Business Email Compromise in Australia: How It Works and How to Stop It


Every week, Australian businesses lose money to a scam that does not rely on malware, ransomware, or any technical trickery at all. Business email compromise — known as BEC — works by impersonating someone you trust, sending you an email that looks completely legitimate, and persuading you to transfer money or hand over sensitive information. No attachments. No suspicious links. Just a convincing message from what appears to be a supplier, your CEO, or your lawyer.

It is one of the most financially damaging cybercrime types in the country, and it is disproportionately effective against small and medium-sized businesses precisely because those organisations tend to operate on trust and personal relationships. When you have worked with the same supplier for five years, a request to update their bank details does not set alarm bells ringing — and that is exactly what attackers count on.

This article explains how BEC works, what the warning signs are, and the specific steps your business can take to avoid becoming a statistic.


What Is Business Email Compromise?

Business email compromise is a targeted scam in which an attacker impersonates a trusted party — a CEO, a supplier, a law firm, or a colleague — via email, with the goal of tricking someone into transferring funds or disclosing sensitive information such as payroll data, tax file numbers, or login credentials.

The key characteristic that separates BEC from ordinary phishing or spam is that it is deliberate and researched. Attackers do not spray thousands of identical emails hoping someone clicks a link. Instead, they study their target: they look up the company's structure on LinkedIn, read the CEO's public statements, identify who handles accounts payable, and then craft a message that fits naturally into the target's working context. The email may reference a real project, use the right terminology for your industry, and arrive at a moment when the recipient is busy and less likely to pause and question it.

The Australian Signals Directorate (ASD), which publishes the annual Cyber Threat Report, consistently identifies BEC as one of the top cybercrime types reported by Australian businesses. The financial losses are substantial. According to the ASD's Cyber Threat Report 2022–23, self-reported losses from BEC incidents exceeded $80 million in a single year — and that figure represents only incidents that were actually reported. The real number is considered to be significantly higher, because many businesses are reluctant to disclose that they were defrauded through social engineering rather than a technical breach.

The average loss per BEC incident for Australian businesses sits in the tens of thousands of dollars, with some incidents reaching hundreds of thousands. For an SMB operating on tight margins, a single successful BEC attack can be financially crippling.


How BEC Attacks Work — The Five Main Variants

BEC is not a single technique. It is a category of attacks that share the same social engineering premise but target different people and processes within an organisation. Understanding the main variants helps you identify where your business is most exposed.

CEO and Executive Fraud

This is the variant most people picture when they hear "BEC." The attacker impersonates the CEO, managing director, or another senior executive and sends an urgent email to someone in the finance team requesting a wire transfer. The message often invokes urgency and secrecy: the payment relates to a confidential acquisition, a regulatory matter, or a time-sensitive deal that cannot be discussed with anyone else. The recipient is told the CEO cannot be reached by phone right now and needs this actioned immediately.

The combination of authority (it is coming from the boss), urgency (act now), and secrecy (do not tell anyone) is specifically designed to short-circuit the normal approval process. Employees who would ordinarily check with a colleague before authorising a large payment feel that doing so would be disobeying a direct instruction from management.

A variant of this involves requests for gift cards rather than a bank transfer — a lower-value but still effective approach. The "CEO" asks a staff member to purchase several hundred dollars' worth of gift cards and send the redemption codes back urgently. It sounds absurd in the abstract, but it works repeatedly because the social pressure of an executive's request is powerful.

Invoice Manipulation

In this variant, the attacker targets the accounts payable process rather than a specific individual. They either compromise a genuine supplier's email account or create a convincing look-alike domain, then send a revised invoice or bank detail update on the supplier's behalf. The invoice looks legitimate — the right logo, the right formatting, the right ABN — but the bank account details have been changed to an account the attacker controls.

The victim processes the invoice in good faith and the money lands in the attacker's account. Often the fraud is not discovered until weeks later when the real supplier follows up about a missing payment. By that point, the funds have been moved on and recovery is rarely possible.

This variant is particularly effective because it blends into a routine business process. Finance teams process invoices every day, and the mental energy required to scrutinise each one carefully is not sustainable at scale.

Account Takeover

Account takeover BEC is the most technically sophisticated variant and also the hardest to detect, because there is no impersonation at all. The attacker gains access to a real, legitimate email account within your organisation — typically through phishing, credential stuffing, or a leaked password — and then uses that account to send fraudulent requests.

When the email comes from a genuine account within your company's domain, it will bypass almost every spam and impersonation filter. The sender's name and address are real. The email history and conversation threads are accessible. The attacker can read previous correspondence to understand context, use the right tone, and reference the right projects. For the recipient, there is absolutely nothing visually different about the email.

Account takeover attacks often involve a period of silent reconnaissance. The attacker sits inside an email account for days or weeks, reading emails and building a picture of the business before making their move.

Legal Impersonation

This variant involves the attacker posing as a law firm, barrister, or solicitor who is handling a time-sensitive legal matter on behalf of the target organisation. Common contexts include property settlements, business acquisitions, estate matters, or regulatory compliance requirements. The urgency of a legal deadline — and the implied legal consequences of failing to act — creates powerful pressure to comply quickly.

The email instructs the target to transfer funds to a trust account or escrow account controlled by the attacker. Legal transactions in Australia often involve large sums and unconventional payment timelines, which makes this variant effective at targeting businesses involved in property transactions, acquisitions, or litigation.

Payroll Redirect

This variant targets human resources and payroll teams rather than finance. The attacker impersonates an employee — often using a personal email address that looks similar to their work address, or by accessing the actual work account — and contacts HR to update their bank account details for salary payments.

The request is entirely routine in isolation; employees genuinely do change their bank accounts from time to time. HR teams process payroll redirect requests regularly and may not have a rigorous verification process in place. The attacker simply needs the request to be processed before anyone notices something is wrong.


Why BEC Is So Hard to Detect

If you are wondering how so many intelligent, capable professionals fall for these attacks, the answer lies in understanding the specific conditions BEC is designed to exploit.

Look-alike domains are difficult to spot at a glance. Attackers register domains that differ from legitimate domains by a single character, a transposition, a hyphen, or a top-level domain swap. The difference between @thinkpickle.com.au and @think-pickle.com.au is easy to miss when you are scanning your inbox quickly. Similarly, @pickle.com.au and @pickle.com are different domains entirely, but when an email arrives from what appears to be a familiar name, most people's eyes go to the display name rather than the underlying address.
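As an added illustration of the look-alike patterns just described (example code, not part of the original article or of Pickle's tooling), the following Python script compares a sender's domain against a constructed allow-list of trusted domains and flags hyphen insertion, top-level-domain swaps, single-character edits and adjacent-character transpositions. The domain names reuse the article's thinkpickle/pickle examples; the allow-list, the sample addresses and the simplified handling of .au second-level suffixes are assumptions.

```python
"""Flag sender domains that resemble, but are not, a trusted domain.

Added example, not code from the original article or from Pickle.  The
trusted-domain list and the sample addresses are constructed for
illustration; the domain names reuse the article's thinkpickle/pickle
examples.  A real deployment would load the allow-list from your accounts
or supplier records.
"""
from dataclasses import dataclass

# Constructed allow-list: domains your suppliers and your own business
# genuinely send from.
TRUSTED_DOMAINS = {"thinkpickle.com.au", "pickle.com.au"}

# Second-level suffixes used under .au; assumption: only these are handled.
AU_SECOND_LEVEL = {"com", "net", "org", "edu", "gov", "id", "asn"}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def readable_name(domain: str) -> str:
    """The part of a domain a person actually reads: strip the public suffix
    (.com.au or .com) and any hyphens, so pickle.com.au, pickle.com and
    pick-le.com.au all reduce to 'pickle'."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and labels[-1] == "au" and labels[-2] in AU_SECOND_LEVEL:
        labels = labels[:-2]
    else:
        labels = labels[:-1]
    return ".".join(labels).replace("-", "")


def is_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by two adjacent characters swapped."""
    if len(a) != len(b):
        return False
    diffs = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


@dataclass
class Verdict:
    domain: str
    status: str   # "trusted", "lookalike" or "unrelated"
    reason: str


def classify_sender(address: str) -> Verdict:
    """Compare the sender's domain with every trusted domain.  Exact matches
    (and their subdomains) are trusted; anything that reads the same, or is
    one edit or one transposition away, is a look-alike that needs an
    out-of-band check."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return Verdict(domain, "trusted", "exact match to the allow-list")
    name = readable_name(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        tname = readable_name(trusted)
        if name == tname:
            return Verdict(domain, "lookalike",
                           f"reads the same as {trusted}; suffix or hyphenation differs")
        if is_transposition(name, tname) or levenshtein(name, tname) <= 1:
            return Verdict(domain, "lookalike", f"within one edit of {trusted}")
    return Verdict(domain, "unrelated", "no trusted domain resembles this one")


if __name__ == "__main__":
    # Constructed sample senders, including the article's look-alike cases.
    for addr in ["accounts@thinkpickle.com.au", "accounts@think-pickle.com.au",
                 "ceo@pickle.com", "accounts@thinkpickel.com.au",
                 "invoices@example-supplier.com.au"]:
        v = classify_sender(addr)
        print(f"{addr:40} {v.status:10} {v.reason}")
```

A "lookalike" verdict is a prompt for the out-of-band phone call, not proof of fraud: a genuinely unrelated business can sit one edit away from a supplier's name, which is exactly why the check should trigger verification rather than an automatic block.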

Attackers research their targets thoroughly. LinkedIn profiles disclose organisational hierarchies, including who reports to whom and who handles finance or payroll. Company websites list executives by name. Social media reveals who is travelling, who is at a conference, and when senior staff are likely to be unavailable for a phone call — creating a window of opportunity. The email that arrives when the CEO is at an interstate conference and asks for a payment to be processed before end of business is not coincidental; the attacker has done their homework.

Urgency and secrecy are weaponised. BEC attacks consistently use urgency to compress decision-making time and secrecy to isolate the target from the people who might raise a flag. Both tactics serve the same purpose: to stop the recipient from pausing, questioning, and verifying before acting.

Some attacks come from real accounts. In account takeover scenarios, there is no domain spoofing. The email genuinely originates from within your organisation. Traditional defences — sender verification, spam filtering, external sender warnings — provide no protection because the attack technically passes all those checks.

Spam filters are not designed to catch BEC. Most email security filters look for malicious attachments, known bad links, and spam characteristics. A well-crafted BEC email contains none of those. It is plain text, it comes from a plausible domain, and it reads like a normal business communication. The attack vector is human trust, not technical vulnerability.


Red Flags Every Australian Business Should Know

Knowing what to look for is the first line of defence. The following red flags should trigger a verification call before any action is taken.

Red flag: Unexpected request to change bank account or payment details
Why it matters: Legitimate suppliers rarely change bank details without prior notice; this is the most common entry point for invoice fraud

Red flag: Request to process a payment urgently and without following normal approval steps
Why it matters: Urgency is a manipulation tactic designed to bypass your verification processes

Red flag: Request to keep a payment confidential from colleagues
Why it matters: Secrecy is a deliberate mechanism to prevent verification — a real executive or supplier has no reason to require this

Red flag: Email domain is slightly different from the usual one (hyphen added, different TLD, character swapped)
Why it matters: Attackers register look-alike domains; a one-character difference can be invisible at a glance

Red flag: Supplier contacts you from a new or different email address
Why it matters: Could indicate the attacker has set up a new account rather than compromising the real one

Red flag: Executive requests a wire transfer or gift cards outside of normal business process
Why it matters: Real executives use established payment channels; any deviation is a warning sign

Red flag: Legal or professional contact demands urgent payment before a deadline with serious consequences threatened
Why it matters: Time pressure and legal threats are classic social engineering tactics

Red flag: Employee requests a payroll bank account change via email without any verbal confirmation
Why it matters: A real employee will generally expect a follow-up phone call for a significant change

Red flag: Request to call a new phone number rather than the known contact number
Why it matters: Attacker may control the new number so they can intercept any verification call

Red flag: Email content is consistent but the writing style or greeting differs subtly from normal
Why it matters: Account takeover attackers do their best to mimic an individual's style but often miss subtle cues

How to Protect Your Business from BEC

No single control eliminates BEC risk. Effective prevention requires a layered approach: technical controls to reduce the attack surface, process controls to interrupt the social engineering, and a culture where verification is normal and expected.

Verify Payment Changes Out of Band

The single most effective non-technical control is simple: before acting on any request to change payment details or transfer funds, call the requester on a known phone number and confirm the request verbally. The phone number must come from your records — your contact list, your accounts system, or your supplier's official website — not from the email itself. If the email contains a phone number to call, that number may be controlled by the attacker.

Make this a written policy. Nobody should ever process a change to bank account details or execute an unusual payment based solely on an email instruction, regardless of who that email appears to come from. When the policy is established and documented, employees feel confident saying "I need to call you to confirm this" without worrying they will offend a CEO or lose a supplier relationship. The verification call is simply policy.

Multi-Factor Authentication on Email Accounts

Multi-factor authentication (MFA) is the most important single technical control against BEC because it directly prevents account takeover — the variant where an attacker gains access to a genuine email account and sends fraudulent messages from within your organisation.

If an attacker obtains an employee's email password through phishing or a data breach, MFA means that password alone is not enough to access the account. A second factor — a code from an authenticator app, a hardware key, or a biometric — is required. Without it, the attacker is locked out even with valid credentials.

The ASD's Essential Eight mitigation strategies list MFA as a top-priority control, and for good reason. Enforcing MFA across all email accounts — including shared mailboxes and administrative accounts — should be a baseline requirement for every Australian business. See our detailed guide to multi-factor authentication for implementation steps and common questions.

Email Authentication: SPF, DKIM, and DMARC

Domain spoofing — where an attacker sends email that appears to come from your exact domain — can be prevented through a set of email authentication standards: SPF, DKIM, and DMARC.

SPF (Sender Policy Framework) defines which mail servers are authorised to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails that receiving servers can verify. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties these together by telling receiving mail servers what to do when a message fails authentication — reject it, quarantine it, or report it.

In plain language: a properly configured DMARC policy means that if an attacker tries to send an email that appears to come from your domain (say, [email protected]) but is sent from their own infrastructure, the receiving mail server will detect that the message is fraudulent and either refuse to deliver it or send it to spam. This protects both your staff from impersonation attempts against them, and your suppliers and clients from attackers impersonating your business.
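To make the SPF and DMARC side of this concrete, here is an added Python example (not from the article or from Pickle) that parses SPF and DMARC TXT records and reports the settings that leave a domain open to spoofing: a permissive "+all" or missing "all" mechanism in SPF, and "p=none", a partial "pct=" or no reporting address in DMARC. The records below are constructed samples; in practice you would first fetch the TXT records for your domain and its _dmarc subdomain with a DNS lookup. DKIM is not covered because checking it means verifying signatures on actual messages rather than reading a record.

```python
"""Assess SPF and DMARC records for settings that leave a domain spoofable.

Added example, not code from the original article or from Pickle.  It works
on record strings you paste in (constructed samples below) rather than
querying DNS, so it runs offline; in practice you would fetch the TXT
records for yourdomain and _dmarc.yourdomain first.
"""
import re
from dataclasses import dataclass

SEVERITY_ORDER = ["ok", "info", "low", "medium", "high"]

# Terms in an SPF record that cost a DNS lookup.  RFC 7208 caps these at 10,
# counted through nested includes; this check counts only the record given.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=")


@dataclass
class Finding:
    severity: str   # "high", "medium", "low" or "info"
    message: str


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "no valid SPF record: receivers cannot tell which servers may send for this domain")]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("high", "no 'all' mechanism: senders not listed are neither passed nor failed"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("high", "'+all' authorises every server on the internet to send as this domain"))
        elif qualifier == "?":
            findings.append(Finding("high", "'?all' is neutral: unlisted senders are not failed"))
        elif qualifier == "~":
            findings.append(Finding("low", "'~all' is softfail; '-all' is stronger once DKIM and DMARC are in place"))
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} lookup-incurring terms exceeds the limit of 10; receivers treat the record as an error"))
    return findings


def assess_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "no DMARC record: receivers get no instruction for mail that fails SPF/DKIM alignment")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "p=none is monitor-only: spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("low", "p=quarantine sends failures to spam; p=reject refuses delivery outright"))
    elif policy != "reject":
        findings.append(Finding("high", f"missing or unrecognised policy tag p={policy!r}"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(Finding("medium", "pct= is not a number; treating it as 100"))
    if pct < 100:
        findings.append(Finding("medium", f"pct={pct}: the policy is applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua= address: you receive no aggregate reports and cannot see who is spoofing you"))
    if "sp" not in tags:
        findings.append(Finding("info", "no sp= tag: subdomains inherit p=, which is fine if intended"))
    return findings


def highest_severity(findings) -> str:
    """Worst severity present, or 'ok' when there are no findings."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="ok")


# Constructed sample records (example.com.au / example.net are placeholders).
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
GOOD_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com.au; pct=100"

if __name__ == "__main__":
    for label, record, check in [("SPF weak", WEAK_SPF, assess_spf), ("SPF good", GOOD_SPF, assess_spf),
                                 ("DMARC weak", WEAK_DMARC, assess_dmarc), ("DMARC good", GOOD_DMARC, assess_dmarc)]:
        findings = check(record)
        print(f"{label}: {highest_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The weak and good pairs show the practical difference: "+all" and "p=none" both mean a message forged from your domain is still delivered, while "-all" with "p=reject" gives receiving servers a clear instruction to refuse it.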

Many Australian SMBs have never configured SPF, DKIM, or DMARC, leaving their domains available for spoofing. Our dedicated guide on email security (SPF, DKIM and DMARC) walks through what each record does and how to get them set up correctly.

Staff Training and a Verification Culture

Technical controls protect the infrastructure. A verification culture protects the people.

Staff training for BEC is not about teaching employees to recognise malicious attachments or suspicious links. It is about helping them understand how social engineering works — specifically, how urgency, authority, and secrecy are used to bypass normal judgment — and giving them permission to slow down and verify before acting.

The cultural component is often overlooked. An employee who receives an apparently urgent request from the CEO may hesitate to call back because they do not want to be seen as difficult or inefficient. Organisations need to explicitly communicate that verification is valued, not criticised. Senior leadership needs to model this by supporting a culture where it is completely acceptable — indeed required — to call and confirm before executing an unusual financial instruction.

Security awareness training should be conducted regularly, not as a one-off event. Threat tactics evolve, and staff turnover means new employees may not be aware of the risks. Quarterly or biannual training, supplemented by simulated phishing exercises, builds and maintains the right habits over time.

Dual Authorisation for Payments

Process controls provide a backstop when social engineering succeeds against one person. Requiring two separate approvers for any payment above a defined threshold — or for any change to bank account details — means a single employee cannot be the sole point of failure.

Dual authorisation should extend to payroll changes: any update to an employee's bank account details for salary payments should require confirmation from both HR and the employee's line manager, along with verbal confirmation from the employee using a known contact number.

The threshold for requiring dual authorisation will vary by business size and transaction volume. The important principle is that the approval process is genuinely independent — both approvers should review the request separately, not simply rubber-stamp a decision the first approver has already made.

Email Filtering and Anti-Impersonation Tools

Modern email security platforms — including the advanced security tiers available in Microsoft 365 and Google Workspace — include anti-impersonation features that go well beyond basic spam filtering. These tools can flag emails from look-alike domains, warn recipients when an external sender is impersonating an internal staff member's display name, and apply extra scrutiny to emails that contain payment-related language alongside external sender origins.

Banner warnings on emails from external senders — particularly those that appear to be from within the organisation — are a low-cost, high-visibility control. When an email arrives that looks like it comes from your CEO but is actually from an external domain, a clearly visible warning prompts the recipient to pause before acting.

These tools are not foolproof, particularly against account takeover scenarios where the email genuinely originates internally. But they substantially raise the cost of attacks that rely on look-alike domains or display name spoofing.


What to Do If Your Business Has Been Targeted

If you suspect a BEC attempt — or have already transferred funds in response to a fraudulent request — speed is critical. Every hour matters for fund recovery.

Step 1: Do not complete the transfer if you catch it in time. If the payment has not yet been processed, place an immediate hold on it and do not proceed until the request has been verified through independent channels.

Step 2: Contact your bank immediately. If funds have already been transferred, call your bank's fraud line as a matter of urgency — not the general customer service line. Many banks have mechanisms to recall or freeze a transfer if they are notified quickly enough, particularly if the receiving account is also held at an Australian institution. SWIFT recall processes exist for international transfers, though success rates are lower. Do not delay this call for any reason.

Step 3: Report the incident to the ACSC via ReportCyber. ReportCyber is available at reportcyber.gov.au. Reporting serves two purposes: it creates an official record of the incident (which may be required by your insurer), and it helps the ACSC identify patterns and advise other businesses. You can also contact the ACSC's Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).

Step 4: Preserve all evidence. Do not delete emails, and do not attempt to "clean up" the conversation. The email headers, message content, and timeline of events will be needed by your bank, your insurer, and potentially law enforcement. Take screenshots and export the relevant emails before anything is altered.

Step 5: Notify your IT provider and assess whether any account was compromised. If the attack involved what appeared to be an internal email, there is a possibility that a real account within your organisation has been accessed. Your IT provider should review login logs, look for signs of unauthorised access, and change credentials for any accounts that may be involved. See our guide to cyber incident response for a comprehensive framework.

Step 6: Consider your Notifiable Data Breach obligations. Under the Privacy Act 1988, Australian organisations that hold personal information are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm. If a compromised email account contained personal information about staff, clients, or customers, you may have notification obligations. If you are uncertain, seek legal advice promptly.
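For Step 5, this added Python example (not from the article or from Pickle) shows the kind of sign-in log review an IT provider would run: it builds each user's baseline countries from a constructed sample export, then flags later successful sign-ins that lack MFA, come from a country the user has never signed in from, or follow a burst of failed attempts from the same address (the trace that credential stuffing leaves behind). The log format, the addresses, the "XX" country placeholder and the baseline cut-off are all constructed assumptions; real Microsoft 365 or Google Workspace exports have their own field names and must be mapped to these six fields first.

```python
"""Review sign-in events for the signs of account takeover named in Step 5.

Added example, not code from the original article or from Pickle.  The log
format below is constructed (timestamp,user,source_ip,country,result,mfa)
and is not the native format of Microsoft 365 or Google Workspace sign-in
logs; map those exports to these six fields before running it.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export.  203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges; "XX" stands in for any country outside
# the user's normal pattern.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z,j.smith@example.com.au,203.0.113.10,AU,success,yes
2024-03-04T09:15:40Z,a.lee@example.com.au,203.0.113.22,AU,success,yes
2024-03-05T08:05:02Z,j.smith@example.com.au,203.0.113.10,AU,success,yes
2024-03-06T02:41:09Z,j.smith@example.com.au,198.51.100.77,XX,failure,no
2024-03-06T02:41:31Z,j.smith@example.com.au,198.51.100.77,XX,failure,no
2024-03-06T02:41:55Z,j.smith@example.com.au,198.51.100.77,XX,failure,no
2024-03-06T02:42:20Z,j.smith@example.com.au,198.51.100.77,XX,success,no
2024-03-06T08:01:50Z,a.lee@example.com.au,203.0.113.22,AU,success,yes
"""
# Events up to this time build each user's "normal" countries; later
# events are the ones under review (assumed cut-off for the sample).
BASELINE_END = datetime(2024, 3, 5, 23, 59, 59)


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool
    mfa: bool


@dataclass
class Finding:
    user: str
    ts: datetime
    reason: str


def parse_log(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result, mfa = line.split(",")
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user, ip, country, result == "success", mfa == "yes"))
    return events


def review_sign_ins(events: list, baseline_end: datetime, failure_burst: int = 3) -> list:
    """Flag, for events after baseline_end: successful sign-ins without MFA,
    first sign-ins from a country the user never used during the baseline,
    and a success that follows a run of failures from the same address."""
    baseline = defaultdict(set)
    for e in events:
        if e.ts <= baseline_end and e.success:
            baseline[e.user].add(e.country)

    findings = []
    failures = defaultdict(int)   # (user, ip) -> consecutive failed attempts
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.user, e.ip)
        if not e.success:
            failures[key] += 1
            continue
        if e.ts > baseline_end:
            if not e.mfa:
                findings.append(Finding(e.user, e.ts, "successful sign-in without MFA"))
            if e.country not in baseline[e.user]:
                findings.append(Finding(e.user, e.ts, f"first successful sign-in from country {e.country}"))
            if failures[key] >= failure_burst:
                findings.append(Finding(e.user, e.ts,
                                        f"success after {failures[key]} failures from {e.ip} (password guessing pattern)"))
        failures[key] = 0   # a success ends the current run of failures
    return findings


if __name__ == "__main__":
    for f in review_sign_ins(parse_log(SAMPLE_LOG), BASELINE_END):
        print(f"{f.ts.isoformat()}  {f.user}  {f.reason}")
```

In the sample, every finding lands on the one account that signed in without MFA from an unfamiliar country after three failed attempts; that account is the one whose credentials should be reset and whose sent items and mailbox rules should be reviewed, while the other user's routine sign-ins produce no noise.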


BEC and Cyber Insurance

Cyber insurance and crime insurance policies may cover BEC losses, but the specifics vary significantly between policies and insurers. Some policies treat BEC losses as a cybercrime event; others classify them under social engineering fraud, which may be a separate coverage category with its own sublimit.

There are several important considerations for Australian businesses.

First, many cyber insurance policies now require specific technical controls to be in place as a condition of coverage. MFA on email accounts and DMARC configuration are increasingly listed as minimum security requirements. If your business does not have these controls in place when a claim is lodged, the insurer may have grounds to reduce or deny the claim.

Second, coverage limits for social engineering and funds transfer fraud vary widely. A policy might have a $10 million cyber liability limit but only a $100,000 sublimit for funds transfer fraud losses. Read your policy carefully and discuss the specific coverage with your broker.

Third, timely reporting is generally a condition of coverage. Most policies require you to notify the insurer within a defined period after discovering the loss. Do not delay reviewing your policy after an incident.

If you are reviewing your insurance position, your broker should be asked specifically whether BEC and funds transfer fraud are covered, what the applicable limits are, and what technical controls are required to maintain coverage.


How Pickle Helps Australian Businesses Prevent BEC

Business email compromise is a people-and-process problem, but the controls that significantly reduce your exposure are technical ones — and they require correct configuration, ongoing monitoring, and regular training to be effective.

Pickle's managed IT services for Australian SMBs, strata buildings, and commercial properties include the specific controls that address BEC risk.

We configure Microsoft 365 environments with DMARC, DKIM, and SPF properly set up so your domain cannot be spoofed against you or your clients. We enforce MFA across all user accounts, including shared mailboxes and administrator accounts that are often left unsecured. We configure Microsoft Defender for Office 365's anti-impersonation policies, which flag look-alike sender domains and warn recipients when an external sender is attempting to appear as a known internal contact.

We also deliver staff security awareness training that is specific to the threat landscape Australian SMBs face — not generic global content, but training that addresses the BEC variants most likely to target your industry and your size of business. And we provide ongoing monitoring so that if a suspicious login or unusual email activity occurs, we can identify and respond to it before it becomes a damaging incident.

BEC losses are largely preventable with the right controls in place. If your business has not reviewed its email security configuration, MFA status, or payment verification processes recently, now is the time.

To talk through your current setup and where your exposure may lie, call Pickle on 1300 688 588 or email [email protected].


Frequently Asked Questions

Q: Is BEC the same as phishing?

A: They are related but not the same. Phishing is a broad category of attacks that use deceptive emails to steal credentials or deliver malware, usually at scale — the same message sent to thousands of recipients. BEC is a targeted subset of email fraud that does not necessarily involve malicious links or attachments at all. The goal of BEC is to persuade a specific person to transfer money or disclose information, using social engineering rather than technical exploitation. That said, phishing is often used as a precursor to BEC — specifically to steal email credentials that then enable an account takeover attack.

Q: Can BEC happen even if we have antivirus software?

A: Yes. Antivirus software is designed to detect malicious code — viruses, ransomware, trojans, and similar threats. A BEC email typically contains none of these. It is a plain-text email with no malicious attachment and no malicious link. There is nothing for antivirus software to flag. The attack is entirely social: its goal is to manipulate a person's behaviour, not to compromise a system. This is why the effective controls for BEC are process-based (verification policies, dual authorisation) and email-authentication-based (DMARC, anti-impersonation tools) rather than antivirus-based.

Q: How do attackers know who handles payments in our business?

A: Most of this information is publicly available. LinkedIn profiles reveal job titles and responsibilities — "accounts payable officer," "finance manager," and similar roles are regularly listed. Company websites may name key staff. Social media accounts can reveal team structures, office locations, and even when senior staff are travelling or at conferences. Attackers are patient researchers. They may spend days or weeks studying a target organisation before sending a single email, ensuring the message is credible and arrives at a moment of vulnerability.

Q: Is a business liable if an employee is tricked into transferring money?

A: This is a complex legal question that depends on the specifics of each situation, and Australian businesses should seek legal advice for their particular circumstances. Generally speaking, businesses are not automatically immune from liability simply because a fraud was committed by a third party. Whether a bank will recover or compensate for a fraudulent transfer depends on the speed of notification, the bank's fraud policies, and whether reasonable security practices were in place. Some cyber insurance policies cover BEC losses, but coverage depends on the policy terms and whether required technical controls were implemented. The clearest path is prevention: with the right controls in place, the question of liability is far less likely to arise.

Q: What is the first thing to do if we suspect a BEC attempt?

A: Stop the payment if it has not been made. If you receive a request that triggers any of the red flags described in this article — unusual urgency, a request to change bank details, a slightly unfamiliar email address, a demand for secrecy — do not act on the email. Pick up the phone and call the person it claims to be from using a phone number you already have on record (not a number provided in the email). If the payment has already been made, contact your bank's fraud team immediately — speed is critical for fund recovery. Then follow the steps outlined in the "What to Do If Your Business Has Been Targeted" section above.