The £50 Billion Problem Hiding in Plain Sight

Cybercriminals no longer hack systems first. Increasingly, they hack trust. Business Email Compromise, or BEC, has become one of the most expensive and fastest-growing forms of corporate fraud, costing organisations billions every year. The danger is no longer confined to multinational giants. Smaller firms are now heavily targeted because weaker payment controls and overstretched finance teams create easy opportunities. Meanwhile, AI has transformed phishing into something far more convincing. Today’s fraudulent emails are polished, personalised and often written in flawless English. Some criminals even use deepfake voice messages or compromised Microsoft 365 accounts to imitate senior executives and trusted suppliers. Attackers routinely study company websites, LinkedIn profiles and supplier relationships before striking. Traditional spam filters are struggling to keep pace because modern email fraud is designed to look authentic rather than obviously malicious. For business leaders, this is no longer simply an IT problem; it is a governance, finance and reputational risk.

Could Someone Convincingly Pretend to Be Us?

One of the most dangerous aspects of BEC is how believable it has become. Fraudsters no longer rely on badly written phishing messages; instead, they study company websites, LinkedIn profiles and supplier relationships before sending highly personalised emails that appear genuine. In some attacks, criminals register lookalike domains, changing just one character in a company name. Others hijack real email conversations and quietly insert fake invoices or altered bank details into ongoing discussions. “CEO fraud” is also rising, with finance teams receiving urgent payment requests that appear to come directly from senior executives. AI tools can now imitate writing style, tone and even vocabulary with alarming accuracy. In 2026, your corporate biography may be helping criminals write believable fraud emails. Businesses should protect themselves with email authentication controls, while proactively registering obvious lookalike domains. Public executive visibility should increasingly be treated as part of a company’s security strategy rather than simply a marketing asset.
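The lookalike-domain trick described above (one swapped character, a different top-level domain, or the real company name used as a subdomain of an attacker's host) is something a finance team's mail gateway or a simple pre-payment check can screen for. The script below is an added example written for this article, not code from the article's author; it classifies a sender's domain against a trusted domain using homoglyph folding and edit distance. The domain "example-corp.com" and every sample sender are constructed placeholders.

```python
"""Added example (not from the article): screening sender domains for
lookalikes of a trusted domain. "example-corp.com" and the sample sender
domains below are constructed placeholders."""

# Character sequences fraudsters swap for visually similar ones.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(label: str) -> str:
    """Fold common homoglyph substitutions so 'exarnple-c0rp' reads as 'example-corp'."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Naive split into (name, tld). Good enough for illustration; not a public-suffix parser."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def classify_sender(sender_domain: str, trusted_domain: str) -> str:
    """Return 'trusted', 'trusted-subdomain', a 'lookalike:<kind>' verdict, or 'unrelated'."""
    sender = sender_domain.lower().strip(".")
    trusted = trusted_domain.lower().strip(".")
    if sender == trusted:
        return "trusted"
    if sender.endswith("." + trusted):
        return "trusted-subdomain"                 # e.g. mail.example-corp.com
    if sender.startswith(trusted + "."):
        return "lookalike:trusted-as-subdomain"    # e.g. example-corp.com.evil-host.net
    s_name, s_tld = split_domain(sender)
    t_name, t_tld = split_domain(trusted)
    if normalise(s_name) == normalise(t_name):
        # Same name after homoglyph folding: either a visual swap or a TLD swap.
        return "lookalike:homoglyph" if s_tld == t_tld else "lookalike:tld-swap"
    distance = levenshtein(s_name, t_name)
    # One edit always counts; allow two edits for longer names (transpositions, dropped hyphens).
    if distance <= 1 or (len(t_name) >= 8 and distance <= 2):
        return "lookalike:edit-distance"
    return "unrelated"


def screen(senders, trusted_domain: str) -> dict:
    """Classify every sender domain in the list against the trusted domain."""
    return {s: classify_sender(s, trusted_domain) for s in senders}


# Constructed sample senders, mixing legitimate and lookalike domains.
SAMPLE_SENDERS = [
    "example-corp.com", "mail.example-corp.com", "example-c0rp.com",
    "exarnple-corp.com", "example-corp.co", "example-crop.com",
    "example-corp.com.evil-host.net", "acme-widgets.com",
]

if __name__ == "__main__":
    for domain, verdict in screen(SAMPLE_SENDERS, "example-corp.com").items():
        print(f"{domain:32} {verdict}")
```

Anything other than "trusted" or "trusted-subdomain" is a reason to pause a payment and verify out of band. The check complements, rather than replaces, email authentication (SPF, DKIM and DMARC on the organisation's own domain): authentication proves who sent a message from the real domain, while this check catches domains that were never the real one.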

Are Our Payment Verification Processes Still Built for a Pre-AI World?

Many finance procedures were designed for an era when fraudulent emails were easy to spot and staff worked in the same office. That world has disappeared. Today’s attackers combine email, WhatsApp, Teams messages and even deepfake voice recordings to create convincing payment requests. In 2024, engineering firm Arup confirmed that an employee was deceived into transferring millions after participating in a video call featuring AI-generated deepfakes impersonating senior colleagues. Hybrid working has made verification harder because employees can no longer simply walk down the corridor to confirm an urgent request. Criminals exploit pressure, secrecy and apparent authority to bypass normal approval procedures, particularly during international transfers or supplier bank-detail changes. The safest finance departments now assume every urgent payment request is potentially fraudulent until proven otherwise. Businesses should introduce mandatory secondary verification using a different communication channel, delayed-release approvals for unusual transactions and AI-driven anomaly detection that flags unfamiliar payment patterns before money leaves the organisation.
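The three controls recommended above (secondary verification on a different channel, delayed release for unusual transactions, and anomaly flags on unfamiliar payment patterns) can be encoded as a small release gate that a payment system or workflow tool consults before money leaves. The code below is an added example written for this article, not the author's or any vendor's product; the supplier record, account identifiers, payment history and request details are all constructed placeholders.

```python
"""Added example (not from the article): a payment-release gate that applies
out-of-band verification, delayed release and anomaly flags. All supplier and
request data here is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Supplier:
    name: str
    account_on_file: str                       # bank account id held in the supplier master record
    payment_history: list = field(default_factory=list)   # previous amounts paid to this supplier


@dataclass
class PaymentRequest:
    supplier: str
    account: str                               # account the request asks to pay into
    amount: float
    requested_via: str                         # channel the request arrived on, e.g. "email"
    urgent: bool = False
    verified_via: Optional[str] = None         # channel used to confirm the request, if any


@dataclass
class Policy:
    amount_multiplier: float = 3.0             # amount > multiplier * median history is unusual
    delay: timedelta = timedelta(hours=24)     # hold verified-but-risky payments this long


def risk_reasons(req: PaymentRequest, book: dict, policy: Policy) -> list:
    """Collect every reason this request deviates from the supplier master record."""
    reasons = []
    supplier = book.get(req.supplier)
    if supplier is None:
        reasons.append("new-payee")
    else:
        if req.account != supplier.account_on_file:
            reasons.append("bank-detail-change")
        if supplier.payment_history and req.amount > policy.amount_multiplier * median(supplier.payment_history):
            reasons.append("unusual-amount")
    if req.urgent:
        reasons.append("urgent")               # urgency is itself a pressure tactic
    return reasons


def out_of_band_verified(req: PaymentRequest) -> bool:
    """A confirmation only counts if it used a different channel from the request itself."""
    return req.verified_via is not None and req.verified_via != req.requested_via


def assess(req: PaymentRequest, book: dict, policy: Optional[Policy] = None, now: Optional[datetime] = None) -> dict:
    """Decide: release now, hold for a callback, or release after the policy delay."""
    policy = policy or Policy()
    now = now or datetime.now()
    reasons = risk_reasons(req, book, policy)
    if not reasons:
        return {"decision": "release", "reasons": reasons, "release_after": now}
    if not out_of_band_verified(req):
        # Callback must use a phone number from the master record, never one in the request.
        return {"decision": "hold-for-callback", "reasons": reasons, "release_after": None}
    return {"decision": "delayed-release", "reasons": reasons, "release_after": now + policy.delay}


# Constructed supplier master record and a fixed clock for reproducible results.
BOOK = {
    "Northwind Supplies Ltd": Supplier("Northwind Supplies Ltd", "GB00PLACEHOLDER0001", [4200, 4500, 3900, 4100]),
}
NOW = datetime(2026, 1, 15, 9, 0)


def demo() -> list:
    """Run a set of constructed requests through the gate and return the decisions."""
    requests = [
        PaymentRequest("Northwind Supplies Ltd", "GB00PLACEHOLDER0001", 4300, "email"),
        PaymentRequest("Northwind Supplies Ltd", "GB00PLACEHOLDER9999", 4300, "email", urgent=True),
        PaymentRequest("Northwind Supplies Ltd", "GB00PLACEHOLDER9999", 4300, "email", urgent=True, verified_via="phone-callback"),
        PaymentRequest("Northwind Supplies Ltd", "GB00PLACEHOLDER9999", 4300, "email", verified_via="email"),
        PaymentRequest("Northwind Supplies Ltd", "GB00PLACEHOLDER0001", 48000, "teams"),
        PaymentRequest("Unknown Trading Co", "GB00PLACEHOLDER7777", 1500, "email"),
    ]
    return [assess(r, BOOK, now=NOW) for r in requests]


if __name__ == "__main__":
    for result in demo():
        print(result["decision"], result["reasons"], result["release_after"])
```

The fourth request shows the point that matters most in practice: a "confirmation" that arrives on the same channel as the request proves nothing, because an attacker who controls the mailbox can answer it, so the gate still holds the payment.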

Is Multi-Factor Authentication Actually Protecting the Right People?

Executives and finance teams remain prime targets because a single compromised account can unlock payment systems, supplier conversations and sensitive financial data. Many businesses now use Multi-Factor Authentication (MFA), yet attackers are adapting quickly. Password theft remains common and criminals increasingly deploy “MFA fatigue” attacks, repeatedly sending approval requests until an exhausted employee accepts one by mistake. Others steal session cookies, allowing them to bypass weaker forms of MFA entirely without needing a password again. SMS-based authentication is becoming less trusted because text messages can be intercepted or redirected through SIM-swap fraud. As a result, security specialists are increasingly recommending passkeys and hardware security keys as stronger alternatives. In 2023, both Microsoft and Google expanded support for passkey authentication to reduce phishing-related account compromise. MFA is no longer optional, but weak MFA is no longer enough. Businesses should prioritise phishing-resistant MFA, secure privileged accounts first and review outdated email access methods that may quietly undermine modern protections.

Would We Even Notice if an Email Account Had Already Been Compromised?

The most dangerous email fraud may already be sitting quietly inside your organisation. Many BEC attacks remain undiscovered for weeks because criminals often avoid dramatic action at first. Instead, they monitor inboxes, study payment routines and wait for the right moment to intervene. Hidden forwarding rules are a favourite tactic, allowing attackers to secretly copy emails involving invoices, suppliers or senior executives. Some criminals even alter payment details within genuine email conversations, making the fraud extremely difficult to detect. Increasingly, attackers use “low and slow” behaviour designed to avoid triggering security alerts. In response, businesses are shifting towards AI-driven monitoring systems that analyse behavioural patterns rather than simply scanning for suspicious keywords. Identity-based threat detection is also growing in importance. Organisations should monitor impossible-travel logins, unusual access locations, mailbox forwarding rules and sudden changes in invoice behaviour. In many cases, early detection may determine whether a fraud attempt becomes a minor incident or a major financial disaster.
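Two of the signals named above, impossible-travel logins and hidden mailbox forwarding rules, are straightforward to detect from the sign-in and mailbox audit events that cloud email platforms already record. The script below is an added example written for this article rather than code from its author or from any vendor's product: it runs both detections over a handful of constructed audit events in a generic JSON-lines shape (the field names are this example's own, not a particular platform's schema), and every user, domain, city, coordinate and rule is made up for the illustration.

```python
"""Added example (not from the article): impossible-travel and suspicious
mailbox-rule detections over constructed sample audit events, one JSON object
per line. Field names are this example's own, not a real platform's schema."""
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900            # faster than an airliner: treat as impossible travel
INTERNAL_DOMAINS = {"example-corp.com"}  # placeholder for the organisation's own mail domains
FINANCE_TERMS = ("invoice", "payment", "bank", "remittance")

# Constructed sample events: two users' sign-ins and two newly created inbox rules.
SAMPLE_LOG = """\
{"type": "signin", "user": "cfo@example-corp.com", "time": "2026-01-15T08:55:00Z", "city": "London", "lat": 51.5, "lon": -0.12}
{"type": "signin", "user": "cfo@example-corp.com", "time": "2026-01-15T09:40:00Z", "city": "Lagos", "lat": 6.45, "lon": 3.39}
{"type": "signin", "user": "ap@example-corp.com", "time": "2026-01-15T09:00:00Z", "city": "Manchester", "lat": 53.48, "lon": -2.24}
{"type": "signin", "user": "ap@example-corp.com", "time": "2026-01-15T17:30:00Z", "city": "London", "lat": 51.5, "lon": -0.12}
{"type": "mailbox_rule", "user": "cfo@example-corp.com", "time": "2026-01-15T09:42:00Z", "name": ".", "forward_to": "archive@mail-backup-example.net", "subject_contains": "invoice", "delete": true}
{"type": "mailbox_rule", "user": "ap@example-corp.com", "time": "2026-01-15T10:05:00Z", "name": "Newsletters", "forward_to": null, "subject_contains": "newsletter", "delete": false}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts with timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect_impossible_travel(events: list) -> list:
    """Flag consecutive sign-ins by one user that imply travel faster than an airliner."""
    alerts, by_user = [], {}
    for ev in events:
        if ev["type"] == "signin":
            by_user.setdefault(ev["user"], []).append(ev)
    for user, signins in by_user.items():
        signins.sort(key=lambda e: e["time"])
        for prev, cur in zip(signins, signins[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append({"detection": "impossible-travel", "user": user,
                               "from": prev["city"], "to": cur["city"], "speed_kmh": round(speed, 1)})
    return alerts


def detect_suspicious_rules(events: list) -> list:
    """Flag inbox rules that forward externally, target finance mail, delete, or hide behind a blank name."""
    alerts = []
    for ev in events:
        if ev["type"] != "mailbox_rule":
            continue
        reasons = []
        target = ev.get("forward_to")
        if target and target.split("@")[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append("external-forward")
        subject = (ev.get("subject_contains") or "").lower()
        if any(term in subject for term in FINANCE_TERMS):
            reasons.append("filters-finance-mail")
        if ev.get("delete"):
            reasons.append("deletes-messages")
        if len(ev.get("name", "")) <= 1:
            reasons.append("near-empty-name")
        # An external forward alone is enough; otherwise require two weaker signals together.
        if "external-forward" in reasons or len(reasons) >= 2:
            alerts.append({"detection": "suspicious-mailbox-rule", "user": ev["user"],
                           "rule": ev["name"], "reasons": reasons})
    return alerts


def run(log_text: str = SAMPLE_LOG) -> list:
    """Run both detections and return every alert raised."""
    events = parse_events(log_text)
    return detect_impossible_travel(events) + detect_suspicious_rules(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the finance director's account signs in from two cities 45 minutes apart and, two minutes after the second sign-in, gains a rule that forwards invoice mail to an outside address and deletes the original: exactly the "quiet" pattern the section describes, and one that keyword filtering on the emails themselves would never see.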

If We Were Hit Tomorrow, Would We Actually Know What To Do?

Many businesses spend heavily on prevention yet still improvise when fraud actually happens. In a BEC attack, the first 24 hours are often decisive because banks may still be able to freeze or trace transferred funds. Delays can rapidly escalate financial, legal and reputational damage. Cyber insurers are also becoming more demanding, increasingly requiring proof of security controls and documented response procedures before honouring claims. Regulators and investors now view cyber resilience as a leadership and governance issue rather than merely an IT concern. An incident response plan is really a decision-making plan under pressure. Organisations should pre-assign responsibility for technical investigation, banking liaison, customer communications and legal escalation before an incident occurs. Firms that respond quickly and coherently are often judged far more favourably than those appearing confused or secretive after an attack.

BEC Is Now a Leadership Challenge, Not Just an IT Problem

Business Email Compromise is evolving faster than many organisations can adapt their governance, finance and risk procedures. The modern threat is no longer simply technical because attackers increasingly exploit psychology, authority and trust rather than software vulnerabilities alone. AI-generated phishing emails, deepfake voice calls and compromised cloud accounts mean traditional defences are becoming less effective in isolation. The businesses responding most successfully are combining smart technology with disciplined payment controls, informed employees and rapid decision-making when incidents occur. Increasingly, boards, insurers and regulators expect cyber resilience to form part of mainstream corporate governance rather than being delegated entirely to IT departments. Ultimately, organisational culture may prove just as important as cybersecurity software. In the AI era, the businesses most likely to survive email fraud may not be the most technical — but the most sceptical.

And what about you…?

  • If one of your finance employees received an urgent payment request from “you” today, how confident are you that they would verify it properly before transferring money?
  • Could your business recognise the warning signs of a compromised email account before a criminal quietly altered invoices or payment details?