4iT IT Support Sydney | Your Reliable Sydney IT Support Partner


What Is Business Email Compromise (BEC)?

Business email compromise is a scam where an attacker poses as someone you trust (a supplier, an executive, or a staff member) to trick your business into transferring money or changing payment details. It is not a virus and it usually carries no attachment, which is exactly why spam filters miss it. For Australian SMEs it is one of the most expensive email attacks going, and the defence is a mix of technical controls and a few simple habits.


Key facts

  • Business email compromise (BEC) relies on impersonation and social engineering, not malware, so it slips past filters that scan for malicious links and attachments.
  • The most common version is the fake invoice or changed bank details scam, where an attacker redirects a genuine payment to their own account.
  • Phishing and compromised credentials are among the leading causes of data breaches reported to the OAIC, which received 532 notifications in the January to June 2025 period.
  • Multi-factor authentication, impersonation protection, and a payment verification habit stop the large majority of BEC attempts.
  • BEC often starts with a quietly compromised mailbox, where the attacker reads real conversations for weeks before striking.
  • A request that combines urgency, secrecy, and a change to payment details is the classic BEC pattern.

What does business email compromise look like?

BEC almost always involves a request to move money or change where money goes, wrapped in a reason to act fast and not check. A typical one we see across Sydney SMEs: a supplier you have paid for years emails to say their bank details have changed, please update them for the next invoice. The email looks right, the logo is right, the signature is right. Sometimes it is a lookalike domain with one letter changed; sometimes it is the supplier's actual mailbox, because the attacker got into it first. Another version is the fake executive, where a message that appears to come from the director asks an accounts staff member to pay an urgent invoice or buy gift cards before a meeting. The details change, the shape does not: someone you trust, a payment, and pressure not to verify.

Why do spam filters miss BEC?

Most BEC email is clean by every measure a filter checks. There is no malicious attachment to detonate and no dangerous link to follow, just plain text asking a normal-sounding question. When the attacker is sending from a genuine, already-compromised mailbox, even sender checks pass, because the mail really is coming from the real account. This is why BEC is treated as a people-and-process problem with technical support, rather than something a single filter solves. The controls that work are impersonation protection that flags lookalike domains and display-name tricks, strong authentication so accounts are harder to take over in the first place, and a verification step that does not rely on email.
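Impersonation protection of the kind described above rests on a few header checks that a filter looking only for malicious links never makes. The Python below is an added example, not code from 4iT or from Microsoft Defender: it flags a sender domain that is one or two edits away from a trusted supplier domain, a domain that only matches after confusable characters (rn for m, 0 for o and so on) are normalised, and a display name that matches an internal staff member or embeds a trusted domain while the real sender is external. The supplier domain, staff name and From: headers are constructed for illustration.

```python
"""Flag lookalike sender domains and display-name tricks in mail headers.

Added example for an article on business email compromise; this is not code
from 4iT or from Microsoft Defender. The trusted supplier domain, the staff
name and the sample headers below are constructed for illustration.
"""

# Character swaps that are hard to spot in a From: line (applied to both sides).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain):
    """Map confusable characters to their plain look-alike so 'acrne' == 'acme'."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the domain part of an address such as 'user@host' or '<user@host>'."""
    return address.rstrip(">").rsplit("@", 1)[-1].lower()


def assess_sender(display_name, from_address, trusted_domains, staff_names):
    """Return findings for one From: header; an empty list means nothing to flag."""
    findings = []
    domain = sender_domain(from_address)
    if domain in trusted_domains:
        return findings  # genuine domain: header checks alone cannot flag a compromised mailbox

    for trusted in trusted_domains:
        if normalise(domain) == normalise(trusted):
            findings.append(f"homoglyph lookalike of {trusted}")
        elif edit_distance(domain, trusted) <= 2:
            findings.append(f"lookalike of {trusted} (edit distance <= 2)")

    # Display-name tricks: the visible name claims to be someone the address is not.
    name = display_name.lower()
    for staff in staff_names:
        if staff.lower() in name:
            findings.append(f"display name matches staff member '{staff}' but sender is external")
    for trusted in trusted_domains:
        if trusted in name:
            findings.append(f"display name embeds trusted domain {trusted}")
    return findings


TRUSTED_DOMAINS = {"acme-supplies.com.au"}  # constructed supplier domain
STAFF_NAMES = {"Jane Director"}             # constructed internal executive

# Constructed headers as (display name, address); none of these are real senders.
SAMPLE_HEADERS = [
    ("Acme Accounts", "accounts@acme-supplies.com.au"),   # genuine supplier domain
    ("Acme Accounts", "accounts@acme-suppiies.com.au"),   # 'l' swapped for 'i'
    ("Acme Accounts", "accounts@acrne-supplies.com.au"),  # 'rn' reads as 'm'
    ("Jane Director", "janedirector.ceo@gmail.com"),      # fake executive, free-mail address
    ("Acme Accounts <accounts@acme-supplies.com.au>", "billing@mailer-example.net"),  # address hidden in the name
]


def triage(headers):
    """Run every sample header through the checks and pair it with its findings."""
    return [(addr, assess_sender(name, addr, TRUSTED_DOMAINS, STAFF_NAMES))
            for name, addr in headers]


if __name__ == "__main__":
    for addr, findings in triage(SAMPLE_HEADERS):
        print(addr, "->", findings or "clean")
```

The genuine-domain case returns no findings on purpose: when the attacker is writing from the supplier's real mailbox, as the paragraph above notes, nothing in the header is wrong, and only the out-of-band verification habit catches it.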

How can Australian SMEs prevent business email compromise?

The single most effective habit is to verify any change to payment details out of band. That means picking up the phone and calling the supplier on a number you already have, not the number in the email, before you change anything. Pair that with multi-factor authentication on every mailbox, so a stolen password alone is not enough to get in, and impersonation protection in your email security, which Microsoft Defender for Office 365 Plan 1 provides and which is included in Microsoft 365 Business Premium. Add a clear internal rule that no payment or bank-detail change happens on email alone, and you have closed off most of the attack. In our experience supporting Sydney SMEs, it is the businesses without that verification habit that lose the money, not the ones without the fanciest filter.

What should you do if you think you have been hit?

Move fast, because recovery depends on speed. Contact your bank immediately to try to recall or freeze the payment, change the password and review sign-in activity on any mailbox you think is compromised, and check inbox rules, because attackers often add a hidden rule that auto-deletes or forwards certain mail to cover their tracks. Report it to Scamwatch and, if money has moved, to the police via ReportCyber. If personal information was exposed, you may have obligations under the Privacy Act 1988 and the Notifiable Data Breaches scheme, so get advice early. Then work out how they got in, so it does not happen twice.
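Checking inbox rules, as recommended above, means looking for a few specific shapes: mail forwarded or redirected outside the business, payment-related mail deleted or moved to a folder nobody reads, and rules with a blank or one-character name. The Python below is an added example, not 4iT's or Microsoft's tooling. The rule records are constructed, and their field names (Name, Enabled, DeleteMessage, ForwardTo, RedirectTo, ForwardAsAttachmentTo, MoveToFolder, SubjectContainsWords) are an assumption about the shape of an exported Exchange Online inbox rule; map them to whatever your own export actually contains.

```python
"""Audit exported inbox rules for the patterns attackers leave behind.

Added example for an article on business email compromise, not code from
4iT or Microsoft. The rule records and domains below are constructed, and
the field names assume an Exchange Online-style inbox-rule export.
"""

INTERNAL_DOMAINS = {"example-business.com.au"}  # constructed: your own mail domains
PAYMENT_WORDS = {"invoice", "payment", "bank", "remittance", "eft", "account"}
HIDEOUT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive", "notes"}


def external_addresses(addresses):
    """Keep only recipients whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def assess_rule(rule):
    """Return the reasons one rule looks like attacker tradecraft (empty if none)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons  # disabled rules cannot move mail; still worth a glance, not a flag

    ext = external_addresses(rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                             + rule.get("ForwardAsAttachmentTo", []))
    if ext:
        reasons.append("forwards or redirects mail to external address(es): " + ", ".join(ext))

    # Split phrases such as "bank details" so the keyword match sees "bank".
    words = {tok for phrase in rule.get("SubjectContainsWords", []) for tok in phrase.lower().split()}
    if words & PAYMENT_WORDS:
        if rule.get("DeleteMessage"):
            reasons.append("deletes mail about payments before the user sees it")
        folder = (rule.get("MoveToFolder") or "").lower()
        if folder in HIDEOUT_FOLDERS:
            reasons.append(f"hides payment mail in '{rule['MoveToFolder']}'")

    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def suspicious_rules(rules):
    """Return (name, reasons) for every rule that triggers at least one check."""
    flagged = []
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            flagged.append((rule.get("Name", "<unnamed>"), reasons))
    return flagged


# Constructed export: one ordinary rule and two that match the paragraph above.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": ".", "Enabled": True, "DeleteMessage": True,
     "SubjectContainsWords": ["invoice", "bank details"]},
    {"Name": "Sync", "Enabled": True, "ForwardTo": ["archive.backup@mail-relay.example"],
     "MoveToFolder": "RSS Feeds", "SubjectContainsWords": ["payment"]},
]

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```

Run this over every mailbox you suspect, not just the one that sent the fraudulent message: the attacker often reads from one account and sends from another.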

Frequently asked questions

Is business email compromise the same as phishing?

They overlap but are not identical. Phishing is the broad practice of tricking someone into giving up credentials or clicking something malicious. BEC is a targeted scam that uses impersonation, often built on the back of a successful phish, to redirect a payment or extract sensitive information. BEC is usually more tailored and higher value.

Will multi-factor authentication stop BEC?

MFA stops a large share of it by making mailbox takeover much harder, which removes the most convincing version of the attack. It does not stop a lookalike-domain email sent from outside, so you still need impersonation protection and the payment verification habit alongside it.

Does cyber insurance cover BEC losses?

Some policies do and some treat it as a separate social engineering or funds transfer fraud cover with its own limits and conditions. Many insurers also require controls like MFA before they will pay. Check the wording with your broker rather than assuming, because this is a common gap.

How much does BEC protection cost for an SME?

Most of the strongest controls are configuration rather than new spend. MFA and impersonation protection are included in Microsoft 365 Business Premium, and the verification habit costs nothing but discipline. The cost is mostly in setting it up correctly and training staff to spot the pattern.

If you want to know whether your business would catch a fake invoice before the money left the building, that is worth a conversation. We help Sydney SMEs put the right controls and habits in place, and it is a lot cheaper than recovering a payment that has already gone.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, including email security, phishing simulation, Microsoft 365 hardening, and incident response, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.
