Executive Briefing
Australian businesses lost $98 million to BEC attacks last year. Learn warning signs, prevention strategies and response protocols to stay protected.
What is Business Email Compromise?
BEC is a type of scam where criminals impersonate trusted parties—executives, vendors, or colleagues—to trick employees into transferring money or revealing sensitive information. These attacks don't rely on malware; they exploit trust and business processes.
Common BEC Attack Types
CEO Fraud / Executive Impersonation
Attackers impersonate a CEO or senior executive, urgently requesting a wire transfer or gift card purchase. These often create artificial time pressure ("I'm in a meeting, need this done immediately") to bypass normal approval processes.
Vendor Invoice Scams
Criminals compromise or impersonate a legitimate vendor and send fake invoices with updated payment details. The invoice looks genuine because it references real work or products.
Account Compromise
Attackers gain access to a real email account and use it to request payments or information from contacts. These are particularly dangerous because they come from legitimate addresses.
Payroll Diversion
Criminals impersonate employees requesting changes to payroll direct deposit information, diverting salaries to their accounts.
Warning Signs of BEC
Train your team to recognise these red flags:
- Urgency and secrecy: "This is confidential, don't discuss with anyone"
- Unusual requests: Executives asking for gift cards or unusual payment methods
- Changed payment details: Vendors requesting payment to new bank accounts
- Slight email variations: @company.com vs @companny.com
- Breaking normal procedures: Pressure to bypass approval processes
- Unusual timing: Requests sent when the supposed sender would normally be unavailable
Technical Prevention Measures
- Email authentication: Implement SPF, DKIM, and DMARC to prevent domain spoofing
- External email tagging: Mark emails from outside your organisation with a visible banner
- Multi-factor authentication: Protect all email accounts, especially executives
- Advanced threat protection: Use Microsoft Defender for Office 365 or equivalent
- Email encryption: Protect sensitive communications
Process Controls
Technical measures alone aren't enough. Implement robust processes:
- 1Verification procedures: Always verify payment changes via a known phone number (not one from the email)
- 2Dual authorisation: Require two people to approve significant transactions
- 3Callback verification: For any change to vendor payment details, call the vendor directly
- 4Document management: Maintain accurate vendor contact records
- 5Regular training: Keep staff updated on current BEC tactics
Important Note
Critical rule: If someone asks you to change payment details via email, ALWAYS verify by calling them on a number you already have on file—never call a number provided in the email.
What to Do If You're Targeted
- 1Act quickly: If you've transferred money, contact your bank immediately to attempt recall
- 2Report internally: Notify IT and management immediately
- 3Report to authorities: File a report with the ACSC (cyber.gov.au/report) and Australian Federal Police via ReportCyber
- 4Preserve evidence: Don't delete emails or modify anything
- 5Review and improve: Analyse how the attack succeeded and close gaps
How We Researched This Article
This article was compiled using information from authoritative industry sources to ensure accuracy and relevance for Australian businesses.
Sources & References
-
→
Australian Cyber Security Centre - Business Email Compromise
ACSC guidance on BEC threats and prevention
-
→
Scamwatch - Business Scams
ACCC consumer protection information on BEC
-
→
FBI Internet Crime Complaint Center (IC3)
US law enforcement data on BEC losses and trends
-
→
Australian Federal Police - ReportCyber
Official reporting channel for cybercrime in Australia
* Information is current as of the publication date. Cybersecurity guidelines and best practices evolve regularly. We recommend verifying current recommendations with the original sources.
Frequently Asked Questions
BEC attacks exploit human trust rather than technical vulnerabilities. They're carefully crafted to appear legitimate, often using real business context and exploiting time pressure. Unlike mass phishing, BEC targets specific individuals who can authorise payments.
Email filtering helps but isn't foolproof. BEC emails often don't contain malware or malicious links—they're just text requesting legitimate-seeming actions. Advanced threat protection can catch some BEC, but process controls and user awareness remain essential.
Finance teams, accounts payable, HR, and executive assistants are primary targets. Anyone with authority to transfer money, change payment details, or access sensitive information is at risk. Small businesses are increasingly targeted because they often lack controls.
Sometimes, if you act immediately. Contact your bank within hours (not days) to attempt to recall the transfer. Success rates decrease rapidly with time. Even if recall fails, reporting helps authorities track criminal networks and may help recover funds in some cases.