The rising threat of business email compromise fraud

Often referred to as ‘CEO fraud’, business email compromise (BEC) is a cyber threat that’s on the rise, costing businesses billions. Relying on email ‘imitation’, hackers trick employees into transferring funds or confidential personal data in response to what they believe to be a legitimate request. How can you and your clients stay vigilant against BEC?

The rising threat of BEC

According to a report last year, over 6,000 businesses are targeted every month by BEC fraud, with the UK being the second most targeted region (26%) behind the US (39%).

BEC is a complex and targeted form of email fraud. Unlike some phishing scams that involve sending a generic message to thousands of accounts hoping for ‘a bite’, BEC involves thorough research. Hackers need to identify the individuals likely to action their type of request and who within the business would typically make the demand.

Once the victim is found, hackers will craft a believable email to convince the targeted individual to transfer funds outside of the organisation or to hand over personal data such as PAYE forms, P45s etc.

Although BEC is referred to as ‘CEO fraud’, the emails imitate, and appear to come from, an individual you would commonly have contact with, to make the request feel as genuine as possible. That could be someone in your team, a line manager, a Chief Financial Officer (CFO) or similar.

Staying vigilant 

Don’t assume that your business is ‘too small’ to be targeted by cyber scams. While the attacks on the large multinational organisations might make the evening news, SME businesses are just as at risk as the large ones – we’ve recently seen a rise in cyber scams impacting insurance brokers. How can you and your clients stay vigilant against the threat of BEC?

  • Double-check the validity - If the request seems odd, or you’re unsure about the validity, check with the ‘requestor’ on the phone or in person to make sure it’s genuine, especially if the request is outside the normal line of enquiry.
  • ‘Keep it between us’ - If you’re asked that you keep the request confidential or that you only communicate directly via email, you should be wary – this is a common tactic used by hackers.
  • Lookalike domains - Check the ‘reply-to’ email address. A lookalike domain will be used to try to fool recipients at first glance. Make sure you double-check that the reply address is consistent with that of your organisation.

Other things to look out for:

  • Does the email from the sender seem like their normal ‘email style’? Check for commonalities in tone or grammar.
  • Did the email arrive in the early hours of the morning or at an unusual time?
  • Was it vague, containing only attachments, or did the email contain an attachment when you weren’t expecting one?
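As an added example (not part of the original article or Aviva's material), the checks from both lists above expressed as a small Python heuristic run over a raw email: a reply-to domain that differs from the From domain, a lookalike of the organisation's own domain, an unusual send hour, ‘keep it between us’ or email-only pressure phrases, and a near-empty message carrying attachments. The organisation domain example-broker.co.uk, the two-edit lookalike threshold, the 22:00 to 06:00 UTC window and the two sample messages are all constructed assumptions.

```python
"""Heuristic BEC red-flag checks over a raw RFC 5322 message (added example, not Aviva's)."""
from datetime import timezone
from email import message_from_string, utils

ORG_DOMAIN = "example-broker.co.uk"          # constructed organisation domain (assumption)
UNUSUAL_HOURS = range(22, 24), range(0, 6)   # 22:00-06:00 UTC treated as unusual (assumption)
PRESSURE_PHRASES = (                         # 'keep it between us' / email-only tactics
    "keep this between us", "keep it between us", "strictly confidential",
    "do not discuss", "only reply by email", "reply only by email",
)


def _domain(header):
    """Lower-case domain of an address header such as 'Jane <jane@x.com>'."""
    _, addr = utils.parseaddr(header or "")
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance: a small non-zero value marks a lookalike (e.g. one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """True when the domain is not ours but within two character edits of it."""
    return bool(domain) and domain != org_domain and _edit_distance(domain, org_domain) <= 2


def _text_and_attachments(msg):
    """Collect the plain-text body and attachment filenames, for single-part or multipart mail."""
    text, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            text.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(text), attachments


def bec_red_flags(raw_message, org_domain=ORG_DOMAIN):
    """Return human-readable red flags; an empty list means none of the checks fired."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in {from_dom, reply_dom}:
        if is_lookalike(dom, org_domain):
            flags.append(f"lookalike of {org_domain}: {dom}")
    if msg.get("Date"):
        hour = utils.parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc).hour
        if any(hour in r for r in UNUSUAL_HOURS):
            flags.append(f"sent at unusual hour {hour:02d}:00 UTC")
    body, attachments = _text_and_attachments(msg)
    for phrase in PRESSURE_PHRASES:
        if phrase in body.lower():
            flags.append(f"pressure phrase: '{phrase}'")
    if attachments and len(body.split()) < 15:
        flags.append(f"near-empty message with attachment(s): {', '.join(attachments)}")
    return flags


# Constructed sample messages, not real mail.
SAMPLE_BEC = """\
From: "Sarah Mills (CFO)" <sarah.mills@example-broker.co.uk>
Reply-To: <sarah.mills@examp1e-broker.co.uk>
To: accounts@example-broker.co.uk
Date: Tue, 04 Jun 2024 03:17:00 +0000
Subject: Urgent payment

Please keep this between us and reply only by email. Pay the attached invoice today.
"""

SAMPLE_OK = """\
From: "Tom Reid" <tom.reid@example-broker.co.uk>
To: accounts@example-broker.co.uk
Date: Tue, 04 Jun 2024 10:05:00 +0100
Subject: Renewal paperwork

Attached is the renewal schedule we discussed in this morning's call. Shout if anything is missing.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_BEC), ("benign", SAMPLE_OK)):
        print(name, "->", bec_red_flags(sample) or ["no red flags"])
```

The domain comparison deliberately keys on the organisation's own domain rather than a blocklist, since each lookalike is registered fresh for the campaign; the hour check converts to UTC because the Date header carries the sender's offset, not the recipient's.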

In summary, BEC is a researched and targeted type of email fraud that utilises ‘imposter’ imitation tactics to make the recipient believe they’re dealing with a genuine request. To protect yourself against BEC: always double-check the validity of emails relating to transferring funds or personal data, look out for red flags like poor grammar or unusual send times, and check for inconsistent reply-to addresses.

For more information

For more information on BEC and the steps you and your clients can take to protect your businesses, check out this overview by Proofpoint. 

We also have a series of 'Cyber Risk' modules available on our Aviva Development Zone. Simply search 'cyber' on the Development Zone site. 

If you don’t have a licence for the Aviva Development Zone, or you’d like more information, email
