Business Email Compromise: The $50,000 Email
Last month, a Sydney construction company paid $148,000 to a supplier. Except it wasn’t their supplier. It was a criminal who’d been watching their email for weeks.
This is business email compromise, or BEC. It’s not technically sophisticated. There’s no malware, no ransomware, no dramatic ransom note. Just a convincing email from what looks like a trusted contact, asking for a routine payment to updated bank details.
And it’s costing Australian businesses more money than any other form of cybercrime.
How BEC Actually Works
There’s a common pattern. Understanding it is the first step to stopping it.
Step 1: Gain access
The attacker gets into someone’s email account. Usually through phishing (a fake login page), credential stuffing (reused passwords from other breaches), or malware. If there’s no MFA, this is often trivially easy.
Sometimes they don’t even need access to your email - they compromise a supplier’s account instead.
Step 2: Watch and learn
This is what makes BEC so effective. The attacker doesn’t act immediately. They read emails. They learn who pays whom, when payments are due, how communications are structured, who approves what.
They might spend weeks in an inbox, invisible, just learning.
Step 3: Strike at the right moment
When a legitimate payment is coming due, the attacker sends an email. It might be:
- From a compromised account (legitimate sender, attacker controlling it)
- From a spoofed address (looks similar at a glance)
- From a fake domain (microsoftsupport.com instead of microsoft.com)
The email is perfectly timed, refers to a real transaction, uses the right tone, and asks for bank details to be updated. It looks normal because it’s based on weeks of research.
Step 4: Money disappears
The victim updates their records and makes the payment. The money goes to an account controlled by the attacker. By the time anyone realises, the money has been moved through multiple accounts and often overseas.
Recovery is rare. Banks can sometimes freeze funds if you act within hours, but usually it’s gone.
Why Small Business Is Especially Vulnerable
Large enterprises have treasury systems, payment controls, segregation of duties. Small businesses often have:
- One person who handles accounts payable
- Informal approval processes
- Direct relationships with suppliers (making impersonation easier)
- Less sophisticated email security
- No MFA on email accounts
The ACSC reports BEC as one of the top cyber threats to Australian businesses, with total losses in the hundreds of millions annually. And those are just reported cases.
Real Examples (Details Changed)
The invoice redirect
A Melbourne professional services firm received an email from their regular IT supplier noting updated bank details. The email came from the supplier’s actual account (which had been compromised). The firm paid $35,000 before the real supplier called asking where their payment was.
The CEO fraud
A Perth retail business owner was travelling when their CFO received an “urgent” email appearing to be from the owner, asking for an immediate $80,000 transfer for a “confidential” matter. The email actually came from a slightly misspelled domain. The CFO, not wanting to question the boss, made the transfer.
The property scam
A Brisbane couple about to settle on a house received an email from their conveyancer with bank details for the deposit. The email looked perfect - same signature, same formatting. They transferred $120,000. The conveyancer’s email had been compromised, and the attackers had been waiting for exactly this moment.
How to Protect Your Business
1. Enable MFA on all email accounts
This is fundamental. If attackers can’t get into email accounts, most BEC attacks fail. MFA isn’t perfect (attackers can sometimes bypass it with sophisticated phishing), but it stops the majority of attempts.
2. Establish verbal verification procedures
Any request to change bank details - from suppliers, from clients, from anyone - must be verified by phone using a number you already have on file. Not a number from the email. Not the number that just called you. A number you independently look up.
Make this policy absolute. No exceptions for urgency, seniority, or relationship.
3. Implement payment approval controls
No single person should be able to authorise payments above a certain threshold without review. Segregation of duties isn’t just for large enterprises - it’s a control that works.
4. Check email domains carefully
Train your team to actually look at sender addresses. Not the display name - the actual email address. Look for slight misspellings: companynamee.com, companyname-au.com, cornpanyname.com (that’s an ‘r’ and an ‘n’ instead of an ‘m’).
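As an added illustration of what “look at the actual address” means in practice (this is example code written for this article, not a tool from any vendor), the script below parses a From header, separates the display name from the real address, and compares the sender’s domain against the supplier domains you keep on file using the three patterns above: an extra letter, an added suffix, and confusable characters. It also catches the related trick where an on-file address is placed in the display name while the real address is something else. The allow-list, the confusable pairs and the two-edit threshold are assumptions chosen for the example.

```python
"""Flag sender domains that look like, but are not, a supplier domain you have on file."""
from email.utils import parseaddr

# Constructed allow-list: the supplier domains you already have on file.
KNOWN_DOMAINS = {"companyname.com"}

# Character sequences that read the same at a glance (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# How many single-character edits away still counts as a lookalike (assumption).
MAX_EDITS = 2


def normalise(domain):
    """Lower-case and collapse confusable sequences so 'cornpany' compares as 'company'.
    This is a heuristic: a domain that legitimately contains 'rn' is altered too."""
    d = domain.lower().rstrip(".")
    for seq, single in CONFUSABLES:
        d = d.replace(seq, single)
    return d


def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_label(domain):
    """'companyname-au.com' -> 'companyname-au' (the part a reader actually looks at)."""
    return domain.split(".")[0]


def check_sender(from_header, known=KNOWN_DOMAINS):
    """Return (verdict, reason). Verdicts are 'known', 'lookalike' or 'unknown'."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown", "no parseable address"
    domain = addr.rpartition("@")[2].lower()
    if domain in known:
        return "known", f"{domain} is on file"

    # Display-name spoof: the on-file address appears in the name, the real address differs.
    for k in known:
        if k in display.lower():
            return "lookalike", f"display name mentions {k} but the address is {domain}"

    for k in known:
        if normalise(domain) == normalise(k):
            return "lookalike", f"{domain} uses confusable characters for {k}"
        if edit_distance(domain, k) <= MAX_EDITS:
            return "lookalike", f"{domain} is within {MAX_EDITS} edits of {k}"
        kb, db = base_label(k), base_label(domain)
        if kb in db and db != kb:
            return "lookalike", f"{domain} embeds the on-file name {kb}"
    return "unknown", f"{domain} is not on file"


if __name__ == "__main__":
    # Constructed sample headers covering each pattern discussed above.
    samples = [
        "Accounts <accounts@companyname.com>",
        "Accounts <accounts@companynamee.com>",
        "Accounts <accounts@companyname-au.com>",
        "Accounts <accounts@cornpanyname.com>",
        '"accounts@companyname.com" <x@example.net>',
        "Someone <someone@example.org>",
    ]
    for header in samples:
        verdict, reason = check_sender(header)
        print(f"{verdict:9} {header:45} ({reason})")
```

A verdict of “unknown” is not a pass: a supplier writing from an address that is not on file should trigger the same phone verification as a lookalike, using the number you already hold.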
5. Be suspicious of urgency
Attackers create urgency to prevent careful thinking. Any email that demands immediate action should trigger caution, not compliance.
6. Configure email security features
Enable anti-spoofing protection in Microsoft 365 or Google Workspace. Configure DMARC to help receiving servers reject spoofed emails from your domain (and make it harder for attackers to impersonate you to your clients).
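As an added example of what that DMARC configuration looks like (constructed for this article, with companyname.com as a placeholder domain and the report mailbox as an assumption), here is the DNS TXT record in its monitoring form and in its enforcing form:

```dns
; Weak: monitor only. Receivers send you failure reports but still deliver mail that
; fails SPF/DKIM alignment, so a spoofed message from your domain still lands.
_dmarc.companyname.com.  IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@companyname.com"

; Enforcing: receivers that honour DMARC reject mail failing alignment; adkim=s and
; aspf=s require the DKIM-signing domain and SPF domain to match your domain exactly.
_dmarc.companyname.com.  IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@companyname.com; adkim=s; aspf=s"
```

Start at p=none to collect reports, fix any legitimate sender (a billing platform, a marketing tool) that fails alignment, then move to p=quarantine and finally p=reject. Note what DMARC does not do: it only governs mail claiming to be from your own domain, so it does nothing about a lookalike domain an attacker has registered or about a supplier’s genuinely compromised account. That is why the address check in step 4 and the phone verification in step 2 still matter.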
7. Review mailbox rules regularly
Attackers often create email rules to hide their activity - forwarding certain emails to themselves, deleting confirmation messages. Audit mailbox rules periodically.
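To show what such an audit looks for, here is an added example (my code, not a feature of Microsoft 365 or Google Workspace) that runs over a constructed export of three inbox rules. The field names in the sample records are assumptions standing in for whatever your mail platform’s rule export produces; the patterns it flags are the ones named above: forwarding outside the organisation, matching payment-related subjects, deleting or hiding matches, and rules with near-empty names.

```python
"""Flag mailbox rules with the shapes attackers use to hide BEC activity."""

# Domains the organisation owns (constructed); anything else counts as external.
INTERNAL_DOMAINS = {"companyname.com"}

# Subject words an attacker filters on to capture only the money conversation (assumption).
PAYMENT_KEYWORDS = {"invoice", "payment", "bank", "remittance", "wire", "transfer"}

# Folders a rule can move mail into where the owner is unlikely to ever look.
HIDDEN_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "conversation history"}

# Constructed sample export of three rules. The keys are my assumption, not a vendor schema.
SAMPLE_RULES = [
    {"mailbox": "accounts@companyname.com", "name": "Archive newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to": "Archive"}},
    {"mailbox": "accounts@companyname.com", "name": ".",
     "conditions": {"subject_contains": ["invoice", "payment", "bank details"]},
     "actions": {"forward_to": ["collector@example.net"], "delete": True, "mark_read": True}},
    {"mailbox": "ceo@companyname.com", "name": "Finance to assistant",
     "conditions": {"from": ["finance@companyname.com"]},
     "actions": {"forward_to": ["assistant@companyname.com"]}},
]


def is_external(address):
    """True when the address's domain is not one the organisation owns."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_rule(rule):
    """Return a list of findings for one rule; an empty list means nothing looked off."""
    findings = []
    conditions = rule.get("conditions", {})
    actions = rule.get("actions", {})

    # 1. Forwarding or redirecting outside the organisation: copies of the inbox leave with it.
    for target in actions.get("forward_to", []) + actions.get("redirect_to", []):
        if is_external(target):
            findings.append(f"forwards to external address {target}")

    # 2. Conditions keyed on payment language: the attacker only wants the money thread.
    words = {w.lower() for phrase in conditions.get("subject_contains", []) for w in phrase.split()}
    if words & PAYMENT_KEYWORDS:
        findings.append("matches payment-related subjects")

    # 3. Hiding matches so the owner never sees a supplier query or a bank confirmation.
    if actions.get("delete") or actions.get("move_to", "").lower() in HIDDEN_FOLDERS:
        findings.append("deletes or moves matching mail out of sight")
    if actions.get("mark_read"):
        findings.append("marks matching mail as read")

    # 4. Names like "." or "," are chosen to be invisible in the rules list.
    name = rule.get("name", "").strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        findings.append(f"suspiciously short or blank rule name {name!r}")
    return findings


def audit_rules(rules):
    """Run audit_rule over an export and keep only the rules with findings, worst first."""
    flagged = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            flagged.append({"mailbox": rule["mailbox"], "name": rule["name"], "findings": findings})
    flagged.sort(key=lambda r: len(r["findings"]), reverse=True)
    return flagged


if __name__ == "__main__":
    for hit in audit_rules(SAMPLE_RULES):
        print(f"{hit['mailbox']}  rule {hit['name']!r}")
        for finding in hit["findings"]:
            print(f"   - {finding}")
```

Only the second rule is reported, for all four reasons at once; the internal forward from the CEO’s mailbox and the newsletter archive rule are left alone. In practice, an external forwarding rule on an accounts-payable mailbox is worth a phone call to the mailbox owner on its own, even with no other finding.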
If You Think You’ve Been Hit
Act immediately. Time matters.
- Contact your bank. If the transfer was recent (within hours), they may be able to freeze or reverse it. Call, don’t email.
- Contact the receiving bank. If you know where the money went, call them too. They might be able to freeze the receiving account.
- Report to police. Use the Australian Cyber Crime Online Reporting Network (cyber.gov.au). This probably won’t get your money back, but it builds intelligence that helps others.
- Determine how the compromise occurred. Was your email hacked? Your supplier’s? How did they get the information they needed?
- Notify affected parties. If your account was compromised, your contacts need to know. They might be targeted next.
- Review your insurance. Some cyber policies cover BEC losses. Check your coverage and start a claim if applicable.
The Awkward Truth
Here’s what nobody wants to admit: BEC attacks succeed because of human error and process failures. There’s no technical magic that completely prevents them.
The emails are often legitimate (from a compromised real account). The requests are reasonable (payment for a real invoice). The timing is perfect (aligned with real business).
Technical controls help. MFA helps a lot. But ultimately, preventing BEC requires:
- Clear policies about payment verification
- A culture where questioning unusual requests is normal, not rude
- Training that’s specific to BEC, not just generic “security awareness”
- Regular reminders that this threat is real and ongoing
It’s not as exciting as stopping ransomware. But for many Australian businesses, it’s a bigger risk.
One email, one mistake, $50,000 gone. That’s the reality of BEC.
Don’t let it happen to you.