How to defend your business from email compromise

Email phishing attacks that target senior leaders and finance personnel in the business are on the increase. The National Cyber Security Centre (NCSC) has published guidance aimed at helping small to medium-sized businesses deal with Business Email Compromise (BEC).

The guidance considers actions that you can take to reduce the likelihood of being affected by BEC, and what to do if you think you’ve already been compromised.


What is BEC?

Criminals try to access a work email account to trick someone into transferring money to an account that is controlled by the criminal. The phishing emails are targeted at individuals, usually those who are likely to have the seniority to approve money transfers.

The criminal might try to impersonate someone else in the business and might even include text from an existing email thread to make the contact seem more legitimate.


What to do if you think you have lost money

NCSC advise that if you think you have lost money because of an attack like this, the most important thing is not to panic.

Actions you should take include contacting your bank, ensuring that you are using their official contact details, and reporting it as a crime to the police.

If you have an IT department, they may be able to help, and you should check to see if your account or anyone else’s email account has been compromised.

Reducing the likelihood of BEC

Suggestions include:

  • Reduce your digital footprint: Information about senior staff on websites and on social media and networking sites can be used by criminals to make their phishing emails appear more convincing. Senior staff in particular should check their social media privacy settings and think about what they post to reduce their digital footprint.

  • Help staff recognise a fraudulent request and give them the confidence to ask whether an email is genuine.

  • Set up 2-step verification. This means that even if a criminal knows your password, they won’t be able to access your accounts.

  • Carefully control who can make high-value payments and revoke this privilege as soon as someone no longer needs it. Have verification procedures to confirm requests made by email.

  • Because of the level of sophistication that can be used, recognise that no amount of staff awareness and training can guarantee detecting all BEC attempts. Therefore, consider how you will handle an incident, ideally rehearsing it so that you know what to do and how to minimise the impact if it happens.

The full guidance can be found here: https://www.ncsc.gov.uk/guidance/business-email-compromise-defending-your-organisation
