Business email compromise: what UK firms need to know
Business email compromise needs no malware and no hacking - only an email convincing enough to move money. Here is how BEC actually works, the three distinct techniques behind it, and an honest account of which one DMARC stops.
Business email compromise (BEC) is fraud's quietest category. There is no malware to detect, no system breached, no ransom note. There is an email - plausible, well-timed, apparently from someone trusted - asking for something that, in context, seems routine: pay this invoice, update these bank details, process this transfer before the deadline.
The money moves through entirely legitimate channels, authorised by an entirely legitimate employee. By the time anyone questions it, it has usually moved again.
Phishing and impersonation consistently rank as the most common attack types reported by UK organisations in the DSIT Cyber Security Breaches Survey 2025/26, in which phishing affected 85% of the businesses that suffered any breach or attack. The sector evidence is concrete: the Solicitors Regulation Authority documented £7m of client losses in a single year from email-enabled conveyancing fraud (SRA risk outlook, 2016 figures), and the Charity Commission opened 603 fraud and 99 cybercrime cases between November 2023 and October 2024, with phishing the most common type of cyber-enabled fraud (Charity Commission).
This post explains how BEC actually works - and is honest about which parts of it email authentication can and cannot stop, because that distinction is where most vendor marketing goes quiet.
The shape of the fraud
BEC has recognisable variants, all built on the same foundation of borrowed trust:
- Invoice fraud. A supplier "emails" updated bank details, or a fraudulent invoice arrives looking exactly like the real monthly one. Finance pays it in the normal run.
- Executive impersonation ("CEO fraud"). An email apparently from a director instructs an urgent, confidential payment - typically while the real director is known to be travelling or in meetings.
- Payroll diversion. "An employee" asks HR to change the account their salary is paid into.
- Payment diversion in transactions. The conveyancing classic: at the moment funds are due to move, "the solicitor" sends revised account details. The legal sector calls it Friday afternoon fraud for a reason.
What makes BEC effective is research and timing rather than technical sophistication. Criminals read websites, LinkedIn and previous correspondence; they know who pays invoices, when completions happen, which director signs off. The email succeeds because it arrives when exactly such an email was expected.
The three techniques underneath - and why the difference matters
Every BEC email has to solve one problem: appearing to come from someone the victim trusts. There are exactly three ways to do it, and they have different defences.
1. Exact-domain spoofing. The From address genuinely shows the trusted domain - an address at yourcompany.co.uk, for example. Email's original 1980s design allows anyone to claim any sender address; unless the domain's owner has published authentication controls, nothing stops this. It is the cheapest technique: free, scalable, requiring no compromise of anything.
2. Look-alike domains. The criminal registers a near-match - yourcompamy.co.uk, yourcompany-payments.co.uk - and relies on nobody inspecting the address closely. Costs a few pounds; defeats casual inspection; requires the victim not to look.
3. Account takeover. The criminal obtains the password to a genuine mailbox (through phishing or reused credentials) and sends from the real account - often after watching the inbox for weeks, then inserting themselves into a live thread at the moment money moves. The most convincing and most expensive technique to mount.
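As an added illustration of how a defender can triage the first two techniques from the From header alone (this is example code, not code from the post or from SealedMail; the protected domain list, the suffix list and every sample address are constructed), the classifier below sorts an inbound sender into exact-domain, look-alike or unrelated:

```python
# Added example (not code from the original post or from SealedMail): a
# defender-side classifier that sorts the sender domain of an inbound message
# into "exact-domain", "look-alike" or "unrelated". PROTECTED and every sample
# address below are constructed for illustration.
#
# Caveat: an exact-domain match covers both technique 1 (spoofing) and
# technique 3 (account takeover); string comparison cannot tell them apart,
# only the receiver's SPF/DKIM/DMARC results can.

PROTECTED = ["yourcompany.co.uk"]   # domains the organisation actually owns (assumed)

# Second-level labels treated as part of a UK-style public suffix. A production
# tool would use the Public Suffix List instead of this short list.
SECOND_LEVEL = {"co", "org", "gov", "ac", "ltd", "plc", "net", "sch"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """The label a registrant chose, e.g. 'yourcompany' in yourcompany.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def sender_domain(from_addr: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare address."""
    addr = from_addr.strip().rstrip(">").rsplit("<", 1)[-1]
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_addr: str, protected=PROTECTED) -> str:
    domain = sender_domain(from_addr)
    for own in protected:
        own = own.lower()
        # The real domain or one of its subdomains: owner-controlled, so
        # genuineness is decided by authentication, not by this function.
        if domain == own or domain.endswith("." + own):
            return "exact-domain"
        own_label = registrable_label(own)
        label = registrable_label(domain)
        # Typo-squats and character swaps: yourcompamy, yourc0mpany, yourcompany1
        if levenshtein(label, own_label) <= 2:
            return "look-alike"
        # Brand-plus-token registrations: yourcompany-payments, yourcompanyhr
        if own_label in label:
            return "look-alike"
        # The whole real domain nested under another: yourcompany.co.uk.example
        if own in domain:
            return "look-alike"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # constructed From headers
        "Finance <finance@yourcompany.co.uk>",
        "payments@yourcompamy.co.uk",
        "Accounts <ar@yourcompany-payments.co.uk>",
        "alerts@yourcompany.co.uk.example",
        "newsletter@bbc.co.uk",
    ]
    for s in samples:
        print(f"{classify_sender(s):13} {s}")
```

The edit-distance threshold of 2 is generous for a long label like "yourcompany" but will over-match for very short ones, so tune it per protected domain; and an exact-domain result is only the start of the question, because it is precisely the case where DMARC results (technique 1) and unusual-behaviour checks (technique 3) have to take over.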
What DMARC stops - honestly
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the published instruction that closes technique one. With a policy at enforcement, receiving mail servers reject email claiming to be from your exact domain that cannot authenticate. The free, scalable version of BEC - the one that can be sprayed at every client and supplier you have - stops reaching inboxes. DMARC's daily reports also show you attempts: many organisations discover, in their first month of monitoring, that their domain was already being spoofed.
DMARC does not stop techniques two or three. A look-alike domain is a different domain - its owner controls its records, and it can even pass authentication for itself. A taken-over account sends genuinely authenticated mail from the real domain. Any pitch implying DMARC "stops BEC" outright is selling past the truth.
So the accurate claim is narrower and still substantial: DMARC eliminates one of the three techniques entirely - the cheapest one - and converts your domain from an open resource into a monitored asset. Criminals optimise for cost; removing the free option pushes them towards techniques that are slower, costlier and more detectable.
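To make the three verdicts above concrete, here is an added example (not code from the post or from SealedMail) that models the DMARC evaluation a receiving server performs and runs each technique through it, plus the p=none case. The DNS records, sending hosts and authentication results are constructed stand-ins, the organisational-domain helper assumes UK-style suffixes rather than the Public Suffix List, and the pct and sp tags are not modelled:

```python
# Added example (not code from the original post or from SealedMail): how a
# receiving server applies a published DMARC policy to each of the three BEC
# techniques. The DNS records and authentication results below are constructed
# stand-ins; a real receiver fetches the TXT record at _dmarc.<domain> and runs
# SPF and DKIM itself. The pct and sp tags are ignored (assumed pct=100, no
# subdomain traffic).
from dataclasses import dataclass
from typing import Optional

# Constructed _dmarc TXT records, keyed by the From domain they govern.
DMARC_RECORDS = {
    "yourcompany.co.uk": "v=DMARC1; p=reject; adkim=s; aspf=s; "
                         "rua=mailto:dmarc-reports@yourcompany.co.uk",
    "yourcompamy.co.uk": "v=DMARC1; p=none",       # the look-alike's own record
    "unprotected.example": "v=DMARC1; p=none; rua=mailto:reports@unprotected.example",
}

SECOND_LEVEL = {"co", "org", "gov", "ac", "ltd", "plc", "net", "sch"}


@dataclass
class AuthResult:
    """What the receiver knows after SPF and DKIM have run (constructed)."""
    from_domain: str             # RFC5322.From domain: the address the reader sees
    spf_domain: Optional[str]    # domain for which SPF passed (MAIL FROM), or None
    dkim_domain: Optional[str]   # d= of a DKIM signature that verified, or None


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain; assumes UK-style second-level suffixes, not the PSL."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if auth_domain is None:
        return False
    if auth_domain.lower() == from_domain.lower():
        return True
    return mode != "s" and org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(auth: AuthResult) -> str:
    record = DMARC_RECORDS.get(auth.from_domain.lower())
    if record is None:
        return "deliver (no DMARC record: nothing to enforce)"
    tags = parse_dmarc(record)
    spf_ok = aligned(auth.spf_domain, auth.from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(auth.dkim_domain, auth.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver (DMARC pass)"      # one aligned pass is enough
    policy = tags.get("p", "none")
    if policy in ("reject", "quarantine"):
        return policy
    return "deliver (p=none: monitor only)"


def bec_scenarios() -> dict:
    return {
        # Technique 1: the criminal's server claims yourcompany.co.uk in From.
        # SPF may pass for their own bounce domain, but it is not aligned.
        "exact-domain spoof": dmarc_disposition(
            AuthResult("yourcompany.co.uk", "bulk-sender.example", None)),
        # Technique 2: a look-alike domain the criminal controls and has set up properly.
        "look-alike domain": dmarc_disposition(
            AuthResult("yourcompamy.co.uk", "yourcompamy.co.uk", "yourcompamy.co.uk")),
        # Technique 3: a taken-over mailbox sends through the real platform.
        "account takeover": dmarc_disposition(
            AuthResult("yourcompany.co.uk", "yourcompany.co.uk", "yourcompany.co.uk")),
        # The same spoof against a domain still sitting at p=none.
        "spoof vs p=none": dmarc_disposition(
            AuthResult("unprotected.example", "bulk-sender.example", None)),
    }


if __name__ == "__main__":
    for name, outcome in bec_scenarios().items():
        print(f"{name:20} -> {outcome}")
```

Only the first scenario is rejected, and only because the record is at enforcement: the look-alike domain authenticates for itself and the taken-over account authenticates for the real domain, so both are delivered as DMARC passes, which is exactly the boundary the post draws. The last scenario is the p=none trap: the spoof fails authentication, the failure is reported, and the message is delivered anyway.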
The defences that cover the rest
A proportionate BEC defence for a UK business is short:
- DMARC at enforcement, monitored - closes exact-domain spoofing and gives visibility. If your record sits at p=none, it currently blocks nothing: see Why DMARC p=none is not protecting you.
- Verification procedures for payments - any change of bank details or unusual payment request is confirmed by phone on a number you already hold, without exception, however senior the apparent requester. This single habit defeats all three techniques.
- Multi-factor authentication on every mailbox - the control against account takeover.
- A culture where checking is praised - BEC relies on urgency and deference; staff who feel safe pausing a "CEO request" are the last line that works.
None of this requires fear, and none of it is expensive. BEC is common because the cheap technique is so widely available - not because the defences are hard.
Start with the part you can fix this week
Whether your domain currently allows exact impersonation is a matter of public record - your DMARC, SPF and DKIM settings are visible to anyone who looks, including criminals selecting targets. SealedMail's Free Domain Health Check tells you what they would see: a scored, plain-English certificate covering SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status, by email, free, with no sign-up.
For the mechanics behind it all, read What is DMARC? - and if you operate in a sector where the stakes are client money, the legal sector's experience in DMARC for law firms is instructive whatever your industry.