Business Email Compromise is a type of APP (Authorised Push Payment) scam, where a business or individual is tricked into sending money to a fraudster who is impersonating a genuine organisation or person, such as a supplier.
How it happens
There are two common tactics fraudsters use to carry out Business Email Compromise:
- Fraudsters can spoof (copy) an email address by creating a similar address with subtle differences from the genuine one to trick you. For example, using letters that look alike, such as ‘rn’ instead of ‘m’ – J@rnbusiness.com instead of J@mbusiness.com.
- A genuine email address can be compromised (hacked) by a fraudster using malware (likely by deploying a virus), or by obtaining the email password through another method, such as a vishing call.
There are two types of Business Email Compromise:
Payment/Invoice Diversion
Fraudsters are often aware of the relationships between organisations and their suppliers, and understand when regular payments are due, which makes it easier to trick you. They contact individuals such as finance staff within businesses, posing convincingly as suppliers or employees, to make payment requests. These requests can sometimes continue an existing email thread and align with the genuine activities of your business, making them even more believable.
CEO Fraud
CEO Fraud is where fraudsters impersonate the CEO or another senior colleague of an organisation and send emails to the finance department requesting that a payment be made urgently. The email address is either spoofed or hacked, and the request is often timed so that the manager being impersonated is away, making it difficult to verify the details. They impersonate senior management to play on their authority and pressure staff into making payments urgently.
How to protect yourself
Follow the advice below to help protect yourself and your business from Business Email Compromise:
- Always verify new payment details from suppliers by phoning a known contact on a known telephone number, or one from the company’s official website, to check the sort code and account number. Never use a number given in the email, as it could belong to the fraudster.
- Implement a two-step payment verification process which includes a non-email check (e.g. phone/SMS) with the initiator.
- Check email addresses closely for subtle differences, such as added letters, numbers or special characters, or a different domain such as ‘.com’ instead of ‘.co.uk’.
- Always check the sender’s name and email address; clicking on the name will reveal the full email address of the sender.
- When receiving payment instructions from within your organisation, verify payment details with the instructing party in person, where possible, or by phoning them.
- Examine website links, email addresses and spelling in all correspondence as these can be giveaway signs of a fraudulent email.
- Consider blocking email auto-forwarding to make it harder for information to be stolen.
- Provide your workforce with training on scams so they understand what Business Email Compromise is, and how to identify and escalate it. Embed a risk culture within your organisation, and encourage staff to query any suspicious activity.
- Don’t overshare personal information on social media – such as pet names, birthdays and family connections – as this information could be harvested by fraudsters and used to convince you they’re contacting you from a genuine organisation.
- Avoid opening an attachment within an email or text which you’re not expecting as this could infect your systems with malware.
- Never act on the urgency of a request. Take your time to validate the legitimacy of the communication.
- Never be afraid of seeking a second opinion. If you’re unsure if a request is genuine, don’t action it and refer it to a colleague or manager.
- Don’t use any phone numbers or other contact information provided in unexpected or suspicious emails.
- Never assume that an email received from a known email address, or with a previous email trail, is genuine. Always verify payment instructions separately from the email.
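The look-alike checks described under the two spoofing tactics above (‘rn’ for ‘m’, a swapped top-level domain, an added character) can be applied automatically to the sender of inbound payment emails before anyone acts on them. The Python example below is added here and is not part of this page's original content; apart from the page's own mbusiness.com illustration, the allow-list domains, the confusable table and the similarity cut-off are assumptions, and the sender addresses are constructed samples.

```python
import difflib

# Constructed allow-list of domains used by known suppliers (hypothetical names,
# except mbusiness.com which is the example used on the page).
KNOWN_DOMAINS = {"mbusiness.com", "acme-supplies.co.uk"}

# Character sequences that read as one different character in many fonts, such
# as the 'rn' for 'm' swap described above; extend as needed (assumed table).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Similarity above which a domain is treated as a near miss (an assumed cut-off).
NEAR_MISS_RATIO = 0.85


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    s = domain.lower()
    for seq, rep in CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: value, with or without a display name."""
    address = header_value.rsplit("<", 1)[-1].rstrip(">").strip()
    return address.rsplit("@", 1)[-1].lower()


def check_sender(header_value: str, known=KNOWN_DOMAINS):
    """Return ("known" | "lookalike" | "unknown", matched domain or None)."""
    domain = sender_domain(header_value)
    if domain in known:
        return ("known", domain)
    for trusted in known:
        # 1. homoglyph substitution, e.g. rnbusiness.com for mbusiness.com
        if skeleton(domain) == skeleton(trusted):
            return ("lookalike", trusted)
        # 2. same name under a different top-level domain (.com for .co.uk)
        if domain.split(".", 1)[0] == trusted.split(".", 1)[0]:
            return ("lookalike", trusted)
        # 3. one or two added or changed characters anywhere in the domain
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= NEAR_MISS_RATIO:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("J@mbusiness.com", "J@rnbusiness.com",
                   "Jane Doe <accounts@acme-supplies.com>", "someone@example.org"):
        print(sample, "->", check_sender(sample))
```

A "lookalike" verdict is a reason to route the message for the out-of-band phone check described above, not proof of fraud, since legitimate suppliers do occasionally move to a new domain.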
How to report it
If you believe you have been a victim of this scam, please report it to us or your bank.
You should also report it to Action Fraud on 0300 123 2040 or via the Action Fraud website. If you are in Scotland, please report to Police Scotland directly by calling 101.
Further resources
Infographic – Tips on staying safe from Business Email Compromise and CEO Fraud
Take 5 – Stop, Challenge and Protect
NCSC – National Cyber Security Centre advice and guidance on a range of cyber topics