I got a call last month from a small business owner in Maidenhead who'd just transferred £18,000 to a fake supplier account. The email looked exactly like the ones she'd been getting from that supplier for two years. Same logo. Same signature. Same friendly tone. Only the bank details had changed.

She hadn't been hacked. Nobody had installed anything nasty on her computer. She'd just been quietly watched, then asked politely to send money to the wrong place. And she'd done it, because the email looked completely normal.

This kind of scam — usually called Business Email Compromise, or BEC — is now among the most expensive cybercrimes hitting UK small businesses. There's no ransomware involved, no flashing screens demanding Bitcoin. Just a polite email that looks like every other email you get. Which is exactly what makes it so dangerous.

I want to explain how it actually works, why standard antivirus won't help, and what you can do this week to protect your business.

How the scam actually works

It usually starts months before any money moves. Someone gets into one mailbox — yours, your bookkeeper's, your supplier's, it doesn't really matter. They might phish a password, buy one off a credentials dump, or simply guess a weak one. Once they're in, they don't break anything. They read. They set up a quiet rule that forwards copies of certain emails to themselves, and often a second one that deletes or files away the replies, so that once the swap begins the real supplier's messages never reach you. They learn how you talk, who pays whom, and when invoices typically arrive.

Then, when the moment is right — usually just before a big payment is due — they send an email from a very convincing address. Sometimes it's spoofed outright, which gets much harder once the real domain publishes SPF, DKIM and an enforcing DMARC policy. Sometimes it's a lookalike domain they've registered (lumatech-solutions.co.uk instead of lumatechsolutions.co.uk). Sometimes it's actually your supplier's real mailbox, because they're the ones who got compromised.

The email says something like, "Just a heads up, we've changed banks. Please use the attached details for this month's invoice." It's polite. It matches the running conversation. There's nothing technically wrong with it. Your spam filter is happy. Your antivirus shrugs. And the money goes.
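To make the two address tricks above concrete, here is a small checker added for this page (it is not code from the original post). Given a raw email it parses the From header, compares the real domain against the supplier domains you have on file, spots lookalikes such as lumatech-solutions.co.uk, and flags a display name or mailbox that names the supplier while the real address sits on a freemail domain. It also looks at Reply-To, which goes one step beyond the post: a reply address on a different domain from the sender is a classic sign the conversation is being hijacked. The supplier list and the four sample messages are constructed.

```python
"""Sender checks for BEC address tricks: a lookalike domain one character off
the real one, a display name or mailbox that names the supplier while the real
address is elsewhere, and a Reply-To that points somewhere other than the sender.
Added example, not code from the original post. Supplier and message data are
constructed; adapt KNOWN_SUPPLIER_DOMAINS to the suppliers you actually pay."""
from email import message_from_string
from email.utils import parseaddr

# The suppliers you pay, keyed by the domain you have on file (constructed).
KNOWN_SUPPLIER_DOMAINS = {"lumatechsolutions.co.uk": "Lumatech Solutions"}


def normalise(domain: str) -> str:
    """Collapse the substitutions lookalike registrations rely on, so that
    lumatech-solutions.co.uk and lumatechso1utions.co.uk compare equal to the real one."""
    d = domain.lower().strip().rstrip(".").replace("-", "").replace(".", "")
    return d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, written out so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_email: str) -> list[str]:
    """Plain-English findings about the From and Reply-To headers of one message.
    An empty list means the address is one you have on file; it does not mean the
    message is safe, because the supplier's own mailbox may have been taken over."""
    msg = message_from_string(raw_email)
    display, address = parseaddr(msg.get("From", ""))
    local, _, domain = address.lower().rpartition("@")
    findings = []

    if domain not in KNOWN_SUPPLIER_DOMAINS:
        for known, name in KNOWN_SUPPLIER_DOMAINS.items():
            brand = normalise(known.split(".")[0])
            # Lookalike: same letters once hyphens, dots and digit swaps are removed,
            # within two edits of the real domain, or the brand buried inside another domain.
            if edit_distance(normalise(domain), normalise(known)) <= 2 or brand in normalise(domain):
                findings.append(f"lookalike domain: {domain} resembles {known}")
            # Name-dropping: the supplier's name in the display name or mailbox, wrong domain.
            elif name.lower() in display.lower() or brand in normalise(local):
                findings.append(f"claims to be {name} but the real address is {address}")

    # Replies routed away from the sender's own domain are a classic BEC tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != domain:
        findings.append(f"Reply-To is {reply_to}, not the From domain {domain}")
    return findings


# Constructed sample messages; only the headers matter for this check.
GENUINE = "From: Sarah Chen <sarah@lumatechsolutions.co.uk>\nSubject: March invoice\n\nInvoice attached.\n"
LOOKALIKE = ("From: Sarah Chen <sarah@lumatech-solutions.co.uk>\nSubject: Re: March invoice\n\n"
             "Just a heads up, we've changed banks. New details attached.\n")
FREEMAIL = ('From: "Sarah Chen (Lumatech Solutions)" <sarah.lumatechsolutions@gmail.com>\n'
            "Subject: Re: March invoice\n\nPlease use our new account for this month.\n")
REPLY_TO = ("From: Sarah Chen <sarah@lumatechsolutions.co.uk>\n"
            "Reply-To: accounts@lumatech-solutions.co.uk\nSubject: Re: March invoice\n\n"
            "New bank details below.\n")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE),
                       ("freemail", FREEMAIL), ("reply-to", REPLY_TO)]:
        print(f"{label:>9}: {check_sender(raw) or ['no address findings']}")
```

Run it and the genuine message comes back clean while the other three are flagged. A clean result only means the address is one you have on file; in the third case above, where the supplier's own mailbox has been taken over, the address is genuine and only a phone call to a known number catches it.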

Why your usual security won't catch it

This is what people miss. There's no malicious attachment to scan. No dodgy link to block. The email comes from a real address that's been talking to you for years, or from a domain that looks one character off — and your eye won't catch the difference at 4pm on a Friday.

So the answer isn't more software. It's process. A few small habits, agreed across the business, will stop almost every one of these.

Five things to fix this week

1. Verify bank detail changes by phone — every time. If a supplier tells you they've changed banks, call them on the number you already have on file. Not the number in the email. Not "their" new mobile they mentioned. The known number. Yes, even if you trust them. Especially if you trust them.

2. Turn on multi-factor authentication on every mailbox. This is the single biggest thing you can do. If someone steals your password, MFA stops them logging in with it. Use an authenticator app or a security key rather than text messages where you can, and be aware that a well-built fake login page can still capture a signed-in session, which is why the payment checks below matter even with MFA on. Microsoft 365 and Google Workspace both make this easy. There's no good excuse not to have it on.

3. Check the actual sender address, not the display name. Display names can say anything. The real address is the bit in angle brackets, and it tells you whether the email is really from sarah@yoursupplier.co.uk or from sarah.yoursupplier@gmail.com. Most mail apps, and nearly all phones, hide it behind the name, so tap or hover to see it. Train your team to look. And remember that if it's the supplier's own mailbox that was compromised, the address will be genuine, so this check backs up the phone call in point 1 rather than replacing it.

4. Review forwarding rules in your mailbox. This is the one almost nobody checks. Open your email settings and look for rules that forward or redirect messages externally, rules that delete or move messages about invoices or payments, and rules with blank or one-character names. If you didn't set it, delete it, then change the password, because someone has been in that mailbox. Both Microsoft 365 and Google Workspace let an administrator review rules and forwarding across every mailbox, which is worth doing for the whole company. Attackers love these because they're silent.

5. Have a written rule for invoice payments above a certain amount. Pick a threshold — £500, £2,000, whatever fits your business. Above it, two people have to sign off and one of them has to verify the bank details by phone. Put it in writing. Stick it on the wall.
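Point 4 is the hardest one to do by eye in a busy mailbox, so here is an added example (not from the original post) of the check an administrator could run over a mailbox's exported rules. The records follow the shape Microsoft Graph returns for an inbox's message rules (GET /users/{id}/mailFolders/inbox/messageRules), but the three rules and the company domain below are constructed and nothing is fetched. It flags forwarding or redirects to addresses outside the company, rules that delete or move money-related mail, and rules with blank or one-character names.

```python
"""Audit one mailbox's inbox rules for the silent-forwarding pattern in point 4.
Added example, not code from the original post. Rule records follow the shape
Microsoft Graph returns for GET /users/{id}/mailFolders/inbox/messageRules; the
records below are constructed inline, and the company domain is made up."""

OUR_DOMAIN = "example-business.co.uk"  # constructed; the domain your own staff use
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
MONEY_WORDS = ("invoice", "bank", "payment", "remittance", "bacs", "account")


def _recipients(rule: dict, action: str) -> list[str]:
    """Addresses a forwarding-type action sends to (Graph recipient objects)."""
    return [r["emailAddress"]["address"].lower() for r in rule.get("actions", {}).get(action) or []]


def audit_rule(rule: dict, our_domain: str = OUR_DOMAIN) -> list[str]:
    """Findings for a single rule; an empty list means nothing looked like BEC tradecraft."""
    name = (rule.get("displayName") or "").strip()
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    label = name or "(unnamed)"
    findings = []

    # 1. Any copy or redirect to an address outside the company is the attacker's feed.
    for action in FORWARD_ACTIONS:
        for addr in _recipients(rule, action):
            if not addr.endswith("@" + our_domain):
                findings.append(f"{label}: {action} -> {addr} (outside {our_domain})")

    # 2. Rules that delete or file away money-related mail hide the real supplier's
    #    replies once the bank-detail swap begins.
    keywords = [k.lower() for k in conditions.get("subjectContains", []) + conditions.get("bodyContains", [])]
    hides = actions.get("delete") or actions.get("permanentDelete") or actions.get("moveToFolder")
    if hides and any(word in k for k in keywords for word in MONEY_WORDS):
        findings.append(f"{label}: deletes or moves messages matching {keywords}")

    # 3. Attackers often give rules blank or one-character names ('.', '..') so they
    #    are easy to overlook on the settings page.
    if len(name) <= 2:
        findings.append(f"{label}: rule name {name!r} is blank or too short to be deliberate")
    return findings


def audit_rules(rules: list[dict], our_domain: str = OUR_DOMAIN) -> list[str]:
    """Flatten findings across every rule in a mailbox."""
    return [f for rule in rules for f in audit_rule(rule, our_domain)]


# Constructed rules in Graph messageRule shape: two the owner set, one the attacker set.
SAMPLE_RULES = [
    {   # File newsletters; harmless.
        "id": "r1", "displayName": "Newsletters", "isEnabled": True,
        "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
        "actions": {"moveToFolder": "AAMkAGNewsletters", "stopProcessingRules": True},
    },
    {   # Copy invoices to a colleague inside the company; fine.
        "id": "r2", "displayName": "Invoices to Priya", "isEnabled": True,
        "conditions": {"subjectContains": ["Invoice"]},
        "actions": {"forwardTo": [{"emailAddress": {"name": "Priya", "address": "priya@example-business.co.uk"}}]},
    },
    {   # Nameless rule that ships anything about money outside, then deletes it.
        "id": "r3", "displayName": "..", "isEnabled": True,
        "conditions": {"subjectContains": ["invoice", "bank details", "payment"]},
        "actions": {
            "forwardAsAttachmentTo": [{"emailAddress": {"name": "", "address": "acct.recovery2019@gmail.com"}}],
            "delete": True, "markAsRead": True, "stopProcessingRules": True,
        },
    },
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print("FLAG", finding)
```

Run against the sample, the two rules the owner set produce nothing and the attacker's rule is flagged three times: the external forward, the deletion of invoice and bank-detail mail, and the ".." name. In practice you would feed it the rules for every mailbox in the company, not just the one that noticed a problem.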

None of this is technical. None of it costs more than your monthly coffee budget. But together they stop the kind of attack that's quietly wiping out small businesses across Berkshire and Buckinghamshire every week.

The honest truth

Most of the businesses I help after a BEC attack had decent IT in place. They had antivirus. They had backups. What they didn't have was a five-minute habit that would have caught the dodgy email before it cost them tens of thousands.

I'd much rather spend an hour with you setting up MFA, reviewing your mailbox rules and writing down a simple payment process — than spend a day with you afterwards trying to trace where the money went. Because once it's gone, it's usually gone.

If you need help locking down your business email or want a second pair of eyes on your payment processes in Berkshire or Buckinghamshire, get in touch.