Business Email Compromise & Invoice Fraud: Emergency Response Guide.
Your mailbox has been used to defraud you, a supplier, or a customer. Here's what to do in the next hour to stop the damage spreading and start recovering what's been lost.
Get In Touch
Fill out the form and a member of our Cyber Attack Response team will be in touch. No hard sales, just honest advice.
Published by Holker IT · Last updated 1 July 2026
Business email compromise (BEC) is one of the most financially damaging forms of cyber crime, precisely because it doesn't need malware or a clever exploit. An attacker gains access to, or convincingly impersonates, a real mailbox, then uses the trust already built into that relationship to redirect a payment, request sensitive information, or trick a colleague into acting on a fake instruction.
What Business Email Compromise Looks Like.
Invoice fraud
An attacker intercepts a genuine invoice, or sends a convincing fake, with bank details changed to an account they control. Often targets suppliers and customers, not just the compromised business itself.
Payment redirection / CEO fraud
An attacker impersonates a director or senior manager, usually by email, sometimes with a spoofed or lookalike domain, to pressure a colleague in finance into an urgent, unusual payment.
Mailbox takeover via phishing
Stolen credentials give an attacker direct access to a real inbox. They read existing conversations, then reply from inside them, which is why these emails are so convincing.
Immediate Response: What To Do Right Now.
Stop any pending or recent payment
If a payment has been sent or is about to be sent, contact your bank's fraud team immediately. Faster Payments recall windows are short, and speed is the single biggest factor in getting money back.
Reset the mailbox and force sign-out
Change the password on any account you suspect is compromised, then force sign-out of all active sessions in your Microsoft 365 or Google Workspace admin centre. A password change alone does not end an existing session.
Check inbox rules and forwarding settings
Attackers commonly set up a hidden rule that forwards or deletes specific emails, so they can keep reading correspondence even after the password is changed. Review and remove anything you don't recognise.
Warn anyone who may have received a fraudulent email
If the mailbox was used to contact suppliers, customers or colleagues, tell them directly, by phone where possible, so they don't act on anything sent during the compromise.
Preserve the evidence
Don't delete the fraudulent emails. Keep headers, sender addresses and timestamps; your bank, insurer and Action Fraud will all need them.
Report it
Report to Action Fraud, and if any personal data was exposed, assess whether it's notifiable to the ICO within 72 hours.
A Costly and Growing Problem.
Source: gov.uk Cyber Security Breaches Survey 2025/2026; FBI Internet Crime Complaint Center. Only around 5% of UK businesses currently hold Cyber Essentials certification, which includes controls that directly reduce BEC risk, such as email authentication and access management.
If You've Already Sent The Money.
Verify any bank detail change by phone, using a number you already have on file rather than one in the email itself, before paying a supplier again. This single habit stops the majority of repeat invoice fraud attempts.
For the full picture on responding to any cyber incident, see our main guide: My Business Has Been Hacked? What To Do Right Now, and our first-hour containment checklist.
Frequently Asked Questions.
What is business email compromise?
Business email compromise is where an attacker gains access to, or convincingly impersonates, a real business email account to trick someone into making a fraudulent payment, sharing sensitive information, or acting on a fake instruction.
How can I tell if an invoice has been tampered with?
Look for a bank detail change, especially if it arrived close to a payment due date, and always verify by phone using a number you already have on file, never a number or link in the email itself.
Can my bank get the money back?
It depends how quickly the fraud is reported. UK banks operate reimbursement rules for Authorised Push Payment fraud, but the best chance of recovery comes from reporting the payment as fraudulent within hours, not days.
Do I need to tell my customers or suppliers?
Yes, if your mailbox was used to contact them during the compromise. A direct phone call warning them not to act on anything sent during that period is one of the most effective ways to limit wider damage.
Is a business email compromise a notifiable data breach?
It can be, if personal data was accessed or exposed as a result. You have 72 hours from becoming aware of a notifiable breach to report it to the ICO, so this assessment should happen early, not as an afterthought.