Business Email Compromise cost Australian businesses over $80 million last year. Here is how email spoofing works, what BEC attacks look like, and the technical controls that stop them.
Business Email Compromise (BEC) is the most financially damaging cyber crime affecting Australian businesses. According to the Australian Competition and Consumer Commission, BEC attacks cost Australian businesses hundreds of millions of dollars each year - and the majority of victims are small and medium businesses who never expected to be targeted.
The attacks succeed not because of sophisticated malware or zero-day exploits, but because email is fundamentally insecure by default, and most businesses have not implemented the controls that close the obvious gaps.
This article explains how email spoofing and BEC work, what the attacks look like in practice, and the specific technical controls that prevent them.
How Email Spoofing Works
Email was designed in the 1970s without authentication in mind. The “from” address in an email is completely free-form - anyone can set it to anything. Without additional controls, there is nothing technically stopping someone from sending an email that appears to come from your CEO, your bank, or the ATO.
Domain spoofing is the simplest form: an attacker sends an email with your exact domain in the from address. It looks exactly like it came from your company.
Lookalike domain spoofing uses a domain that looks like yours. Instead of yourcompany.com.au, the attacker registers yourcornpany.com.au (note the ‘rn’ that looks like ‘m’) and sends emails from that domain. At a glance, particularly on mobile where the full address is truncated, it is indistinguishable.
Display name spoofing sets the display name to “CEO Name” or “Your Bank” while using a completely different sending address. Many email clients show only the display name by default, and users never see the actual sending address.
What BEC Attacks Look Like
The CEO Fraud / Payment Request
The attacker impersonates your CEO or a senior executive and sends an urgent email to the accounts team requesting an immediate payment. The email typically:
- Creates urgency (“I’m in a meeting and can’t be reached by phone”)
- Asks for secrecy (“Don’t discuss this with anyone until it’s done”)
- Provides bank account details for the transfer
- Often targets the accounts person who is most likely to comply with a request from the CEO
The average loss per successful CEO fraud attack in Australia is in the range of $50,000 to $200,000.
The Invoice Redirect
The attacker compromises either your email account or a supplier’s email account, monitors legitimate invoice conversations, then sends a fraudulent email that looks exactly like a legitimate invoice but with different bank account details.
This is particularly common in:
- Real estate (deposit payments)
- Construction (large subcontractor invoices)
- Professional services (large project milestone payments)
- Conveyancing (settlement amounts)
The Supplier Compromise
The attacker compromises the email account of one of your trusted suppliers or service providers. They then send fraudulent communications from the legitimate compromised account - these bypass most email security controls because the emails are genuinely coming from the correct domain.
This attack is nearly impossible to detect with technical controls alone. It requires procedural controls (verbal verification of payment changes) to catch.
The Technical Controls That Stop Most BEC
1. SPF (Sender Policy Framework)
SPF is a DNS record that specifies which mail servers are authorised to send email from your domain. When a receiving mail server gets an email claiming to be from yourcompany.com.au, it checks the SPF record to see if the sending server is on the approved list. If it is not, the email can be rejected or flagged.
Setting up SPF: Add a TXT record to your domain’s DNS that lists your authorised sending sources. If you use Microsoft 365, Google Workspace, or another major provider, they provide the exact SPF record to use.
Important: SPF only protects against spoofing of your exact domain. It does not protect against lookalike domain attacks.
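To make the SPF check concrete, here is an added Python example (not code from this article or from any mail provider) that parses an SPF TXT record and decides whether a given sending IP is authorised. The record, the address ranges and the `resolve_include` callback are constructed for the example; a real receiving server resolves `include:`, `a` and `mx` terms through live DNS (with a limit of ten lookups per evaluation), which this offline version deliberately does not do.

```python
import ipaddress

# Constructed SPF record for the article's example domain. The Microsoft 365 include
# is the one Microsoft publishes; the address ranges are documentation ranges.
EXAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 "
               "include:spf.protection.outlook.com -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # a mechanism with no prefix means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(record, sender_ip, resolve_include=None):
    """Return (result, reason) for a sending IP evaluated against an SPF record.

    resolve_include: optional callable domain -> record text for include: terms.
    Without it, include: terms are recorded as unresolved so the caller can see
    the result is incomplete. A real verifier resolves these (and a/mx/exists)
    through DNS, with a limit of ten lookups per evaluation.
    """
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier], f"matched {mechanism}:{argument}"
        elif mechanism == "include":
            if resolve_include is None:
                unresolved.append(argument)
                continue
            sub_result, _ = check_spf(resolve_include(argument), sender_ip, resolve_include)
            if sub_result == "pass":
                return QUALIFIERS[qualifier], f"matched include:{argument}"
        elif mechanism == "all":
            reason = "no earlier mechanism matched"
            if unresolved:
                reason += " (unresolved include: " + ", ".join(unresolved) + ")"
            return QUALIFIERS[qualifier], reason
        # a, mx, exists and redirect= need DNS and are not evaluated offline
    return "neutral", "record ends without an 'all' term"


if __name__ == "__main__":
    print(check_spf(EXAMPLE_SPF, "203.0.113.25"))   # pass: inside the ip4 range
    print(check_spf(EXAMPLE_SPF, "198.51.100.7"))   # fail: reached -all
```

The difference between `-all` and `~all` is visible here: the same unauthorised IP gets a hard `fail` under `-all` but only `softfail` under `~all`, and many receivers treat softfail as "deliver but mark". A record that ends in `~all` or `?all`, or one whose `include:` chains exceed the ten-lookup limit, gives far less protection than the record on paper suggests.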
2. DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails. The receiving mail server verifies the signature against a public key published in your DNS. If the signature does not match, the email was tampered with in transit or was not actually sent from your mail server.
DKIM provides both authentication and integrity - it confirms both that the email came from an authorised source and that it was not modified after sending.
3. DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC is the policy that ties SPF and DKIM together. It tells receiving mail servers what to do when an email fails SPF or DKIM checks - deliver it, quarantine it, or reject it.
A DMARC policy of p=reject means that any email failing authentication checks will be rejected outright. This is the goal, but most organisations start with p=none (monitor only) or p=quarantine while they identify and fix any legitimate sending sources that might be affected.
DMARC also provides reporting: you receive aggregate reports showing who is sending email using your domain, both legitimate senders and attackers. This visibility is valuable for both security and troubleshooting.
The combination of SPF, DKIM, and DMARC at enforcement level stops domain spoofing completely. Attackers cannot send emails that appear to come from your domain.
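The way DMARC "ties SPF and DKIM together" is a small decision procedure, and the detail most often misunderstood is alignment: an SPF or DKIM pass only counts if the domain it was evaluated on lines up with the domain in the visible From: header. The Python below is an added example (not the article's or any vendor's code) that parses a DMARC record and computes the disposition for one message from the SPF and DKIM results a receiver already has. The record, domains and the short public-suffix list are constructed assumptions; real verifiers use the full Public Suffix List to find the organisational domain.

```python
# Constructed DMARC record for the article's example domain, as it would be published
# at _dmarc.yourcompany.com.au (tag values are illustrative).
EXAMPLE_DMARC = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@yourcompany.com.au")

ACTIONS = {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "reject"}

# Assumption for the example: a handful of two-part public suffixes. A real verifier
# uses the full Public Suffix List here.
TWO_PART_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}


def parse_dmarc(record):
    """Parse a v=DMARC1 TXT record into a dict of tags, applying the spec's defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    if tags["p"] not in ACTIONS or tags.get("sp", tags["p"]) not in ACTIONS:
        raise ValueError("unknown policy value")
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p
    tags.setdefault("adkim", "r")        # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def organisational_domain(domain):
    """Registered ('organisational') domain: yourcompany.com.au for bounce.yourcompany.com.au."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organisational_domain(from_domain) == organisational_domain(auth_domain)


def dmarc_disposition(record, policy_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide what a receiver does with one message.

    policy_domain: the domain whose _dmarc record this is (the From: org domain)
    spf_domain:    the MAIL FROM (envelope) domain SPF was evaluated on
    dkim_domain:   the d= tag of a signature that verified (None if none did)
    Returns (dmarc_result, action).
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    # A From: domain other than the record's own domain is a subdomain: apply sp=
    policy = tags["p"] if from_domain.lower() == policy_domain.lower() else tags["sp"]
    return "fail", ACTIONS[policy]


if __name__ == "__main__":
    # Spoofed From: yourcompany.com.au, sent from the attacker's own domain with valid SPF:
    # SPF passes but is not aligned, so the message is rejected under p=reject.
    print(dmarc_disposition(EXAMPLE_DMARC, "yourcompany.com.au", "yourcompany.com.au",
                            "pass", "attacker.example", "none", None))
```

The second case in the `__main__` block is the one that matters for BEC: a spoofer can always publish a perfect SPF record for a domain they control, so an unaligned SPF pass must count for nothing. It also shows why `p=none` is monitoring rather than protection: the same message evaluates to `deliver (report only)` against a `p=none` record.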
4. Anti-Phishing and Anti-Spoofing Policies
Microsoft 365 Defender and Google Workspace both include configurable anti-phishing policies that:
- Flag emails where the display name matches an internal user but the sending address is external
- Detect and quarantine lookalike domain spoofing attempts
- Apply machine-learning analysis to identify social engineering patterns in email content
- Add warning banners to emails that exhibit phishing characteristics
These policies must be actively configured - the defaults are not sufficient for most businesses.
5. Safe Links and Safe Attachments
Safe Links rewrites all URLs in emails so they are scanned at the time of click, not at delivery. A link that was clean when the email arrived but was later changed to point to a malicious site will still be caught.
Safe Attachments opens email attachments in a sandboxed environment before delivery. Malicious attachments are detonated in the sandbox and blocked before reaching the user’s inbox.
Both controls are available in Microsoft 365 Defender (formerly Advanced Threat Protection) and are included in Microsoft 365 Business Premium.
6. External Email Warning Banners
A simple but effective control: add a warning banner to all emails arriving from external senders. Something like “This email was sent from outside your organisation. Be cautious about links and attachments.”
This banner catches many social engineering attempts by prompting the recipient to check the actual sending address before acting.
What Technical Controls Cannot Stop
Supplier Account Compromise
If an attacker has compromised your supplier’s actual email account and is sending from their legitimate domain, most technical controls will not catch it. SPF, DKIM, and DMARC will all pass because the email is genuinely coming from the authorised server.
What stops this: Procedural controls. A policy that requires telephone verification (to a number from your own records, not one in the email) for any bank account change or unusual payment request. This is one of the most important BEC defences and it costs nothing to implement.
Well-Crafted Lookalike Domains
A sophisticated attacker who registers a domain with subtle differences (replacing ‘l’ with ‘1’, adding a hyphen, using a different TLD) will pass all technical controls on their own domain. Detection requires the anti-phishing lookalike domain features described above, combined with user awareness training.
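Two of the anti-phishing checks described in section 4 above (display name matching an internal user while the sending address is external, and lookalike domain detection) and the lookalike variants listed in this section can be expressed as plain detection logic. The Python below is an added example of that logic, not code from the article or from Microsoft or Google; the internal user directory, the trusted domain list, the confusable-character table and the sample From: headers are all constructed for the example.

```python
import email.utils

# Constructed assumptions: the organisation's own domain, a small internal user directory
# keyed by lower-cased display name, and the supplier domains it regularly receives mail from.
OWN_DOMAIN = "yourcompany.com.au"
INTERNAL_USERS = {
    "jane citizen": "jane.citizen@yourcompany.com.au",
    "john smith": "john.smith@yourcompany.com.au",
}
TRUSTED_DOMAINS = {OWN_DOMAIN, "bigsupplier.com.au"}

# Visually confusable sequences of the kind described in the article ('rn' for 'm', '1' for 'l').
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise_label(label):
    """Fold confusable sequences and hyphens so 'yourcornpany' and 'your-company' match 'yourcompany'."""
    label = label.lower()
    for seq, replacement in CONFUSABLES.items():
        label = label.replace(seq, replacement)
    return label.replace("-", "")


def levenshtein(a, b):
    """Edit distance, used to catch a single added, dropped or changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this domain resembles, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    d_label, _, d_suffix = domain.partition(".")
    for trusted in TRUSTED_DOMAINS:
        t_label, _, t_suffix = trusted.partition(".")
        if d_label == t_label and d_suffix != t_suffix:
            return trusted          # same name under a different TLD
        if normalise_label(d_label) == normalise_label(t_label):
            return trusted          # confusable substitution or inserted hyphen
        if levenshtein(d_label, t_label) == 1:
            return trusted          # one character added, dropped or changed
    return None


def assess_from_header(from_header):
    """Return a list of findings for a message's From: header (empty list = nothing suspicious)."""
    display, address = email.utils.parseaddr(from_header)
    if "@" not in address:
        return ["unparseable From address"]
    findings = []
    sender_domain = address.rsplit("@", 1)[1].lower()
    if sender_domain != OWN_DOMAIN and display.strip().lower() in INTERNAL_USERS:
        findings.append(f"display name '{display}' matches an internal user but sender is external ({address})")
    resembles = lookalike_of(sender_domain)
    if resembles:
        findings.append(f"sender domain {sender_domain} resembles trusted domain {resembles}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers of the kinds discussed in the article
    for header in ["Jane Citizen <jane.citizen@yourcompany.com.au>",
                   "Jane Citizen <jane.citizen@webmail.example>",
                   "Accounts <accounts@yourcornpany.com.au>"]:
        print(header, "->", assess_from_header(header) or "ok")
```

In a real deployment the display-name list comes from the directory and the trusted-domain list from mail history, and the output feeds a warning banner or quarantine decision rather than a print. The edit-distance check is deliberately conservative (distance 1 only) because broader matching on short labels produces false positives quickly.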
Compromised Internal Accounts
An attacker who has compromised a legitimate user account inside your organisation can send emails that pass every authentication check. This is why MFA on all email accounts is so important - it prevents the account compromise that enables these attacks.
What to Check Right Now
- SPF record: Go to a DNS lookup tool and check your domain for a TXT record starting with “v=spf1”. If it does not exist, you have no SPF protection.
- DMARC record: Look for a TXT record at _dmarc.yourdomain.com.au. If it does not exist, or if the policy is p=none, you are not protected against domain spoofing.
- MFA on email: Log in to your email admin console. Is MFA enforced for all users? If it is optional or not configured, you are vulnerable to credential attacks that enable BEC.
- Accounts payable procedure: Ask your accounts team: what is the process if you receive an email requesting a change to bank details for a regular supplier? If the answer is “we update the details and process the next payment”, you have a critical procedural gap.
Getting Help
Email security configuration is not complex for a managed IT provider, but it is easy to get wrong if you do it yourself. An incorrect DMARC policy can cause legitimate emails to bounce. SPF records have character limits and specific syntax requirements.
If you want an assessment of your current email security posture - whether your SPF, DKIM, and DMARC are correctly configured, whether your anti-phishing policies are adequate, and whether your accounts team has been trained on BEC scenarios - book a Right Fit Call and we can walk you through what we would assess and what we typically find.