
Email fraud and invoice manipulation

Updated February 2026

How UK businesses lose money, and how to stop it happening to yours.

Business Email Compromise (BEC) cost UK organisations over £50 million in 2023 alone, and the true figure is almost certainly higher. Many incidents go unreported, either because of reputational concerns or because the victim does not realise what has happened until months after the event. These are not sophisticated technical attacks requiring advanced hacking skills. They are exercises in social engineering, exploiting the trust and routine that underpin normal business communication.

The mechanism is deceptively simple. An attacker intercepts a legitimate invoice, changes the bank details, and waits for the payment to land in their account. By the time anyone notices the discrepancy, the money has been moved through a chain of accounts and is, for all practical purposes, unrecoverable. The sophistication lies not in the technology but in the attacker’s patience, their understanding of how businesses operate, and their ability to exploit the gap between process and practice.

What makes this particularly concerning for small and medium-sized businesses is that the impact is disproportionate. A £25,000 loss that a large enterprise can absorb may represent months of profit for an SME. Some businesses never recover. Understanding how these attacks work, and what practical steps you can take to prevent them, is not optional. It is a fundamental part of running a business in 2026.


How email fraud works

Email fraud follows a consistent pattern. The specifics vary, but the underlying structure is remarkably predictable. Understanding each stage helps you recognise and interrupt the attack before any money changes hands.

Step 01

Compromise

The attack begins with access. Criminals gain entry to an email account, either yours or your supplier’s, typically through phishing, credential stuffing, or exploiting a reused password from a previous data breach. In many cases, the attacker does not act immediately. Instead, they sit quietly inside the mailbox for weeks, reading correspondence, studying relationships, and learning the rhythms of the business. They identify who sends invoices, who approves payments, and when transactions are expected. This patience is what makes the attack so effective.

Step 02

Learn

With access secured, the attacker studies your communication patterns in detail. They note which suppliers invoice regularly, the typical amounts, the formatting of legitimate invoices, and the language used in payment-related emails. They learn the names and roles of finance staff, the approval workflows, and the payment schedules. Some attackers set up mail rules to silently forward copies of all correspondence to an external account, allowing them to monitor activity even if their initial access is revoked. This intelligence-gathering phase can last for months before any fraudulent action is taken.

Step 03

Intercept

When a genuine invoice is sent, the attacker intercepts it. They may create inbox rules that divert the original email into a hidden folder, preventing the intended recipient from seeing it. They then forward a modified version with altered bank details. The email appears to come from the legitimate sender. The invoice looks identical in every respect except for the payment information. In some cases, the attacker registers a lookalike domain, swapping a single character or using a different top-level domain, and sends the fraudulent invoice from there.

Step 04

Deceive

The modified invoice arrives looking exactly as expected. The layout, branding, and invoice number match previous correspondence. The only change is the bank details. Sometimes the attacker includes a brief note: “Please note our updated banking details following a recent provider change.” Other times, they make no mention of the change at all, relying on the fact that most people do not cross-reference bank details on every payment. The deception exploits trust and routine, two things that are fundamental to how businesses operate.

Step 05

Disappear

The payment is made to the criminal’s account. Within hours, the money is moved through a chain of accounts, often across multiple jurisdictions, making recovery extremely difficult. The fraud may not be discovered for weeks or months, until the legitimate supplier chases payment for an invoice they believe is still outstanding. By that point, the trail has gone cold. Banks can sometimes freeze funds if notified within hours, but the window is narrow. For most victims, the money is gone.

“The invoice looked identical. The email came from the right address. The amount matched. The only thing that had changed was the bank details, and nobody checked.”


How it looks in practice

These scenarios are drawn from real incidents affecting UK businesses. The details are representative of cases we encounter regularly. Each one illustrates a different variant of the same underlying attack, and each one was entirely preventable with the right controls in place.

The property transaction

A solicitor’s email account is compromised during a residential property purchase. The attacker monitors the conveyancing correspondence for weeks, waiting for completion day. On the morning of exchange, they send “updated” bank details to the buyer for the deposit payment. The email appears to come from the solicitor’s genuine address. The buyer transfers £250,000 to the criminal’s account. The buyer loses both the house and their life savings. This is not a hypothetical scenario. It happens regularly in UK property transactions, and the sums involved can be devastating.

Conveyancing fraud is one of the most common forms of BEC in the UK.

The supplier invoice

A construction company receives a regular monthly invoice from a long-standing supplier. The invoice looks identical to every previous one, but the bank details have been changed. The finance team processes the payment as part of their normal routine. Three months later, the supplier contacts the company asking why they have not received payment. The investigation reveals that the supplier’s email had been compromised, and three consecutive invoices had been redirected to a fraudulent account. Total loss: over £90,000.

Longer payment terms give attackers more time before detection.

The CEO fraud

A finance officer receives an urgent email from what appears to be the company’s managing director, requesting an immediate payment to a new supplier as part of a “confidential acquisition.” The email stresses urgency and secrecy, instructing the officer not to discuss the payment with anyone else. The email actually originates from a lookalike domain registered that morning. Under pressure and believing the request to be legitimate, the officer processes a £45,000 payment before raising it with a colleague. By then, the money has been withdrawn.

Also known as “whale phishing” or executive impersonation.

The scale of the problem

Email fraud is not a niche threat affecting a handful of unlucky businesses. It is a widespread, industrialised form of crime that targets organisations of every size, in every sector, every day of the year.

£50M+ lost to Business Email Compromise in the UK in 2023, with the true figure likely much higher.

£25K average loss per incident for small and medium-sized businesses, often representing months of profit.

40% of UK businesses reported being targeted by email fraud in the past twelve months.

Warning signs to watch for

Fraudulent emails and invoices are designed to look legitimate, but they almost always contain tell-tale indicators. Training your team to recognise these signals is one of the most effective defences available.

In the email

“New bank details” or “updated payment information” mentioned in the email body.

Slight variations in the sender’s email address: an extra letter, a different domain extension, or a character substitution.

Unusual urgency or pressure to process the payment quickly, often accompanied by language designed to prevent the recipient from seeking a second opinion.

A request to keep the payment confidential, particularly when paired with authority (“The CEO has asked me to handle this directly”).

A different tone, writing style, or level of formality compared to the sender’s usual correspondence.

In the invoice

Bank details that do not match previous invoices from the same supplier.

The account name differs from the company name on the invoice.

A foreign bank account for a UK-based supplier, or a personal account rather than a business account.

Minor differences in layout, branding, or formatting compared to previous invoices from the same source.

Invoice number sequences that do not follow the established pattern.

Process controls

The most effective defences against invoice fraud are not technical. They are procedural. A well-designed payment process, consistently followed, will stop the vast majority of attacks regardless of how convincing the fraudulent email appears. These controls cost nothing to implement and can be put in place immediately.

Callback verification

For any new supplier or bank detail change, verify the request by calling the supplier on a known, trusted number. Never use a number provided in the email that contains the change request. This single control prevents the majority of invoice fraud. Make it a mandatory step in your payment process, documented and auditable.

Dual authorisation

Require two separate individuals to approve payments above a defined threshold. No single person should have the ability to initiate and authorise a large payment without oversight. This creates a natural checkpoint where a second pair of eyes can catch anomalies that the first person might miss, particularly when under time pressure.

Bank detail register

Maintain a master list of verified supplier bank details, stored securely and accessible to the finance team. Any request to change bank details triggers the callback verification process before the register is updated. Payments are only made to accounts listed in the register. This eliminates the possibility of a single fraudulent email redirecting a payment.
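As an added illustration of the bank detail register and the warning signs listed earlier (this is example code, not part of the original article): an invoice is only cleared when its sender domain and bank details match the register, and every warning sign present is reported so the finance team knows why a callback is needed. The supplier, domains and account numbers are constructed.

```python
# Added example (not the article's code): screen an invoice against a verified
# supplier bank detail register and the warning signs listed above.
# All supplier names, domains and account numbers here are constructed.
# Register entries hold the contact domain and bank details confirmed by
# callback before being recorded. Only accounts listed here are ever paid.
REGISTER = {
    "Northern Steel Ltd": {"domain": "northernsteel.co.uk", "sort_code": "40-12-34",
                           "account": "12345678", "account_name": "Northern Steel Ltd"},
}
CHANGE_PHRASES = ("new bank details", "updated payment information", "updated banking details")
URGENCY_PHRASES = ("urgent", "immediately", "confidential")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a known domain means lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_invoice(inv: dict, register: dict = REGISTER) -> list[str]:
    """Return the warning signs found; an empty list means the invoice may be paid."""
    # inv keys: supplier, sender_domain, sort_code, account, account_name, body
    known = register.get(inv["supplier"])
    if known is None:
        return ["supplier not in register: callback verification required before payment"]
    flags = []
    domain = inv["sender_domain"].lower()
    if domain != known["domain"]:
        kind = "lookalike" if edit_distance(domain, known["domain"]) <= 2 else "unknown"
        flags.append(f"{kind} sender domain: {inv['sender_domain']}")
    if (inv["sort_code"], inv["account"]) != (known["sort_code"], known["account"]):
        flags.append("bank details differ from register: callback verification required")
    if inv["account_name"].strip().lower() != known["account_name"].lower():
        flags.append("account name does not match registered supplier")
    body = inv["body"].lower()
    if any(p in body for p in CHANGE_PHRASES):
        flags.append("email mentions new or updated bank details")
    if any(p in body for p in URGENCY_PHRASES):
        flags.append("urgency or confidentiality language")
    return flags

# Constructed sample: right supplier, lookalike domain (capital I for l), new account.
SUSPECT = {"supplier": "Northern Steel Ltd", "sender_domain": "northernsteeI.co.uk",
           "sort_code": "20-99-88", "account": "87654321", "account_name": "J Smith",
           "body": "Please note our updated banking details. Payment needed immediately."}
```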

Technical controls

While process controls address the human element of the attack, technical controls reduce the likelihood of email accounts being compromised in the first place and make it harder for attackers to impersonate legitimate senders. These should be implemented in parallel with your procedural defences.

Multi-factor authentication on all email accounts

MFA prevents account compromise from stolen passwords. If an attacker obtains credentials through phishing or a data breach, they still cannot access the account without the second factor. This is the single most effective technical control against email compromise. Enforce it on every account, without exception.

External email warnings

Configure your email platform to tag messages from outside your organisation with a visible banner. This makes spoofed internal emails immediately obvious. When an email claims to be from the CEO but carries an external sender tag, it raises an immediate red flag. Microsoft 365 and Google Workspace both support this natively.

DMARC, DKIM, and SPF

These email authentication protocols let receiving mail servers check that a message claiming to come from your domain was actually sent by a server you have authorised (SPF) and was not altered in transit (DKIM), and tell them what to do with messages that fail those checks (DMARC). Without them, anyone can send an email that looks like it came from your company’s address. Properly configured, with a DMARC policy of quarantine or reject rather than none, these controls protect both your organisation and your clients from impersonation attacks that use your domain. They do not stop mail sent from a genuinely compromised account or from a lookalike domain, which is why the process controls above remain essential.

Disable auto-forwarding to external addresses

One of the first things an attacker does after compromising a mailbox is set up a forwarding rule to copy all incoming and outgoing mail to an external address. Blocking external auto-forwarding at the tenant level prevents this. It also stops any mailbox rules that redirect, delete, or hide emails from the legitimate user.

Staff awareness

Technology and process can only go so far. The final layer of defence is your people. An informed, empowered team that feels confident questioning unusual requests is your strongest protection against social engineering attacks of every kind.

Regular, scenario-based training

Finance and administration teams need to understand how these attacks work in practice, not in theory. Show them real examples. Walk through actual fraudulent emails. Make them comfortable questioning unusual requests, even when those requests appear to come from senior staff. Training should be ongoing, not a one-off annual exercise.

A culture that rewards caution

Staff should feel safe delaying a payment to verify it, regardless of the apparent urgency. If someone claiming to be the CEO sends an email demanding an immediate confidential payment, the correct response is to verify through a separate channel, not to comply. This only works if the organisation’s leadership actively supports and models this behaviour.

Clear reporting mechanisms

Establish a straightforward process for reporting suspicious emails. Make it easy, make it fast, and never punish false alarms. Every reported suspicious email is an opportunity to prevent a loss. If staff are afraid of wasting time or looking foolish, they will not report, and the next fraudulent email will succeed.

“A five-minute phone call to verify bank details costs nothing. A fraudulent payment costs everything. The businesses that never fall victim are the ones that made verification a habit, not an afterthought.”

If you’ve been targeted

Speed is everything. The actions you take in the first few hours after discovering a fraudulent payment will determine whether you have any chance of recovering the funds. Do not wait. Do not hope the problem will resolve itself. Act immediately, in this order.

Contact your bank immediately

Time is critical. Many banks can freeze or recall payments if notified within hours of the transfer. The faster you act, the greater the chance of recovering the funds. Call the fraud department directly. Do not wait until the next business day. Every hour of delay reduces the probability of recovery.

Report to Action Fraud

Call 0300 123 2040 or report online at actionfraud.police.uk. This creates a formal record of the incident and feeds into the National Fraud Intelligence Bureau’s database. While recovery through law enforcement is rare, reporting contributes to broader intelligence efforts and may support insurance claims.

Preserve all evidence

Do not delete the fraudulent emails. Screenshot everything: the original email, the invoice, the payment confirmation, any related correspondence. Save email headers and metadata. This evidence will be needed for your bank’s fraud investigation, any insurance claim, and potential law enforcement involvement.

Secure your systems

If the fraud originated from a compromised account within your organisation, you need to act fast. Reset passwords on the affected account. Revoke all active sessions. Check for and remove any mail forwarding rules or inbox rules that the attacker may have created. Review sign-in logs to understand the scope of the compromise. Consider whether other accounts may also be affected.

The bigger picture

Email fraud is not a standalone problem. It is a symptom of broader security gaps: weak authentication, insufficient access controls, poor staff awareness, and a lack of documented processes. Organisations that address email fraud in isolation will find themselves playing a perpetual game of catch-up as attackers evolve their methods.

The most resilient organisations treat email security as part of a comprehensive approach to cyber security. That includes Cyber Essentials certification, regular security awareness training, robust identity and access management, and a clear incident response plan. These measures reinforce each other. MFA prevents account compromise. Training helps staff recognise social engineering. Process controls catch what technology misses. Together, they create layered defences that are far more effective than any single control.

If this article has prompted you to review your own defences, start with the basics. Enable MFA on every account. Implement callback verification for bank detail changes. Brief your finance team on what to look for. These three actions alone will dramatically reduce your exposure, and they can all be completed this week.

Need help protecting your business?

We help UK businesses implement the technical and process controls that prevent email fraud and invoice manipulation. That includes configuring email authentication protocols, deploying multi-factor authentication, reviewing payment processes, and delivering staff awareness training tailored to your organisation.

If you are not sure where your vulnerabilities lie, a security review will identify the gaps and give you a clear, prioritised plan for closing them.