How a BEC attack unfolds
BEC attacks follow a recognisable pattern. The specific technique varies, but the objective is always the same: redirect a legitimate payment, or extract sensitive data that enables fraud downstream.
Reconnaissance
The attacker identifies targets using publicly available information — Companies House filings, LinkedIn profiles, company websites. They map who handles payments, who the CEO is, who the regular suppliers are. This phase can take days or weeks and requires no technical access at all.
Account access or domain spoofing
Either the attacker compromises a real email account — via phishing or credential stuffing — or they register a lookalike domain (e.g. get-it-solutions.uk instead of get-it.uk) and craft emails that appear legitimate. Compromised accounts are more convincing and harder to detect because the email genuinely originates from the real domain.
Silent monitoring
When a real account is compromised, attackers often monitor for weeks before acting. They read existing email threads, understand payment workflows, identify upcoming transactions, and learn the communication style of the compromised person. Rules are sometimes set to auto-forward replies and delete traces.
The instruction
At the right moment — often when a genuine payment is expected — the attacker sends a payment instruction or bank detail change notification. It arrives in context, references real conversations, and comes from what looks like the right person. The finance team processes it as routine.
The transfer and the window
Once money moves to a mule account, recovery is time-critical. The NCSC recommends contacting your bank immediately to trigger a Faster Payments recall. Beyond 24 hours, recovery rates drop significantly. Reporting to Action Fraud creates a record but rarely recovers funds directly.
The main variants
Invoice fraud
A supplier's bank details are "updated" just before a legitimate invoice is due. The payment goes to the attacker. Often not discovered until the real supplier chases the unpaid invoice weeks later.
CEO / CFO impersonation
An urgent payment instruction arrives appearing to be from the CEO or CFO, often with a reason that discourages verification — "I'm in a meeting, just process this." Frequently targets finance staff directly.
Conveyancing fraud
Completion funds are redirected by compromising the solicitor's or the client's email account. It is a single transaction, and losses are often six figures. Our mortgage BEC case study covers this in detail.
Supplier impersonation
The attacker compromises a supplier's email account and uses real ongoing threads to insert fraudulent payment requests. Particularly effective because the email thread history is genuine.
Mortgage completion fraud — £312,000 redirected
A conveyancing transaction where a compromised email account was monitored for three weeks before completion. The attacker substituted bank details in the completion funds instruction at the last moment. By the time the error was discovered, the funds had moved twice.
Read the full case study →
Why BEC is particularly relevant for insurance brokers
Insurance brokers handle premium flows, client money, and supplier payments — often under time pressure at renewal. The combination of known payment cycles, high transaction values, and the FCA's client money rules makes brokers an attractive BEC target.
A broker whose client account is compromised faces not just financial loss but potential FCA notification obligations and client trust damage that is difficult to recover. The NCSC has noted financial intermediaries as a consistently targeted sector for BEC.
Notably, standard cyber insurance policies often exclude BEC losses unless a specific social engineering endorsement is in place. It's worth checking your current policy wording — see our guide on what cyber insurance actually covers.
The controls that help prevent BEC
DMARC with a reject policy
A DMARC record with a reject policy tells receiving mail servers that honour it to reject messages that carry your domain in the From: address without passing SPF or DKIM alignment. It doesn't stop compromised accounts, but it closes the spoofed-domain attack vector at every receiver that enforces the policy. Our Cyber Vitals scan checks your DMARC configuration and flags whether your policy is none, quarantine, or reject.
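To make the none / quarantine / reject distinction concrete, here is an added example (not code from the page or from the Cyber Vitals scanner) that parses a DMARC TXT record and reports whether a forged From: address using the domain would still be delivered. The records and domain names are constructed for illustration; no DNS lookup is performed, so in practice the record string would come from a TXT query for _dmarc.<your-domain>.

```python
from dataclasses import dataclass, field

# Constructed sample _dmarc TXT records for illustration only (no DNS lookup is made).
SAMPLE_DMARC_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
    "strong.example":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    "subdom.example":  "v=DMARC1; p=reject; sp=none",
    "missing.example": None,   # domain publishes no _dmarc record at all
}


@dataclass
class DmarcAssessment:
    policy: str                         # none | quarantine | reject | missing
    spoofable: bool                     # True if forged mail for the exact domain would still reach inboxes
    findings: list = field(default_factory=list)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; return None if this is not a DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(record):
    """Classify the published policy and list the weaknesses a BEC-focused review would raise."""
    tags = parse_dmarc(record)
    if tags is None:
        return DmarcAssessment("missing", True,
                               ["no valid DMARC record: receivers apply no policy to forged mail"])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment("missing", True,
                               ["p= tag absent or invalid; receivers ignore the record"])
    findings = []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                       # malformed pct is treated as the default by receivers
    if policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forged mail to spam rather than rejecting it")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing messages have the policy applied")
    sub_policy = tags.get("sp", policy).lower()      # sp= defaults to p= when absent
    if sub_policy != "reject":
        findings.append(f"subdomain policy sp={sub_policy}: mail from subdomains can still be forged")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports showing who sends as you")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment (the default): consider adkim=s and aspf=s")
    spoofable = policy != "reject" or pct < 100
    return DmarcAssessment(policy, spoofable, findings)


def assess_all(records):
    """Run the assessment across a dict of domain -> record and return domain -> DmarcAssessment."""
    return {domain: assess_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all(SAMPLE_DMARC_RECORDS).items():
        print(f"{domain}: policy={result.policy} spoofable={result.spoofable}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Only strong.example comes back with no findings: reject at 100%, subdomains also at reject, strict alignment, and reporting enabled. subdom.example shows why sp= matters: the exact domain is protected, but sp=none leaves every subdomain open to forgery.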
MFA on all email accounts
The silent monitoring phase — where attackers read threads before acting — requires sustained account access. MFA on Office 365 or Google Workspace makes initial account compromise significantly harder and limits persistence once a password is stolen. This is a Cyber Essentials v3.3 requirement for all cloud services.
Out-of-band payment verification
Any request to change bank details or make an urgent payment should be verified via a known phone number — not one provided in the email, and not by replying to the email thread. This is a process control, not a technical one, but it's the single most effective BEC prevention measure available.
Email security rules and anomaly detection
Configure rules that flag emails from external senders whose display name matches a member of internal staff (display name spoofing), flag lookalike domains, and alert when auto-forwarding rules are created. Most modern email platforms support these natively — they just need to be configured.
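The three detections above, written out as an added example that is not code from the page or from any email platform. The internal domain, staff names and supplier domains are constructed assumptions, and the lookalike check uses the page's own get-it-solutions.uk / get-it.uk pairing. The audit events are a simplified, constructed rendering of Microsoft 365 mailbox audit records: the operation names New-InboxRule and Set-InboxRule and the parameter names ForwardTo, ForwardAsAttachmentTo, RedirectTo and DeleteMessage are the ones those records use, but the surrounding layout here is reduced to what the example needs.

```python
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's own domain, a tiny
# staff directory and the supplier domains it already trades with.
INTERNAL_DOMAIN = "get-it.uk"
STAFF_NAMES = {"jane smith", "tom harper"}
KNOWN_DOMAINS = {"get-it.uk", "acme-supplies.co.uk"}
PUBLIC_SUFFIXES = ("co.uk", "org.uk", "uk", "com")      # small list, enough for the samples
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def registrable_label(domain):
    """Strip a known public suffix and return the brand label, e.g. 'get-it' for get-it.uk."""
    for suffix in PUBLIC_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    return domain.split(".")[0]


def edit_distance(a, b):
    """Plain Levenshtein distance; small values catch typo-squats like 'suppiies' for 'supplies'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header):
    """Return the findings for one From: header (empty list when nothing is suspicious)."""
    name, addr = parseaddr(from_header)
    domain = domain_of(addr)
    findings = []
    if domain in KNOWN_DOMAINS:
        return findings
    # Rule 1: an external sender whose display name is one of our own staff.
    if name.strip().lower() in STAFF_NAMES:
        findings.append(f"display-name spoof: '{name}' sent from external domain {domain}")
    # Rule 2: a lookalike of a known domain, either a typo-distance variant of the brand
    # label or the brand label padded with extra words (get-it-solutions for get-it).
    label = registrable_label(domain)
    for known in KNOWN_DOMAINS:
        known_label = registrable_label(known)
        if edit_distance(label, known_label) <= 2 or label.startswith(known_label + "-"):
            findings.append(f"lookalike domain: {domain} resembles {known}")
            break
    return findings


def check_inbox_rule_event(event):
    """Flag a mailbox audit event that creates or changes a rule forwarding mail outside the organisation."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    targets = [params[k] for k in FORWARDING_PARAMS if k in params]
    external = [t for t in targets if domain_of(t) != INTERNAL_DOMAIN]
    if not external:
        return None
    # Forward-and-delete is the pattern used to hide replies from the mailbox owner.
    severity = "high" if str(params.get("DeleteMessage", "")).lower() == "true" else "medium"
    return (f"{severity}: {event['UserId']} {event['Operation']} forwards to {external} "
            f"(rule '{params.get('Name', '?')}')")


# Constructed sample input: five From: headers and three simplified audit events.
SAMPLE_FROM_HEADERS = [
    "Jane Smith <jane.smith@get-it.uk>",                # genuine internal sender
    "Jane Smith <jane.smith@mail.example>",             # staff name, external mailbox
    "Accounts <accounts@get-it-solutions.uk>",          # brand label with extra words
    "Accounts <accounts@acme-suppIies.co.uk>",          # capital I in place of l
    "Bob Jones <bob@bob.example>",                      # unrelated external sender
]
SAMPLE_AUDIT_EVENTS = [
    {"UserId": "jane.smith@get-it.uk", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Invoices"},
        {"Name": "ForwardTo", "Value": "archive@mailbox.example"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "tom.harper@get-it.uk", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"UserId": "tom.harper@get-it.uk", "Operation": "Set-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Team"},
        {"Name": "RedirectTo", "Value": "shared@get-it.uk"}]},
]


def triage(headers, events):
    """Run both detections over the samples and return every finding in one list."""
    results = [f for h in headers for f in check_from_header(h)]
    results += [a for a in (check_inbox_rule_event(e) for e in events) if a]
    return results


if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM_HEADERS, SAMPLE_AUDIT_EVENTS):
        print(finding)
```

The header checks produce three alerts (the staff-name spoof and the two lookalikes) and stay quiet for the genuine internal sender and the unrelated external one; of the audit events, only the forward-and-delete rule to an external mailbox is raised, at high severity, while the folder-move rule and the redirect to an internal shared mailbox are left alone.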
Staff awareness — specifically about BEC
Generic phishing training doesn't always cover BEC specifically. Staff handling payments need to understand the invoice fraud and CEO impersonation patterns, and need to feel empowered to verify unusual requests without fear of appearing obstructive. A culture where "I just wanted to double-check" is encouraged, not penalised, is a meaningful control.
If money has already moved
Act immediately — recovery is time-critical:
- Call your bank now — request an urgent recall via Faster Payments. Every hour matters.
- Do not send further payments to the same details while investigating.
- Preserve all email evidence — don't delete anything, including the fraudulent emails.
- Report to Action Fraud (0300 123 2040) — creates a reference number for bank and insurance purposes.
- Notify your insurer — check whether you have a social engineering endorsement. Time limits on notification may apply.
- Check ICO obligations — if personal data was accessed as part of the compromise, a 72-hour notification window may apply under UK GDPR.
If you're unsure whether you've been compromised or need a structured incident response, see our guide on responding to a phishing incident, or book a call directly.
Cyber Vitals — Check your email authentication now
Cyber Vitals checks your SPF, DKIM, and DMARC configuration — the email authentication controls that prevent domain spoofing. If your DMARC is missing or set to none, your domain can be impersonated in BEC attacks. Free instant scan, no account required.
Run a Free Scan →
Operational Risk Assessment (ORA)
ORA covers the controls most relevant to BEC prevention — MFA posture, email authentication, access control, and staff awareness — alongside the full Cyber Essentials v3.3 control set. Takes 15 minutes and produces a prioritised action report.
Start the Assessment →