For any organisation that uses email, the answer to this question is—unfortunately—yes. Business email compromise comes in many guises, can happen to any organisation and has the potential to do significant financial damage.

Author: Johnty Mongan


According to a 2022 report by enterprise security company, Proofpoint, 77% of organisations faced business email compromise (BEC) attacks in 2021—up 18% on the previous year—and UK-based organisations were particularly heavily targeted.i The move to remote working practices may be a contributing factor in this increase.

One of the most financially damaging online crimes, BEC is big business for cybercriminals, with attacks carried out by transnational criminal organisations that employ lawyers, linguists, hackers, and social engineers. Methods have become more sophisticated over time as attackers continually hone their techniques and the deception is often only uncovered when it is too late.

What is business email compromise?

Business email compromise, also known as email account compromise, covers several email-based fraud techniques. These include spear phishing (targeted phishing), social engineering (involving impersonation), email spoofing, identity theft and the use of malware.

An attack will typically involve hijacking a corporate email address to send an email to a target, appearing to come from a trusted person or business. Often, the perpetrator impersonates the company’s CEO or another senior employee.

The attacker’s aim is to gain access to critical business information or extract money. BEC attacks often exist in multiples because one attack will open the door to further incidents due to the data and identities stolen.

Common methods of business email compromise

A BEC attack can come in a number of different forms. The common thread is the intent to make the target believe that they have received a genuine email from a known contact in their organisation, or a trusted supplier or other third party.

Email impersonation: The attacker sets up an email account that looks like a business email account. They will source a legitimate business email address (typically easy to find online) and create a modified version that looks similar. This method may have more chance of success if received by the target on a mobile device because only the sender’s name is shown, not their email address—so the target will not even have the opportunity to see the discrepancy in the altered email address.

Email spoofing: The email address the recipient sees looks exactly like the genuine address, but the attacker modifies the email’s SMTP (Simple Mail Transfer Protocol) envelope and the header. The SMTP envelope is the information exchanged between email servers for message delivery and the header is the visible ‘To/From’ information that sits above the email message itself. It is surprisingly easy for a hacker to forge the ‘From’ elements of both the envelope and header, making spoofing a common form of BEC attack.

Email account takeover: Using stolen account credentials or by hacking, an attacker gains access to a corporate email account where they obtain information about the user’s contacts, style of writing and personal data. They then use the account to a send a phishing email to their target. This type of BEC attack adds a level of authenticity because the email is from a trusted address.

Malware: Attackers use malware (malicious software) to infiltrate company networks and gain access to legitimate email threads about billing and invoices, using this information to dupe an accountant or financial officer into transferring money. Malware can also allow cybercriminals access to a victim’s data such as financial account information and login details.

Warning signs to look out for

  • Slight spelling differences in the email address—either the person’s name or the domain name.
  • A high level of urgency in the email, often requiring you to act quickly.
  • A message saying there has been a change to the bank account tied to remittance payments.
  • The message is atypical for the sender, either by way of content, style, spelling/punctuation or sign-off.
  • Requests for personal or confidential information over email.
  • A request for you to update or verify account information via links in the email.
  • Any other unusual request involving money or sensitive data.

How to guard against BEC attacks

  • Set up Multi-Factor Authentication (MFA) on any account that allows it.
  • Ensure the domain name/URL in emails is associated with the business/individual it claims to be from.
  • Ensure the settings in employees’ computers are enabled to allow them to view the full email extension.
  • Verify payment and purchase requests and changes of payment procedures in person, if possible, or by calling the person on their known number.
  • Monitor financial accounts on a regular basis for irregularities.
  • Avoid supplying login credentials or personally-identifiable information of any sort via email.
  • Confirm the authenticity/security of external virtual meeting platforms you do not normally use.
  • Partner with a cyber risk management specialist who can review and help you improve your email security processes and employee awareness.

To find out how Gallagher’s Cyber Risk Management team can help your organisation strengthen its defences against email-based attacks and also support you in breach response and recovery, please get in touch with the Cyber Risk Management team.

Author Information


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.