Business Email Compromise: How to Recognise and Reduce your Risk
Business Email Compromise (BEC) is one of the most financially damaging phishing threats facing Australian organisations today. Unlike broad phishing campaigns, BEC targets specific people, relies on social engineering rather than malware, and can fool even vigilant employees into transferring money or leaking sensitive data. The Australian Signals Directorate (ASD) reports that self-reported BEC losses from Australian businesses exceeded $84 million in 2023–24, and because many incidents are never reported the real figure is likely higher.
What is Business Email Compromise (BEC)?
In a BEC scam, criminals impersonate a trusted person — often an executive, supplier, or vendor — to trick employees into taking harmful actions like:
- Transferring funds to a fraudulent account
- Sharing login details or confidential documents
- Updating payment details for regular suppliers
These emails are highly targeted. They often come from a genuine mailbox the attacker has compromised, from a lookalike domain, or from a spoofed address, and because the attacker has usually read the victim's real correspondence first, the usual phishing tells (bad links, unexpected attachments, poor spelling) may be absent.
In July 2024, a Victorian construction company nearly lost $939,000 to a BEC scam. The scammers sent a fake final invoice with new banking details from the supplier’s real, compromised email account, so the sender address looked entirely legitimate. Fortunately, the company’s bank acted fast and recovered most of the funds.
How to Spot a BEC Scam
Watch for these common red flags:
- Small changes in the sender’s email address: a swapped, added or look-alike character, a different top-level domain, or a Reply-To address that does not match the From address
- Unusual tone or wording that feels off for the person supposedly writing
- Requests to skip normal procedures, keep the matter confidential, or act with unusual urgency
- Sudden changes in payment or banking details, especially just before a payment is due
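The first red flag above can be checked mechanically before a human ever reads the message. The following is an added example written for this page (it is not Phriendly Phishing code and not part of the original article). It takes a From header and optional Reply-To header and reports lookalike domains (confusable characters such as 1 for l or rn for m, or a domain within two edits of a known one), a known executive's display name on an address that is not theirs, and a Reply-To pointing at a different domain. The domains, names and headers are constructed for the example; in practice the reference data comes from your directory and supplier master file.

```python
import re
from typing import List, Optional, Tuple

# Constructed reference data for the example: this organisation's own domain,
# the domains of known suppliers, and the real addresses of staff who are
# commonly impersonated. In a real deployment these come from your directory
# and vendor master data.
OWN_DOMAIN = "example.com.au"
KNOWN_DOMAINS = {OWN_DOMAIN, "acme-supplies.com.au", "buildco.com"}
EXECUTIVES = {"jane smith": "jane.smith@example.com.au"}

# Single characters that look alike in common fonts, folded to one canonical form,
# plus two-character sequences that read as one letter (r+n looks like m).
# The folding is deliberately aggressive: a hit is a prompt to verify, not a verdict.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise(domain: str) -> str:
    """Fold confusable characters so 'examp1e' and 'exarnple' both become 'example'."""
    folded = domain.lower().translate(CONFUSABLES)
    for pair, single in MULTI_CHAR:
        folded = folded.replace(pair, single)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_address(header: str) -> Tuple[str, str]:
    """Split 'Display Name <user@domain>' into (display_name, address); a bare address gets an empty name."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def check_sender(from_header: str, reply_to: Optional[str] = None) -> List[str]:
    """Return the red flags found in the From (and optional Reply-To) header; an empty list means none."""
    flags: List[str] = []
    name, addr = parse_address(from_header)
    domain = addr.rsplit("@", 1)[-1]

    # Lookalike check only matters when the domain is not one we already trust.
    if domain not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if normalise(domain) == normalise(known):
                flags.append(f"lookalike domain: {domain!r} resembles {known!r} (confusable characters)")
            elif edit_distance(domain, known) <= 2:
                flags.append(f"lookalike domain: {domain!r} is within 2 edits of {known!r}")

    # Display-name impersonation: a known executive's name on someone else's address.
    real = EXECUTIVES.get(name.lower())
    if real and addr != real:
        flags.append(f"display name {name!r} belongs to {real!r} but mail is from {addr!r}")

    # Reply-To redirection: replies would leave the conversation the From header suggests.
    if reply_to:
        _, rt_addr = parse_address(reply_to)
        if rt_addr.rsplit("@", 1)[-1] != domain:
            flags.append(f"Reply-To {rt_addr!r} goes to a different domain than From {addr!r}")
    return flags


if __name__ == "__main__":
    # Constructed headers, one per check.
    samples = [
        ("Jane Smith <jane.smith@example.com.au>", None),
        ("Accounts <accounts@acme-supp1ies.com.au>", None),
        ("Jane Smith <jane.smith@gmail.com>", None),
        ("CFO <cfo@exampel.com.au>", None),
        ("Accounts Payable <ap@buildco.com>", "ap@buildco-invoices.com"),
    ]
    for frm, rt in samples:
        print(frm, "->", check_sender(frm, rt) or ["no flags"])
```

Note what this cannot catch: the Victorian case above came from the supplier's genuine account, which passes every one of these checks. Sender analysis narrows the field; the out-of-band verification described further down is what actually stops the payment.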
How to Reduce your Risk of BEC
Use Multi-Factor Authentication (MFA)
Enable MFA on every email account and on systems such as Microsoft 365 so that a stolen or guessed password alone is not enough to take over a mailbox. Where you can, prefer phishing-resistant methods (FIDO2 security keys or passkeys): SMS codes and push approvals can be relayed by a real-time phishing proxy or worn down by repeated prompts.
Train Your Team
Regular cyber security training helps staff recognise impersonation and verify suspicious requests. Use our Scan for S.C.A.M framework to double check suspicious emails.
Strengthen Email Security
Have IT deploy email filtering, publish SPF, DKIM and DMARC records for your own domains with DMARC set to enforce (p=quarantine or p=reject, not p=none), and make sure your inbound gateway honours other senders’ DMARC policies so mail spoofing their exact domain is rejected. These controls stop exact-domain spoofing only; they do nothing against a lookalike domain or, as in the case above, a message sent from a supplier’s genuine compromised account, so they complement rather than replace the verification steps below.
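The gap between "we have SPF and DMARC" and "they actually block spoofed mail" is in the record details. The following added example (written for this page, not Phriendly Phishing's or any vendor's code) assesses SPF, DMARC and DKIM TXT records and shows a weak configuration beside its corrected form. The records are constructed strings standing in for what `dig TXT example.com.au`, `dig TXT _dmarc.example.com.au` and `dig TXT selector1._domainkey.example.com.au` would return; the domain, selector name and key value are placeholders.

```python
from typing import Dict, List

# Constructed DNS TXT records standing in for real lookups. WEAK_RECORDS is a domain
# that has "set up" email authentication without enforcing it; HARDENED_RECORDS is the
# same domain with settings a receiving mail server can actually act on.
WEAK_RECORDS = {
    "example.com.au": "v=spf1 include:spf.protection.outlook.com ?all",
    "_dmarc.example.com.au": "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
}
HARDENED_RECORDS = {
    "example.com.au": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.com.au": ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                              "rua=mailto:dmarc@example.com.au"),
    # p= carries the public key; this value is a constructed placeholder, not a real key.
    "selector1._domainkey.example.com.au": "v=DKIM1; k=rsa; p=FAKEKEYFORILLUSTRATION",
}

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 allows at most 10).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k2=v2' tag lists used by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> List[str]:
    issues: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    if any(t in ("+all", "all", "?all") for t in terms):
        issues.append("SPF ends in +all/?all: unknown hosts may send as this domain; use -all")
    elif "~all" in terms:
        issues.append("SPF ends in ~all (softfail): spoofed mail is only marked, not rejected; prefer -all")
    elif "-all" not in terms:
        issues.append("SPF has no terminal 'all' mechanism; add -all")
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].split("=")[0] in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        issues.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers treat it as permerror")
    return issues


def assess_dmarc(record: str) -> List[str]:
    issues: List[str] = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers are not told to reject mail failing SPF/DKIM alignment"]
    policy = tags.get("p", "")
    if policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered; move to quarantine, then reject")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to junk; p=reject blocks it outright")
    elif policy != "reject":
        issues.append(f"p={policy!r} is not a valid policy; receivers ignore the record")
    if int(tags.get("pct", "100")) < 100:
        issues.append("pct<100 applies the policy to only a sample of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports and cannot see who spoofs you")
    return issues


def assess_dkim(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1":
        return ["no DKIM record for this selector: signatures cannot be verified"]
    if not tags.get("p"):
        return ["DKIM p= is empty: the key is revoked, so mail signed with this selector fails"]
    return []


def assess_domain(records: Dict[str, str], domain: str, selectors: List[str]) -> Dict[str, List[str]]:
    """Run all three checks against a dict of TXT records keyed by DNS name."""
    return {
        "spf": assess_spf(records.get(domain, "")),
        "dmarc": assess_dmarc(records.get(f"_dmarc.{domain}", "")),
        **{f"dkim:{s}": assess_dkim(records.get(f"{s}._domainkey.{domain}", "")) for s in selectors},
    }


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_domain(recs, "example.com.au", ["selector1"]))
```

Run this against your own domains after swapping the constructed strings for real TXT lookups. A domain stuck at p=none is common: it was set up to collect reports and never moved to enforcement, so it stops nothing.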
Verify Financial Changes
Always confirm changes to payment details or large transfers by phone or face to face, using a number already on file rather than one supplied in the email, even if the request looks legitimate and comes from a known address.
Monitor Accounts Closely
Check for signs of unauthorised access or unusual communication, especially in executive and finance inboxes: sign-ins from unexpected locations or devices, newly created inbox rules that forward, move or delete mail (attackers use these to hide the real supplier’s replies), changed mailbox forwarding, and messages sent from the account that the owner does not recognise.
Limit Financial Authority
Restrict who can approve transactions, and require a second, independent approver for new payees and for any change to bank details, so that a single compromised account or a single rushed employee cannot release funds on their own.
BEC remained the top cyber crime type reported by Australian businesses in 2023–24, at 20% of reports. Every business, big or small, is a target. Education, clear processes, and strong technical controls together keep your people prepared.
Here at Phriendly Phishing, we pride ourselves on staying ahead of the curve by always adding new, relevant, and localised content for our learners.
Discover how Phriendly Phishing can help protect your business and employees from the ever-growing threat of phishing attacks and data breaches.