Cadarn IT
The Cadarn IT team

Protecting Your Practice From Invoice Fraud and Business Email Compromise

Why accountancy practices are prime targets for invoice fraud and business email compromise, how the scams work, the technical and human defences, and what to do if you're hit.

  • Security
  • Fraud
  • Email
  • BEC

Few businesses sit closer to money changing hands than an accountancy practice. You process payments, handle client funds, set up new suppliers, manage payroll, and field a constant stream of emails about invoices, bank details and amounts due. That’s exactly the environment in which invoice fraud and business email compromise (BEC) thrive, not because practices are careless, but because they’re busy, trusted, and dealing with money all day.

This article explains, calmly and in plain English, why practices are targeted, how these scams actually work, and what you can do about them, both the technical controls and the everyday human habits that matter just as much.

Why practices are a prime target

A criminal running this kind of fraud is looking for two things: a place where money moves, and people who are conditioned to act on emailed instructions about money. A practice offers both.

Think about a normal week. A partner emails the office to approve a payment. A supplier sends an invoice with their bank details. A client asks you to process a payroll run or settle a bill on their behalf. Bank details get added and updated. Sums are paid out, often under time pressure. Every one of those routine moments is an opportunity for someone to insert themselves into the chain and quietly redirect a payment.

There’s a trust dimension too. Clients hand you their financial affairs precisely because they don’t want to think about them. If a fraudster can impersonate your practice to one of your clients, or impersonate a client or supplier to you, they’re exploiting a relationship that’s built on people not double-checking each other constantly. That trust is a strength of the profession. It’s also what these scams are designed to abuse.

None of this means a practice is doing anything wrong. It means the threat is worth understanding properly, so that a few sensible habits and controls can take most of the risk off the table.

How these scams actually work

The examples below are illustrative and hypothetical, composite patterns drawn from how this type of fraud generally operates, not accounts of any real, specific incident. They’re here to help you recognise the shape of an attack, because the shape repeats even as the details change.

The bank-details change

The single most common pattern is a request to change where money goes. An email arrives, apparently from a supplier you pay regularly: “We’ve switched banks, please update our details for future payments to the account below.” The wording is polite and unremarkable. The logo looks right. Nothing about it screams fraud.

In a genuinely compromised case, the email really does come from the supplier’s mailbox, because a criminal is sitting inside it, watching, and has sent the message themselves. In an impersonation case, it comes from a look-alike address that’s a character or two different from the real one. Either way, if you update the details and pay the next invoice, the money goes to the fraudster.

The fake or altered invoice

A close cousin is the bogus invoice. Sometimes it’s an entirely fabricated bill from a supplier you do use, slipped into the flow at a plausible moment. Sometimes it’s a real invoice that’s been intercepted and altered so the payment details point elsewhere. Because the amounts and the supplier are believable, these can pass through without a second glance, especially during a busy period.

The urgent “partner” request

Another familiar pattern targets people inside the practice. A member of staff receives an email that appears to be from a partner or principal: “Are you at your desk? I need a payment made today and I’m stuck in meetings, can you sort it discreetly and let me know once it’s done?” The hallmarks are urgency, secrecy, a request to bypass the normal process, and an implied authority that makes the recipient reluctant to push back.

The message often arrives at exactly the wrong moment, late on a Friday, or in the middle of the January crunch, when people are tired and inclined to be helpful rather than sceptical.

The last-minute redirection

A particularly damaging variant interrupts a genuine, expected payment. A transaction everyone knows is coming, a completion, a large settlement, a property-related sum, is hijacked at the last moment by an email saying the destination account has changed. Because the payment was legitimate and anticipated, the change feels like a routine administrative tweak rather than a red flag. By the time anyone realises, the money has gone.

The thread that runs through all of these is the same: there’s no dramatic hack on display. The criminal simply persuades a trusted, capable person to do something that, on any normal day, they’d do without hesitation.

The technical defences, in plain English

Technology can’t stop every one of these on its own, but it removes a lot of the easy openings and buys you time. Here’s what matters, without the jargon.

Email authentication: SPF, DKIM and DMARC

These three sit behind the scenes and help prove that an email claiming to be from your domain genuinely is.

  • SPF is, in effect, a published list of the servers allowed to send email on behalf of your domain. If a message comes from somewhere not on the list, that’s a warning sign.
  • DKIM adds a tamper-evident signature to your outgoing email, so the receiving system can check the message really came from you and wasn’t altered in transit.
  • DMARC ties the two together and lets you tell the world what to do with email that fails those checks, for example, reject it or send it to spam, while reporting back to you on attempts to abuse your name.

Set up properly, these make it far harder for someone to spoof your exact domain and impersonate your practice to clients. They are an important protection for your reputation. What they don’t do is stop a look-alike domain (a near-miss spelling), a genuinely hijacked account, or a convincing phone call, which is why technical controls are necessary but not sufficient on their own.
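To make the SPF and DMARC settings above concrete, here is an added example (not from the article) that parses the two DNS TXT records and lists what a reviewer would flag. The record strings are constructed: a weak pair that only monitors, beside a corrected pair that actually enforces.

```python
# Added example: parse SPF and DMARC TXT records and report whether they enforce
# anything. Record strings are constructed; real ones are published as DNS TXT
# records at "yourdomain" (SPF) and "_dmarc.yourdomain" (DMARC).

def parse_spf(txt):
    """Return the mechanisms and the qualifier on the final 'all' term."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = parts[1:]
    # 'all' decides what happens to senders not on the list:
    # -all = fail, ~all = softfail, ?all = neutral, +all or bare all = anyone may send
    all_term = next((m for m in mechanisms if m.lstrip("+-~?").lower() == "all"), None)
    qualifier = None
    if all_term:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {"mechanisms": mechanisms, "all_qualifier": qualifier}

def parse_dmarc(txt):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_txt, dmarc_txt):
    """List the weaknesses a reviewer would raise about a domain's records."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf["all_qualifier"] in (None, "+", "?"):
        findings.append("SPF does not fail unlisted senders (use -all, or at least ~all)")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    if dmarc.get("pct", "100") != "100":
        findings.append("DMARC pct=%s applies the policy to only part of the mail" % dmarc["pct"])
    if "rua" not in dmarc:
        findings.append("no rua= address, so you receive no reports of abuse attempts")
    return findings

# Constructed sample records: a monitoring-only pair and an enforcing pair.
# The include: host is Microsoft 365's published SPF source; the domain is a placeholder.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s"
```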

Multi-factor authentication

If there’s one control to get right, it’s multi-factor authentication (MFA). Most account takeovers begin with a stolen or guessed password. MFA means a password alone isn’t enough to get in: there’s a second step, usually a prompt on a phone. Turning MFA on across Microsoft 365, your practice and accounting software, and anywhere else staff log in is one of the highest-value things you can do to prevent your own mailboxes being compromised in the first place. It’s also a core part of the basics covered in our plain-English Cyber Essentials guide for practices.

Email filtering

Good email filtering catches a large share of phishing and impersonation attempts before anyone sees them, and can flag external messages or warn when a sender’s display name doesn’t match their actual address. It won’t catch everything, but it thins out the volume and reduces the chances of a tired person clicking the wrong thing.
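The two checks mentioned above (a display name that doesn't match the sender's address, and the look-alike domains that SPF, DKIM and DMARC cannot catch) are shown here as an added example, not code from the article or from any filtering product. The practice domain, partner names, supplier domains and the sample headers are all constructed for the example.

```python
# Added example: screen inbound message headers for partner impersonation and
# near-miss supplier domains. All names, domains and sample headers are constructed.
from email.utils import parseaddr

OUR_DOMAIN = "example-practice.co.uk"            # assumption: the practice's own domain
PARTNERS = {"jane smith"}                        # display names an impersonator would borrow
TRUSTED_SUPPLIERS = {"acme-stationery.com"}      # domains you genuinely pay
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Normalise a domain so digit-for-letter and rn/m style swaps compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def within_one_edit(a, b):
    """True if b can be made from a by one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def screen(headers):
    """Return the reasons a message deserves a warning banner or a call-back."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if name.strip().lower() in PARTNERS and domain != OUR_DOMAIN:
        flags.append("display name of a partner but external sender address")
    for trusted in TRUSTED_SUPPLIERS:
        if domain != trusted and (skeleton(domain) == skeleton(trusted)
                                  or within_one_edit(domain, trusted)):
            flags.append("look-alike of trusted domain %s" % trusted)
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("Reply-To points to a different domain than From")
    return flags

# Constructed sample headers: the urgent "partner" request from a webmail address,
# a digit-for-letter supplier look-alike, a Reply-To diversion, and a genuine message.
SAMPLES = [
    {"From": "Jane Smith <jane.smith@gmail.com>", "Subject": "Are you at your desk?"},
    {"From": "Accounts <accounts@acme-stati0nery.com>", "Subject": "Updated bank details"},
    {"From": "Accounts <accounts@acme-stationery.com>", "Reply-To": "accounts@acme-stationery.co"},
    {"From": "Accounts <accounts@acme-stationery.com>", "Subject": "Invoice 1042"},
]
```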

Conditional access

Conditional access is a way of saying who can sign in, from where, and under what conditions. For example, you might allow logins from managed devices or expected locations and challenge or block ones that look unusual. For a practice, this makes a stolen password far less useful to an attacker, because the login itself looks wrong before any harm is done.

The human defences, which matter just as much

Because these scams target people, the most effective protections are habits and procedures, and they cost very little to put in place.

Verify every change of bank details

Make it an unbreakable rule: any request to change bank details, or to make a payment to a new account, is confirmed by calling a known, trusted number for that person or organisation, one you already hold on file, never a number or link from the email itself. Speak to a named individual and confirm the change out loud. This one habit defeats the great majority of bank-details fraud, because it breaks the criminal’s reliance on the email channel they control.

Dual authorisation for payments

Require two people to approve payments above a sensible threshold, and especially any payment to a new or changed account. A second pair of eyes is remarkably good at catching the thing the first person, under pressure, didn’t question. It also removes the burden of being the sole decision-maker on a request that feels off.

Staff awareness training

People can only spot what they’ve been shown. Brief, regular, practical awareness training (what the patterns look like, what “urgency and secrecy” should trigger, what to do when something feels wrong) turns your team into the strongest layer of defence rather than the weakest. The goal isn’t to make everyone paranoid; it’s to make caution normal.

A culture where it’s fine to double-check

This is the quiet one, and it’s the most important. Fraud relies on people being too polite, too busy, or too junior to question an instruction that appears to come from authority. A practice where partners actively welcome being called to confirm a payment, where double-checking is treated as good practice rather than insubordination or fuss, is a practice these scams struggle to beat. Say it out loud to your team: if in doubt, check, and you’ll never be in trouble for checking.

What to do if you’re hit

If a fraudulent payment has gone out, or you suspect one has, the priority is speed and a clear head. The guidance below is general and sensible rather than legal advice, and you should adapt it to your circumstances and obligations.

  1. Contact your bank immediately. Ask them to attempt to recall or freeze the payment. The chance of recovering funds drops quickly with time, so this is the first call to make, ahead of working out exactly what happened.
  2. Report it to Action Fraud (or, in Scotland, to Police Scotland). Reporting creates an official record and feeds intelligence that helps tackle these crimes. Keep any reference number you’re given.
  3. Preserve the evidence. Resist the urge to delete the offending emails or tidy up. Keep the messages, headers, invoices and payment records intact; they matter for the bank, for any investigation, and for understanding how it happened.
  4. Find out how they got in. Check whether a mailbox has been compromised, force password resets, confirm MFA is on, and review mailbox rules for anything a criminal may have set up to hide their activity. The aim is to close the door so the same route can’t be used twice.
  5. Review related accounts and recent activity. Look at other recent payments and any pending changes to bank details, in case this wasn’t the only attempt.
  6. Notify as appropriate. Depending on what was exposed, you may need to inform affected clients or suppliers, and consider your data-protection obligations, including whether a personal data breach is involved and whether the ICO needs to be told. Your professional body’s and the ICO’s expectations are worth keeping in view here; we cover that ground in our piece on what ICAEW and your clients expect from your practice’s IT and data security.

Handled promptly and calmly, even a genuine attempt often ends without loss. The worst outcomes tend to come from delay and from not having decided in advance who does what.

The bottom line

Invoice fraud and business email compromise aren’t exotic threats; they’re the everyday reality of working somewhere money moves, and practices are squarely in the firing line. The reassuring part is that the defences are mostly straightforward: solid email controls and MFA on the technical side, and a few firm habits on the human side (verify bank-details changes by phone, require dual authorisation, train your people, and make double-checking welcome).

Getting both halves right is exactly the kind of thing our cyber security service for practices is built around. And if you’d simply like an honest view of where your practice stands today, book a free Practice IT Health Check: in 15 to 20 minutes we’ll tell you, plainly, where your real exposure is and what’s worth doing first.

Frequently asked questions

What is business email compromise (BEC)?

Business email compromise is a type of fraud where a criminal either takes over a genuine email account or convincingly imitates one, then uses it to trick someone into making a payment or changing bank details. There's usually no malware involved; it relies on deception and a moment of misplaced trust, which is what makes it so hard to spot.

How can we verify a request to change a supplier's or client's bank details?

Treat every change of bank details as something to confirm independently, no matter how genuine the email looks. Call the supplier or client back on a number you already hold for them, never a number or link in the email itself, and confirm the change with a named person. Build this into your process as a standard step, not an occasional one.

Do SPF, DKIM and DMARC stop invoice fraud?

They help, but they're not a complete answer. SPF, DKIM and DMARC make it much harder for a criminal to spoof your exact domain, which protects your name and reduces some impersonation. They don't stop look-alike domains, a genuinely compromised account, or a convincing phone call, so technical email controls need to sit alongside verification procedures and staff awareness.

What should we do first if we think we've sent a payment to a fraudster?

Act quickly. Contact your bank immediately and ask them to attempt a recall of the payment; the sooner you call, the better the chance of recovering funds. Then report it to Action Fraud, preserve the emails and records involved rather than deleting them, and check whether any accounts or mailboxes have been compromised so the same route can't be used again.
