Business Email Compromise: What It Is and How to Protect Your Practice
Your accounts person gets an email from you - or someone who looks exactly like you. It asks them to transfer funds to a new supplier account urgently, before the end of the day. The email looks right. The name is right. The tone sounds like you. So they do it. The money is gone within minutes, and getting it back is rarely possible.
This is Business Email Compromise, and it is one of the most financially damaging scams hitting professional services businesses right now. It does not rely on malware or technical exploits. It relies on trust - on someone in your team believing they are doing the right thing by following instructions from a person they recognise. The FBI has reported losses in the billions of dollars annually from these scams globally, and there is no reason to think Canterbury businesses are insulated from it.
What makes these attacks so effective is the preparation behind them. Before anyone sends a fraudulent email, they have often spent time researching your business - who the directors are, who handles payments, which suppliers you use. That information is frequently available on your website, LinkedIn, or other public sources. The email that arrives in your accounts person's inbox has been written to pass a quick read. It references real context. It creates urgency. It asks for discretion. These are all the hallmarks of how a real executive might communicate when something time-sensitive comes up. Attackers use context like this against you more often than most people realise.
When email security is handled properly, several things change. Your email system itself can be configured to make it much harder for someone to impersonate your domain - so an email pretending to come from your address is more likely to be flagged or rejected before it reaches anyone. Staff know what a suspicious request looks like and have a clear process for verifying payment instructions before acting on them. That process does not have to be complicated: a phone call to confirm using a known number, not the one in the email, is often enough to stop a transfer in its tracks.
Good email security also means having anti-phishing tools running in the background that flag unusual messages before they reach your team. These tools have improved significantly and catch a lot of what used to get through. Combined with well-configured authentication settings on your domain, they reduce the attack surface considerably. None of this is visible day-to-day, but it makes a real difference when someone tries to exploit your business. Most breaches like this are entirely preventable with the right controls in place.
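To make the "flagged or rejected" point above concrete, here is an added example (written for this page, not ITstuffed's own tooling) that assumes the domain authentication setting in question is a DMARC record, the DNS policy that tells receiving mail servers what to do with messages that fail authentication. It parses a record and reports the settings that would still let a spoofed message through; the sample records and the example.test domain are constructed.

```python
# Constructed sample DMARC TXT records for a hypothetical domain.
# example.test is a reserved name; these are not real DNS records.
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.test",
    "hardened": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test",
}

# Policy strength, strongest last; sp= (subdomain policy) defaults to p=.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs ('tag=value; ...')."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable findings; an empty list means nothing weak was found."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing or invalid v=DMARC1 tag: receivers will ignore this record"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return ["missing or invalid p= tag: record is not a valid DMARC policy"]
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never flagged or rejected")
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        findings.append(f"sp={sub_policy}: subdomains are weaker than the main domain policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, "->", assess_dmarc(record) or ["no weaknesses found"])
```

In practice you would fetch the record from the `_dmarc.<yourdomain>` TXT entry and run the same checks against it.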
The practical step for most businesses is to get someone to review how your email is currently configured and whether your team has any training around payment verification and cyber threats. This is not something that needs a big project - it needs someone who knows what to look for. If a payment request ever arrives by email alone, with urgency attached and no easy way to verify it, that should be enough to pause before acting. Building that instinct into your team, and backing it up with the right technical controls, is what keeps your accounts protected. For businesses handling client funds or sensitive financial transactions, see how IT support for professional services can help. If you want to understand how your current IT setup handles email threats, ITstuffed offers a free 15-minute IT Fit Check - book one at /booking.