Email Security · 3 February 2025 · 7 min read

Business Email Compromise: The Scam Costing Australians Millions

Business email compromise (BEC) is Australia's most financially damaging cybercrime. Learn how it works and how to protect your small business.


A small construction firm in Queensland receives an email from their long-term building supplier. The email looks completely normal — same email address, same signature, same friendly tone. It advises that the supplier's bank account details have changed and asks that the next invoice payment be sent to the new account.

The accounts team updates the records and pays the next invoice. It is only when the real supplier follows up about an overdue payment that the business realises what has happened. The money — $47,000 — is gone.

This is Business Email Compromise (BEC), and it is Australia's most financially damaging form of cybercrime. According to the ACSC, BEC causes hundreds of millions of dollars in losses to Australian businesses every year. And unlike ransomware or data theft, the criminals often never need to touch your systems at all.

How Business Email Compromise Works

BEC is a form of fraud that exploits trust in email communication. There are several common variations, but they all follow the same basic pattern: a criminal impersonates a trusted party — a supplier, a senior executive, a lawyer, or a financial institution — and manipulates someone in your business into transferring money or revealing sensitive information.

The Fake Invoice Scam

Criminals monitor business email conversations (either by hacking an email account or through public information) and wait for the right moment to intercept a payment. They send a convincing email from a lookalike domain or a compromised account, advising of new payment details. The money goes to a criminal-controlled account rather than the legitimate supplier.

CEO Fraud

An email arrives appearing to be from the business owner or a senior executive, asking a staff member to make an urgent payment, purchase gift cards, or transfer funds. The sender may have spoofed the executive's email address or compromised their actual account. The urgency and authority of the apparent sender pressures the recipient into acting without verifying.

Account Compromise and Interception

In more sophisticated attacks, criminals actually hack into a real email account — often through a phishing attack or stolen credentials — and monitor email threads for weeks or months before striking. Because the emails come from a legitimate account, they are almost impossible to distinguish from genuine messages.

The Lawyer or Conveyancer Impersonation

Particularly common in property transactions, criminals intercept communications between a buyer and their legal representative and substitute fraudulent bank account details for settlement funds. This type of scam has cost Australian families and businesses tens of thousands of dollars in single transactions.

Why BEC Is So Hard to Spot

Unlike most scams, BEC attacks are not based on technical trickery — they are based on social engineering. The criminals have done their homework. They know your business relationships, your payment processes, and often your staff's names and roles. The emails are well written, contextually accurate, and arrive at plausible times.

By the time you realise something is wrong, the funds have typically been moved through multiple accounts across different countries, making recovery extremely difficult.

Warning Signs of a BEC Attack

  • An unexpected request to change bank account details, even from a known contact
  • An email from a "senior executive" asking for an urgent, confidential payment
  • Pressure to act quickly or bypass normal approval processes
  • A sender email address that is slightly different from the real one (e.g. supplier@acmecorp.com.au vs supplier@acmecorps.com.au)
  • Requests to communicate via personal email rather than a business address
  • Instructions to keep the transaction confidential
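One of the red flags above, the near-identical sender domain, can be checked mechanically before anyone acts on an email. The following Python is an added example written for this article, not code from the original page or from Flagged; the supplier domains, the sample addresses and the similarity threshold are all constructed for illustration and would be replaced with your own contact list.

```python
"""Flag sender addresses whose domain merely resembles a known supplier's.

Added example, not part of the original article. The supplier domains,
the sample addresses and the similarity threshold are constructed for
illustration; tune the threshold against your own contact list.
"""
from difflib import SequenceMatcher

# Constructed allowlist: domains your business already corresponds with.
KNOWN_DOMAINS = {"acmecorp.com.au", "buildersupply.com.au"}

# Substitutions that lookalike domains commonly rely on (rn for m, 0 for o ...).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Lower-case the domain, fold confusable characters and drop hyphens."""
    folded = domain.lower().strip()
    for lookalike, real in CONFUSABLES:
        folded = folded.replace(lookalike, real)
    return folded.replace("-", "")


def sender_domain(address: str) -> str:
    """Return the part of an email address after the last '@'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, known=KNOWN_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'known', 'lookalike' or 'unknown' for a sender address.

    'lookalike' means the domain is not on the allowlist but is close enough
    to one that is (confusable characters, an added hyphen, one extra letter)
    that a human reader would easily mistake it for the real supplier.
    """
    domain = sender_domain(address)
    if domain in known:
        return "known"
    folded = normalise(domain)
    for trusted in known:
        trusted_folded = normalise(trusted)
        if folded == trusted_folded:
            return "lookalike"  # differs only by confusables or hyphens
        if SequenceMatcher(None, folded, trusted_folded).ratio() >= threshold:
            return "lookalike"  # one or two characters added, dropped or swapped
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including the article's acmecorps example.
    for addr in ("supplier@acmecorp.com.au", "supplier@acmecorps.com.au",
                 "accounts@acrnecorp.com.au", "accounts@acme-corp.com.au",
                 "hello@example.org"):
        print(f"{addr:32} -> {classify_sender(addr)}")
```

A "lookalike" result should route the message to a human for the phone verification described later in the article rather than being treated as proof of fraud; the check only catches domains that are close to ones you already know, so mail from a genuinely compromised supplier account still comes back as "known".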

How to Protect Your Business

Verify every change to payment details by phone

This is the single most important rule. Any email requesting a change to bank account details — regardless of who it appears to be from — must be verified by calling the supplier or contact on a phone number you already have (not one provided in the suspicious email). This one habit alone can prevent the majority of BEC losses.

Establish an approval process for payments above a threshold

Any payment above a set dollar amount should require approval from a second person. This makes it much harder for criminals to exploit a single point of failure. Even a simple rule — no payment over $5,000 without a second signature — can prevent catastrophic losses.

Enable MFA on all email accounts

If criminals cannot access your email accounts in the first place, they cannot monitor your conversations or impersonate you convincingly. Multi-factor authentication is essential. See our guide on MFA for setup instructions.

Set up email authentication records

SPF, DKIM and DMARC records make it significantly harder for criminals to send emails that appear to come from your domain. While they cannot stop all BEC attacks (particularly those using compromised accounts or lookalike domains), they reduce the surface area for impersonation.
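Publishing the records is only half the job; a DMARC record with `p=none` or an SPF record ending in `+all` exists but protects nothing. The Python below is an added example, not code from the original article or from Flagged: it reads the text of an SPF and a DMARC record and lists the weak settings a practitioner would want fixed. The record strings are constructed, `example.com.au` is a placeholder domain, and the 203.0.113.0/24 range is a documentation address block.

```python
"""Evaluate SPF and DMARC TXT records for weak settings.

Added example, not part of the original article. The record strings
below are constructed; example.com.au is a placeholder domain.
"""


def parse_dmarc_tags(record: str) -> dict:
    """Split a DMARC record ('v=DMARC1; p=reject; rua=...') into a tag map."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of weaknesses; an empty list means the policy is strict."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy in ("", "none"):
        findings.append("p=none: spoofed mail is only reported, still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam; p=reject is stronger")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings


def assess_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    # The 'all' mechanism decides what happens to senders matching nothing else.
    all_terms = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    first = all_terms[0]
    qualifier = first[0] if first[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return {
        "+": ["+all: any server on the internet may send as this domain"],
        "?": ["?all: neutral result, unlisted senders are not penalised"],
        "~": ["~all: softfail only; -all is the stronger choice"],
        "-": [],
    }[qualifier]


# Constructed sample records: a weak pair beside a strict pair.
WEAK_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com.au"
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 ~all"
STRICT_SPF = "v=spf1 ip4:203.0.113.0/24 -all"

if __name__ == "__main__":
    for label, rec, fn in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("strict DMARC", STRICT_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf),
                           ("strict SPF", STRICT_SPF, assess_spf)):
        print(label, "->", fn(rec) or ["no findings"])
```

Move to `p=reject` only after reviewing the aggregate reports that `rua=` delivers, so that legitimate senders (a payroll provider, a CRM) are added to SPF and DKIM first; the checker above flags the intermediate `p=quarantine` and `pct<100` states so that they are not forgotten once the rollout is complete.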

Check your email account for suspicious rules

After a phishing attack or account compromise, criminals often set up forwarding rules in your email to quietly monitor your correspondence. Regularly check your email settings for any rules that forward, redirect, or delete messages that you did not create.
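Checking rules by hand is fine for one mailbox, but a small script lets you review every mailbox export at once. The Python below is an added example, not code from the original article or from Flagged. The rules it inspects are constructed; their field names are loosely modelled on what an Exchange Online inbox-rule export contains (an assumption, since the article does not name a mail platform), and any platform's rule export can be mapped onto the same fields.

```python
"""Review mailbox inbox rules for the patterns attackers leave behind.

Added example, not part of the original article. The rules below are
constructed; their field names are loosely modelled on an Exchange Online
inbox-rule export (an assumption), but any platform's export can be mapped
onto the same fields.
"""

# Constructed: domains that count as "inside the business".
INTERNAL_DOMAINS = {"example.com.au"}

# Folders attackers use to hide mail the victim would otherwise notice.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items",
                  "Junk Email", "Conversation History"}

# Subject words a BEC actor typically keys a rule on.
FINANCE_KEYWORDS = ("invoice", "payment", "bank", "remittance", "password", "mfa")


def external_addresses(addresses, internal=INTERNAL_DOMAINS) -> list:
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in internal]


def review_rule(rule: dict) -> list:
    """Return the reasons a single rule looks suspicious (empty = looks fine)."""
    reasons = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    ext = external_addresses(targets)
    if ext:
        reasons.append("forwards or redirects to external address: " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    if rule.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely read folder '{rule['MoveToFolder']}'")
    words = [w.lower() for w in rule.get("SubjectContainsWords", [])]
    if any(k in w for w in words for k in FINANCE_KEYWORDS):
        reasons.append("keyed on finance or credential subject words")
    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append("blank or single-character rule name")
    return reasons


def suspicious_rules(rules) -> list:
    """Return (name, reasons) for every rule with at least one reason."""
    flagged = []
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            flagged.append((rule.get("Name", ""), reasons))
    return flagged


# Constructed sample export: two benign rules and two that match the
# post-compromise pattern the article describes.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Reading",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": ".", "Enabled": True,
     "ForwardTo": ["collector@mail-drop.example.net"], "DeleteMessage": True,
     "SubjectContainsWords": ["invoice", "payment"]},
    {"Name": "Finance to RSS", "Enabled": True, "MoveToFolder": "RSS Feeds",
     "SubjectContainsWords": ["bank", "remittance"]},
    {"Name": "Forward to manager", "Enabled": True,
     "ForwardTo": ["manager@example.com.au"]},
]

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for r in reasons:
            print("   -", r)
```

Rule names of a single dot or space, external forwarding combined with deletion, and finance keywords routed to the RSS folder are the combinations worth treating as a likely compromise rather than a misconfiguration; when one turns up, change the password and reset MFA for that account before removing the rule, so the attacker cannot simply recreate it.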

Train your team on BEC red flags

Staff who handle payments, accounts payable, and financial administration should receive specific training on BEC. They should know that urgency and authority in an email are not sufficient reasons to bypass normal verification processes — in fact, those are red flags to heighten suspicion.

Use Scamwatch and ReportCyber

The ACSC's ReportCyber.gov.au and the ACCC's Scamwatch.gov.au both allow you to report BEC and fraud incidents. Reporting helps authorities track these crimes and may assist your case if law enforcement gets involved. Contact your bank immediately as well — in some cases, funds can be frozen before they are moved offshore.

What to Do If You Have Already Transferred Money

  1. Contact your bank immediately — ask them to attempt a recall of the funds and flag the receiving account
  2. Report to ReportCyber.gov.au and request a police report number
  3. Report to Scamwatch.gov.au
  4. Contact your business insurer — many cyber liability policies cover BEC losses
  5. If personal data was exposed in the process, consider your obligations under the Privacy Act 1988
  6. Preserve all evidence — do not delete any emails related to the incident

Recovery of funds is unfortunately not guaranteed. Speed is everything — the faster you act, the better your chances.

Key Takeaways

  • BEC is Australia's most financially damaging cybercrime, causing hundreds of millions in losses annually
  • Criminals impersonate trusted contacts — suppliers, executives, lawyers — to trick your team into making fraudulent payments
  • Always verify changes to bank account details by phone, using a number you already have
  • Require two-person approval for payments above a set threshold
  • Enable MFA on all email accounts to prevent criminals from accessing and monitoring your correspondence
  • If you have been defrauded, contact your bank immediately and report to ReportCyber.gov.au

BEC protection starts with understanding your risks. Flagged is a free cyber risk assessment tool for Australian small businesses. Complete your assessment at flagged.com.au to understand where your email and payment processes may be vulnerable.

Tags

business email compromise · BEC · email fraud · Australia · cyber crime