Business Email Compromise: The Scam Costing Australian SMBs Thousands
Business email compromise is the highest-cost cybercrime targeting Australian businesses — learn how it works and how to stop it.
Every year, Australian small businesses lose millions of dollars to a scam that doesn't involve hacking, malware, or breaking into your systems. It's called Business Email Compromise (BEC), and it's the highest-cost cybercrime reported to the Australian Cyber Security Centre (ACSC). The damage isn't done through technical exploits — it's done through trust.
What Is Business Email Compromise?
BEC is a form of social engineering where a criminal impersonates someone you trust — your CEO, a supplier, your accountant — and convinces you or a staff member to transfer money, change bank details, or hand over sensitive information. No virus is installed. No system is broken into. The attacker simply sends a convincing email and waits.
What makes BEC so effective is the effort criminals put into research. Before they ever contact you, they may have spent weeks studying your business: reading your website, monitoring your LinkedIn, watching your social media, or even accessing a compromised email account to read your real correspondence. By the time they make contact, they know who your suppliers are, what your payment processes look like, and how your boss writes emails.
How BEC Attacks Work in Practice
There are several common scenarios Australian small businesses encounter:
Invoice Fraud
You receive an invoice from what appears to be a regular supplier. The email address looks almost right — perhaps one letter is different, or it uses a lookalike domain like supplier-pty.com instead of supplierpty.com. The invoice looks legitimate but includes updated bank details. You pay it. The money goes to the criminal.
CEO or Executive Impersonation
A staff member receives an urgent email that appears to be from the business owner or a senior manager. The email asks them to make a quick payment, purchase gift cards, or change payroll details. The urgency and authority of the request bypass normal caution. By the time anyone checks, the money is gone.
Payroll Redirection
An employee receives an email that appears to be from their HR department asking them to update their bank account details. Alternatively, someone impersonating an employee emails payroll directly to change where their salary is deposited. The next pay cycle, wages land in a criminal's account.
Supplier Impersonation
Criminals compromise a supplier's email account — or spoof it convincingly — and use it to request payment for legitimate-looking invoices. Because the email comes from a known contact, staff see no reason to question it.
Warning Signs to Watch For
- Requests to change bank account details, especially by email alone
- Urgent payment requests that bypass normal approval processes
- Email addresses that don't quite match — check the full domain carefully
- Pressure to keep the transaction confidential or act before end of day
- Unusual grammar or phrasing from someone you communicate with regularly
- Requests arriving outside normal business hours when checking is harder
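The lookalike-domain trick described under Invoice Fraud (supplier-pty.com versus supplierpty.com) can be caught mechanically before a person ever reads the invoice. The following is an added example, not code from the original article: it compares the sender domain of a From: header against a constructed allow-list of supplier domains you already deal with, folding hyphens, dots, accented letters and common look-alike substitutions (rn for m, 1 for l, 0 for o) and flagging one- or two-character near-misses.

```python
import re
import unicodedata

# Constructed allow-list of domains this business already pays (example values).
KNOWN_SUPPLIER_DOMAINS = {"supplierpty.com", "acmeplumbing.com.au"}

# Visually confusable substrings seen in lookalike domains, collapsed before comparing.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""), (".", "")]

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    match = re.search(r"@([^\s>]+)", from_header)
    if not match:
        raise ValueError("no address in From header")
    return match.group(1).lower().rstrip(".")

def normalise(domain: str) -> str:
    """Fold accents and confusable substrings so near-misses compare equal."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    for old, new in SUBSTITUTIONS:
        folded = folded.replace(old, new)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches domains that are one or two letters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, known=KNOWN_SUPPLIER_DOMAINS) -> str:
    """Return 'known', 'lookalike:<trusted domain>' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if domain in known:
        return "known"
    for trusted in sorted(known):
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return f"lookalike:{trusted}"
    return "unknown"
```

A "lookalike" result is exactly the case where the phone-call rule below applies: the name on the invoice is familiar, the domain is not the one on file.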
How to Protect Your Business
Always Verify Bank Detail Changes by Phone
This is the single most effective control against BEC. If any supplier, employee, or contact emails to say their bank details have changed, call them on a number you already have on file — not the number in the email. Make this a firm business rule and enforce it consistently. No legitimate supplier will complain about a quick verification call.
Implement a Two-Person Approval Process
For any payment above a threshold you set — whether that's $500 or $5,000 — require a second person to approve and verify. A criminal impersonating your CEO can't easily intercept two separate staff members checking with each other in person or over the phone.
Turn On Email Authentication Controls
Ask your email provider or IT support to configure SPF, DKIM, and DMARC on your business email domain. These technical controls make it much harder for criminals to spoof your domain and impersonate your business to others. Many small businesses leave these unconfigured, which is a gift to attackers.
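Once SPF and DMARC records are published, the setting that matters is how they end: an SPF record that closes with +all or ~all, or a DMARC record with p=none, still lets spoofed mail through. This added example (not from the article or any provider's tooling) reads the two TXT records as plain strings, so it runs offline against constructed records, and lists the weak settings a small business should fix; the domains and addresses in it are placeholders.

```python
# Constructed records for illustration; the domains are placeholders.
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; pct=100"
WEAK_SPF = "v=spf1 include:_spf.example.com.au ~all"
STRONG_SPF = "v=spf1 include:_spf.example.com.au -all"

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DNS TXT record (DMARC style) into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return the weaknesses found in a DMARC record; an empty list means no findings."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("no p tag: the record is invalid and receivers ignore it")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only monitored, never rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    if "rua" not in tags:
        findings.append("no rua: you receive no aggregate reports of spoofing attempts")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of your mail")
    return findings

def assess_spf(record: str) -> list:
    """Return the weaknesses found in an SPF record; the 'all' mechanism decides the outcome."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    if "+all" in terms or "all" in terms:
        return ["+all: any server on the internet may send as your domain"]
    if "?all" in terms:
        return ["?all: neutral result gives receivers nothing to act on"]
    if "~all" in terms:
        return ["~all: softfail; acceptable during rollout, move to -all once senders are confirmed"]
    if "-all" not in terms:
        return ["no 'all' mechanism: senders not listed are never explicitly failed"]
    return []
```

Run it against what your IT support publishes in DNS; the aim is an empty list for both records, with p=reject reached only after the rua reports show no legitimate mail would be rejected.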
Train Your Staff
Your team is your first line of defence. Make sure every staff member who handles payments or financial information knows what BEC looks like, understands the verification policy, and feels empowered to question suspicious requests — even if the email appears to come from you. Create a culture where it's safe to pause and check rather than rush to comply.
Use Multi-Factor Authentication on Email
If a criminal gains access to your actual email account, they can read your conversations, study your relationships, and send convincing messages to your contacts. Multi-factor authentication (MFA) — where logging in requires both a password and a code from your phone — makes it dramatically harder to compromise your email account in the first place.
What the ACSC Data Tells Us
The ACSC consistently reports that BEC is among the highest-cost cybercrimes affecting Australian businesses. Losses frequently run into tens of thousands of dollars per incident, and the money is often very difficult to recover once it's been transferred. Unlike credit card fraud, there's no automatic chargeback mechanism — if the transfer is authorised by you or your staff, even under false pretences, recovery depends on how quickly you act and how cooperative the receiving bank is.
The good news is that the protections against BEC are largely procedural rather than technical. You don't need expensive software. You need clear processes, consistent verification habits, and staff who know what to look for. Start with the phone call rule — verify every bank detail change before you pay — and build from there.
Frequently asked questions
How do I know if a payment request email is legitimate?
The safest rule is to never trust a payment request or bank detail change based on email alone. Always verify by calling the supplier, CEO, or accountant on a phone number you already have on file — not one listed in the email itself. Legitimate parties will not object to a quick confirmation call, and that one extra step can save your business thousands of dollars.
What should I do if I've fallen for a BEC scam?
Act immediately. Contact your bank the moment you suspect a fraudulent transfer — banks can sometimes recall funds if you move fast enough. Then report the incident to the Australian Cyber Security Centre (ACSC) via ReportCyber and to Scamwatch. If you have cyber insurance, notify your insurer. Document everything, including the emails involved, and inform any affected suppliers or staff.
Does cyber insurance cover business email compromise losses?
Many cyber insurance policies do include cover for social engineering and funds transfer fraud, but the specifics vary widely between policies. Some insurers impose sub-limits on BEC losses or require that certain controls — such as dual-approval for payments — were in place before a claim is accepted. Read your policy carefully and ask your broker about BEC cover specifically before you assume you're protected.