- Business email compromise recovery is possible through civil litigation, bank recalls, and cross-border asset tracing in European courts.
- BEC fraud targets Asian businesses transacting with European counterparties: intercepted payment instructions redirect large wire transfers to fraudster-controlled accounts.
- Claims are available against the fraudster, and in documented cases against banks that processed obviously suspicious transactions without adequate controls.
- The EAPO freezes a fraudster’s accounts across all EU member states simultaneously. BEC proceeds are moved within hours, making immediate action the decisive recovery factor.
- Limitation periods run from the date of discovery, but bank recall windows close within 24–72 hours of transfer, requiring parallel action on multiple fronts immediately.
Business email compromise recovery is achievable through bank recalls, civil litigation, asset tracing, and criminal proceedings. Where a fraudster intercepted or impersonated a legitimate business email communication to redirect a wire transfer to a fraudster-controlled account, claims for fraudulent misrepresentation and unjust enrichment are available against the identified fraudster. Where a bank processed the fraudulent transfer without applying adequate anti-money laundering controls or failed to act on a timely recall request, banking liability claims may be available. The European Account Preservation Order (EAPO) can freeze the fraudster’s accounts across all EU member states simultaneously. Recovery outcomes depend on the speed of action after discovery, the identifiability of the receiving account, the jurisdiction of the fraudster’s bank, and the quality of the email and payment documentation available.
What Is Business Email Compromise?
Business email compromise (BEC) fraud is a targeted fraud in which a criminal intercepts, compromises, or impersonates a legitimate business email communication to manipulate a payment instruction. The victim, believing they are following instructions from a known counterparty, transfers funds to an account controlled by the fraudster rather than the intended recipient.
BEC fraud does not require sophisticated technical intrusion. The most prevalent variants operate through email domain spoofing (creating a domain visually identical to the legitimate counterparty’s) or through compromise of a genuine email account within the supply chain. The fraudster monitors correspondence, identifies an imminent large payment, and intervenes at the moment the payment instruction is issued, substituting their account details for the legitimate recipient’s.
The fraud is not identified until the legitimate counterparty queries non-receipt of funds, or the victim attempts to follow up on the transaction. By that point, the funds have typically been transferred multiple times across jurisdictions.
Interesting fact
In 2018, the Dutch division of film company Pathé fell victim to a business email compromise scheme. Fraudsters, posing as CEO Jérôme Seydoux, sent urgent payment instructions to the CFO for a supposedly confidential transaction. As a result, approximately €19.2 million was transferred between March and May to accounts in the UK, UAE, and Hong Kong.
How BEC Fraud Operates in Practice
Payment Diversion Through Email Spoofing
The fraudster registers a domain visually identical to the legitimate supplier’s or buyer’s: replacing a single character, adding a country suffix, or substituting a letter with a numeral. Correspondence is conducted from this domain throughout the transaction. When the payment instruction is issued, the fraudster substitutes legitimate bank account details with their own. The victim transfers funds to the fraudster’s account, believing they are paying the correct counterparty.
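A mail gateway or accounts-payable workflow can screen sender domains for exactly these three alterations. The sketch below is an added example, not part of the original article; the counterparty list and all domains are constructed placeholders, and the domain split is naive (it assumes registrable domains without subdomains, where production code would use the Public Suffix List).

```python
# Constructed allow-list of counterparty domains (placeholder values).
KNOWN_DOMAINS = {"acme-supplies.example", "nordbank.example"}

# Numerals commonly substituted for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def edit_distance(a, b):
    """Levenshtein distance between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """Naive split: first label is the name, the rest is the suffix."""
    label, _, suffix = domain.partition(".")
    return label, suffix

def classify(sender_domain, known=KNOWN_DOMAINS):
    """Return (verdict, matched_known_domain) for a sender domain."""
    d = sender_domain.lower().rstrip(".")
    if d in known:
        return ("known", d)
    label, suffix = split_domain(d)
    for k in sorted(known):
        k_label, k_suffix = split_domain(k)
        if label == k_label and suffix != k_suffix:
            return ("suffix-change", k)            # e.g. added country suffix
        if label != k_label and label.translate(HOMOGLYPHS) == k_label.translate(HOMOGLYPHS):
            return ("numeral-substitution", k)     # letter swapped for a numeral
        if edit_distance(label, k_label) == 1:
            return ("single-character-change", k)  # one char replaced/added/dropped
    return ("unrelated", None)

if __name__ == "__main__":
    for dom in ("acme-supp1ies.example", "acme-suppiies.example",
                "acme-supplies.example.hk", "other.example"):
        print(dom, classify(dom))
```

Any verdict other than "known" on a message that carries payment details is a reason to confirm the bank account through a channel other than email before paying.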
Compromised Email Account Interception
The fraudster gains access to a genuine email account within the transaction chain through phishing, credential theft, or social engineering. From inside the legitimate account, they monitor the transaction and intercept or modify the payment instruction at the critical moment. The victim receives what appears to be an authentic communication from a known contact, containing substituted payment details. No domain discrepancy exists to alert the victim.
CEO and Senior Executive Impersonation
A fraudster impersonates a senior executive of the victim’s own organisation, using a spoofed internal email domain or a compromised executive account, and instructs the finance team to make an urgent, confidential wire transfer to a specified account. The instruction bypasses normal payment authorisation procedures on the basis of the apparent seniority of the sender. The transfer is made before standard verification protocols are applied.
Lawyer and Notary Impersonation
A fraudster impersonates a lawyer, notary, or regulated professional managing a transaction (most commonly a property purchase, corporate acquisition, or settlement payment) and issues amended payment instructions at the completion stage. The victim transfers completion funds to the fraudster’s account rather than the legitimate professional’s client account. In documented European cases, this variant has resulted in losses of €500,000–€5,000,000 in single transactions.
Supplier Invoice Fraud
A fraudster intercepts or fabricates supplier invoices, amending the bank account details on an otherwise legitimate invoice, and either substitutes them into the email chain or sends them directly from a spoofed domain. The victim’s accounts payable team processes the invoice against the fraudulent account details. The fraud is identified only when the legitimate supplier raises a non-payment query.
The Legal Basis for Recovery
Fraudulent Misrepresentation
A fraudster who impersonated a legitimate counterparty and issued false payment instructions has committed fraudulent misrepresentation by conduct in all EU jurisdictions. The claim is available against the identified fraudster for recovery of all funds transferred plus consequential damages. The misrepresentation is the false identity presented: the fraudster represented themselves as the legitimate counterparty, and the victim transferred funds in reliance on that representation.
Unjust Enrichment
Where the fraudster received funds that were intended for a legitimate third party, unjust enrichment claims are available independently of any contractual relationship: the fraudster had no entitlement to the funds under any agreement or legal basis.
Banking Liability
Where a European bank received and processed a BEC transfer without applying adequate anti-money laundering or know-your-customer controls (including where the receiving account had been flagged by internal or external systems as suspicious, or where the transaction profile was inconsistent with the account’s stated purpose), civil liability claims against the bank may be available. These claims are fact-specific and require expert analysis of the bank’s compliance obligations under the EU Anti-Money Laundering Directives (AMLD4, AMLD5, AMLD6) and applicable national banking regulations.
Where a bank failed to act on a timely and properly submitted recall request without adequate justification, liability for the resulting non-recovery may additionally arise.
Claims Against the Legitimate Counterparty
Where the BEC fraud was facilitated by a security failure within the legitimate counterparty’s email infrastructure (an unpatched vulnerability, inadequate access controls, or failure to implement basic email authentication protocols), negligence claims against the legitimate counterparty may be available where that failure created a foreseeable risk of interception. These claims require careful assessment of the specific security failure and the applicable duty of care in the relevant jurisdiction.
Immediate Steps After Discovering BEC Fraud
The window for effective BEC recovery is measured in hours, not days. The following steps must be initiated simultaneously and immediately upon discovery:
Step 1 – Contact Your Bank Immediately
Notify your bank of the fraudulent transfer within minutes of discovery. Request an immediate recall or payment return under SWIFT’s Payment Controls Service or the applicable national bank recall framework. Provide the transfer reference, amount, date, and receiving bank details. Every minute between discovery and bank notification increases the probability that funds have been onward-transferred beyond recall.
Step 2 – Contact the Receiving Bank Directly
Identify the receiving bank from the transfer details and contact their fraud or compliance team directly in parallel with your own bank’s recall request. Provide full details of the fraudulent transaction and request an account freeze pending investigation. Many EU banks maintain 24-hour fraud hotlines for exactly this purpose.
Step 3 – File a Criminal Complaint Immediately
File a criminal complaint with the national police or specialist cybercrime unit in the EU member state where the receiving bank is located, in parallel with the bank notifications. Criminal complaints unlock law enforcement access to bank account records, freeze powers, and cross-border judicial cooperation mechanisms that are unavailable through civil channels alone. In Germany, France, Spain, Italy, and the Netherlands, specialist financial cybercrime units can act within hours of a complaint where a live bank account is identified.
Step 4 – Apply for an EAPO
Where the fraudster’s account is identified in an EU member state, apply immediately for a European Account Preservation Order. The EAPO freezes accounts across all EU member states simultaneously on an ex parte basis, without notifying the defendant, and can be obtained within days of filing where the evidential threshold is met.
Step 5 – Preserve All Evidence
Preserve every email in the fraudulent chain, including headers, metadata, and the original domain details, without alteration. Do not delete, forward, or modify any communication. Email metadata is critical forensic evidence for both criminal investigation and civil proceedings, and may be the only means of identifying the fraudster’s identity and infrastructure.
Legal Options for BEC Fraud Victims
Civil Litigation
Civil proceedings against the identified fraudster for fraudulent misrepresentation and unjust enrichment are available in all major EU jurisdictions. Civil proceedings can achieve full recovery of transferred funds, compensatory damages, asset freezing orders, EAPO bank account freezes, and disclosure orders compelling banks to produce account holder identity, transaction records, and onward transfer details.
Asset Tracing
BEC fraud proceeds follow traceable paths through banking systems, typically through one or more intermediate accounts before reaching the fraudster’s control. Forensic accounting and civil disclosure tools in EU proceedings can trace the full fund movement chain and identify assets acquired with misappropriated capital. The earlier asset tracing proceedings are initiated, the greater the probability that funds remain within the EU banking system and are accessible through enforcement mechanisms.
Criminal Proceedings and Cross-Border Cooperation
BEC fraud is prosecuted as criminal fraud and computer-related crime in all EU member states, engaging both national criminal codes and the Council of Europe Convention on Cybercrime (Budapest Convention). Criminal investigations access bank account records, email infrastructure data, and IP address logs that are not available through civil disclosure alone. Cross-border judicial cooperation under the European Investigation Order (EIO) enables evidence gathering and asset identification across multiple EU member states simultaneously.
Chargeback and SWIFT Recall
For transfers processed through SWIFT, the SWIFT Payment Controls Service enables financial institutions to flag and potentially recover fraudulent transfers within defined timeframes. For card payments, chargeback mechanisms are available within 120 days of the transaction date. Both mechanisms must be initiated immediately upon discovery; delays beyond the applicable window eliminate these recovery paths entirely.
Factors That Determine Recovery Outcomes
Speed of Action After Discovery
BEC proceeds are moved within hours of receipt, typically through multiple intermediate accounts before reaching the fraudster’s final holding. Every hour between discovery and bank notification, criminal complaint, and EAPO application reduces the probability of successful recovery. Cases where action was initiated within the first 24 hours of discovery have the highest documented recovery rates. Cases where action was delayed beyond 72 hours face significantly reduced prospects of recovering funds that remain within the EU banking system.
Jurisdiction of the Receiving Account
Recovery is most practically viable where the receiving account is held at a regulated bank in a major EU member state: Germany, France, Spain, Italy, the Netherlands, or Belgium. These jurisdictions have functional AML enforcement frameworks, accessible fraud complaint mechanisms, and effective cross-border judicial cooperation. Accounts in less-regulated jurisdictions or outside the EU present greater recovery challenges, though cross-border cooperation tools remain available.
Identifiability of the Fraudster
Where the fraudster’s identity is established, through bank account holder records obtained by criminal investigation, email forensics, or civil disclosure, personal liability claims and asset tracing proceedings can be initiated. Named individuals with personal assets in EU jurisdictions are the most viable civil defendants. Where the fraudster operated through a shell account, criminal investigation remains the primary tool for identification.
Quality of Email and Payment Documentation
All emails in the fraudulent chain (including full headers and metadata), the payment instruction that was followed, transfer confirmation records, and all communications with the legitimate counterparty around the time of the fraud form the evidentiary foundation. Email header forensics establishing the true origin of the fraudulent instruction are critical for both criminal investigation and civil proceedings.
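A first-pass header triage supports both the evidence-preservation step and the header forensics described above: it fingerprints the untouched message and reads the fields that show where it really came from. This is an added example, not part of the original article; the sample message, hosts, addresses and flag names are constructed placeholders.

```python
import hashlib
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample message; every host, address and IP is a placeholder.
RAW = (
    b"Return-Path: <pay@supplier-payments.example>\r\n"
    b"Received: from relay.invalid (203.0.113.7) by mx.victim.example;"
    b" Tue, 01 Apr 2025 09:15:01 +0000\r\n"
    b"Authentication-Results: mx.victim.example; spf=pass"
    b" smtp.mailfrom=supplier-payments.example; dkim=none; dmarc=fail"
    b" header.from=supplier.example\r\n"
    b"From: Accounts <accounts@supplier.example>\r\n"
    b"Reply-To: accounts@supplier-payments.example\r\n"
    b"Subject: Updated bank details\r\n\r\nPlease use the new account.\r\n"
)

def evidence_hash(raw: bytes) -> str:
    """SHA-256 of the untouched message bytes, recorded at collection time."""
    return hashlib.sha256(raw).hexdigest()

def _domain(header_value):
    """Domain part of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw)
    # Verdicts recorded by the receiving server (SPF, DKIM, DMARC).
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           " ".join(msg.get_all("Authentication-Results", []))))
    frm, reply, rpath = (_domain(msg[h]) for h in ("From", "Reply-To", "Return-Path"))
    flags = []
    if reply and reply != frm:
        flags.append("reply-to-domain-differs")
    if rpath and rpath != frm:
        flags.append("return-path-domain-differs")
    if auth.get("dmarc") != "pass":
        flags.append("dmarc-not-pass")
    # Received headers are prepended per hop: the last one is nearest the origin,
    # but only hops stamped by your own servers can be trusted.
    hops = msg.get_all("Received", [])
    return {"from": frm, "auth": auth, "hops": len(hops), "flags": flags}

if __name__ == "__main__":
    print(evidence_hash(RAW))
    print(triage(RAW))
```

Run it on a copy of the exported message file (for example a .eml export) and keep the recorded hash with the original, so that any later alteration of the evidence is detectable.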