Building resilience against business email compromise threats

Business email compromise (BEC) is a rapidly evolving and complex threat. A form of cybercrime, BEC – also known as email misdirection fraud, or payment diversion fraud – occurs when a malicious actor manipulates email communications to deceive individuals or organisations into sending money or sensitive data to the wrong person.

It is critical that businesses become aware of this threat and implement measures that help mitigate risks associated with it.

The scale of the BEC threat

According to FBI data, BEC attacks cost businesses globally nearly $55.5 billion in the decade since October 2013. Many of these attacks involve high-profile organisations: in June 2025, HMRC revealed it had lost £47 million after a phishing scam enabled criminals to gain customer details and attempt to claim rebates for tens of thousands of tax accounts. In the previous month, criminals successfully conducted a cyber-attack on the Legal Aid Agency, accessing a large amount of information relating to legal aid applicants.

To conduct a BEC attack, cyber criminals will gain access to a legitimate email account through phishing or credential theft. They may also spoof a legitimate email address to trick users into thinking a message came from a person or entity they know or trust. In the latter case, the sender typically forges email headers so that client software displays the fraudulent sender address, which most users take at face value.

Cyber criminals will then monitor communications and wait for a payment-related discussion to appear. At this point, the criminals intervene with fake instructions to divert payment to their own bank account. The victim, believing the email is genuine, sends funds to the cyber criminal’s bank account. This method of attack could also be replicated to gain access to sensitive data.

Examples of BEC attacks:

  • A vendor’s email account is hacked, and fake invoices are sent with updated banking details.

  • An executive’s email is spoofed, instructing the finance team to urgently send funds.

  • An organisation is tricked into transferring funds to a fraudulent account, for what is perceived as a valid reason/transaction.

BEC attempts are becoming increasingly sophisticated, as criminals capitalise on the growth of artificial intelligence (AI) tools. These are being deployed to produce fraudulent emails and text messages, as well as realistic audio and video content. These ‘deepfake’ attacks have the potential to defraud businesses of millions of dollars. UK-based engineering firm Arup suffered such an attack via their Hong Kong office in 2024.

Becoming vigilant

To help organisations in the UK, the National Cyber Security Centre (NCSC) has published advice on how businesses can disrupt phishing attempts and limit BEC risks. Although red flags are often spotted after the fact, businesses can become vigilant against this threat by looking out for the following:

  • Unexpected or last-minute changes to payment instructions.

  • Slight misspellings in email addresses. These are a common method of tricking employees and are hard to detect because the address differs from the correct one by only a character or two. For example, sarahsmith@l1oyds.com instead of sarahsmith@lloyds.com, or lawfirmabcs@gmail.com instead of lawfirmabc@gmail.com.

  • Emails that create urgency or secrecy.

  • Poor grammar or odd formatting in otherwise professional emails.

Prevention

To help prevent the occurrence of BEC attacks, organisations should look to take the following steps to build resilience:

  • Always confirm and verify payment details verbally with a known contact.

  • Enable multi-factor authentication for email accounts.

  • Educate and train employees on how to spot and negate phishing and fraud tactics.

  • Check email headers to confirm the sender’s domain matches exactly.

  • Use secure payment portals for transactions and avoid handling financial dealings purely over email.

  • Insert email footers alerting clients that your business will not change bank details and if they are asked to send funds elsewhere, they should make contact by telephone to verify the bank details before sending any funds.
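As an added illustration (not code from the article or from Lockton), the look-alike address check described under ‘Becoming vigilant’ and the header check above, written in Python: the trusted contact list, the confusable-character map and the sample message are constructed assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr
# Contacts the (hypothetical) firm has verified by telephone; constructed for this example.
TRUSTED_CONTACTS = {"sarahsmith@lloyds.com", "lawfirmabc@gmail.com"}
# Characters commonly substituted for look-alikes in fraudulent addresses (1 for l, 0 for o, ...).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})

def normalise(address: str) -> str:
    # Lower-case and undo common substitutions so look-alike addresses collapse onto the real one.
    return address.lower().translate(CONFUSABLES).replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: single-character insertions, deletions and substitutions.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_address(address: str) -> str:
    # 'trusted' if verified, 'lookalike' if within one edit or a confusable of one, else 'unknown'.
    if address.lower() in TRUSTED_CONTACTS:
        return "trusted"
    norm = normalise(address)
    if any(edit_distance(norm, normalise(t)) <= 1 for t in TRUSTED_CONTACTS):
        return "lookalike"
    return "unknown"

def check_message(raw: str) -> list[str]:
    # Flag a look-alike From address and any Reply-To/Return-Path domain that differs from it.
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    if (verdict := classify_address(sender)) != "trusted":
        findings.append(f"From <{sender}> is {verdict}")
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(header, ""))
        if other and other.rsplit("@", 1)[-1].lower() != sender_domain:
            findings.append(f"{header} <{other}> does not match From domain {sender_domain}")
    return findings

# Constructed message modelled on the article's l1oyds.com example (not a real capture).
SAMPLE = """From: Sarah Smith <sarahsmith@l1oyds.com>
Reply-To: accounts@mail-l1oyds.com

Please use the new account details below for all future payments.
"""
```

Running check_message(SAMPLE) flags both the look-alike sender and the mismatched Reply-To domain; a flagged message should be verified by telephone with a known contact before any payment details are changed.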

Responding to BEC attacks

If your business suffers from a BEC attack, the following steps can help mitigate threats and minimise damage:

  • Notify your IT department to secure the affected email account(s), and to confirm no other accounts are compromised.

  • Immediately contact your bank to attempt to freeze or recall the transfer, if monies have been sent.

  • Instruct your IT department to search for potential phishing emails across the organisation and remove any from mailboxes.

  • Consider reporting the circumstance to your insurance broker or claims team; insurance professionals can advise on whether a detailed forensic investigation is required.

  • Notify your case management system provider.

  • Report the attack to either Action Fraud or abuse@realtimeregister.com.

  • Report any suspicious emails to report@phishing.gov.uk — a service provided by the NCSC.

  • Consider any regulatory obligations and notify accordingly.

  • Issue communications to update clients, partners, and customers, as appropriate.

For further information on mitigating BEC threats, contact a member of the Lockton Solicitors team.
