
How to Spot and Stop Business Email Compromise

12 May 2026 | By CIO Tech

A staff member in your accounts team receives an email from a supplier. The email looks legitimate: correct logo, correct tone, correct contact details. It asks them to update the supplier’s bank details for the next payment. They update the details, pay the next invoice, and the money goes to a criminal’s account.

This is business email compromise (BEC). It is not a technical hack. It is a con job that uses email to trick people into transferring money or handing over sensitive information. The ACCC reported over $98 million in BEC losses in Australia in a single year. Most victims are small and mid-sized businesses.

Here is what BEC looks like in practice, and the practical steps you can take to reduce the risk.

What Business Email Compromise Actually Looks Like

BEC does not look like spam. There are no obvious spelling mistakes or Nigerian prince stories. These attacks are targeted and researched.

The most common forms are:

Fake invoice fraud. An attacker impersonates a supplier your business already pays. They send an email, sometimes from a spoofed address, sometimes from a genuinely compromised mailbox, asking you to update payment details. The invoice looks real because the attacker has studied your supplier’s actual invoices.

CEO or director impersonation. An attacker pretends to be a senior person in your business and emails an accounts team member asking for an urgent payment. The email might come from a lookalike domain ([email protected] instead of [email protected], notice the zero replacing the letter O).

Compromised mailbox. An attacker gains access to a real email account inside your business. They sit quietly, reading emails, learning your processes. Then they strike, either redirecting payments or sending fraudulent requests from a legitimate account. This is the hardest type to detect because the email genuinely comes from a trusted address.

Why Traditional Email Filters Miss BEC

Your spam filter catches bulk junk. BEC is different. These emails are individually crafted, sent to a specific person, and contain no malware attachments or suspicious links. They look like normal business correspondence.

Standard email security catches the obvious threats. BEC bypasses it because the email itself is not technically malicious. It is just a lie wrapped in a legitimate-looking message.

How to Protect Your Business

There is no single fix, but layering these controls together significantly reduces the risk.

Set up SPF, DKIM, and DMARC on your domain. These are email authentication protocols that let receiving mail servers verify whether an email genuinely came from your domain. SPF (Sender Policy Framework) publishes a DNS record listing which servers are allowed to send email on your behalf. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message so the receiver can check it was not altered in transit and came from an authorised server. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties them together, tells receiving servers what to do with emails that fail authentication (monitor, quarantine, or reject), and tells them where to send reports about those failures. Your IT provider can configure all three. Together they stop attackers from sending emails that appear to come from your exact domain; they do nothing against a lookalike domain or a genuinely compromised mailbox, which is why the remaining controls still matter. Microsoft 365 security hardening includes this as standard.
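As an added illustration (not code from the original post), the PowerShell below reads a domain's SPF and DMARC records from DNS and flags the settings that leave a domain easy to spoof. It assumes Windows PowerShell 5.1 or later with the built-in DnsClient module; the two sample records at the bottom are constructed to show a weak configuration beside a hardened one and do not describe any real domain.

```powershell
# Added example, not from the original post: read a domain's SPF and DMARC records
# and flag settings that leave the domain easy to spoof. Assumes Windows PowerShell
# 5.1+ with the DnsClient module (Resolve-DnsName). Sample records are constructed.

function Get-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    # A TXT lookup returns every TXT record at the name; keep only the SPF / DMARC ones.
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' }
    [pscustomobject]@{ Domain = $Domain; SPF = "$spf"; DMARC = "$dmarc" }
}

function Test-EmailAuthRecords {
    param([string]$Spf, [string]$Dmarc)
    $findings = @()

    # SPF: the "all" mechanism at the end decides what happens to servers not listed.
    if (-not $Spf) {
        $findings += 'No SPF record: receivers cannot tell which servers may send as this domain.'
    } elseif ($Spf -match '\+all') {
        $findings += 'SPF ends with +all, which authorises every server on the internet.'
    } elseif ($Spf -match '\?all') {
        $findings += 'SPF ends with ?all (neutral): unlisted servers are neither passed nor failed.'
    } elseif ($Spf -notmatch '[-~]all\s*$') {
        $findings += 'SPF has no -all or ~all terminator, so unlisted servers are treated as neutral.'
    }

    # DMARC: p= is the policy receivers apply to mail that fails both SPF and DKIM alignment.
    if (-not $Dmarc) {
        $findings += 'No DMARC record: receivers are never told to block spoofed mail or report it.'
    } else {
        $tags = @{}
        foreach ($part in ($Dmarc -split ';')) {
            $kv = $part.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
        }
        # Cast to string so a missing p= tag reaches the default branch.
        $policy = [string]$tags['p']
        switch ($policy) {
            'none'       { $findings += 'DMARC policy is p=none: failures are only reported, never blocked.' }
            'quarantine' { }   # acceptable intermediate step while reports are reviewed
            'reject'     { }   # target state
            default      { $findings += 'DMARC record has no valid p= policy tag.' }
        }
        if (-not $tags['rua']) {
            $findings += 'No rua= address: you will get no aggregate reports showing who is spoofing you.'
        }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) {
            $findings += "DMARC pct=$($tags['pct']) applies the policy to only part of your mail."
        }
    }
    return $findings
}

# Constructed sample records: a weak setup beside a hardened one.
$weak = @{ Spf = 'v=spf1 include:spf.protection.outlook.com +all'; Dmarc = 'v=DMARC1; p=none' }
$good = @{ Spf   = 'v=spf1 include:spf.protection.outlook.com -all'
           Dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100' }

'--- weak configuration ---'; Test-EmailAuthRecords @weak
'--- hardened configuration ---'; Test-EmailAuthRecords @good
# Live check of your own domain (needs DNS access):
# $r = Get-EmailAuthRecords -Domain 'example.com'; Test-EmailAuthRecords -Spf $r.SPF -Dmarc $r.DMARC
```

The weak sample produces findings for `+all`, `p=none` and the missing `rua=` address; the hardened sample produces none. A domain usually moves from `p=none` to `p=quarantine` to `p=reject` over a few weeks, using the aggregate reports to confirm that every legitimate sending service (payroll, CRM, invoicing) is covered by SPF or DKIM before spoofed mail is rejected outright.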

Tag external emails. Configure your email system to add a visible banner to any email that comes from outside your organisation. Something like: “This email came from outside your organisation. Be cautious with links and attachments.” It is a simple visual cue that reminds staff to think twice before acting on an external request.

Enforce MFA on every mailbox. Multi-factor authentication (a second verification step beyond your password, like a code from a phone app) on your Microsoft 365 accounts stops attackers from accessing a mailbox even if they steal or guess the password. This is the single most effective control against mailbox compromise.
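The two controls above, external tagging and MFA, are both Microsoft 365 configuration, so here is an added example (not code from the original post or from Microsoft's documentation) that turns on external-sender tagging in Exchange Online and then lists the users who still have no MFA method registered. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account holds Exchange admin rights and the Graph permissions requested below.

```powershell
# Added example, not from the original post: tag external mail in Microsoft 365 and
# report users who have not registered MFA. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules and an account with Exchange admin rights plus the Graph
# scopes below. Try it in a test tenant before production.

Connect-ExchangeOnline

# 1. Outlook's built-in "External" label on messages from outside the tenant.
Set-ExternalInOutlook -Enabled $true

# 2. A mail flow rule for clients that do not show that label: prepend the subject and
#    insert the banner wording used in the post above every external message.
$banner = '<p style="background:#fff3cd;border:1px solid #ffc107;padding:8px;">' +
          'This email came from outside your organisation. Be cautious with links and attachments.' +
          '</p>'
New-TransportRule -Name 'Tag external email' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 3. Who still has no MFA method registered. Admin accounts are listed first because a
#    compromised admin mailbox can switch off the controls above.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered |
    Format-Table -AutoSize
```

Registration is not enforcement: the report shows who could not complete an MFA prompt, and a Conditional Access policy (or Security Defaults on small tenants) is what actually requires the second factor at sign-in. Run the report again after enforcement to confirm the list is empty.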

Establish a payment verification process. Any request to change bank details, from a supplier, a client, or internally, must be verified by phone using a known number (not the number in the email). This is not an IT control. It is a business process. Write it down, train your team, and enforce it.

Train your staff, but do it properly. One annual awareness session is not enough. Your team needs to see examples of real BEC emails. They need to know that these attacks target accounts and finance staff specifically. They need to feel comfortable questioning a request, even if it appears to come from the boss.

What to Do If You Suspect a BEC Attack

Act fast. If your accounts team has made a payment based on a fraudulent request, contact your bank immediately. Banks can sometimes recover funds if they are notified within hours.

Report the incident to the ACSC (cyber.gov.au) and the police. Preserve the email. Do not delete it. If you suspect a mailbox has been compromised, reset the password, revoke active sessions, and review mail forwarding rules (attackers often set up forwarding to quietly copy emails to an external address).
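The mailbox containment steps above (revoke sessions, review forwarding) map onto a short Exchange Online procedure. The following is an added example, not code from the original post, for a Microsoft 365 mailbox after the password has already been reset in the admin centre. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules and an admin account with Exchange and User.ReadWrite.All rights; `$Upn` is a placeholder for the affected account.

```powershell
# Added example, not from the original post: contain a suspected compromised Microsoft 365
# mailbox after its password has been reset. Revokes active sessions, clears mailbox-level
# forwarding, disables inbox rules that forward, redirect or delete mail, and pulls the audit
# trail of who created them. Assumes ExchangeOnlineManagement + Microsoft.Graph modules.

$Upn = 'affected.user@example.com'   # placeholder: the mailbox under investigation

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# 1. Invalidate every refresh token so the attacker's existing sign-ins stop working.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Mailbox-level forwarding (set with Set-Mailbox; it never shows up as an inbox rule).
Get-Mailbox -Identity $Upn |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 3. Inbox rules that copy mail out or hide it. Export all rules first so the evidence
#    (names, targets, descriptions) survives the cleanup and can go to the police report.
$rules = Get-InboxRule -Mailbox $Upn
$rules | Export-Clixml -Path ".\$Upn-inboxrules-$(Get-Date -Format yyyyMMdd).xml"
$suspect = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
$suspect | Format-List Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, Description
$suspect | ForEach-Object { Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }

# 4. Who created or changed those rules, and from which IP address (unified audit log).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $Upn -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 500 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $_.CreationDate
            Action   = $_.Operations
            ClientIP = $d.ClientIP
            Params   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Format-Table -AutoSize -Wrap
```

Rules are disabled rather than deleted so they remain visible to whoever investigates, and the audit query is scoped to the one user and the last 30 days; widen both if the client IP in the results also appears against other mailboxes, since an attacker who has phished one account has usually tried the same lure on colleagues.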

Then review your email security controls with your IT provider to close the gap that was exploited.

The Bottom Line

BEC works because it exploits trust, not technology. The fix is a combination of technical controls (authentication, MFA, email tagging) and business processes (payment verification, staff training).

If you are not sure whether your email environment is properly configured, or whether your team would spot a BEC attempt, an IT Audit will tell you exactly where you stand. It is a $990 one-off assessment. We review your email security, access controls, and backup configuration and give you a clear report with priorities. No ongoing commitment required.
