Business Email Compromise (BEC) is one of the most financially damaging types of phishing attack facing Australian organisations today. Unlike traditional phishing, BEC is highly targeted, relies on social engineering rather than malware, and can trick even careful employees into transferring funds or sharing sensitive data. According to the Australian Signals Directorate (ASD), BEC scams cost Australian businesses over $84 million in 2023/24, and the true figure is likely higher because many incidents go unreported.

What is Business Email Compromise (BEC)?

BEC is a form of cyber crime where attackers impersonate a trusted person—often a company executive, supplier, or vendor—via email, in order to trick employees into taking harmful actions such as:

  • Transferring funds to fraudulent bank accounts
  • Sharing login credentials or sensitive documents
  • Updating payment details for regular suppliers

Unlike mass phishing campaigns, BEC messages are highly targeted and can lack the tell-tale signs of spam. They often come from compromised accounts or carefully spoofed email addresses.

How Does BEC Work?

BEC attacks often unfold in phases:

  1. Reconnaissance: Scammers gather intelligence about the company hierarchy, finance processes and communication style from social media, company websites and data exposed in previous breaches.
  2. Impersonation: The attacker uses a lookalike email address (e.g., ceo@compaany.com, one letter away from the real domain) or hijacks a genuine mailbox to impersonate a senior leader or vendor.
  3. Urgent Request: The email contains an urgent-sounding request, such as paying an invoice, updating banking details, or purchasing gift cards. These requests are often timed for the end of the day or for holidays, when there is little opportunity to verify them.
  4. Cash-out or exfiltration: Once the scam succeeds, the attacker moves the funds on quickly and disappears, and the company is left scrambling to recover the money or report the loss.

In July 2024, a Victorian construction company narrowly avoided a catastrophic financial loss of nearly $939,000 due to a BEC scam. The company had engaged a local supplier for a routine job. After the work was completed, the supplier sent a draft invoice via email for verification. Shortly thereafter, the construction company received what appeared to be the final invoice, reflecting the agreed amount. However, this invoice included new banking details and a message indicating a change.

"Please ensure payment is made into the above bank details as funds paid into the old account will now bounce which could cause delays."  

The invoice came from the supplier's legitimate email account and was signed by the supplier's director, so it passed as authentic. Because it was sent from the supplier's real mailbox, sender-authentication checks such as SPF, DKIM and DMARC would all have passed; only an out-of-band check of the new bank details with the supplier would have exposed the fraud. Fortunately, swift action from the bank's customer protection team recovered most of the funds, saving the business from a catastrophic loss.

How to Spot a BEC Scam

BEC emails may look convincing but often include subtle red flags:

  • Slight misspellings in the sender’s address, or an address (or Reply-To) that differs from the one the person normally uses
  • Unusual tone or language that doesn’t match the person’s usual style
  • Requests to bypass standard procedures, or pressure to act urgently (“Can you do this quickly?”)
  • Sudden changes to bank account details, especially in an invoice that otherwise looks routine
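The technical red flags above can be checked mechanically before a person ever reads the message. The following script is an added example, not code from the original page or from any vendor it mentions; the known domains, the executive name, the keyword lists and the three sample messages are all constructed for illustration. It flags a lookalike sending domain (by digit-for-letter substitution and edit distance against domains you know), a display name that belongs to a known executive but arrives from another domain, a Reply-To that diverts replies elsewhere, and wording about urgency, changed bank details or gift cards. Note what happens with the second sample, modelled on the case study: the mail comes from the supplier's genuine domain, so the only thing that fires is the bank-details wording, which is exactly why verification outside email is still needed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the domains and executives your organisation really deals with.
KNOWN_DOMAINS = {"company.com", "supplier.com.au"}
KNOWN_EXECS = {"jane smith": "company.com"}  # display name -> domain it should come from

# Digits attackers commonly substitute for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

URGENCY = re.compile(r"\b(urgent|asap|immediately|today|quickly|right away)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed|above)\b.{0,40}\b(bank|banking|account|bsb) details\b", re.I)
GIFT_CARD = re.compile(r"\bgift cards?\b", re.I)


def levenshtein(a, b):
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain part of an address header such as From or Reply-To."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def lookalike(domain):
    """Return the known domain this one imitates, or None if it is known or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    normalised = domain.translate(HOMOGLYPHS)
    for known in KNOWN_DOMAINS:
        if normalised == known or levenshtein(normalised, known) <= 2:
            return known
    return None


def red_flags(raw_message):
    """Return the list of BEC red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower()
    flags = []

    imitated = lookalike(from_domain)
    if imitated:
        flags.append(f"lookalike domain {from_domain} (imitates {imitated})")

    expected = KNOWN_EXECS.get(display_name.strip().lower())
    if expected and from_domain != expected:
        flags.append(f"display name '{display_name}' but address is not @{expected}")

    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To goes to {domain_of(reply_to)}, not {from_domain}")

    body = msg.get_payload()
    if URGENCY.search(body):
        flags.append("urgency language")
    if BANK_CHANGE.search(body):
        flags.append("change of bank details")
    if GIFT_CARD.search(body):
        flags.append("gift card request")
    return flags


# Constructed sample messages (not real mail).
SAMPLE_CEO_SPOOF = """\
From: "Jane Smith" <jane.smith@compaany.com>
To: finance@company.com
Subject: Quick favour

Are you at your desk? I need you to buy some gift cards for clients today, it's urgent.
"""

SAMPLE_COMPROMISED_SUPPLIER = """\
From: "Accounts Team" <accounts@supplier.com.au>
To: finance@company.com
Subject: Final invoice

Please ensure payment is made into the above bank details as funds paid into the old
account will now bounce which could cause delays.
"""

SAMPLE_ROUTINE = """\
From: "Accounts Team" <accounts@supplier.com.au>
To: finance@company.com
Subject: Draft invoice for review

Hi, the draft invoice for last week's job is attached for your review. Thanks.
"""

if __name__ == "__main__":
    for label, raw in [("CEO spoof", SAMPLE_CEO_SPOOF), ("compromised supplier", SAMPLE_COMPROMISED_SUPPLIER), ("routine", SAMPLE_ROUTINE)]:
        print(f"{label}: {red_flags(raw) or 'no technical red flags'}")
```

Run it directly to print the flags for each sample. Treat the output as a prompt for a person to verify, not as a verdict: a message with no flags can still be fraudulent, and mail from a supplier's compromised mailbox carries no sender-level flags at all.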

How to Prevent Business Email Compromise

1. Use Multi-Factor Authentication (MFA)

Enforce MFA on every email account and on platforms such as Microsoft 365. A stolen or phished password is then not enough on its own to take over the mailbox that a BEC attack depends on.

2. Train Staff in Cyber Security Awareness

Regularly train your team to recognise phishing and impersonation tactics and to verify unusual requests, especially any that involve payments, banking details or credentials.

3. Set Up Email Security Measures

Use email filtering and monitoring tools, and publish SPF, DKIM and DMARC records for your domain so that receiving mail servers can reject messages that forge your addresses. A DMARC policy of p=none only reports spoofing; move to p=quarantine and then p=reject before it blocks anything. Note that these checks protect your own domain name: they do not stop mail from a registered lookalike domain or from a supplier's compromised mailbox, so they complement verification rather than replace it.
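To make "set up" concrete, here is an added Python example (not from the original page or any product it mentions) that lints the two DNS records you control, SPF and DMARC, and places a monitoring-only configuration beside the enforcing one. The domain, reporting mailbox and record contents are constructed; spf.protection.outlook.com is the include that Microsoft 365 customers publish. DKIM is not linted here because the public key in DNS says nothing about whether outbound mail is actually being signed, which can only be judged from the sending side.

```python
import re

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return weaknesses in a DMARC record; an empty list means forged mail will be rejected."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"p={policy or 'missing'}: spoofed mail is reported but not rejected")
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy is applied to
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua: you get no aggregate reports of who sends as your domain")
    sub_policy = tags.get("sp")  # subdomains inherit p unless sp is set explicitly
    if sub_policy is not None and sub_policy.lower() != "reject":
        issues.append(f"sp={sub_policy}: subdomains can still be spoofed")
    return issues


def assess_spf(record):
    """Return weaknesses in an SPF record; an empty list means unlisted senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    all_terms = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1]
        if qualifier in ("all", "+all"):
            issues.append("+all: any host on the internet may send as this domain")
        elif qualifier == "?all":
            issues.append("?all: neutral, unlisted senders are not failed")
        elif qualifier == "~all":
            issues.append("~all: softfail only; without DMARC enforcement receivers usually deliver anyway")
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} lookup terms: over the limit of 10, receivers return permerror")
    return issues


# Constructed records: a typical monitoring-only setup and the enforcing version.
# spf.protection.outlook.com is Microsoft 365's SPF include; the domain and mailbox are assumed.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@company.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@company.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for label, record, check in [("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc),
                                 ("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf)]:
        print(f"{label}: {check(record) or 'ok'}")
```

The weak records are the common starting state: p=none makes receivers report forgeries but still deliver them, and ~all only soft-fails. Move to p=reject once the aggregate reports show that every legitimate sending service passes. Even fully enforced, these records only stop mail that forges your own domain; a registered lookalike domain or a supplier's compromised mailbox passes them cleanly, which is what the verification step in point 4 is for.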

4. Always Verify Financial Requests

Introduce a verbal verification step for every change to payment details and every large or unusual fund transfer, even if the request appears to come from your CEO. Call back on a phone number already held on file, never one supplied in the email or invoice itself.

5. Monitor for Unusual Activity

Watch for signs of unauthorised access, such as logins from unfamiliar locations or new mailbox rules that forward or hide messages, and for odd patterns in communication, particularly in finance and executive inboxes.

6. Revise Access Control

Restrict who can approve financial transactions and changes to supplier details, and require a second approver for large payments, so that a single deceived or compromised employee cannot complete a fraudulent transfer on their own.

Business Email Compromise is highly prevalent: it was the top cyber crime type reported by Australian businesses in FY2023/24 (20% of reports)*, and no business is too small to be targeted. With the right mix of education, verification processes and technical safeguards, your organisation can significantly reduce the risk. Remember, in the world of BEC, human risk management and awareness is your strongest defence. Contact us today to preview our award-winning training, and to demo our platform.