Business Email Compromise Is Still the Biggest Threat to Australian SMBs
Everyone’s talking about AI-powered attacks and sophisticated ransomware, but the reality for Australian small and medium businesses is far more mundane. Business email compromise (BEC) is still the number one way cybercriminals are stealing money from SMBs, and it’s not even close.
According to the Australian Cyber Security Centre, BEC scams cost Australian businesses over $98 million in 2024. That’s more than ransomware, more than data breaches, more than every fancy zero-day exploit combined. And the average loss per incident? Around $64,000. For most SMBs, that’s a company-ending amount of money.
What Actually Happens in a BEC Attack
The attack is almost boring in its simplicity. A criminal compromises someone’s email account, usually through phishing or credential stuffing. They sit quietly in that account for days or weeks, learning how the business operates. They watch invoice patterns, payment schedules, and who approves what.
Then they strike. An email goes out that looks completely legitimate because it comes from a legitimate account: right signature, right tone, often a reply inside a real thread. (When the attacker doesn't hold a real account, they use a lookalike domain or a forged reply-to address instead, which is why the verification controls below apply either way.) The finance person receives what appears to be a routine request from their boss or a supplier to change bank details for an upcoming payment. The money gets transferred. The criminals disappear.
By the time anyone realises what's happened, the funds are usually long gone, laundered through a chain of mule accounts across several countries. Recovery rates are dismal and the odds fall by the hour: if you discover a payment has gone to the wrong account, call your bank immediately to attempt a recall and report it through ReportCyber at cyber.gov.au. Even then, most businesses lose the entire amount.
Why SMBs Are Particularly Vulnerable
Small and medium businesses are prime targets for BEC because they have money to steal but often lack the security controls of larger enterprises. You might have five or ten people with access to financial systems. You probably don’t have a dedicated security team. Multi-factor authentication might not be enforced across all accounts.
The criminals know this. They favour businesses of roughly that size, the 20 to 200 employee range, where individual payments are large enough to be worth the effort but sign-off is often one person and an email.
Australian SMBs face an additional challenge: timezones. Many BEC crews operate from overseas and time their emails to land when verification is hardest. A Friday afternoon request for an urgent payment before the weekend is a classic approach, as is a message from the "CEO" who is conveniently travelling and can't take a call.
The ASD Essential Eight Actually Works
Here's the good news: the Australian Signals Directorate's Essential Eight is a baseline of mitigation strategies against the most common intrusion techniques, and the account-takeover half of a BEC attack is exactly what it targets. You don't need expensive consultants or complicated tools. You need to implement eight fundamental controls properly, and pair them with a payment-verification process, because no technical control stops a finance officer acting on a convincing email from a lookalike domain.
For BEC specifically, focus on these four:
Multi-factor authentication on everything. Every email account, every financial system, every admin panel. No exceptions. MFA won't stop someone stealing a password, but it stops the password alone being enough to get in. Know its limits: SMS codes and app prompts can be relayed by adversary-in-the-middle phishing kits and worn down by push bombing, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which the Essential Eight maturity model now requires from Maturity Level Two.
Application control. Prevent unauthorised software from running on business systems. Some BEC intrusions start with an infostealer that harvests saved browser passwords and session cookies; if the malware can't execute, it can't steal anything. Application control does nothing about a password typed into a phishing page, which is why it sits alongside MFA rather than replacing it.
Patch applications and operating systems. Vulnerabilities in email clients and operating systems are common entry points. Automated patching removes most of these risks with minimal effort.
Regular backups. While backups won’t prevent BEC directly, they ensure business continuity if you do get hit with a follow-on ransomware attack after the initial compromise.
Practical Steps You Can Take This Week
Stop reading and implement these controls immediately:
Enforce MFA on all email accounts. Microsoft 365 and Google Workspace both make this straightforward. There’s no legitimate reason not to have this enabled in 2026.
Create verification procedures for payment changes. Any request to change banking details for a supplier or employee must be verified through a separate communication channel. Call the person on a known number. Walk over to their desk. Never verify via email alone.
Set up banking rules for large transfers. Configure your bank accounts to require dual authorization for payments over a certain threshold, perhaps $10,000 or $20,000 depending on your business.
Train your team on BEC tactics. Everyone who handles payments needs to understand how these attacks work. Run realistic simulations. Make it okay for people to question suspicious requests.
Review email forwarding rules regularly. Once inside an account, attackers set up inbox rules that forward mail to an outside address, or that delete or file away replies mentioning "invoice" or "payment" so the real owner never sees the supplier asking why the bank details changed. Inbox rules and mailbox-level forwarding settings survive a password reset, so a compromise isn't over until they are removed and the attacker's active sessions are revoked. Check every account at least quarterly, disable automatic external forwarding at the tenant level, and alert on rule creation so you aren't relying on the quarterly check alone.
Enable alerts for unusual activity. Microsoft 365 and Google Workspace can both alert on sign-ins from new locations or devices, and Microsoft 365's default alert policies include one for creation of forwarding or redirect rules; identity-protection tiers add "impossible travel" detections where your licence includes them. Turn these on and actually pay attention when they trigger. An alert nobody reads is the same as no alert.
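The forwarding-rule review is the one item on this list that is easy to script. What follows is an added example, not code from this article or from Microsoft, for a Microsoft 365 tenant managed with the ExchangeOnlineManagement PowerShell module. It assumes you can run Connect-ExchangeOnline with a role that can read recipients and policies (View-Only Recipients is enough); the payment keyword list, the suspicious folder names and the CSV path are illustrative choices, not anything the article prescribes.

```powershell
# Added example (not from the original article): enumerate the forwarding
# mechanisms a BEC attacker typically plants in a Microsoft 365 tenant.
# Assumptions: ExchangeOnlineManagement is installed and the signed-in
# account can read mailboxes, inbox rules and outbound spam policies.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalRecipient {
    param([string]$Recipient)
    if ([string]::IsNullOrWhiteSpace($Recipient)) { return $false }
    # Rule recipients render as "Display Name [SMTP:user@example.com]";
    # mailbox-level forwarding renders as "smtp:user@example.com".
    if ($Recipient -match '(?i)smtp:([^\]\s]+)') { $Recipient = $Matches[1] }
    if ($Recipient -notmatch '@') { return $false }   # internal directory object, not an address
    $domain = ($Recipient -split '@')[-1]
    return ($internalDomains -notcontains $domain)
}

# Words attackers filter on so the victim never sees the real payment thread (illustrative list).
$paymentWords = 'invoice|payment|remittance|bank|account|wire|transfer|urgent'

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox) {
    $upn = $mbx.PrimarySmtpAddress.ToString()

    # 1. Mailbox-level forwarding: set with Set-Mailbox, invisible in Outlook,
    #    and untouched by a password reset.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox = $upn
            Finding = 'MailboxForwarding'
            Detail  = "To=$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        })
    }

    # 2. Inbox rules that leak mail externally or hide it from the owner.
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @($targets | Where-Object { Test-ExternalRecipient "$_" })
        $hiding   = $rule.DeleteMessage -or
                    ($rule.MoveToFolder -match 'RSS|Archive|Junk|History|Deleted') -or
                    ($rule.MarkAsRead -and $rule.MoveToFolder)
        $filters  = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.FromAddressContainsWords)
        $onPayments = ($filters -join ' ') -match $paymentWords
        $oddName  = $rule.Name -match '^\s*[\.\-_,]*\s*$'   # names like "." are a known attacker habit

        if ($external.Count -gt 0 -or $hiding -or $oddName) {
            $findings.Add([pscustomobject]@{
                Mailbox = $upn
                Finding = 'InboxRule'
                Detail  = "Name='$($rule.Name)' Enabled=$($rule.Enabled) External=$($external -join ';') " +
                          "Delete=$($rule.DeleteMessage) MoveTo='$($rule.MoveToFolder)' PaymentFilter=$onPayments"
            })
        }
    }
}

# 3. Tenant-wide control: with AutoForwardingMode set to Off, external
#    auto-forwards from rules and Set-Mailbox are dropped at the edge.
foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
    if ($policy.AutoForwardingMode -ne 'Off') {
        $findings.Add([pscustomobject]@{
            Mailbox = '(tenant)'
            Finding = 'OutboundSpamPolicy'
            Detail  = "Policy='$($policy.Name)' AutoForwardingMode=$($policy.AutoForwardingMode) (expected Off)"
        })
    }
}

$findings | Sort-Object Finding, Mailbox | Format-Table -AutoSize -Wrap
# Keep a CSV as the review trail; the path is an assumption.
$findings | Export-Csv -Path ".\forwarding-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Anything this flags that finance or the mailbox owner can't explain should be treated as a live compromise: pull the rule's creation event from the audit log (Search-UnifiedAuditLog with -Operations New-InboxRule,Set-InboxRule,Set-Mailbox shows who created it and from which IP), remove the rule, reset the password and revoke the user's sessions in Entra ID. Google Workspace exposes the equivalent data through the Gmail API's users.settings.forwardingAddresses and users.settings.filters resources, so the same review can be scripted there.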
The Boring Threat Is the Real Threat
Cybersecurity discussions tend to focus on sophisticated nation-state actors and advanced persistent threats. That’s not what’s costing Australian SMBs millions of dollars every year. It’s basic social engineering combined with weak authentication controls.
Business email compromise isn’t sexy. It doesn’t involve AI or machine learning or blockchain or any other buzzword. It’s just criminals exploiting the gap between trust and verification in business processes.
Close that gap. Implement MFA. Create verification procedures. Train your people. The Essential Eight framework gives you a clear roadmap. You don’t need perfection, you just need to be harder to compromise than the next business down the street.
Because right now, somewhere in Australia, a small business owner is about to approve a legitimate-looking email that will cost them everything. Don’t let that be you.