Business Email Compromise | Cyber Attack Response | Holker IT
Cyber Incident Response · Business Email Compromise

Business Email Compromise & Invoice Fraud: Emergency Response Guide.

Your mailbox has been used to defraud you, a supplier, or a customer. Here's what to do in the next hour to stop the damage spreading and start recovering what's been lost.

Microsoft PartnerCyber Essentials CertifiedICO RegisteredISO 27001 Aligned

Get In Touch

Fill out the form and a member of our Cyber Attack Response team will be in touch. No hard sales, just honest advice.

Business email compromise (BEC) is one of the most financially damaging forms of cyber crime, precisely because it doesn't need malware or a clever exploit. An attacker gains access to, or convincingly impersonates, a real mailbox, then uses the trust already built into that relationship to redirect a payment, request sensitive information, or trick a colleague into acting on a fake instruction.

Money already sent to the wrong account? Speed matters more than anything else. Call your bank's fraud team immediately, then call Holker IT on 0333 305 2020 (Option 2) to secure the mailbox before more damage is done.
The three patterns

What Business Email Compromise Looks Like.

Invoice fraud

An attacker intercepts a genuine invoice, or sends a convincing fake, with bank details changed to an account they control. Often targets suppliers and customers, not just the compromised business itself.

Payment redirection / CEO fraud

An attacker impersonates a director or senior manager, usually by email, sometimes with a spoofed or lookalike domain, to pressure a colleague in finance into an urgent, unusual payment.

Mailbox takeover via phishing

Stolen credentials give an attacker direct access to a real inbox. They read existing conversations, then reply from inside them, which is why these emails are so convincing.

Do this now

Immediate Response: What To Do Right Now.

1

Stop any pending or recent payment

If a payment has been sent or is about to be sent, contact your bank's fraud team immediately. Faster Payments recall windows are short, and speed is the single biggest factor in getting money back.

2

Reset the mailbox and force sign-out

Change the password on any account you suspect is compromised, then force sign-out of all active sessions in your Microsoft 365 or Google Workspace admin centre. A password change alone does not end an existing session.

3

Check inbox rules and forwarding settings

Attackers commonly set up a hidden rule that forwards or deletes specific emails, so they can keep reading correspondence even after the password is changed. Review and remove anything you don't recognise.

4

Warn anyone who may have received a fraudulent email

If the mailbox was used to contact suppliers, customers or colleagues, tell them directly, by phone where possible, so they don't act on anything sent during the compromise.

5

Preserve the evidence

Don't delete the fraudulent emails. Keep headers, sender addresses and timestamps; your bank, insurer and Action Fraud will all need them.

6

Report it

Report to Action Fraud, and if any personal data was exposed, assess whether it's notifiable to the ICO within 72 hours.

Why it matters

A Costly and Growing Problem.

43%of UK businesses identified a breach or attack in the past 12 months
93%of cyber crime cases started with phishing
£2.3bn+lost to business email compromise scams in a single year, per the FBI (US $3bn+)

Source: gov.uk Cyber Security Breaches Survey 2025/2026; FBI Internet Crime Complaint Center. Only around 5% of UK businesses currently hold Cyber Essentials certification, which includes controls that directly reduce BEC risk, such as email authentication and access management.

Already paid?

If You've Already Sent The Money.

Report it fast, don't sit on it. UK banks are required to reimburse victims of Authorised Push Payment (APP) fraud in most cases, but only if the fraud is reported promptly and you can show reasonable care was taken. Call your bank's fraud line the moment you suspect a payment was misdirected, then follow up in writing.

Verify any bank detail change by phone, using a number you already have on file rather than one in the email itself, before paying a supplier again. This single habit stops the majority of repeat invoice fraud attempts.

For the full picture on responding to any cyber incident, see our main guide: My Business Has Been Hacked? What To Do Right Now, and our first-hour containment checklist.

FAQ

Frequently Asked Questions.

What is business email compromise?

Business email compromise is where an attacker gains access to, or convincingly impersonates, a real business email account to trick someone into making a fraudulent payment, sharing sensitive information, or acting on a fake instruction.

How can I tell if an invoice has been tampered with?

Look for a bank detail change, especially if it arrived close to a payment due date, and always verify by phone using a number you already have on file, never a number or link in the email itself.

Can my bank get the money back?

It depends how quickly the fraud is reported. UK banks operate reimbursement rules for Authorised Push Payment fraud, but the best chance of recovery comes from reporting the payment as fraudulent within hours, not days.

Do I need to tell my customers or suppliers?

Yes, if your mailbox was used to contact them during the compromise. A direct phone call warning them not to act on anything sent during that period is one of the most effective ways to limit wider damage.

Is a business email compromise a notifiable data breach?

It can be, if personal data was accessed or exposed as a result. You have 72 hours from becoming aware of a notifiable breach to report it to the ICO, so this assessment should happen early, not as an afterthought.

Get Emergency Help Now.

Call 0333 305 2020 (Option 2) and a member of our Cyber Attack Response team will call you back immediately.

Sources: NCSC Respond & Recover guidance, gov.uk Cyber Security Breaches Survey 2025/2026, FBI Internet Crime Complaint Center, Action Fraud, ICO.

Scroll to Top