01303 883111 info@meridian-micro.com Support Login
meridianmicro
Get in Touch
01303 883111 info@meridian-micro.com
Security

Business Email Compromise: Why UK SMEs Lost £700,000 in One Payment (And How to Stop It in 2026)

July 14, 2026 Meridian Micro

In April 2026,
a hacker stole £700,000 from a UK energy company by redirecting a single supplier payment
. The attacker compromised the email and accounting trail, altered bank details on a legitimate invoice, and the money disappeared before anyone noticed something was wrong.

This isn’t an isolated incident.
Business email compromise attacks accounted for 73% of all reported cyber incidents in 2024
, and
the UK’s official 2025/2026 Cyber Security Breaches Survey finds that phishing remains the most common incident type, with 38% of businesses reporting phishing attacks in the past 12 months
. For UK SMEs in Kent and the South East, Business Email Compromise (BEC) represents one of the most financially damaging cyber threats you’ll face this year.

Unlike ransomware or malware attacks that target your systems, BEC targets your people, your trust, and your payment processes. Here’s what every business owner and office manager needs to know right now.

What Is Business Email Compromise and Why Does It Work?

Business Email Compromise is a sophisticated fraud attack where criminals impersonate trusted contacts or compromise legitimate email accounts to manipulate your staff into making fraudulent payments or sharing sensitive information.

BEC remains one of the most financially damaging cyber-enabled fraud categories. The FBI’s 2025 IC3 report logged 24,768 BEC complaints and $3.05 billion in reported losses, up from 21,442 complaints and $2.77 billion in 2024
. That represents a 16% year-over-year increase in reported complaints.

What makes BEC particularly dangerous is that
the technical footprint is small. The decisive moment is a human one: someone approves a payment or a change of details without an independent check
.

The Four Main Types of BEC Attack

Understanding how these attacks work helps you recognise them before money leaves your account:

A 2023 NCSC report found that 37% of UK organisations experienced a phishing attack in the preceding year, and Business Email Compromise incidents caused average losses of £11,000 per incident
. But as the April case demonstrates, losses can be far higher when large supplier payments are involved.

Why BEC Attacks Succeed Against UK Businesses

Attackers now use AI tools to generate phishing emails that match the tone, formatting and language of legitimate business communication. They research targets using LinkedIn, company websites and public data to craft messages that feel personal and relevant
.

The old warning signs – poor spelling, generic greetings, suspicious addresses – are no longer reliable.
Phishing volume has risen sharply, and the majority of those attacks now use AI to produce messages that look polished, relevant, and urgent. The old signs people were taught to spot aren’t reliable indicators anymore
.

This is a threat that is ordinary and central at the same time: widespread across sectors, closely tied to everyday workflows, and still effective against organisations that believe they have the basics in place. When close to nine in ten affected organisations report that phishing formed part of their breach story, it becomes difficult for any board to argue this is a marginal risk
.

Similar to the supply chain cyber security challenges we discussed recently, BEC exploits trusted business relationships rather than technical vulnerabilities.

Practical Steps to Defend Your SME Against Business Email Compromise

1. Establish Verification Procedures for Payment Changes

Many redirection frauds succeed because there is no controlled way to add or amend a supplier’s bank details in the first place. Building the verification step into supplier onboarding, rather than treating it as an exception, closes the gap before any invoice is raised
.

Implement these controls today:

2. Deploy Technical Email Security Controls

Multi-factor authentication on email and accounting systems is essential, because account compromise is the hardest form of BEC to detect. Anti-spoofing email controls, namely SPF, DKIM and DMARC, reduce the ability of attackers to impersonate your domain
.

These measures align with both firewall and security best practices and the Cyber Essentials certification framework we’ve covered previously.

If you use Microsoft 365, ensure Safe Links and Safe Attachments are enabled. These features, covered in our article on recent SharePoint security updates, provide additional layers of protection.

3. Train Your Finance, HR and Payroll Teams

Finance, HR and payroll teams should be trained to recognise the warning signs: unexpected changes to bank details, pressure to act urgently or confidentially, and requests that bypass the usual process. Staff need explicit permission to pause and verify a request from a senior figure without fear of being seen as obstructive
.

Recognise these red flags:

The speed of response matters more than blame
. Create a culture where reporting suspicious emails is encouraged, not penalised.

4. Monitor and Respond Quickly to Potential Compromises

If a staff member suspects they’ve responded to a BEC attempt:

Businesses that have a tested incident response process recover faster and limit damage. Businesses that do not often discover the breach weeks later, after significant harm has already been done
.

BEC Fits Into Your Broader Security Strategy

Payment fraud sits at the intersection of cyber security and financial governance. The technical defences, such as MFA and email authentication, belong with your IT security policies. The procedural defences, namely verification, dual authorisation and incident response, belong with your cyber resilience policies
.

This connects directly to your business continuity planning and complements the measures we’ve discussed for defending against AI-driven cyber threats.

UK NCSC Guidelines urge UK businesses to adopt stronger anti-BEC practices such as mandatory DMARC, multi-factor authentication (MFA), regular employee training, and defined incident response plans
. These aren’t optional extras – they’re essential controls that directly reduce your financial risk.

The Bottom Line for Kent SMEs

Business Email Compromise succeeds because it targets people and processes, not just technology. A £700,000 loss from a single fraudulent payment demonstrates the scale of risk facing UK SMEs right now.

The good news is that effective BEC defence doesn’t require enterprise-scale budgets. It requires three things:

Every organisation processing supplier payments or managing payroll needs these defences in place today, not after the first fraudulent payment clears.

Need help securing your email systems against Business Email Compromise? Meridian Micro provides IT security assessments, email security configuration, and staff training for SMEs across Kent and the South East. Call us on 01303 883111 or contact us here to discuss how we can protect your business from payment fraud.