Your finance manager gets an email that looks like it's from the managing director. The message says a supplier payment needs to be made urgently — new bank details attached. The amount is £18,000. The email comes from the right name, uses the right tone, references a real project. It gets paid.
The money goes to a mule account controlled by criminals. It's gone within hours. You have almost no chance of getting it back.
This is business email compromise. It happens every day across the UK, and it doesn't require the attacker to have any technical skill beyond basic research and patience. Small businesses are the primary targets — not because they're specifically chosen, but because their processes are weaker, their payment approvals less formal, and their team members more likely to act on an email from "the boss" without questioning it.
How BEC actually works
There are several variants of BEC. The most common ones that affect small businesses are:
CEO fraud
The attacker impersonates a business owner or senior leader and emails a finance team member or operations manager asking them to make an urgent payment. The urgency is always part of the script — "I'm in a meeting, can't call, just get this done." The email address may be a lookalike domain (callum@getbulwark.co instead of callum@getbulwark.com), a free Gmail account with the right display name, or in worse cases, the actual business email account if it's been compromised.
Invoice fraud
The attacker either intercepts legitimate invoice emails or sends fake ones from spoofed supplier addresses. The invoice looks genuine — correct supplier name, logo, reference numbers — but the bank account details have been changed. A business pays what they believe is a normal supplier payment and discovers the fraud when the real supplier chases for money they never received.
Account takeover
The most dangerous variant. The attacker gains access to a legitimate company email account — usually through a phishing email or credential breach — and sits inside it silently for days or weeks. They read emails, understand the business, map out relationships and processes, and wait for the right moment. Then they send a payment request from within the genuine account, making it essentially indistinguishable from a real one.
"The most dangerous version isn't an attacker pretending to be you. It's an attacker who IS you — logged into your actual email account, reading everything, waiting."
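The first two variants rely on a sender that only looks right: a lookalike domain, or the correct display name on a foreign address. This added example (not code from the original post) shows a triage check a mail rule or finance inbox could run on the From: header before anyone acts on a request; the firm name, domain and staff roster are constructed. It cannot see the account-takeover variant, where the address is genuine.

```python
import email.utils

# Constructed roster for a hypothetical firm; the domain and name are assumptions,
# not the page's or any real organisation's. Keys are lower-cased display names.
TRUSTED_DOMAIN = "example-firm.com"
KNOWN_STAFF = {"callum hughes": "callum@example-firm.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch domains a character or two away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True for a TLD swap (.co for .com) or a domain within two edits of ours."""
    if domain == trusted:
        return False
    t_label, _, t_tld = trusted.rpartition(".")
    d_label, _, d_tld = domain.rpartition(".")
    if d_label == t_label and d_tld != t_tld:
        return True
    return edit_distance(domain, trusted) <= 2

def check_sender(from_header, staff=KNOWN_STAFF, trusted=TRUSTED_DOMAIN):
    """Reasons a From: header deserves a callback before anyone acts on it."""
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []
    if is_lookalike(domain, trusted):
        reasons.append(f"lookalike domain {domain}")
    expected = staff.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{name}' is staff but address is {addr}")
    return reasons
```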
Why small businesses are targeted more than large ones
Large enterprises have finance teams with dual-approval processes, treasury functions, and fraud detection systems. Making an £18,000 payment requires sign-off from two people and goes through a procurement system. The opportunity for BEC is narrow.
At a 10-person business, one person often handles everything from invoicing to supplier payments to payroll. The managing director is accessible by email and responds quickly. There's no formal purchase order process. A single email from the right person is often enough to initiate a payment.
Attackers know this. BEC targeting small businesses is largely automated at the research stage — public LinkedIn profiles, Companies House filings, and company websites provide the names, roles, and relationships needed to craft a convincing attack in minutes.
The three technical controls that reduce BEC risk
BEC has a people component that no technology fully solves — ultimately it relies on a human making a payment decision. But there are three technical controls that significantly reduce the attack surface:
Email authentication (SPF, DKIM, DMARC)
These records prevent attackers from sending emails that appear to come from your domain. A properly configured DMARC policy set to "reject" means that anyone attempting to spoof your company email address will have their message blocked before it reaches the recipient. This doesn't stop lookalike domain attacks, but it closes off direct spoofing.
Go to MXToolbox and check your domain for SPF, DKIM, and DMARC. If any are missing, or if your DMARC policy is set to p=none, you're vulnerable to domain spoofing. Read the full DMARC setup guide →
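What the MXToolbox check is looking for, as an added example that is not code from the original post: a small assessor that reads the SPF and DMARC TXT records and reports the weak settings named above (a missing record, a softfail SPF, a DMARC policy short of p=reject). The records are constructed samples for hypothetical domains rather than live DNS lookups; DKIM is left out because its key lives under a selector name the checker would also have to know.

```python
# Constructed sample TXT records for hypothetical domains; a real check would fetch
# the domain's TXT record and _dmarc.<domain> TXT from DNS instead of this dict.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

def parse_tags(record):
    """Parse DMARC 'tag=value; tag=value' syntax into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(spf):
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF missing"]
    terminal = spf.split()[-1].lower()  # the 'all' qualifier decides unlisted senders
    if terminal in ("+all", "all"):
        return ["SPF +all lets any sender use the domain"]
    if terminal == "~all":
        return ["SPF ~all (softfail): spoofed mail is marked, not rejected"]
    if terminal != "-all":
        return ["SPF has no 'all' mechanism at the end"]
    return []

def assess_dmarc(dmarc):
    """Findings for a DMARC record; p=reject at pct=100 is the target."""
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        return ["DMARC missing"]
    tags = parse_tags(dmarc)
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC p={policy or 'absent'}: spoofed mail is not rejected")
    pct = int(tags.get("pct", "100"))  # pct below 100 leaves a share unenforced
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    return findings

def assess_domain(domain, records=SAMPLE_RECORDS):
    return assess_spf(records[domain]["spf"]) + assess_dmarc(records[domain]["dmarc"])
```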
Multi-factor authentication on email accounts
Account takeover BEC — where the attacker operates from inside your actual email account — requires them to log in. If MFA is enforced, a stolen password isn't enough. This is the most direct defence against the account takeover variant of BEC.
Read the full guide on how to enforce MFA on Google Workspace. It takes about 20 minutes to set up and eliminates the largest single attack vector for account compromise.
Monitoring suspicious login activity
Even with MFA, monitoring your Google Admin Console Alert Centre for unusual login patterns matters. A login from an unexpected country, at an unusual time, or from a new device is worth investigating. Google sends these alerts automatically — the question is whether anyone is reading them.
The process control that matters as much as technology
Technology alone won't stop BEC because the final step — a human authorising a payment — is outside any technical control. The most effective supplementary process for small businesses is simple: a verbal confirmation rule for any payment over a set threshold or involving new bank details.
The rule: if you receive a request to pay a new bank account, or to change existing bank details, call the requester on a number you already have for them. Not reply to the email. Not text the number in the email. Call them on a number from your phone contacts or the company's verified contact list. Sixty seconds of friction prevents a significant percentage of successful BEC attempts.
Most small businesses that have been hit by BEC say the same thing afterwards: the instruction not to question it was baked into the request. "I'm in a meeting." "Do this before the end of today." "Don't bother calling, just get it done." Urgency and the removal of normal verification are always part of the attack. Teach your team to treat that urgency as a red flag rather than a reason to hurry.