In April 2026,
a hacker stole £700,000 from a UK energy company by redirecting a single supplier payment
. The attacker compromised the email and accounting trail, altered bank details on a legitimate invoice, and the money disappeared before anyone noticed something was wrong.
This isn’t an isolated incident.
Business email compromise attacks accounted for 73% of all reported cyber incidents in 2024
, and
the UK’s official 2025/2026 Cyber Security Breaches Survey finds that phishing remains the most common incident type, with 38% of businesses reporting phishing attacks in the past 12 months
. For UK SMEs in Kent and the South East, Business Email Compromise (BEC) represents one of the most financially damaging cyber threats you’ll face this year.
Unlike ransomware or malware attacks that target your systems, BEC targets your people, your trust, and your payment processes. Here’s what every business owner and office manager needs to know right now.
What Is Business Email Compromise and Why Does It Work?
Business Email Compromise is a sophisticated fraud attack where criminals impersonate trusted contacts or compromise legitimate email accounts to manipulate your staff into making fraudulent payments or sharing sensitive information.
BEC remains one of the most financially damaging cyber-enabled fraud categories. The FBI’s 2025 IC3 report logged 24,768 BEC complaints and $3.05 billion in reported losses, up from 21,442 complaints and $2.77 billion in 2024
. That represents a 16% year-over-year increase in reported complaints.
What makes BEC particularly dangerous is that
the technical footprint is small. The decisive moment is a human one: someone approves a payment or a change of details without an independent check
.
The Four Main Types of BEC Attack
Understanding how these attacks work helps you recognise them before money leaves your account:
- Invoice fraud: An attacker intercepts or impersonates a genuine supplier and changes bank details on a legitimate invoice. This is what happened in the April 2026 energy company case.
- CEO or executive fraud:
An email appearing to come from a senior leader asks a finance team member to make an urgent, confidential payment. The urgency and the apparent authority are designed to bypass normal checks
. - Account compromise:
The attacker gains access to a real internal or supplier mailbox, often through a phished password, and sends requests from a genuine address. These are the hardest to spot because nothing about the sender looks wrong
. - Payroll diversion:
A message impersonating an employee asks HR or payroll to update bank details, redirecting salary to the attacker
.
A 2023 NCSC report found that 37% of UK organisations experienced a phishing attack in the preceding year, and Business Email Compromise incidents caused average losses of £11,000 per incident
. But as the April case demonstrates, losses can be far higher when large supplier payments are involved.
Why BEC Attacks Succeed Against UK Businesses
Attackers now use AI tools to generate phishing emails that match the tone, formatting and language of legitimate business communication. They research targets using LinkedIn, company websites and public data to craft messages that feel personal and relevant
.
The old warning signs – poor spelling, generic greetings, suspicious addresses – are no longer reliable.
Phishing volume has risen sharply, and the majority of those attacks now use AI to produce messages that look polished, relevant, and urgent. The old signs people were taught to spot aren’t reliable indicators anymore
.
This is a threat that is ordinary and central at the same time: widespread across sectors, closely tied to everyday workflows, and still effective against organisations that believe they have the basics in place. When close to nine in ten affected organisations report that phishing formed part of their breach story, it becomes difficult for any board to argue this is a marginal risk
.
Similar to the supply chain cyber security challenges we discussed recently, BEC exploits trusted business relationships rather than technical vulnerabilities.
Practical Steps to Defend Your SME Against Business Email Compromise
1. Establish Verification Procedures for Payment Changes
Many redirection frauds succeed because there is no controlled way to add or amend a supplier’s bank details in the first place. Building the verification step into supplier onboarding, rather than treating it as an exception, closes the gap before any invoice is raised
.
Implement these controls today:
- Require phone verification (using a known number, not one provided in the email) for any change to supplier bank details
- Mandate dual authorisation for payments above a set threshold
- Create a formal process for updating payment information that cannot be bypassed via email alone
- Maintain a verified contact list for all regular suppliers, separate from email
2. Deploy Technical Email Security Controls
Multi-factor authentication on email and accounting systems is essential, because account compromise is the hardest form of BEC to detect. Anti-spoofing email controls, namely SPF, DKIM and DMARC, reduce the ability of attackers to impersonate your domain
.
These measures align with both firewall and security best practices and the Cyber Essentials certification framework we’ve covered previously.
If you use Microsoft 365, ensure Safe Links and Safe Attachments are enabled. These features, covered in our article on recent SharePoint security updates, provide additional layers of protection.
3. Train Your Finance, HR and Payroll Teams
Finance, HR and payroll teams should be trained to recognise the warning signs: unexpected changes to bank details, pressure to act urgently or confidentially, and requests that bypass the usual process. Staff need explicit permission to pause and verify a request from a senior figure without fear of being seen as obstructive
.
Recognise these red flags:
- Urgent payment requests that bypass normal approval workflows
- Requests for confidentiality or secrecy around financial transactions
- Supplier bank detail changes, especially close to payment dates
- Emails from executives that feel slightly “off” in tone or format
- Requests to move conversations away from normal business channels
The speed of response matters more than blame
. Create a culture where reporting suspicious emails is encouraged, not penalised.
4. Monitor and Respond Quickly to Potential Compromises
If a staff member suspects they’ve responded to a BEC attempt:
- Change affected passwords immediately
- Check whether the compromised account has sent further emails
- Review recent sign-in activity for unusual locations or times
- Contact your bank immediately if payment information may have been compromised
- Report the incident to Action Fraud (0300 123 2040)
Businesses that have a tested incident response process recover faster and limit damage. Businesses that do not often discover the breach weeks later, after significant harm has already been done
.
BEC Fits Into Your Broader Security Strategy
Payment fraud sits at the intersection of cyber security and financial governance. The technical defences, such as MFA and email authentication, belong with your IT security policies. The procedural defences, namely verification, dual authorisation and incident response, belong with your cyber resilience policies
.
This connects directly to your business continuity planning and complements the measures we’ve discussed for defending against AI-driven cyber threats.
UK NCSC Guidelines urge UK businesses to adopt stronger anti-BEC practices such as mandatory DMARC, multi-factor authentication (MFA), regular employee training, and defined incident response plans
. These aren’t optional extras – they’re essential controls that directly reduce your financial risk.
The Bottom Line for Kent SMEs
Business Email Compromise succeeds because it targets people and processes, not just technology. A £700,000 loss from a single fraudulent payment demonstrates the scale of risk facing UK SMEs right now.
The good news is that effective BEC defence doesn’t require enterprise-scale budgets. It requires three things:
- Clear verification procedures for payment and bank detail changes
- Properly configured email security and authentication controls
- Trained staff who know the warning signs and feel empowered to question suspicious requests
Every organisation processing supplier payments or managing payroll needs these defences in place today, not after the first fraudulent payment clears.
Need help securing your email systems against Business Email Compromise? Meridian Micro provides IT security assessments, email security configuration, and staff training for SMEs across Kent and the South East. Call us on 01303 883111 or contact us here to discuss how we can protect your business from payment fraud.