
Business Email Compromise and Payment Fraud: 2026 Employer Guide
In April 2026 a hacker stole £700,000 from a UK energy company by redirecting a single supplier payment. The attacker compromised the email and accounting trail, altered the bank details on a legitimate invoice, and the money was gone before anyone noticed.
This is business email compromise, or BEC, and it remains one of the most financially damaging forms of cybercrime for businesses of every size. It does not rely on breaking encryption or deploying malware. It relies on a convincing email and a finance process with no second check.
For SMEs, BEC is the cyber risk most likely to cause a direct, irrecoverable cash loss. This guide explains how the attack works and the practical controls that stop it.
What Business Email Compromise Is
Business email compromise is a category of fraud where an attacker uses email to trick someone into transferring money or changing payment details. The National Cyber Security Centre describes it as a form of phishing that targets an organisation's normal payment processes rather than its technology.
The losses are substantial and global. The FBI's Internet Crime Complaint Center (IC3) attributes billions of dollars in reported losses to BEC each year, and it consistently ranks among the costliest categories of cybercrime. UK businesses report the same pattern through Action Fraud.
The reason BEC works is that it exploits trust and routine. The request looks normal, it comes at a plausible moment, and the recipient is doing exactly what their job asks of them.
Why SMEs Are a Prime Target
Smaller businesses are attractive to BEC fraudsters precisely because they sit between two extremes. They handle payments large enough to be worth stealing, but they rarely have the layered financial controls of a large corporate finance function.
In many SMEs, one person can both set up and release a payment, supplier relationships are informal, and a request from a director carries enough authority to short-circuit any check. Attackers research these structures using public information, then time their approach to a known event such as a large project invoice or a quiet holiday period.
The result is that the typical SME loss is a single, well-targeted payment rather than a high volume of small ones. A loss of tens or hundreds of thousands of pounds in one transfer can threaten the survival of the business.
The Common Attack Patterns
BEC takes a few recurring forms, and most real incidents are a variation on one of them.
- Invoice redirection. The attacker poses as a genuine supplier and emails to say their bank details have changed. The next legitimate payment goes to the fraudster's account. This is the pattern behind most large single losses.
- CEO or executive fraud. An email appearing to come from a senior leader asks a finance team member to make an urgent, confidential payment. The urgency and the apparent authority are designed to bypass normal checks.
- Account compromise. The attacker gains access to a real internal or supplier mailbox, often through a phished password, and sends requests from a genuine address. These are the hardest to spot because nothing about the sender looks wrong.
- Payroll diversion. A message impersonating an employee asks HR or payroll to update bank details, redirecting salary to the attacker.
In every version, the technical footprint is small. The decisive moment is a human one: someone approves a payment or a change of details without an independent check.
How a Real Loss Unfolds
The April 2026 energy company case follows a textbook invoice-redirection pattern. A genuine supplier relationship existed, a real payment was due, and the attacker inserted themselves at the point where bank details were confirmed.
From the finance team's perspective, nothing looked unusual. There was an expected invoice, a plausible note about updated bank details, and an account number that was simply typed into the payment run. No malware was needed and no system was visibly broken. The fraud only became apparent when the genuine supplier chased the payment they had never received.
What would have stopped it was not a technical product but a single procedural rule: confirm any change of bank details by calling the supplier on a previously held number before paying. That one step, applied without exception, defeats the most expensive form of BEC.
The Controls That Actually Stop It
BEC is preventable, and the controls are organisational as much as technical. The aim is to make sure no single email can move money or change payment details on its own.
Verify changes out of band
The most important control is a rule that any change to bank or payment details is verified through a separate, trusted channel before it takes effect. That means calling the supplier on a number you already hold, not a number contained in the email requesting the change.
This single step defeats invoice redirection, which is the costliest pattern. It needs to be written into the finance procedure and applied without exception, including when the request looks routine.
Require dual authorisation for payments
Payments above a set threshold, and all changes to standing payment details, should require approval by two people. Separating the person who sets up a payment from the person who releases it removes the single point of failure that BEC depends on.
Protect email accounts
Multi-factor authentication on email and accounting systems is essential, because account compromise is the hardest form of BEC to detect. Anti-spoofing email controls, namely SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance), reduce the ability of attackers to impersonate your domain and are a core part of the NCSC's guidance.
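The SPF and DMARC controls above are published as DNS TXT records, and a weak record gives little protection. The following is an added example, not part of this guide or of Policy Pros' material: a small checker that reads a constructed SPF record and a constructed DMARC record and reports settings that leave the domain open to impersonation, with a weak pair and a stronger pair side by side. The domain names and report address are assumptions for illustration; the functions take the record text, so they can be pointed at the output of a real DNS lookup.

```python
"""Assess SPF and DMARC record text for weak anti-spoofing settings.

Added illustration; the sample records below are constructed, not real
DNS data. Each function returns a list of findings (empty means no
weakness found by these checks).
"""

# Constructed sample records for an assumed domain.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@ourcompany.example; pct=100"


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC) into a dict of lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Flag an SPF record whose final 'all' mechanism does not reject forged senders."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: any server may send as this domain"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: every sender passes, record gives no protection")
    elif last == "?all":
        findings.append("SPF ends in ?all: neutral result, forged mail is not rejected")
    elif last == "~all":
        findings.append("SPF ends in ~all: softfail only, enforcement depends on DMARC")
    return findings


def assess_dmarc(record):
    """Flag a DMARC record that only monitors, applies partially, or collects no reports."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers have no policy for spoofed mail"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk rather than being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of messages")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not collected, so abuse goes unseen")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", assess_spf(spf) or "ok")
        print(label, "DMARC:", assess_dmarc(dmarc) or "ok")
```

A p=none policy is a normal first step while monitoring reports, but it should be a stage on the way to p=reject, not the end state; the checker treats it as a finding for that reason.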
Train the people who handle money
Finance, HR and payroll teams should be trained to recognise the warning signs: unexpected changes to bank details, pressure to act urgently or confidentially, and requests that bypass the usual process. Staff need explicit permission to pause and verify a request from a senior figure without fear of being seen as obstructive.
The Warning Signs to Build Into Training
BEC messages share a recognisable set of signals. Finance, HR and payroll staff who know these by heart are the most effective single defence an SME has.
- A supplier or employee notifies a change of bank details, especially close to a payment date.
- Pressure to act urgently, often combined with a request for confidentiality.
- A request that breaks the normal process, such as bypassing a purchase order or a usual approver.
- Small inconsistencies in an email address or domain, such as a transposed letter or a lookalike domain.
- A reply-to address that differs from the visible sender, or a thread that suddenly moves to a personal email account.
- A tone or phrasing that is subtly unlike the person the message claims to be from.
None of these is conclusive on its own, which is why the verification rule matters. The control does not depend on staff spotting a fake; it depends on them confirming every change of details through a trusted channel regardless.
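The signals in the list above can also be checked mechanically on incoming mail before it reaches a finance inbox. The following is an added example and not code from this guide or from Policy Pros: it parses two constructed messages (not real traffic), compares the Reply-To domain with the visible sender, looks for free-mail addresses and lookalike domains (a letter transposed or a confusable pair such as "rn" for "m"), and scans the body for bank-detail changes and urgency language. The trusted supplier domains, the free-mail list and the keyword lists are assumptions to be replaced with your own.

```python
"""Flag BEC warning signs in an email message.

Added illustration; the messages, domains and word lists are constructed
assumptions. assess() returns the list of warning-sign labels found.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains of known suppliers and of the organisation itself.
TRUSTED_DOMAINS = {"acme-supplies.co.uk", "ourcompany.co.uk"}
# Assumed: personal free-mail providers a supplier would not normally use.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENCY = re.compile(r"\b(urgent|immediately|today|confidential|discreet)\b", re.I)
DETAILS = re.compile(r"\b(bank details|account number|sort code|iban|new account)\b", re.I)
# Character pairs that look alike in common fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(domain):
    """Collapse confusable character pairs so 'acrne' compares equal to 'acme'."""
    result = domain.lower()
    for lookalike, real in CONFUSABLES:
        result = result.replace(lookalike, real)
    return result


def levenshtein(a, b):
    """Edit distance, used to catch a single dropped or transposed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain imitates a trusted domain without being one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(normalise(domain) == normalise(t) or levenshtein(domain, t) <= 1
               for t in TRUSTED_DOMAINS)


def assess(raw_message):
    """Return the warning-sign labels present in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")          # replies would go somewhere else
    if from_domain in FREE_MAIL or reply_domain in FREE_MAIL:
        flags.append("personal-mailbox")           # thread moving to a personal account
    if is_lookalike(from_domain) or is_lookalike(reply_domain):
        flags.append("lookalike-domain")
    if DETAILS.search(body):
        flags.append("bank-details-change")
    if URGENCY.search(body):
        flags.append("urgency")
    return flags


# Constructed sample messages.
SUSPICIOUS = (
    "From: Accounts <accounts@acrne-supplies.co.uk>\n"
    "Reply-To: accounts.acme@gmail.com\n"
    "Subject: Updated bank details for invoice 1042\n"
    "\n"
    "Please note our bank details have changed. Update the account number\n"
    "before paying today; this is urgent.\n"
)
BENIGN = (
    "From: Accounts <accounts@acme-supplies.co.uk>\n"
    "Subject: Invoice 1043 attached\n"
    "\n"
    "Please find attached invoice 1043 for the May delivery.\n"
    "Payment terms are 30 days as usual.\n"
)

if __name__ == "__main__":
    print("suspicious:", assess(SUSPICIOUS))
    print("benign:", assess(BENIGN))
```

The labels are meant to route a message for the out-of-band check, not to decide on their own that it is fraudulent; a message that scores "bank-details-change" with no other flag still goes through the callback rule.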
If a Payment Has Already Gone
Speed matters more than anything else once a fraudulent payment is suspected. The first hours give the best chance of recovery.
- Contact your bank immediately using a number you find independently, and ask them to attempt to recall the payment.
- Report it to Action Fraud at actionfraud.police.uk or on 0300 123 2040, which is the UK's national reporting centre for fraud and cybercrime.
- Secure the affected accounts by resetting passwords and reviewing mailbox rules, since attackers often set up forwarding rules to stay hidden.
- Preserve the evidence, including the original emails and headers, for the bank and the police.
Recovery is possible but never guaranteed, which is why prevention is the only reliable strategy.
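Reviewing mailbox rules, as the third step above says, is easier with a checklist of what a hiding rule looks like: forwarding to an address outside the organisation, forwarding and then deleting, moving mail into a folder nobody reads, and a rule name that is blank or a single character. The following is an added example, not part of this guide or Policy Pros' material. It runs those checks over a constructed set of rules expressed as plain dictionaries; the field names and the organisation's domain are assumptions, and a real review would first export the rules from the mail platform into this shape.

```python
"""Review mailbox rules for the patterns attackers use to stay hidden.

Added illustration with constructed rules; the rule fields (name,
keywords, forward_to, delete, move_to) are an assumed export format.
"""

INTERNAL_DOMAIN = "ourcompany.co.uk"  # assumed organisation domain
# Folders commonly used to park mail where the owner will not look.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email",
                  "archive", "conversation history"}
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "password"}


def review_rules(rules):
    """Return [(rule name, [reasons])] for every rule that looks like a hiding rule."""
    findings = []
    for rule in rules:
        reasons = []
        forwards = rule.get("forward_to", [])
        for addr in forwards:
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
                reasons.append(f"forwards to external address {addr}")
        if forwards and rule.get("delete"):
            reasons.append("forwards then deletes, so the owner never sees the message")
        folder = (rule.get("move_to") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail to '{rule['move_to']}'")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("blank or single-character rule name")
        # Finance keywords are only suspicious in combination with a hiding action.
        watched = sorted(k for k in rule.get("keywords", []) if k.lower() in FINANCE_WORDS)
        if watched and reasons:
            reasons.append(f"targets finance keywords {watched}")
        if reasons:
            findings.append((rule.get("name", ""), reasons))
    return findings


# Constructed sample export from a finance mailbox.
SAMPLE_RULES = [
    {"name": "Team newsletters", "keywords": ["newsletter"], "move_to": "Newsletters"},
    {"name": ".", "keywords": ["invoice", "bank"],
     "forward_to": ["acct.backup@gmail.com"], "delete": True},
    {"name": "Supplier chasers", "keywords": ["payment"], "move_to": "RSS Feeds"},
]

if __name__ == "__main__":
    for name, reasons in review_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Any rule the review flags should be disabled rather than deleted until the evidence has been preserved, since the rule itself shows what the attacker was trying to intercept.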
Where BEC Fits in Your Wider Controls
Payment fraud sits at the intersection of cyber security and financial governance. The technical defences, such as MFA and email authentication, belong with your IT security policies and align with the controls assessed under Cyber Essentials.
The procedural defences, namely verification, dual authorisation and incident response, belong with your cyber resilience policies. Payment fraud also overlaps with the corporate offence covered in our guide to the failure to prevent fraud rules under the UK Fraud Strategy 2026, where reasonable fraud prevention procedures are a legal expectation, not just good practice.
Supplier Onboarding Is Part of the Defence
Many redirection frauds succeed because there is no controlled way to add or amend a supplier's bank details in the first place. Building the verification step into supplier onboarding, rather than treating it as an exception, closes the gap before any invoice is raised.
A simple standard helps: capture bank details once, at onboarding, through a verified channel, and require the same out-of-band confirmation for any later change. Keep a record of who verified the details and when. This turns payment integrity into a routine part of supplier management instead of a judgement call made under time pressure on a single invoice.
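The out-of-band verification rule, the dual-authorisation rule and the onboarding standard above all come down to one thing: the payee record can only change through a fixed sequence of steps, each done by a named person, and a payment can only go to what that record says. The following is an added example and not code from this guide or from Policy Pros. It models that sequence as a small supplier register: a change request is only recorded; it must be confirmed by a callback to the number held on file (a number taken from the request is refused); a different person must then approve it; and a payment is rejected if the payee account differs from the verified record or if a payment over the threshold is prepared and released by the same person. The threshold, the names and the account strings are assumptions.

```python
"""Enforce out-of-band verification and dual authorisation on payee changes.

Added illustration; the supplier, people, account strings and threshold
are constructed assumptions, not data from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

DUAL_AUTH_THRESHOLD = 5_000  # assumed: payments above this need a second person


class ControlViolation(Exception):
    """Raised when a change or payment would bypass a control."""


@dataclass
class Supplier:
    name: str
    contact_number: str   # captured at onboarding; the only number we call back on
    account: str          # payee account currently in force
    audit: list = field(default_factory=list)


class SupplierRegister:
    def __init__(self):
        self.suppliers = {}
        self.pending = {}   # change requests that have not yet taken effect

    def _log(self, name, event, who):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.suppliers[name].audit.append((stamp, event, who))

    def onboard(self, name, contact_number, account, verified_by):
        """Capture details once, through a verified channel, with a named verifier."""
        self.suppliers[name] = Supplier(name, contact_number, account)
        self._log(name, f"onboarded with account {account}", verified_by)

    def request_change(self, name, new_account, logged_by, source):
        """Record a request (for example from an email); nothing changes yet."""
        self.pending[name] = {"account": new_account, "logged_by": logged_by,
                              "source": source, "callback_by": None}
        self._log(name, f"change to {new_account} requested via {source}", logged_by)

    def confirm_by_callback(self, name, number_dialled, confirmed_by):
        """The callback must go to the number on file, never one from the request."""
        if number_dialled != self.suppliers[name].contact_number:
            raise ControlViolation("callback must use the number held on file")
        self.pending[name]["callback_by"] = confirmed_by
        self._log(name, f"change confirmed by callback to {number_dialled}", confirmed_by)

    def approve_change(self, name, approver):
        """Second person applies the change, and only after the callback."""
        change = self.pending[name]
        if change["callback_by"] is None:
            raise ControlViolation("change has not been verified out of band")
        if approver == change["logged_by"]:
            raise ControlViolation("approver must differ from the person who logged the change")
        self.suppliers[name].account = change["account"]
        self._log(name, f"account changed to {change['account']}", approver)
        del self.pending[name]

    def release_payment(self, name, account, amount, prepared_by, released_by=None):
        """Pay only to the verified record; large payments need a different releaser."""
        if account != self.suppliers[name].account:
            raise ControlViolation("payee account does not match the verified record")
        if amount > DUAL_AUTH_THRESHOLD and released_by in (None, prepared_by):
            raise ControlViolation("payment above threshold needs a second, different person")
        self._log(name, f"paid {amount} to {account}", released_by or prepared_by)
        return True


def violates(action, *args):
    """True if the action is blocked by a control; used to show refusals."""
    try:
        action(*args)
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    reg = SupplierRegister()
    reg.onboard("Acme Supplies", "01onboard", "GB-OLD", "alice")
    reg.request_change("Acme Supplies", "GB-NEW", "bob", "email")
    print("approve before callback blocked:", violates(reg.approve_change, "Acme Supplies", "carol"))
    print("callback to number in email blocked:",
          violates(reg.confirm_by_callback, "Acme Supplies", "number-from-email", "bob"))
    reg.confirm_by_callback("Acme Supplies", "01onboard", "bob")
    print("self-approval blocked:", violates(reg.approve_change, "Acme Supplies", "bob"))
    reg.approve_change("Acme Supplies", "carol")
    print("pay to old account blocked:", violates(reg.release_payment, "Acme Supplies", "GB-OLD", 100, "bob"))
    for entry in reg.suppliers["Acme Supplies"].audit:
        print(entry)
```

The audit list is the record of who verified what and when that the onboarding standard asks for; failed attempts are not logged here, though a production system would normally log refusals as well.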
Why Documented Controls Matter Beyond the Loss Itself
A BEC loss is rarely just the missing money. Cyber insurance claims can be reduced or refused where an insurer finds that basic controls such as payment verification or multi-factor authentication were not in place or not followed.
Documented, enforced procedures are also what regulators, auditors and tender assessors increasingly expect to see. Being able to show a written payment-control and incident-response process is now part of demonstrating that an organisation takes financial crime prevention seriously.
How Policy Pros Can Help
Most BEC losses trace back to a missing procedure rather than a missing piece of software. A clear, written set of payment controls is what turns "we should have checked" into "we always check".
Policy Pros writes the cyber resilience and IT security policies that document payment verification, dual authorisation, account security and incident response in plain terms your finance and HR teams can follow. To review your exposure to payment fraud and put the right controls in place, get in touch through our IT security and assurance service.