Business email compromise attacks cost UK organisations hundreds of millions of pounds every year. Unlike ransomware, which makes headlines and triggers incident response, BEC attacks often go undetected until the money has already left the account. The funds rarely come back.

The attack works because it exploits human trust rather than technical vulnerabilities. An email from the CEO asking the finance team to process an urgent payment doesn’t trigger any security alerts. It triggers compliance.

How BEC Attacks Work in Practice

The attacker either compromises a legitimate email account or creates a convincing lookalike domain. They study the organisation’s communication patterns, learn who authorises payments, and wait for the right moment to strike.

The request is always urgent. It always involves a change: a new bank account for a supplier, a rush payment for an acquisition, a one-off invoice that needs immediate processing. And it always comes from someone whose authority isn’t questioned.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Business email compromise is the most financially damaging cybercrime category we see affecting UK organisations. The attacks don’t rely on malware or technical exploits. They rely on trust, urgency, and a lack of out-of-band verification for financial transactions. Technical controls help, but process controls are what actually prevent the losses.”

Why Technical Controls Alone Aren’t Enough

Email authentication protocols like DMARC can prevent domain spoofing, but they can’t stop an attacker who has compromised a legitimate mailbox. Email security gateways can flag suspicious patterns, but a well-crafted BEC email contains no malware, no malicious links, and no attachments to trigger detection.

The technical controls that help most are those that make account compromise harder in the first place. Multi-factor authentication on all email accounts, conditional access policies, and monitoring for impossible travel and unfamiliar device sign-ins reduce the risk of an attacker gaining access to a legitimate mailbox.
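The sign-in monitoring described above, as an added example that is not code from the original article or from Aardwolf Security: it runs two of the checks mentioned (impossible travel between consecutive sign-ins and sign-ins from a device the mailbox has never used) over a small set of constructed sign-in events. The event format, the `KNOWN_DEVICES` baseline and the 900 km/h speed threshold are assumptions for illustration, not a specific product's schema.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events for illustration (not real logs).
# Fields: mailbox, UTC timestamp, latitude, longitude, device identifier.
SIGNINS = [
    ("cfo@example.co.uk", "2024-03-04T08:02:00", 51.5074, -0.1278, "laptop-01"),
    ("cfo@example.co.uk", "2024-03-04T09:15:00", 51.5074, -0.1278, "laptop-01"),
    ("cfo@example.co.uk", "2024-03-04T09:40:00", 6.5244, 3.3792, "unknown-77"),
    ("ap@example.co.uk", "2024-03-04T08:30:00", 53.4808, -2.2426, "laptop-02"),
    ("ap@example.co.uk", "2024-03-04T18:30:00", 48.8566, 2.3522, "laptop-02"),
]
# Devices each mailbox signed in from during a baseline period (constructed assumption).
KNOWN_DEVICES = {"cfo@example.co.uk": {"laptop-01"}, "ap@example.co.uk": {"laptop-02"}}
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner speed; faster is "impossible"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(events=SIGNINS, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by one mailbox that would require travel faster than max_kmh."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, dev in events:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon, dev))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()  # order each mailbox's sign-ins by time before pairing them
        for (t1, lat1, lon1, _), (t2, lat2, lon2, dev2) in zip(rows, rows[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(lat1, lon1, lat2, lon2)
            # A non-zero distance in zero time is also impossible; avoid dividing by zero.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "at": t2.isoformat(), "device": dev2,
                               "km": round(km), "kmh": round(speed)})
    return alerts


def find_unfamiliar_devices(events=SIGNINS, known=KNOWN_DEVICES):
    """Flag sign-ins from a device the mailbox has not used during the baseline."""
    return [{"user": u, "at": ts, "device": dev}
            for u, ts, _, _, dev in events if dev not in known.get(u, set())]
```

In the constructed data the CFO mailbox signs in from London and then, 25 minutes later, from roughly 5,000 km away on an unseen device, so both checks raise the same event; the accounts-payable mailbox's Manchester-to-Paris move over ten hours is left alone.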

Process Controls That Prevent Losses

The most effective defence against BEC is a simple process: verify every payment change or unusual financial request through a different communication channel. If an email requests a bank account change, call the sender on a known number, not the number in the email, and verify.

This single control prevents the vast majority of BEC losses. But it only works if it’s consistently applied, even when the request comes from the CEO, and especially when it comes from the CEO.

Testing Your BEC Defences

Include BEC scenarios in your social engineering testing. Regular external network penetration testing should assess your email security infrastructure, while targeted BEC simulations test whether your process controls actually prevent fraudulent payments.

If you haven’t tested your organisation’s resilience to BEC attacks, getting a penetration test quote for a combined technical and social engineering assessment will reveal whether your people and processes would withstand a realistic attack.
