Business email compromise (BEC) is one of the most financially damaging types of cyber attack affecting small businesses. It does not rely on malware. There is no virus to detect and no file to block. The attack works by manipulating people into sending money or sensitive information to the wrong place.
Understanding how it works is the most effective way to avoid it.
What Business Email Compromise Is
BEC is an attack in which someone impersonates a person or organisation your business trusts, with the aim of getting you to take a financial or data-related action. The impersonation usually arrives by email, and the message appears to come from a known supplier, a company director, a solicitor or a business partner.
No malware is involved. The email itself is the attack.
The Two Main Patterns
Supplier Invoice Fraud
An email arrives appearing to come from a supplier your business deals with regularly. It notifies you that the supplier's bank account details have changed and requests that future payments, or a specific outstanding invoice, are directed to the new account.
The email may arrive from a look-alike address (one letter changed, a different domain extension) or, in more sophisticated attacks, from the supplier's genuine email address after it has been compromised.
The request itself is routine. Businesses update bank details. Invoice payments are a normal activity. The attack succeeds because it arrives in context, at a plausible time, and asks for something that does not immediately seem suspicious.
CEO or Director Fraud
An email appears to come from a senior person in the business, usually the owner, managing director or finance director. It requests an urgent payment or bank transfer, often with a reason that discourages checking: a deal that must not be disclosed yet, a payment that must happen before end of day, a situation being handled personally.
The email may use a look-alike address or, if the attacker has compromised a genuine account, may come from the real address. The combination of authority and urgency is designed to bypass the normal checking behaviour that would catch it.
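Both patterns above rely on an address that looks right at a glance. The following is an added example, not code from the original page: a small Python check that compares the domain of an inbound From: header against the domains the business already deals with and flags the three look-alike tricks described above (a different extension, a changed or dropped letter, and characters such as 1 for l that render almost identically). It also covers a fourth case the text does not spell out but which follows the same logic, a director's name placed on an address the business has never seen that person use. The trusted domains, the known director and the sample headers are all constructed for illustration.

```python
"""Flag inbound senders whose address looks like, but is not, a trusted contact.

Added example: the trusted domains, known director and sample From: headers are
constructed for illustration, not taken from any real mailbox or incident.
"""
from email.utils import parseaddr

# Constructed: domains the business genuinely deals with, taken from its own records.
TRUSTED_DOMAINS = {"acme-supplies.co.uk", "northfield-legal.com", "example-director.com"}

# Constructed: people whose name an attacker would borrow, and the domain they really use.
KNOWN_PEOPLE = {"jane smith": "example-director.com"}

# Character swaps that render almost identically and are common in look-alike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Two-part public suffixes present in the sample data; a real deployment would use
# the full public suffix list instead of this short set.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch a single changed, dropped or added letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_parts(domain):
    """Split 'mail.acme-supplies.co.uk' into ('acme-supplies', 'co.uk')."""
    parts = domain.lower().split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def normalise(label):
    """Map common homoglyph substitutions back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify_sender(from_header):
    """Return (verdict, trusted_contact_or_None) for one From: header value."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no-address", None
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain

    # Director fraud: a known name on an address that person has never used with you.
    expected = KNOWN_PEOPLE.get(" ".join(display_name.lower().split()))
    if expected and domain != expected:
        return "display-name-mismatch", expected

    label, suffix = registrable_parts(domain)
    for trusted in sorted(TRUSTED_DOMAINS):          # sorted so results are deterministic
        t_label, t_suffix = registrable_parts(trusted)
        if label == t_label and suffix == t_suffix:
            return "trusted-subdomain", trusted
        if label == t_label:
            return "lookalike-tld", trusted          # same name, different extension
        if normalise(label) == normalise(t_label):
            return "lookalike-homoglyph", trusted    # 1 for l, 0 for o, rn for m
        if edit_distance(label, t_label) == 1:
            return "lookalike-typo", trusted         # one letter changed, added or dropped
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers. Only the first comes from a trusted domain.
    SAMPLE_HEADERS = [
        "Accounts <accounts@acme-supplies.co.uk>",
        "Accounts <accounts@acme-supplies.com>",
        "Accounts <accounts@acme-supp1ies.co.uk>",
        "Accounts <accounts@acme-suplies.co.uk>",
        "Jane Smith <jane.smith.md@gmail.example>",
        "Newsletter <news@somewhere.example>",
    ]
    for header in SAMPLE_HEADERS:
        print(f"{header:45} -> {classify_sender(header)}")
```

A verdict other than "trusted" is not proof of fraud; it is the cue to apply the telephone check described under Practical Defences before anything is paid. The homoglyph and edit-distance checks are deliberately narrow (distance exactly 1) so that genuinely different suppliers with similar names are not flagged on every message.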
How Attackers Set Up BEC Attacks
More sophisticated BEC attacks are not random. The attacker has usually done research beforehand:
- They have identified who in your business handles payments
- They know who your key suppliers are (often from your website, social media or public records)
- In some cases, they have compromised one of the email accounts involved and have been silently monitoring correspondence for weeks before acting
- They time the request to coincide with a real payment cycle or a known transaction
The attack that arrives while a genuine invoice is outstanding, from a sender address that looks exactly right, referencing the correct supplier name and a plausible payment amount, is much harder to catch than a generic scam email.
Why Antivirus Does Not Stop It
Traditional antivirus and endpoint security tools detect malicious files and suspicious behaviour from software. A BEC email contains no malicious file and triggers no software-based detection. The attack is entirely social: it targets the person, not the system.
Email spam filters catch some BEC attempts, particularly those using look-alike domains that threat intelligence feeds have already flagged. But a carefully crafted email from a compromised genuine account, or from a freshly registered domain not yet on any block list, can pass through cleanly.
Practical Defences That Work
A single rule that stops most cases
Any request involving a change to bank details or a payment to an unfamiliar account must be verified by telephone, using a number you already have for that contact, before any action is taken. Not a reply to the email. Not a call to a number provided in the email. A call to a number from your own records or from the supplier's website.
This one rule, applied consistently, stops the majority of supplier invoice fraud and CEO fraud attempts cold.
MFA on all email accounts
If an attacker cannot get into a genuine email account in the first place, the most convincing version of BEC (mail from a real address, sent in the middle of a real conversation) is not available to them. Enforcing MFA on every mailbox means a stolen or guessed password alone is not enough. Two caveats: a phishing page that relays the login to the real service in real time can capture the signed-in session even when a code or push approval is used, so prefer phishing-resistant methods (FIDO2 security keys or passkeys) where your platform supports them; and an attacker who does get in usually hides by adding mailbox rules that forward copies out or delete replies, so check the inbox rules and recent sign-ins on any account involved in a suspicious payment request.
Email authentication records
SPF, DKIM and DMARC, configured correctly, make it harder for attackers to spoof your own domain when targeting your customers and partners. SPF lists the servers allowed to send for the domain, DKIM signs outgoing mail, and DMARC tells receivers what to do with a message that claims your domain but fails those checks. A DMARC record left at p=none only reports; receivers start acting on it at p=quarantine or p=reject. Your own mail server applies the same checks to inbound mail, so a message pretending to be from a supplier whose domain publishes an enforcing policy is caught on the way in. Be clear about what these records do not cover: a look-alike domain the attacker registered passes its own SPF and DMARC checks, and mail from a compromised genuine account is fully authenticated. Neither is stopped by authentication records, which is why the telephone check above still applies.
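The settings that matter are easy to read off the published records once you know what to look for. The following is an added example, not code from the original page: a Python checker that parses an SPF record and a DMARC record and reports the weak settings (an open +all, a monitoring-only p=none, a partial pct, a missing reporting address, and an SPF record with more DNS-lookup terms than the limit of 10 in RFC 7208). The weak and corrected record pairs are constructed for a Microsoft 365 tenant; only the spf.protection.outlook.com include is a real hostname, and the example.com addresses are placeholders. Fetch your own records with dig TXT yourdomain and dig TXT _dmarc.yourdomain and pass the strings to the two assess functions.

```python
"""Check SPF and DMARC TXT records for the settings that leave a domain spoofable.

Added example. The records below are constructed (only the Microsoft 365 SPF include
is a real hostname). Look up your own with 'dig TXT yourdomain' and
'dig TXT _dmarc.yourdomain' and pass the strings to assess_spf / assess_dmarc.
"""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record):
    """Return a list of weaknesses in an SPF record (empty list means none found)."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for token in tokens[1:]:
        qualifier = "+"                       # the default when none is written
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        # Strip any ':value', '=value' or '/cidr' to get the bare term name.
        name = token.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr: deprecated mechanism, slow and unreliable for receivers")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of failing")
    elif all_qualifier == "+":
        findings.append("+all: every host on the internet is authorised to send as this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral, unlisted senders are neither passed nor failed")
    elif all_qualifier == "~":
        findings.append("~all: softfail; -all is the stricter choice once every sender is listed")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the limit of 10, receivers return permerror")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list means none found)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, receivers still deliver mail that fails authentication")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is junked rather than rejected")
    elif policy != "reject":
        findings.append("p= tag missing or invalid: receivers ignore the record")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed whatever p= says")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no reports of who is sending as your domain")
    return findings


# Constructed weak/corrected pairs for a Microsoft 365 tenant.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for label, record, check in [
        ("weak SPF", WEAK_SPF, assess_spf), ("corrected SPF", STRONG_SPF, assess_spf),
        ("weak DMARC", WEAK_DMARC, assess_dmarc), ("corrected DMARC", STRONG_DMARC, assess_dmarc),
    ]:
        print(f"{label}: {record}")
        for finding in check(record) or ["no weaknesses found"]:
            print("  -", finding)
```

Moving from p=none to p=reject is safe only after the rua reports show that every legitimate sender (the mail platform, the invoicing system, any marketing tool) is listed in SPF or signing with DKIM; the reports exist precisely so that step can be taken without losing real mail.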
Staff training
Staff who understand how these attacks work are more likely to pause before acting on an unusual request. Knowing that a request for a bank detail change should always be verified by phone, regardless of how legitimate the email looks, is a simple and effective habit.
Check Your Email Security Posture
We can review your SPF, DKIM and DMARC records, check MFA status on your Microsoft 365 accounts, and discuss training options for your team. Ring us for a straight assessment.