
Business Email Compromise — How It Happens and How to Stop It

February 8, 2026 · 6 min read

Business email compromise (BEC) is the most financially damaging cybercrime category affecting Australian businesses. Unlike ransomware, which disrupts operations visibly, BEC attacks are often completely invisible — the business continues operating normally while money flows silently to criminal accounts. By the time the fraud is discovered, the transfers may be unrecoverable.

The Two Main Types of BEC

Account compromise: The attacker gains actual access to a legitimate email account through phishing or credential theft. They monitor the account silently — sometimes for weeks or months — for financial communications, then intercept or modify payment instructions at a strategic moment. Because the emails come from the legitimate account, they bypass most technical security filters and appear entirely genuine to recipients.

Domain impersonation: The attacker registers a domain that appears almost identical to yours or your supplier's — replacing characters, adding hyphens, or using a different top-level domain — and sends emails that appear to come from your organisation.

How Much Australian Businesses Lose

The ACCC's Scamwatch and the Australian Cyber Security Centre consistently report that BEC is one of the highest-value cybercrime categories affecting Australian businesses. Average losses per incident for small to medium businesses are typically $50,000 to $500,000. Unlike some other fraud categories, banks have limited ability to reverse transfers once they have cleared, particularly to overseas accounts.

The Warning Signs in an Email

Look carefully at the sender's actual email address, not just the display name. Be suspicious of requests to change payment details that come with a reason that sounds plausible but cannot be easily verified; of unusual urgency ("this payment must be made today"); of requests to keep the matter confidential; and of communications that come from a slightly different address than normal, even if the difference is subtle.

Technical Controls That Work

DMARC, DKIM, and SPF configured correctly prevent criminals from sending mail that claims to be from your exact domain. MFA on all email accounts prevents account takeover even if passwords are stolen. Email security filtering that detects lookalike domains adds another layer, because authentication records for your own domain do nothing against a domain that merely resembles it. And an email banner that clearly marks all external emails — so staff can immediately see that an email from "your CEO" actually comes from an external address — defeats display name spoofing.
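The checks described in the three sections above (lookalike domains, the warning signs in an email, and the external-sender banner) can be expressed as a small gateway or mailbox rule. The following is an added example written for this article, not code from IntrusionX or from any mail product; the organisation domain, supplier domain, staff names and the sample message are all constructed, and the Reply-To check goes one step beyond the text by flagging a reply address whose domain differs from the sender's.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and the supplier
# domains its finance team normally deals with (constructed, not real).
ORG_DOMAIN = "example.com.au"
KNOWN_DOMAINS = {ORG_DOMAIN, "acme-supplies.example"}
# Constructed list of senior staff whose names are typically used in display-name spoofing.
STAFF_NAMES = {"jane citizen", "john smith"}

# The article's warning signs: urgency, a change of payment details, and secrecy.
RED_FLAG_PHRASES = {
    "urgency": r"\b(today|urgent|immediately|asap)\b",
    "payment-change": r"\b(new|updated|changed)\s+(bank|account|payment)\s+details?\b",
    "secrecy": r"\bconfidential\b",
}

# Digits that criminals substitute for letters in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain: str) -> str:
    """Fold the tricks the article describes (swapped characters, hyphens, accents,
    'rn' for 'm') so that a lookalike collapses onto the domain it imitates."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    return d.translate(_HOMOGLYPHS).replace("-", "").replace("rn", "m")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the known domain this one imitates, or None if it is a known domain or
    clearly unrelated. The first label is compared after normalisation, which also
    catches a different top-level domain (example.com vs example.com.au)."""
    if domain in KNOWN_DOMAINS:
        return None
    cand = normalise_domain(domain)
    cand_label = cand.split(".")[0]
    for known in KNOWN_DOMAINS:
        k = normalise_domain(known)
        k_label = k.split(".")[0]
        if cand == k:                                    # identical once folded
            return known
        if _edit_distance(cand_label, k_label) <= 2:     # one or two swapped characters
            return known
        if len(k_label) >= 4 and k_label in cand_label:  # e.g. example-invoices.com
            return known
    return None


def analyse(raw_message: str) -> dict:
    """Inspect From, Reply-To, Subject and body; return the findings a banner or
    quarantine rule would act on."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    findings = []

    if from_domain not in KNOWN_DOMAINS:
        findings.append("external-sender")        # drives the external-mail banner
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike-domain:{imitated}")
    if display_name.strip().lower() in STAFF_NAMES and from_domain != ORG_DOMAIN:
        findings.append("display-name-spoof")     # "your CEO" from an outside mailbox

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to-mismatch")

    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    for label, pattern in RED_FLAG_PHRASES.items():
        if re.search(pattern, text):
            findings.append(f"red-flag:{label}")

    return {"from_domain": from_domain, "display_name": display_name, "findings": findings}


# Constructed sample: a display-name spoof from a lookalike domain asking for a
# confidential, same-day change of bank details.
SAMPLE = """From: Jane Citizen <jane.citizen@examp1e.com.au>
Reply-To: jane.citizen@examp1e.com.au
Subject: Urgent - updated bank details for today's payment
Content-Type: text/plain

Please keep this confidential and process with the new account details today.
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE)["findings"]:
        print(finding)
```

Run against the sample, the rule reports an external sender, a lookalike of example.com.au, a spoofed staff display name, and all three red-flag phrases; an ordinary internal message produces no findings. The point of the design is that each finding maps to one of the article's controls: "external-sender" is what the banner shows, "lookalike-domain" is what the filtering layer blocks, and the red-flag phrases are what the verbal-verification policy exists for.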

The Human Backstop

Critically, a clear internal policy requiring verbal verification of any payment detail changes provides a human backstop even when technical controls are bypassed. This policy must be absolute — no exceptions for urgency, authority, or familiarity with the requester. Train staff that this policy protects both the business and them personally — following the policy gives them protection if fraud later occurs. IntrusionX can implement the full set of BEC protections for your Melbourne business — contact us for a free assessment.

Real-World BEC Losses in Australia

The scale of BEC losses in Australia is significant — the ACCC consistently reports that payment redirection scams (the BEC category) account for the largest dollar losses of any cybercrime type, with individual business losses frequently exceeding $100,000. Melbourne professional services firms, law firms, and real estate agencies are among the most frequently targeted. The combination of high-value transactions and email-based communication makes these sectors disproportionately exposed. Understanding that your business is operating in a sector that is specifically and systematically targeted is the starting point for taking the threat seriously.

Getting Professional Help

Implementing BEC protections correctly — particularly DMARC configuration and Microsoft 365 or Google Workspace security hardening — requires technical expertise. Incorrectly configured DMARC can cause your legitimate business emails to be blocked. IntrusionX can implement the full technical stack of BEC protections for Melbourne businesses, including DMARC, MFA, email security filtering, and external sender warning banners, with testing to confirm everything is working correctly before go-live. Contact us for a free assessment of your current email security posture.
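To make the DMARC caveat above concrete, here is an added example (written for this article, not IntrusionX's tooling or any DMARC vendor's) that reviews a DMARC TXT record for the common mistakes and then uses aggregate-report data to decide whether moving from p=none to an enforcing policy is safe. The records, reporting address and report rows are constructed; the source IP is from the documentation range.

```python
VALID_POLICIES = ("none", "quarantine", "reject")
VALID_ALIGNMENT = ("r", "s")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(record: str) -> list:
    """Return the problems to fix before relying on the record."""
    issues = []
    tags = parse_dmarc(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        issues.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        issues.append(f"p= must be one of {VALID_POLICIES}, got {policy!r}")
    if "rua" not in tags:
        issues.append("no rua= address: without aggregate reports you cannot see "
                      "which legitimate senders enforcement would block")
    elif not all(u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        issues.append("rua= entries must be mailto: URIs")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        issues.append(f"pct= must be 0-100, got {pct!r}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in VALID_ALIGNMENT:
            issues.append(f"{tag}= must be r or s, got {tags[tag]!r}")
    return issues


def enforcement_readiness(report_rows, minimum_pass_rate=0.98) -> dict:
    """Summarise aggregate-report rows (source, count, dkim_aligned, spf_aligned).
    A message passes DMARC when DKIM or SPF passes *and* aligns with the From
    domain; enforce only once nearly all legitimate mail does."""
    total = passing = 0
    failing_sources = {}
    for row in report_rows:
        total += row["count"]
        if row["dkim_aligned"] or row["spf_aligned"]:
            passing += row["count"]
        else:
            failing_sources[row["source"]] = failing_sources.get(row["source"], 0) + row["count"]
    rate = passing / total if total else 0.0
    return {"pass_rate": rate, "failing_sources": failing_sources,
            "ready_to_enforce": rate >= minimum_pass_rate}


# Constructed records: enforcing with no reporting versus a monitored starting point.
WEAK_RECORD = "v=DMARC1; p=reject"
CORRECT_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com.au; "
                  "pct=100; adkim=r; aspf=r")

# Constructed aggregate-report summary for one week of mail claiming to be the domain.
SAMPLE_REPORT = [
    {"source": "Microsoft 365", "count": 940, "dkim_aligned": True, "spf_aligned": True},
    # Legitimate accounting SaaS not yet added to SPF/DKIM: p=reject would block its invoices.
    {"source": "accounting SaaS", "count": 40, "dkim_aligned": False, "spf_aligned": False},
    # Unknown source spoofing the domain: this is what enforcement is meant to stop.
    {"source": "unknown 203.0.113.7", "count": 20, "dkim_aligned": False, "spf_aligned": False},
]

if __name__ == "__main__":
    print("weak:", review_dmarc(WEAK_RECORD))
    print("correct:", review_dmarc(CORRECT_RECORD))
    print(enforcement_readiness(SAMPLE_REPORT))
```

The weak record fails review because it enforces blind; the correct one passes and, with the sample report, shows a 94% aligned pass rate with the accounting platform as the failing legitimate source. That is the signal to fix the platform's SPF/DKIM setup first, then raise the policy, which is the staged rollout the testing before go-live is meant to protect.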
