
Business Email Compromise (BEC): An SME Guide to Fake Payment Fraud


An email arrives from a supplier you’ve worked with for years. Well written, logo in place, familiar signature block: “We’ve changed banks — please send future payments to this new IBAN.” Accounting updates the account, the invoice comes due, the payment goes out. Two weeks later the real supplier calls: “Our invoice still hasn’t been paid.” The money is long gone, split and withdrawn from another account.

This is an attack antivirus can never catch, because there is no malware involved — just a convincing email. It’s called BEC: Business Email Compromise.

Why the numbers stand out

According to the FBI’s 2025 Internet Crime Report, BEC caused $3.05 billion in verified losses in the United States last year, making it the second-most damaging cybercrime after investment fraud. There were 24,768 reported complaints, with an average loss of over $122,000 each. The detail that should worry every finance team: 86% of the stolen money moves via wire transfer or ACH — straight through a company’s real financial workflow.

These are US figures, but the logic is universal. In Turkey, the national cyber response centre USOM and the regulator BTK block dozens of fake sites every month, and KPMG Turkey flags “authorised push payment fraud” as the finance sector’s emerging threat. Because the attack targets human trust rather than banking infrastructure, it gets more effective as the organisation gets smaller — a large company has an approval chain, a small business usually has one person releasing the payment.

How an email gets “compromised”

Two routes, both more about patience than technical genius.

The first is genuine takeover. The attacker obtains an employee’s password through phishing or a leak, quietly enters the mailbox, and reads the correspondence for weeks. They learn who pays whom, when, and in what tone each supplier is addressed. Then, at exactly the right moment, they slip into a real email thread and request an IBAN change. The message isn’t spoofed — it really comes from that mailbox.

The second is impersonation. The attacker never enters the mailbox; they just register a near-identical address. [email protected] becomes [email protected], or the display name reads “Managing Director” while the real address stays hidden. In a team without a habit of phone verification, that’s enough.
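An added example, not code from the article: a small Python check that flags the two impersonation tricks described above (a near-identical domain and a display name that does not match the real address) against a constructed supplier allowlist. The supplier domains and addresses are made-up sample values.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist; a real deployment would load this from the vendor master file.
KNOWN_SUPPLIER_DOMAINS = {"acme-metal.com", "northwind-logistics.com"}
# Character sequences that read like another character at a glance (rn ~ m, 0 ~ o, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def fold(domain):
    """Lower-case a domain and collapse confusable sequences so a look-alike folds onto the real one."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def parse_from(header):
    """Split a From: value into (display name, address, domain); None if it cannot be parsed."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^<>@\s]+@([^<>\s]+))>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).lower(), m.group(3).lower()
    m = re.match(r'^\s*([^<>@\s]+@([^<>\s]+))\s*$', header)
    if m:
        return "", m.group(1).lower(), m.group(2).lower()
    return None


def classify_sender(header, known=KNOWN_SUPPLIER_DOMAINS):
    """Return (verdict, reason). Anything other than 'known' should go to out-of-band verification."""
    parsed = parse_from(header)
    if parsed is None:
        return "unparseable", "From header could not be parsed"
    name, addr, domain = parsed
    if domain in known:
        return "known", f"{addr} uses an allow-listed supplier domain"
    for real in known:
        if fold(domain) == fold(real):
            return "lookalike", f"{domain} folds to {real} via confusable characters"
        ratio = SequenceMatcher(None, domain, real).ratio()
        if ratio >= 0.85:  # one inserted or swapped character in a short domain lands well above this
            return "lookalike", f"{domain} is {ratio:.0%} similar to {real}"
    if "@" in name:  # display name carries an address of its own, as in "CFO <cfo@supplier> <x@other>"
        claimed = name.rsplit("@", 1)[1].strip().lower()
        if claimed in known:
            return "display-name spoof", f"display name claims {claimed} but mail comes from {domain}"
    return "unknown", f"{domain} is not a supplier domain on record"


if __name__ == "__main__":
    for h in ["Ayse Demir <ayse.demir@acrne-metal.com>", "billing@acme-metal.com <x9@mail-example.net>"]:
        print(classify_sender(h))
```

Run as a mail-flow rule or a pre-payment check on the invoice sender, the non-"known" verdicts are the ones that justify the phone call to a number already on file.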

The four most common scenarios

| Scenario | How it works | Target |
|---|---|---|
| Supplier invoice | A real invoice gets an “IBAN changed” note | Accounting / payments |
| Executive instruction | The “CEO” requests an urgent, confidential transfer | Finance staff |
| Payroll redirect | A “change my salary account” email in an employee’s name | HR / payroll |
| Lawyer / closing | Pressure to pay before a deal, deed, or closing | Manager / accounting |

The common thread is urgency and secrecy. Phrases like “this has to be done today” and “don’t mention this to anyone for now” aren’t accidental — they exist to push you to act before you verify.

Why classic security can’t stop it

Antivirus scans files, EDR watches behaviour, the firewall filters traffic. None of them engages in a BEC attack, because technically nothing “malicious” happens — a normal, well-written email arrives from a valid mailbox or a valid-looking address. The attack targets the process, not the software. So the defence has to be two-layered: technical and operational.

On the technical side, email authentication comes first. With SPF, DKIM and DMARC set up correctly on your domain, impersonation emails sent in your name are largely filtered out; moving DMARC to a “reject” policy keeps them out of the inbox. Multi-factor authentication (MFA) on every mailbox then makes takeover hard even if a password is stolen — most compromises happen on mailboxes without MFA.
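An added example, not from the article: a small Python checker that reads a DMARC and an SPF TXT record and reports what keeps them short of the “reject” posture described above. The records are constructed samples, with the weak version placed beside the corrected one; example.com and example.net are placeholders.

```python
def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt):
    """List what stops the record from enforcing 'reject'; an empty list means it does."""
    t = parse_dmarc(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = t.get("p", "none")  # p is mandatory in DMARC; an absent tag is treated as no enforcement
    if p != "reject":
        findings.append(f"p={p}: mail failing authentication in your name is not rejected outright")
    sp = t.get("sp", p)  # subdomain policy inherits p when sp is missing
    if sp != "reject":
        findings.append(f"sp={sp}: look-alike subdomains of your own domain are not fully covered")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']}: the policy is applied to only part of the failing mail")
    if "rua" not in t:
        findings.append("no rua= address: nobody receives aggregate reports of who sends as you")
    return findings


def spf_findings(txt):
    """Flag an SPF record whose final 'all' term lets unlisted hosts pass or only softfail."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        return [f"{last}: any host may send as this domain"]
    if last == "~all":
        return ["~all: softfail only; unlisted hosts are marked, not refused"]
    return []


# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
```

Point the two functions at the `_dmarc.<domain>` and `<domain>` TXT records pulled from DNS to audit your own setup; what the checker cannot see is DKIM signing itself, which has to be confirmed on the sending side.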

The decisive part, though, is process. These three rules do what no single tool can:

  1. Dual approval. Every payment over a set amount, and every IBAN change, requires sign-off from two separate people.
  2. Out-of-band verification. When an IBAN change request comes in, confirm it by calling a known number from your own records — not by replying to the email, and never the number printed inside it.
  3. Slow is the brake. The “urgent and confidential” combination is a red flag. When staff see those two words, they should slow down, not speed up.

Why the risk rises in summer

Attackers follow the calendar. The weeks when the approving manager is on leave and the team runs at half strength are exactly the gap they look for. “The boss is on holiday and unreachable, but this transfer has to go out today” sounds far more believable in July. Clarifying the payment approval chain and the stand-in approvers before holiday season largely closes that window.

Frequently asked questions

We’re a small business — why would anyone target us? Precisely because you’re small. A large company has layered approval; in your case the payment often goes out on a single signature. Low effort, high return for the attacker.

Can the money be recovered once it’s gone? Sometimes, but only if caught within the first hours. In the FBI’s data, a large share of funds is dispersed to other accounts within minutes. The moment you notice, ask the bank to halt the transfer, then report to the authorities — first steps that actually matter.

Are MFA and DMARC enough on their own? Both cut the risk substantially, but neither stops a fake request from a look-alike address by itself. The technical layer protects the email’s origin; the dual control on payment approval catches the human error. They have to work together.

Does training employees actually help? Yes, measurably. Regular awareness training and realistic drills break the reflex of acting on an “IBAN changed” email without question. It works when it’s a recurring programme, not a one-off presentation.

If you’d like to review your email authentication (SPF, DKIM, DMARC), MFA status and payment approval process together, get in touch — we’ll look at your current setup and map out a clear place to start.

Sources

  • FBI — 2025 Internet Crime Report (IC3), BEC loss and complaint figures
  • KPMG Turkey — Authorised push payment fraud analysis
  • BTK / USOM — Malicious-link reporting and fake-site blocking