cyber crime against UK businesses, costing more than ransomware in financial terms. Action Fraud and the FBI’s Internet Crime Report both rank BEC ahead of ransomware on direct losses. Defence is layered: MFA on every mailbox, SPF/DKIM/DMARC at p=reject, anti-impersonation rules, verbal verification of bank-detail changes, and cyber insurance with realistic BEC sub-limits. Most UK BEC losses are preventable with controls every business can deploy in under 30 days.

Business Email Compromise (BEC) attacks have overtaken ransomware as the dominant financial cyber threat to UK businesses. Unlike ransomware — which announces itself loudly and forces a public response — BEC is silent, surgical, and frequently goes undetected for weeks before the loss is realised. UK B2B BEC losses now run into hundreds of millions per year by Action Fraud’s estimates, with average individual losses of £25,000–£120,000 for SMBs and millions for mid-market businesses.

This guide explains the five most common BEC patterns hitting UK businesses in 2026, the controls that actually stop them, what to do during a live BEC incident, and how to recover funds (when recovery is possible). Read time: 12 minutes. The first four sections are the most critical.

What is Business Email Compromise (BEC)?

BEC is an umbrella term for cyber attacks where the attacker uses email to impersonate a trusted party — CEO, supplier, lawyer, accountant — to convince a finance staff member to authorise a payment, change bank details, share confidential data, or transfer assets. Crucially, BEC usually doesn’t involve malware. The compromise is human, not technical — which is why traditional antivirus and even EDR can miss it entirely.

The FBI’s Internet Crime Report consistently ranks BEC as the single highest-loss cyber crime category, ahead of ransomware. UK Action Fraud data tells the same story.

The 5 most common BEC patterns hitting UK businesses

1. CEO fraud (“urgent payment” impersonation)

The most-recognised pattern. Attacker spoofs or compromises the CEO’s email and contacts the finance team:

“Hi Sarah — I’m in a meeting. Can you process an urgent £47,000 payment to the supplier below today? It’s for the deal closing tomorrow. Don’t mention this to anyone yet, I’ll explain on Monday. Sort code: 12-34-56, account 78901234. Thanks — David.”

Modern variants use AI to mimic the CEO’s genuine writing style, scraped from public LinkedIn posts and previous email threads. Recent UK incidents have seen attackers spoof voice and even video on WhatsApp / Microsoft Teams calls following the email.

2. Supplier invoice redirection

Attacker compromises (or impersonates) a supplier the victim already pays. Sends a “we’ve changed our bank account” notice with an updated invoice. The victim’s finance team updates the supplier record and the next payment goes to the attacker. The supplier later complains the invoice wasn’t paid — usually three to six weeks after the loss.

This is the dominant BEC pattern hitting UK manufacturers, professional services firms and SMBs with regular supplier payments.

3. Conveyancing / completion fraud

Specific to UK property law firms. Attacker compromises a conveyancer’s mailbox, monitors active completion matters, then sends fraudulent “updated bank details” emails to buyers shortly before completion. Six-figure losses are common. More in the solicitors-specific guide.

4. Payroll diversion

Specific to UK accountancy firms. Attacker compromises a partner’s mailbox, then emails the client’s HR contact with a fake “please update employee X’s bank account before this Friday’s payroll run.” The client’s next payroll run sends the employee’s salary to the attacker. More in the accountants-specific guide.

5. Vendor email compromise (VEC)

The most sophisticated variant. Attacker takes over a real supplier’s mailbox and uses it to send legitimate-looking but fraudulent invoices to the supplier’s actual customers. Because the email truly comes from the supplier’s real domain (no spoofing), every email-security check passes. VEC is the leading cause of supplier-payment fraud in UK B2B in 2026 and the hardest pattern to detect via technical controls alone.


How BEC attacks actually unfold

A representative timeline of a UK SMB BEC compromise:

  • Day 0: Attacker phishes a finance director’s Microsoft 365 credentials via a fake DocuSign link. MFA is not enforced; the credentials work.
  • Day 1: Attacker sets a hidden inbox rule forwarding all incoming finance email to an external mailbox and auto-deleting messages mentioning “phishing,” “suspicious” or the attacker’s own domain. Attacker also configures a forwarding rule to mirror outbound email.
  • Days 1–14: Attacker silently observes business rhythms, supplier relationships, payment cycles, internal escalation paths, and the finance director’s writing style.
  • Day 15: Attacker registers a look-alike domain (e.g. company-co.uk vs companyco.uk) and configures matching SPF/DKIM/DMARC records.
  • Day 18: Attacker emails the finance team from the look-alike domain impersonating the finance director, requesting a £65,000 payment to a supplier with “updated” bank details. The email arrives mid-afternoon when the target is rushed.
  • Day 18 + 2 hours: Payment authorised and made.
  • Day 19: Attacker launders the £65,000 through three mule accounts within 30 minutes. Recovery is now near-impossible.
  • Day 32: Real supplier complains payment overdue. BEC discovered.

This timeline is representative because every step exploits a gap in controls that every UK business already has access to. The attacker’s success depends entirely on those controls not being properly configured.

The controls that actually stop BEC

BEC is the cyber threat with the highest ratio of damage to defence cost. Every defence below is achievable for under £5/user/month or as part of standard Microsoft 365 / Google Workspace tiers.

Identity hardening

  • MFA on every mailbox — no exceptions. Most UK BEC events start with a credential phish; MFA blocks 99%+ of them.
  • Conditional access blocking sign-in from outside the UK by default. Users travelling abroad are added to an exception group.
  • Disable legacy auth (POP, IMAP, SMTP basic auth) so attacker tooling can’t bypass MFA.
  • Quarterly review of forwarding and inbox rules — auto-forwarding to external addresses is the single best BEC indicator. Block it at tenant level.

Email authentication & impersonation defence

  • SPF, DKIM, DMARC at p=reject for your own domain. Most UK SMBs run DMARC at p=none, which is no protection.
  • Anti-impersonation rules in Defender for Office 365 P1/P2 detecting display-name spoofing of executives.
  • External-sender warning banners on every inbound email from outside the organisation.
  • Look-alike domain monitoring — register typo-squat variants of your own domain proactively.
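To make concrete why p=none is no protection and what else a DMARC record needs before it counts as enforced, here is an added example (not the guide's or any vendor's code) that parses DMARC TXT records and grades them. The domains and records are constructed, and the `resolve` parameter stands in for a real DNS lookup of `_dmarc.<domain>`.

```python
# Constructed TXT records for hypothetical domains, standing in for what a
# DNS lookup of _dmarc.<domain> would return. Not real domains.
SAMPLE_TXT = {
    "_dmarc.weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "_dmarc.partial.example": "v=DMARC1; p=reject; pct=20; sp=none",
    "_dmarc.strong.example":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                              "rua=mailto:dmarc@strong.example",
    "_dmarc.broken.example":  "v=DMARC1 p=reject",   # missing ';' separator
}

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into tag->value and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    tags.setdefault("pct", "100")      # percentage of failing mail the policy applies to
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def assess_dmarc(domain: str, resolve=SAMPLE_TXT.get) -> dict:
    """Grade a domain's DMARC posture: only p=reject at pct=100 with sp=reject
    and aggregate reporting counts as fully enforced."""
    txt = resolve(f"_dmarc.{domain}")
    if txt is None:
        return {"domain": domain, "status": "missing", "issues": ["no _dmarc TXT record"]}
    try:
        tags = parse_dmarc(txt)
    except ValueError as err:
        return {"domain": domain, "status": "invalid", "issues": [str(err)]}
    issues = []
    if tags["p"] != "reject":
        issues.append(f"p={tags['p']} (need p=reject)")
    if int(tags["pct"]) < 100:
        issues.append(f"pct={tags['pct']} leaves {100 - int(tags['pct'])}% of failing mail unenforced")
    if tags["sp"] != "reject":
        issues.append(f"sp={tags['sp']} lets spoofed subdomains through")
    if "rua" not in tags:
        issues.append("no rua= address, so you receive no aggregate reports")
    status = "enforced" if not issues else ("monitor-only" if tags["p"] == "none" else "partial")
    return {"domain": domain, "status": status, "issues": issues}
```

Point `resolve` at a function that queries DNS (for example via dnspython) to run it against your own domains.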

Process controls (the highest-leverage layer)

  • Verbal verification protocol for any bank-detail change request — verify on a phone number you already have, not one in the email.
  • Dual authorisation for any payment over a threshold (typically £5,000 or £10,000).
  • Cooling-off rule: any “urgent” payment received in the last hour of the working day waits until tomorrow morning unless verbally re-authorised.
  • Bank-details lockdown: supplier bank details only changed in person or via a documented multi-factor verification, never by email alone.
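The four process controls above can be encoded as a single pre-release check that a finance system or workflow tool runs before money leaves. This is an added example, not tooling from the guide; the 17:30 working-day end, the £10,000 dual-authorisation threshold and the sample requests are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

DUAL_AUTH_THRESHOLD_GBP = 10_000   # guide gives £5,000 or £10,000 as typical; assumption: £10k
WORKING_DAY_END = time(17, 30)     # assumption: finance team's working day ends 17:30

@dataclass
class PaymentRequest:
    amount_gbp: float
    requested_at: datetime
    bank_details_changed: bool          # payee details differ from the supplier record on file
    verified_by_callback: bool = False  # confirmed on a phone number already held, not one in the email
    approvers: set = field(default_factory=set)
    marked_urgent: bool = False

def required_actions(req: PaymentRequest) -> list:
    """Return the outstanding control steps; an empty list means the payment may be released."""
    blockers = []
    # Bank-details lockdown + verbal verification: never change payee details on email alone.
    if req.bank_details_changed and not req.verified_by_callback:
        blockers.append("callback: verify new bank details on a number already on file")
    # Dual authorisation above the threshold.
    if req.amount_gbp >= DUAL_AUTH_THRESHOLD_GBP and len(req.approvers) < 2:
        blockers.append(f"dual-auth: need 2 approvers, have {len(req.approvers)}")
    # Cooling-off: an 'urgent' request in the last hour of the day waits until tomorrow.
    cutoff = datetime.combine(req.requested_at.date(), WORKING_DAY_END) - timedelta(hours=1)
    if req.marked_urgent and req.requested_at >= cutoff and not req.verified_by_callback:
        blockers.append("cooling-off: urgent late-day request waits until tomorrow unless verbally re-authorised")
    return blockers

def may_release(req: PaymentRequest) -> bool:
    return not required_actions(req)

# Constructed requests: the £65,000 request from the timeline (urgent, new bank
# details, no callback, sent late in the day) and the same payment done properly.
TIMELINE_REQUEST = PaymentRequest(65_000, datetime(2026, 3, 18, 16, 50),
                                  bank_details_changed=True, marked_urgent=True)
COMPLIANT_REQUEST = PaymentRequest(65_000, datetime(2026, 3, 18, 10, 0),
                                   bank_details_changed=True, verified_by_callback=True,
                                   approvers={"finance-director", "managing-director"})
```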

Detection

  • Managed Detection & Response (MDR) with Microsoft 365 / email-aware analyst playbooks. UK 24/7 MDR here.
  • Mailbox-rule monitoring alerting on any new forwarding or auto-delete rule.
  • Impossible-travel detection alerting when a user signs in from two distant locations within an unrealistic time window.
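The hidden forwarding and auto-delete rules in the timeline, the quarterly rule review under identity hardening, and the mailbox-rule monitoring item above all come down to the same check over rule-creation events. This is an added example, not the guide's or Microsoft's code; the records are constructed to resemble Unified Audit Log `New-InboxRule` events, and the users and domains are hypothetical.

```python
# Constructed audit records shaped like Microsoft 365 Unified Audit Log inbox-rule
# events (hypothetical users and domains, not from any real tenant).
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "fd@example.co.uk", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker-mail.example"}]},
    {"Operation": "New-InboxRule", "UserId": "fd@example.co.uk", "Parameters": [
        {"Name": "Name", "Value": "cleanup"},
        {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;suspicious;example.co.uk"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap@example.co.uk", "Parameters": [
        {"Name": "Name", "Value": "Invoices"},
        {"Name": "SubjectContainsWords", "Value": "invoice"},
        {"Name": "MoveToFolder", "Value": "Invoices"}]},
]

INTERNAL_DOMAINS = {"example.co.uk"}
SECURITY_WORDS = {"phishing", "suspicious", "fraud", "hacked", "scam", "breach"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "ForwardingSmtpAddress", "RedirectTo")
WORD_KEYS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

def _external(target: str, internal: set) -> bool:
    """True if a forwarding target's domain is not one of ours."""
    addr = target.lower().strip().removeprefix("smtp:").strip("<>[]")
    return addr.rsplit("@", 1)[-1] not in internal

def classify_rule(record: dict, internal: set = INTERNAL_DOMAINS) -> list:
    """Return indicator tags for one rule-creation or modification record."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    found = []
    for key in FORWARD_KEYS:   # any forwarding/redirect target outside our domains
        if key in p and any(_external(t, internal) for t in p[key].split(";") if t):
            found.append(f"external-forward:{key}")
    words = {w.strip().lower() for k in WORD_KEYS if k in p for w in p[k].split(";")}
    hits = words & (SECURITY_WORDS | internal)   # deleting warnings or mail naming our own domain
    if p.get("DeleteMessage", "").lower() == "true" and hits:
        found.append("auto-delete-security-words:" + ",".join(sorted(hits)))
    if p.get("Name", "").strip() in {"", ".", ",", ".."}:   # blank or dot names hide the rule in Outlook
        found.append("hidden-rule-name")
    return found

def scan_audit_log(records: list, internal: set = INTERNAL_DOMAINS) -> dict:
    """Group indicators by mailbox so an analyst can triage per user."""
    alerts = {}
    for r in records:
        tags = classify_rule(r, internal)
        if tags:
            alerts.setdefault(r["UserId"], []).extend(tags)
    return alerts
```

Feed it the output of an audit-log export (for example from Search-UnifiedAuditLog) rather than the constructed list to run it for real.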

Insurance and recovery

  • Cyber insurance with explicit BEC / funds-transfer-fraud sub-limit — check the sub-limit (typically £100k–£500k), it’s usually well below the headline policy limit. UK cyber insurance guide.
  • Pre-arranged DFIR firm able to support BEC investigation, mailbox forensics and ICO notification.
  • Action Fraud & bank-recall procedures documented in the IR plan.

What to do during a live BEC incident

If a payment has been sent in the last 24 hours to a fraudulent account, time is everything. Recovery prospects drop sharply after the funds are laundered, which usually happens within hours.

First 60 minutes

  1. Call your bank’s fraud line and request immediate funds recall.
  2. Notify the receiving bank if known (they may freeze the destination account).
  3. Report to Action Fraud (0300 123 2040) and obtain a crime reference.
  4. Force-reset the compromised mailbox password and revoke active sessions.
  5. Disable any inbox forwarding or auto-delete rules.
  6. Notify your cyber insurer’s 24/7 hotline if covered.

Hours 1–24

  1. Engage DFIR firm to investigate scope of mailbox compromise.
  2. Identify other mailboxes potentially affected via the same credential phish.
  3. Notify the ICO if personal data has been exposed (72-hour clock).
  4. Notify customers, suppliers or partners whose communications passed through the compromised mailbox.
  5. Prepare board / management notification with known facts and current containment status.

Days 1–30

  1. Complete forensic investigation; document attacker tactics for future prevention.
  2. Submit cyber insurance claim with full evidence pack.
  3. Update controls based on root-cause analysis (commonly: enforce MFA, block external forwarding, configure DMARC).
  4. Run tabletop exercise with senior leadership covering the incident lessons.
  5. Run targeted refresher awareness training for affected teams.

Can you recover funds lost to BEC?

Sometimes — and almost always only in the first 24–48 hours. Recovery rates depend heavily on:

  • Speed of bank notification: Banks can sometimes recall payments within the first hour while still in clearing. After clearing, recall depends on the receiving bank’s cooperation.
  • Receiving bank’s response: Major UK banks have BEC fraud teams that can freeze destination accounts. Smaller / international receiving banks frequently won’t respond fast enough.
  • How quickly attacker laundered funds: Modern BEC operations launder funds within 30 minutes via mule networks and crypto. Recovery after laundering is rare.
  • Cyber insurance: Even when funds aren’t recoverable, BEC sub-limit insurance typically pays out if the controls in place at the time matched what you declared on the proposal.

Recent UK BEC recovery statistics suggest 10–25% of BEC funds are partially recovered when reported within 4 hours, and under 5% when reported after 48 hours. Speed beats every other variable.

Frequently Asked Questions

Business Email Compromise (BEC) is a category of cyber attack where an attacker uses email impersonation — spoofed or via a compromised mailbox — to convince a target to authorise payments, change bank details, or share confidential information. BEC is now the highest-loss cyber-crime category in the UK by financial impact, ahead of ransomware. The FBI’s Internet Crime Report and UK Action Fraud both rank BEC at the top of B2B financial cyber crime.

Five high-confidence indicators: (1) inbox forwarding rules you didn’t create, especially forwarding to external addresses, (2) auto-delete rules targeting words like “phishing,” “suspicious” or your own domain, (3) sign-in activity from countries you don’t visit, visible in the Microsoft 365 sign-in log, (4) sent items you didn’t send (some attackers don’t auto-delete), (5) password change confirmation emails for accounts you didn’t change. Microsoft 365’s Identity Protection and the Defender XDR portal automatically flag many of these — but only if alerts are configured and someone is reading them.

MFA stops the credential-phishing variant of BEC at well over 99% effectiveness, which is by far the most common entry route. However, MFA does not stop look-alike-domain BEC (where the attacker registers a similar domain rather than compromising your mailbox) or vendor email compromise (where a real supplier’s mailbox is compromised). For full BEC defence, combine MFA with DMARC at p=reject, anti-impersonation rules in Defender for Office 365, and process controls around bank-detail changes and dual authorisation.

Most UK cyber policies cover BEC under their funds-transfer-fraud or social-engineering section, but the sub-limit is usually substantially below the headline policy limit — typical £100k–£500k for SMB policies. Read the wording carefully: some policies exclude losses where you don’t verify bank-detail changes verbally, where the controls declared on the proposal weren’t actually in place, or where the loss arose from a compromised customer mailbox rather than your own. Always check the BEC sub-limit and exclusions before relying on the policy.

Speed is everything — the first hour matters more than every subsequent step. (1) Call your bank’s fraud line immediately and request payment recall. (2) Notify the receiving bank if known — they may freeze the destination account. (3) Report to Action Fraud on 0300 123 2040 and get a crime reference. (4) Force-reset the compromised mailbox password and revoke active sessions. (5) Disable any inbox forwarding rules. (6) Notify your cyber insurer’s 24/7 hotline if covered. (7) Engage a DFIR firm within hours to investigate the full scope. Recovery rates collapse after 24 hours.

UK BEC losses range widely. Action Fraud reporting suggests the median UK SMB BEC loss is around £25,000–£120,000, with mid-market losses regularly reaching £500k–£2m and several reported UK BEC events involving losses above £5m. Total annual UK B2B BEC losses run into hundreds of millions and are significantly under-reported, because many businesses don’t disclose. The defensive controls cost a small fraction of even a single average loss, which is why BEC has the highest defence-to-damage ROI of any cyber threat category.

Want a UK BEC defence audit for your business? Request a free BEC readiness review — we’ll assess your MFA enforcement, DMARC posture, anti-impersonation rules, payment-process controls and cyber insurance BEC sub-limit, and identify the controls that need to be in place before the next attack reaches your finance team. See also our best UK cyber security companies guide.
