Business Email Compromise (BEC)
Compromised or spoofed business email accounts used to redirect payments and steal data.
Last reviewed: 1 June 2026
What this scam is
Business email compromise (BEC) occurs when a scammer gains access to or convincingly spoofs a business email account, then uses it to redirect payments, request transfers, or harvest sensitive information from staff, customers, or suppliers.
How it works
After phishing credentials for an account or spoofing the domain, the attacker reads the mailbox (often adding inbox rules that hide replies from the real owner), then inserts themselves into a genuine payment thread or sends fresh instructions: changed bank details or an urgent transfer request, apparently from a trusted internal address.
Common red flags
- Payment or bank-detail changes mid-conversation
- Subtle differences in email address or domain
- Urgency and requests to bypass procedures
- Unusual login alerts on business accounts, or mailbox forwarding and inbox rules nobody remembers creating
Sanitized example messages
Illustrative, sanitized example. Specific details are replaced with placeholders such as [number], [phone number] and [fake link].
(From a real-looking internal address) Please update the payment for invoice [number] to the new account below.
Payment methods used
- Bank transfer
Who is usually targeted
- Finance teams
- Executives
- Suppliers and customers
What to do immediately
- Verify payment changes out-of-band via a known phone contact
- Secure compromised accounts (reset passwords, revoke active sessions, remove any forwarding or inbox rules the attacker added, enforce 2FA)
- If a payment has already been sent, contact your bank immediately to attempt a recall, then report the fraud
Evidence to preserve
- Emails and headers
- Account login logs
- Payment records
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Scam reporting run by the Australian Competition and Consumer Commission (ACCC)
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do we reduce BEC risk?
Enforce strong app-based 2FA on all email accounts, verify payment changes by phone to known contacts, use email authentication (SPF/DKIM/DMARC with an enforcing DMARC policy) so your own domain cannot be spoofed, and train staff to spot look-alike domains. Note that authentication only protects your domain: mail from a look-alike domain the attacker registered will pass SPF, DKIM and DMARC, so out-of-band verification of any bank-detail change remains essential.
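The red flags listed under "Common red flags" and the controls in the FAQ answer above can be turned into a mail-flow screening check. The following is an added example written for this page, not code from the original or from any vendor: it parses a raw message, compares the sender domain against a list of trusted domains for look-alikes, flags a Reply-To that diverts answers elsewhere, reads the SPF/DKIM/DMARC verdicts your own mail server stamped into Authentication-Results, and looks for bank-detail-change or transfer wording paired with urgency. The trusted-domain list, the similarity threshold, the keyword lists and the three sample messages are all constructed assumptions for illustration.

```python
"""Added example (not from the page): screen an inbound email for the BEC red flags
listed above: look-alike sender domain, From/Reply-To mismatch, failed SPF/DKIM/DMARC,
and bank-detail-change or payment-request wording paired with urgency."""
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}   # assumption: own domain plus known suppliers

# Keyword heuristics are illustrative; tune them to your own payment vocabulary.
BANK_CHANGE = re.compile(r"\b(?:new|updated|changed?)\b.{0,40}?\b(?:account|bank|iban|sort code|routing|beneficiary)\b",
                         re.I | re.S)
PAYMENT_REQUEST = re.compile(
    r"\b(?:send|sent|make|process|release|update|pay)\b.{0,60}?\b(?:payment|transfer|wire)\b"
    r"|\b(?:payment|transfer|wire)\b.{0,60}?\b(?:send|sent|make|process|release|update|pay)\b", re.I | re.S)
URGENCY = re.compile(r"\b(?:urgent(?:ly)?|immediately|right away|asap|today|before (?:close|end) of"
                     r"|can'?t talk|don'?t (?:call|tell|discuss)|confidential)\b", re.I)

def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph swaps so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower().strip().rstrip(".")
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates; None if it is trusted or unrelated."""
    d = domain.lower().rstrip(".")
    if not d or any(d == t or d.endswith("." + t) for t in trusted):
        return None                                   # exact match or a legitimate subdomain
    nd = normalize_domain(d)
    d_label = nd.rsplit(".", 1)[0]                    # drop the TLD: catches example.com vs example.co
    for t in sorted(trusted):
        nt = normalize_domain(t)
        t_label = nt.rsplit(".", 1)[0]
        if nd == nt or d_label == t_label:
            return t
        if SequenceMatcher(None, d_label, t_label).ratio() >= 0.85:   # dropped/doubled-letter typo-squat
            return t
    return None

def auth_results(header: str) -> dict:
    """spf/dkim/dmarc verdicts from the Authentication-Results header your own MX stamped."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header.lower())}

def screen(raw: str, trusted=TRUSTED_DOMAINS) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    flags = []
    hit = lookalike_of(from_dom, trusted)
    if hit:
        flags.append(f"lookalike-domain:{from_dom}~{hit}")
    if reply_dom and reply_dom != from_dom:              # replies diverted away from the claimed sender
        flags.append(f"reply-to-mismatch:{reply_dom}")
    for mech, verdict in auth_results(str(msg.get("Authentication-Results", ""))).items():
        if verdict != "pass":
            flags.append(f"auth-{mech}:{verdict}")
    for name, pattern in (("bank-detail-change", BANK_CHANGE), ("payment-request", PAYMENT_REQUEST),
                          ("urgency", URGENCY)):
        if pattern.search(text):
            flags.append(name)
    identity = any(f.startswith(("lookalike", "reply-to", "auth-")) for f in flags)
    money = "bank-detail-change" in flags or "payment-request" in flags
    action = "verify out-of-band" if identity or money else ("review" if flags else "deliver")
    return {"from": from_addr, "flags": flags, "action": action}

# Constructed samples. The first is the page's sanitized message sent from a typo-squatted
# supplier domain the attacker registered, so SPF, DKIM and DMARC all pass: authentication
# alone does not catch it. The second spoofs the organisation's own executive.
MSG_LOOKALIKE = """\
From: Accounts Team <accounts@acme-suplies.example>
Subject: Updated remittance details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-suplies.example;
  dkim=pass header.d=acme-suplies.example; dmarc=pass header.from=acme-suplies.example

Please update the payment for invoice [number] to the new account below. This is urgent, it must go out today.
"""
MSG_SPOOFED = """\
From: CEO <ceo@example.com>
Reply-To: ceo.example@webmail.example
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Are you at your desk? I need a transfer sent before end of day and I can't talk right now. Reply here only.
"""
MSG_LEGIT = """\
From: Accounts Team <accounts@acme-supplies.example>
Subject: Monthly statement
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example

Attached is the monthly statement for your records. No action is needed.
"""

if __name__ == "__main__":
    for sample in (MSG_LOOKALIKE, MSG_SPOOFED, MSG_LEGIT):
        print(screen(sample))
```

The first sample is the important one: every authentication check passes because the attacker owns the look-alike domain, and only the domain comparison and the wording catch it. The second shows the opposite case, a spoof of your own domain, which an enforcing DMARC policy would have rejected before it reached anyone. Either way the script's output is a reason to pick up the phone and call a known number, not a verdict to act on by itself.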