FAQ

BEC Fraud: What to Do If Your Professional Services Firm Is Targeted or Attacked

Business Email Compromise attacks against professional services firms are becoming more sophisticated and more frequent. When an attack occurs, the decisions made in the first hours determine whether funds can be recovered and reputational damage limited. This FAQ provides practical guidance for firms that have received a suspicious instruction or believe they have been targeted or victimised by a BEC attack.

Action Fraud: Funds transferred via BEC can be recalled within 24 hours in approximately 25% of cases if reported immediately.

Frequently Asked Questions

I have received an email asking me to change a supplier's bank details. What should I do?

Do not act on the instruction until you have verified it independently. Call the supplier using a phone number you already have on file — from a previous invoice, their website, or a business card. Do not use a number provided in the email. Ask them to confirm the request verbally. Record the call. If you cannot reach them, do not action the change until you can. A legitimate supplier will understand — a fraudster will apply increasing pressure.

We have transferred money to a fraudulent account. What do we do immediately?

Act within minutes if possible. Call your bank's fraud line immediately — not the general customer service number. Ask them to recall the payment and contact the receiving bank. The Faster Payments system allows recalls for a limited window; CHAPS and SWIFT recalls take longer but are possible. Also contact the recipient bank directly if you know which bank received the funds. Then report to Action Fraud online (actionfraud.police.uk) or by phone (0300 123 2040). Contact your cyber insurer and legal advisers.

How do we know if our email account has been compromised in a BEC attack?

Signs of email account compromise include: email forwarding rules you did not create (check all inbox rules immediately); emails marked as read that you did not read; missing emails that may have been deleted; sent emails you did not send; inbox rules that forward or delete emails from specific senders (often rules to hide BEC-related communications). Check M365 or Google Workspace audit logs for sign-ins from unfamiliar IP addresses or locations.
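The two checks above (inbox rules that forward or hide mail, and sign-ins from unfamiliar addresses) can be run mechanically over an exported audit log. The script below is an added example, not part of this FAQ and not a vendor tool; the event records are constructed for illustration and their field names (`Operation`, `UserId`, `ClientIP`, `Parameters`) are assumptions modelled loosely on Exchange inbox-rule parameter names, so a real M365 or Google Workspace export must be mapped onto that shape first. The known-network list and internal domain are likewise placeholders.

```python
"""Triage exported mailbox audit events for BEC-style account compromise indicators.

Added example with a constructed, simplified record shape; it is NOT the exact
M365 or Google Workspace audit schema. Field names 'Operation', 'UserId',
'ClientIP' and 'Parameters' are assumptions and must be mapped from a real export.
"""
import ipaddress

# Operations that create or modify inbox rules (names modelled on Exchange
# cmdlets; assumed for this example).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders a fraudster commonly hides mail in so the victim never sees replies.
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "archive", "junk email"}
# Subject/body keywords typical of rules built to suppress payment conversations.
FINANCE_KEYWORDS = {"invoice", "payment", "bank", "remittance", "wire", "account"}


def _params(record):
    """Flatten the [{'Name': ..., 'Value': ...}] parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _external(address, internal_domains):
    """True when the address's domain is not one of the firm's own domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in internal_domains


def suspicious_inbox_rules(records, internal_domains):
    """Return (user, rule_name, reason) tuples for rules matching BEC hiding patterns."""
    findings = []
    internal = {d.lower() for d in internal_domains}
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        p = _params(rec)
        name = p.get("Name", "<unnamed>")
        user = rec.get("UserId", "?")
        # 1. Forwarding or redirecting to an address outside the firm.
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for addr in str(p.get(key, "")).split(";"):
                if addr.strip() and _external(addr, internal):
                    findings.append((user, name, f"forwards externally to {addr.strip()}"))
        # 2. Rules that silently delete messages.
        if str(p.get("DeleteMessage", "")).lower() == "true":
            findings.append((user, name, "deletes matching messages"))
        # 3. Rules that file messages into folders the user rarely opens.
        folder = str(p.get("MoveToFolder", "")).lower()
        if folder in HIDING_FOLDERS:
            findings.append((user, name, f"moves messages to '{folder}'"))
        # 4. Rules keyed on payment-related words (the BEC conversation itself).
        words = (str(p.get("SubjectContainsWords", "")) + " "
                 + str(p.get("BodyContainsWords", ""))).lower()
        hits = sorted(k for k in FINANCE_KEYWORDS if k in words)
        if hits:
            findings.append((user, name, "matches finance keywords: " + ", ".join(hits)))
    return findings


def unfamiliar_signins(records, known_networks):
    """Return (user, ip) for sign-ins whose source IP is outside the known networks."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    findings = []
    for rec in records:
        if rec.get("Operation") != "UserLoggedIn":
            continue
        user, ip = rec.get("UserId", "?"), rec.get("ClientIP", "")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((user, ip))  # unparsable source: surface it for review
            continue
        if not any(addr in n for n in nets):
            findings.append((user, ip))
    return findings


# Constructed sample events (not real log data); IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "finance@firm.example", "ClientIP": "203.0.113.10"},
    {"Operation": "UserLoggedIn", "UserId": "finance@firm.example", "ClientIP": "198.51.100.77"},
    {"Operation": "New-InboxRule", "UserId": "finance@firm.example", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank details"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "finance@firm.example", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "fwd"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "partner@firm.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"},
                    {"Name": "From", "Value": "news@firm.example"}]},
]
KNOWN_NETWORKS = ["203.0.113.0/24"]   # placeholder: the firm's office/VPN ranges
INTERNAL_DOMAINS = ["firm.example"]   # placeholder: the firm's own mail domains


def triage(records=SAMPLE_EVENTS, internal_domains=INTERNAL_DOMAINS, known_networks=KNOWN_NETWORKS):
    """Run both checks and return the findings as a dict."""
    return {"rules": suspicious_inbox_rules(records, internal_domains),
            "signins": unfamiliar_signins(records, known_networks)}


if __name__ == "__main__":
    result = triage()
    for user, name, reason in result["rules"]:
        print(f"[RULE]   {user}: rule '{name}' {reason}")
    for user, ip in result["signins"]:
        print(f"[SIGNIN] {user}: sign-in from unfamiliar address {ip}")
```

On the sample data the benign "Newsletters" rule produces nothing, while the two rules created from the unfamiliar address are flagged for hiding finance-related mail, forwarding externally and deleting messages; correlating the rule-creation events with the sign-in from the same unknown IP is what turns a list of indicators into a compromise timeline. Every flagged rule should be removed and the account's credentials and sessions reset before the rules are merely disabled.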

Do we need to tell clients if their data was accessed in a BEC-related email compromise?

If the compromised email account contained personal data about clients or third parties, you have a potential UK GDPR breach notification obligation. Assess whether the compromise is likely to result in a risk to individuals' rights and freedoms — if so, notify the ICO within 72 hours and notify affected individuals without undue delay. Even if the legal threshold is not met, proactive client notification is strongly advisable from a relationship management perspective.

Strengthen your BEC defences

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
