
It usually starts with a perfectly normal-looking email. A supplier sends updated bank details for an upcoming invoice payment. Your accounts team processes the change, pays the invoice, and only discovers weeks later that the email was not from the supplier at all. The money is gone.

How Business Email Compromise Works

Business email compromise, or BEC, is not a crude phishing attempt full of spelling errors. It is a targeted, researched attack. The attacker either compromises a real email account, in your own business or somewhere in your supply chain, or registers a convincing lookalike domain, typically one or two characters away from the genuine one or the same name under a different ending such as .com instead of .com.au.

They monitor email conversations, learn your invoicing patterns, identify who approves payments, and then strike at the right moment with a request that looks completely legitimate.
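Lookalike domains are easier to catch by machine than by eye. The check below is an added example written for this post, not code from the original article: it compares a sender's domain against a constructed list of known supplier domains after collapsing the character substitutions attackers rely on (rn for m, 1 for l, 0 for o), treats the same name under a different suffix as a lookalike, and separately flags a Reply-To header that points somewhere other than the sender's domain. The supplier list, the sample headers and the edit-distance threshold are all assumptions.

```python
"""Flag sender domains that resemble, but are not, a known supplier domain (added example)."""
from email.utils import parseaddr

# Constructed list of trusted supplier domains; in practice load this from your vendor master file.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.com.au", "northside-plumbing.com"}

# Character substitutions that look alike in common fonts; multi-character keys are applied first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse homoglyphs so 'acrne-supp1ies' compares equal to 'acme-supplies'."""
    d = domain.lower().rstrip(".")
    for bad, good in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Extract the domain from 'Display Name <user@domain>' or from a bare address."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def classify_sender(address: str, known: set[str] = KNOWN_SUPPLIER_DOMAINS, max_edits: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain."""
    domain = domain_of(address)
    if domain in known:
        return "known"
    norm = normalize(domain)
    for k in known:
        kn = normalize(k)
        # Same registrable label under a different suffix: acme-supplies.com vs acme-supplies.com.au
        if norm.split(".")[0] == kn.split(".")[0]:
            return "lookalike"
        # Within a couple of edits after homoglyph collapsing: acme-suppiies, acme-supplies-au, ...
        if levenshtein(norm, kn) <= max_edits:
            return "lookalike"
    return "unknown"


def check_message(headers: dict[str, str]) -> list[str]:
    """Return human-readable findings for a message's From and Reply-To headers."""
    findings = []
    sender = headers.get("From", "")
    if classify_sender(sender) == "lookalike":
        findings.append(f"sender domain resembles a known supplier: {sender}")
    reply_to = headers.get("Reply-To", "")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"Reply-To points to a different domain than From: {reply_to}")
    return findings


# Constructed headers for a typical "updated bank details" lure (sample data, not a real message).
SAMPLE_HEADERS = {
    "From": "Acme Accounts <accounts@acrne-supplies.com.au>",
    "Reply-To": "Acme Accounts <accounts.acme@outlook.com>",
    "Subject": "Updated bank details for invoice 4471",
}

if __name__ == "__main__":
    for finding in check_message(SAMPLE_HEADERS):
        print("WARNING:", finding)
```

A threshold of two edits suits supplier domains of this length; for very short domains lower it to one, since two edits can reach unrelated names. Treat a "lookalike" result as the trigger for the phone verification step, not as proof of fraud on its own.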

Why Small Businesses Are Prime Targets

Large corporations have dedicated security teams, email filtering, and payment verification procedures. Small businesses often do not. Attackers know that a Brisbane business with 10 to 30 staff is less likely to have formal processes for verifying changes to bank details.

The ACSC reports BEC as one of the highest-impact cybercrime types affecting Australian businesses, with average losses per incident in the tens of thousands of dollars.

Practical Steps to Protect Your Business

Email filtering and security software help, but the most effective defence against BEC is process-based. Implement a policy that any change to payment details must be verified by phone using a number already on file for the supplier, never a number taken from the email or its signature block, and have a second person approve the change before it is saved in your accounting system.

Train your accounts team to be suspicious of urgency. BEC emails often create time pressure with phrases like payment due today or please process immediately. That urgency is deliberate.

Enable MFA on every email account so that a stolen password alone does not hand an attacker the mailbox. Review mailbox rules regularly and investigate any forwarding or redirect rule you did not create; attackers add them to siphon off invoice threads and to delete the real supplier's replies before you see them. Publish SPF, DKIM and DMARC records for your own domain, with a DMARC policy of quarantine or reject, so that receiving mail servers drop messages that spoof it. Be clear about the limit of these protocols: they stop your domain being impersonated to other people, but they do nothing against a registered lookalike domain or against mail sent from a supplier's genuinely compromised account, which is why the phone verification step matters most.
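What a weak SPF or DMARC setting looks like is clearest in the records themselves. The checker below is an added example, not part of the original post: it parses the SPF and DMARC TXT strings for a domain and reports the settings that leave it spoofable (p=none or p=quarantine, a pct below 100, no rua reporting address, +all or no all mechanism in SPF, too many lookup terms). It does not query DNS, so you paste in the records returned by dig or nslookup; the sample records are constructed, and the weak pair is what many small-business domains actually publish. A clean result means other people cannot spoof your domain; it says nothing about whether mail you receive is genuine.

```python
"""Grade a domain's SPF and DMARC records for the settings that leave it spoofable (added example)."""
from typing import Optional


def parse_dmarc(record: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a tag dict; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(record: Optional[str]) -> list[str]:
    """Findings for the _dmarc TXT record; an empty list means receivers will reject spoofed mail."""
    if not record:
        return ["no DMARC record: receivers have no policy to apply to mail that fails SPF and DKIM"]
    tags = parse_dmarc(record)
    if not tags:
        return ["TXT record is not a valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk instead of being rejected")
    elif policy != "reject":
        findings.append(f"missing or unrecognised policy tag: p={policy!r}")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports and cannot see spoofing attempts")
    return findings


# SPF terms that cost a DNS lookup; the specification allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record: Optional[str]) -> list[str]:
    """Findings for the SPF TXT record; an empty list means only listed hosts may send as the domain."""
    if not record:
        return ["no SPF record"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["TXT record is not a valid SPF record (missing v=spf1)"]
    findings = []
    qualifier = None
    lookups = 0  # counts top-level terms only; nested includes are not resolved here
    for term in terms[1:]:
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("=", 1)[0]
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of failing")
    elif qualifier == "+":
        findings.append("+all: every host on the internet is authorised to send as this domain")
    elif qualifier == "?":
        findings.append("?all: neutral, unlisted senders neither pass nor fail")
    elif qualifier == "~":
        findings.append("~all: softfail; most receivers still deliver, so it only bites through a DMARC policy")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms at the top level: SPF allows 10, more yields permerror")
    return findings


def assess_domain(spf: Optional[str], dmarc: Optional[str]) -> dict[str, list[str]]:
    """Combine both assessments into one report keyed by record type."""
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc)}


# Constructed records: a weak pair beside a hardened pair for the same hypothetical domain.
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

Move from p=none to p=reject in stages: publish p=none with a rua address first, read the aggregate reports for a few weeks to find every legitimate sender (accounting software, newsletter tools, the copier that emails scans), add them to SPF or set up DKIM for them, then tighten the policy. Going straight to reject without that step is how businesses block their own invoices.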

What to Do If It Happens

If you suspect a BEC attack, act immediately. Contact your bank to attempt to recall the payment. Report the incident to the ACSC through ReportCyber. Secure the compromised email account: reset the password, sign out every active session, check the registered MFA methods and recovery options for additions you did not make, then audit the mailbox for forwarding and redirect rules and for sign-ins from locations or devices you do not recognise.
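For the mailbox-rule check called for both in the protective steps and in the incident response above, here is an added example that is not from the original post. It reviews a mailbox's rules exported as JSON and flags the pattern attackers leave behind: a rule with a blank or single-character name that matches invoice and payment keywords, forwards to an external address, moves the message to an obscure folder and deletes it. The field names follow Exchange Online's Get-InboxRule output (an assumption about how you export; adjust them for another mail platform), the internal-domain list is an assumption, and the rule data is constructed.

```python
"""Audit exported mailbox rules for the patterns attackers leave after compromising an account (added example)."""
import json
import re

# Domains treated as internal; any other recipient counts as external forwarding (assumption).
INTERNAL_DOMAINS = {"example.com.au"}

# Folders attackers commonly use to hide supplier replies from the mailbox owner.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items", "archive"}

# Keywords that mark a rule as targeting invoice and payment traffic.
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "bsb", "wire", "account details"}

# Pulls the address out of entries like 'Archive [SMTP:ap.archive@outlook.com]' or a bare address.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\w")


def external_recipients(rule: dict) -> list[str]:
    """Addresses outside INTERNAL_DOMAINS in any forward or redirect action of the rule."""
    found = []
    for action in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(action) or []:
            for address in ADDRESS_RE.findall(str(entry)):
                if address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
                    found.append(address)
    return found


def audit_rule(rule: dict) -> list[str]:
    """Findings for one rule; several findings on the same rule are the BEC signature."""
    findings = []
    if not rule.get("Enabled", True):
        return findings  # a disabled rule is not doing anything today
    external = external_recipients(rule)
    if external:
        findings.append(f"forwards or redirects to external address: {', '.join(external)}")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages, hiding them from the mailbox owner")
    folder = (rule.get("MoveToFolder") or "").replace("\\", "/").split("/")[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching messages to an unusual folder: {rule.get('MoveToFolder')}")
    words = [w.lower() for w in (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])]
    hits = sorted({w for w in words if any(k in w for k in FINANCE_WORDS)})
    if hits:
        findings.append(f"matches finance keywords: {', '.join(hits)}")
    if len(str(rule.get("Name", "")).strip()) <= 1:
        findings.append("rule name is blank or a single character, a common attacker habit")
    return findings


def audit_rules(export_json: str) -> dict[str, list[str]]:
    """Return {rule name: findings} for every enabled rule with at least one finding."""
    rules = json.loads(export_json)
    if isinstance(rules, dict):  # ConvertTo-Json emits a bare object when there is only one rule
        rules = [rules]
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[str(rule.get("Name", "<unnamed>"))] = findings
    return report


# Constructed export: the first rule is an ordinary user rule, the second is the attacker's.
SAMPLE_RULES_JSON = r"""
[
  {"Name": "Move newsletters", "Enabled": true, "ForwardTo": null, "ForwardAsAttachmentTo": null,
   "RedirectTo": null, "DeleteMessage": false, "MarkAsRead": false,
   "SubjectContainsWords": ["newsletter"], "BodyContainsWords": null, "MoveToFolder": "Inbox\\Newsletters"},
  {"Name": ".", "Enabled": true, "ForwardTo": ["Archive [SMTP:ap.archive@outlook.com]"],
   "ForwardAsAttachmentTo": null, "RedirectTo": null, "DeleteMessage": true, "MarkAsRead": true,
   "SubjectContainsWords": ["invoice", "payment", "bank details"], "BodyContainsWords": null,
   "MoveToFolder": "RSS Subscriptions"}
]
"""

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES_JSON).items():
        print(f"Rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Run it over every mailbox, not only the one you believe was compromised: an attacker who reads the accounts inbox often plants a second rule in the approver's mailbox as well. Mailbox rules are only one hiding place; also check tenant-level forwarding settings and any OAuth applications the account has consented to.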

Time is critical. Banks can sometimes freeze fraudulent transfers if notified within hours, but the window closes quickly.

Is your business protected against email compromise? Take our free IT Health Check to find out.

Start Your Health Check →