Business Email Compromise (BEC) is the highest-dollar cybercrime category targeting Australian businesses. The ACCC’s Scamwatch and the ACSC both report BEC as a leading financial loss category — losses that typically range from tens of thousands to hundreds of thousands of dollars per incident.
Unlike ransomware, BEC often leaves no malware trace and can be executed with minimal technical sophistication. The attacker exploits human trust rather than technical vulnerabilities. This is what makes it both dangerous and preventable with the right controls.
What BEC Is (and Is Not)
BEC is a category of fraud, not a single attack method. What unifies BEC attacks is the use of email — real, compromised, or impersonated — to deceive someone in your organisation into authorising a fraudulent financial action.
BEC is not: A virus, ransomware, or malware (though these may be used to gain email access in some BEC scenarios). Many BEC attacks involve no malware at all — just convincing emails and human manipulation.
BEC is: Social engineering executed via email, typically targeting financial processes.
The Four BEC Attack Patterns Targeting Australian Businesses
1. CEO Fraud
An email appearing to come from the CEO, managing director, or business owner instructs a finance team member to process an urgent, confidential wire transfer. The email creates pressure (urgency, confidentiality, authority) to bypass normal approval processes.
Why it works: The authority of the sender discourages the recipient from questioning the request. The urgency discourages the verification step. The confidentiality instruction discourages involving other staff who might catch the error.
Australian context: ABA (Australian Banking Association) fraud reports and ACSC data both document significant volumes of CEO fraud targeting Australian SMBs. Professional services firms, accounting practices, and any business with a named MD or CEO with a public profile (LinkedIn, website) are the primary targets.
2. Supplier Payment Fraud (Invoice Fraud)
An email appearing to come from a legitimate supplier notifies accounts payable that the supplier’s bank account details have changed and asks that future invoices be paid to the new account. Subsequent invoices arrive; the payment goes to the attacker’s account rather than the real supplier.
The email appears convincing because:
- It uses the real supplier’s name and email (spoofed or from a compromised account)
- It may reference a real recent transaction or relationship detail (gathered from LinkedIn or the supplier’s website)
- Bank account changes are routine — they do not immediately trigger suspicion
Most common targets: Property law firms (settlement funds), architectural and engineering practices (large project invoices), construction businesses (subcontractor payments), and any business with high-value supplier relationships.
3. Payroll Fraud
An email purportedly from an employee requests a change to their bank account for payroll. The next payroll run deposits the employee’s salary to the attacker’s account.
The sender impersonates the employee — either by spoofing their email address, compromising their email account, or using a similar look-alike address (john.smith.company@gmail.com instead of john.smith@company.com.au).
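The look-alike addresses in this section and in the email authentication section below follow recognisable patterns that can be checked automatically before a payment-related email is acted on. The following Python is an added example, not part of the original article: the trusted domains, protected staff names and sample headers are constructed, and the matching rules are a heuristic, not a product feature.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed reference data: your own and key suppliers' domains, the addresses of
# staff whose names attackers commonly borrow, and common free webmail hosts.
TRUSTED_DOMAINS = ["company.com.au", "supplier.com.au"]
PROTECTED_PEOPLE = {"jane citizen": "jane.citizen@company.com.au"}
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def brand(domain: str) -> str:
    """Leftmost label: 'company' for both company.com.au and company-australia.com."""
    return domain.split(".")[0]


def looks_like(candidate: str, trusted: str) -> bool:
    """True if the trusted brand is embedded in the candidate or is a near-match
    (similarity ratio >= 0.8 catches one- or two-character substitutions)."""
    if trusted in candidate:
        return True
    return SequenceMatcher(None, candidate, trusted).ratio() >= 0.8


def check_sender(from_header: str) -> list:
    """Return findings for a From: header; an empty list means no look-alike signal."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    local, _, domain = address.rpartition("@")
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    # 1. A protected person's display name on an address that is not theirs.
    expected = PROTECTED_PEOPLE.get(display_name.strip().lower())
    if expected and address != expected:
        findings.append(f"display name '{display_name}' belongs to {expected}, not {address}")
    for trusted in TRUSTED_DOMAINS:
        # 2. Look-alike domain: company-australia.com, company.com, cornpany.com.au.
        if looks_like(brand(domain), brand(trusted)):
            findings.append(f"domain {domain} resembles trusted domain {trusted}")
        # 3. Trusted brand moved into the local part of a webmail address.
        if domain in WEBMAIL_DOMAINS and brand(trusted) in local.split("."):
            findings.append(f"webmail address {address} carries the {trusted} brand in its local part")
    return findings
```

Run each inbound payee-change request's From: header through `check_sender` and treat any finding as a trigger for the call-back verification described later in the article, not as proof of fraud.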
4. Lawyer/Conveyancer Impersonation
In property transactions, attackers impersonate the purchaser’s lawyer or conveyancer and send updated settlement payment instructions. Settlement funds — typically hundreds of thousands of dollars — are transferred to the attacker’s account rather than the legitimate escrow account.
This is a well-documented attack pattern in Australia, and the ACCC has issued specific warnings about it. Settlement funds are frequently unrecoverable once transferred.
Technical Controls
Email Authentication (SPF, DKIM, DMARC)
Proper email authentication makes it significantly harder to spoof your domain. SPF lists the servers allowed to send mail for your domain, DKIM signs outgoing messages, and DMARC ties both checks to the visible From: address and tells receiving servers what to do when neither passes. If your domain has DMARC at p=reject, emails falsely claiming to come from your domain are rejected by receiving mail servers.
This does not prevent all BEC — attackers also use look-alike domains (company-australia.com instead of company.com.au) and compromised legitimate accounts. But it eliminates the simplest category of domain spoofing.
Anti-Impersonation Policies in Microsoft 365
Microsoft Defender for Office 365 (included in M365 Business Premium) provides impersonation protection:
- Protect named users (CEO, CFO, board members) from impersonation by external senders
- Protect your domain and commonly impersonated partner domains
- Suspicious message warnings appear in Outlook for messages that trigger impersonation detection
Configure in: Microsoft 365 Defender → Email & Collaboration → Policies → Anti-phishing → Edit default policy → Impersonation tab.
Conditional Access and Account Compromise Monitoring
Many BEC attacks involve a compromised mailbox — attackers gain access to a real email account and send fraudulent instructions from it. Attackers with mailbox access can:
- Monitor email to understand payment processes and relationships
- Create forwarding rules to receive copies of all emails without the legitimate user knowing
- Send fraudulent requests from the legitimate account (bypassing all anti-spoofing controls)
Controls:
- MFA on all email accounts (makes initial compromise much harder)
- Sign-in risk monitoring and alerts (Entra ID Conditional Access)
- Regular review of mailbox forwarding rules and delegates (attackers often set these up as persistence mechanisms)
- Email audit log monitoring for suspicious access patterns
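The forwarding-rule review in the list above can be scripted. The following Python is an added example, not the article's or Microsoft's code: it audits a constructed export whose field names follow Exchange Online's Get-InboxRule and Get-Mailbox output (the mailboxes, rules and addresses are invented), flagging rules and mailbox settings that send mail outside the organisation.

```python
# Constructed sample export; in practice these would come from Get-InboxRule and
# Get-Mailbox in Exchange Online PowerShell, exported to JSON.
INTERNAL_DOMAINS = {"company.com.au"}

INBOX_RULES = [
    {"Mailbox": "ap@company.com.au", "Name": "Invoices to shared box", "Enabled": True,
     "ForwardTo": ["invoices@company.com.au"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "cfo@company.com.au", "Name": "Sync", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["archive.backup@example.net"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
]

MAILBOXES = [
    {"Mailbox": "ap@company.com.au", "ForwardingSmtpAddress": None,
     "DeliverToMailboxAndForward": False},
    {"Mailbox": "md@company.com.au", "ForwardingSmtpAddress": "smtp:md.personal@example.net",
     "DeliverToMailboxAndForward": True},
]


def is_external(address: str) -> bool:
    """Strip an 'smtp:' prefix and compare the domain against the internal list."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rpartition("@")[2] not in INTERNAL_DOMAINS


def audit_inbox_rules(rules: list) -> list:
    """Flag enabled rules that forward or redirect outside the organisation; note when
    the rule also deletes the original, which hides the forwarding from the user."""
    findings = []
    for rule in rules:
        if not rule["Enabled"]:
            continue
        targets = rule["ForwardTo"] + rule["RedirectTo"] + rule["ForwardAsAttachmentTo"]
        external = [t for t in targets if is_external(t)]
        if external:
            note = "external forward" + (" + delete" if rule["DeleteMessage"] else "")
            findings.append((rule["Mailbox"], rule["Name"], note, external))
    return findings


def audit_mailbox_forwarding(mailboxes: list) -> list:
    """Flag mailbox-level SMTP forwarding to an external address."""
    return [(m["Mailbox"], m["ForwardingSmtpAddress"]) for m in mailboxes
            if m["ForwardingSmtpAddress"] and is_external(m["ForwardingSmtpAddress"])]
```

Every finding should be confirmed with the mailbox owner through a channel other than email, since the mailbox itself may be the one that is compromised.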
Procedural Controls: The Most Important Layer
Technical controls reduce but do not eliminate BEC risk. The most effective defence is procedural — processes that require verification before large financial actions are taken, regardless of how convincing the instruction appears.
Dual Authorisation for All Payments Above a Threshold
No single person can authorise a payment above a defined threshold (set based on your business’s transaction sizes — commonly $5,000, $10,000, or $50,000 depending on business scale). Two named individuals must independently approve.
This single control stops CEO fraud, supplier fraud, and most other payment-related BEC. The attacker would need to compromise two separate individuals simultaneously.
Call-Back Verification for Bank Account Changes
Any request to change bank account details — for a supplier, employee, or any payee — requires telephone verification using a number from your existing records, not a number provided in the request.
The verification call must confirm two things: that the person you are speaking to is who they claim to be, and that they actually requested the bank account change.
This is the single most important procedural control for supplier fraud and payroll fraud. Implement it without exception.
Out-of-Band Verification for Unusual Requests
Any unusual financial request — particularly one that creates urgency, confidentiality requirements, or pressure to bypass normal processes — should be verified through a separate communication channel (phone call to a known number) before action is taken.
“I can’t call to verify because the CEO said it’s urgent and confidential” is precisely the social engineering that makes CEO fraud effective. The correct response is always verification first.
Staff Training
The technical and procedural controls only work if staff understand why they exist and what to do when a suspicious situation arises. Annual training covering BEC scenarios, the psychology of social engineering pressure, and the specific verification procedures should be standard for any Melbourne business with payment authority.
CX IT Services provides BEC prevention training and implements the technical controls that reduce BEC risk for Melbourne businesses. Book a Right Fit Call to discuss your current exposure.