How to Spot a Business Email Compromise (BEC) Scam
Business Email Compromise (BEC) is one of the most financially damaging cyber threats facing Australian small and medium businesses. Unlike ransomware, it does not announce itself with a locked screen and a ransom note. Instead, it quietly redirects a payment, changes a supplier’s bank details, or impersonates your CEO to authorise a transfer – and by the time anyone notices, the money is gone.
The Australian Federal Police reported that BEC losses in Australia run into the hundreds of millions of dollars annually. Here is what your staff need to know.
What Is Business Email Compromise?
BEC is a social engineering attack that exploits trusted email relationships. The attacker impersonates someone the victim trusts – a CEO, a supplier, a conveyancer, the ATO – and tricks the victim into transferring money or disclosing sensitive information.
The two most common scenarios in Australia are:
-
Invoice fraud: The attacker compromises or spoofs a supplier’s email and sends a legitimate-looking invoice with changed bank details. Your accounts payable team pays the “new” account, and the attacker receives the funds.
-
CEO fraud: The attacker spoofs the CEO’s email address and sends an urgent request to the accounts team: “Can you process an urgent payment? I’m in a meeting and need this done today. Don’t call – just send the details and I’ll confirm.”
Red Flags Your Staff Should Recognise
1. Urgency and Pressure
Legitimate payments do not usually require you to bypass your normal approval process. Phrases like “please process immediately”, “I’m in a meeting – don’t call”, or “this is time-sensitive” are designed to suppress critical thinking.
Train your staff to slow down when they feel rushed.
2. Out-of-Band Bank Account Changes
If a supplier’s bank account changes – even with a seemingly legitimate email and attached PDF – verify it by calling the supplier directly on the phone number you already have on file (not the one in the email).
Never accept bank account changes by email alone.
3. Slight Email Address Variations
Attackers register domains that look almost identical to legitimate ones:
accounts@peritus-digital.com.auinstead ofaccounts@peritusdigital.com.auaccounts@peritusdigita1.com.au(the number one instead of the letter l)accounts@peritusdigltai.com.au(transposed letters)
Train staff to look at the full email address – not just the display name – before acting on financial requests.
4. Requests to Keep Things Confidential
“Don’t mention this to anyone else”, “keep this between us”, or “I’ll explain later” are social engineering tactics designed to prevent the victim from seeking a second opinion.
5. Unusual Requests from Known Contacts
If your CEO has never previously asked you to process a payment by email, that is a strong signal. Attackers research their targets – they know names, roles, and relationships – but they often do not know that your CEO always calls before any large payment.
Technical Controls That Help
Staff training alone is not enough. The following technical controls reduce the risk significantly:
- SPF, DKIM, and DMARC – email authentication standards that make it harder for attackers to spoof your domain. Use our free Email Security Checker to see your current configuration.
- Multi-Factor Authentication on email – even if an attacker obtains a password, MFA stops them accessing the mailbox to conduct the attack from within a legitimate account.
- Microsoft Defender for Office 365 (or equivalent) – advanced threat protection catches many BEC attempts before they reach the inbox.
- Payment approval workflows – a two-person rule for payments above a threshold, with at least one verbal or in-person confirmation, is a simple process control that stops most BEC attacks cold.
What to Do If You Suspect a BEC Attempt
- Do not respond to the suspicious email.
- Contact the supposed sender via a known, trusted channel (call them on their office number).
- If a payment has already been made, contact your bank immediately – Australian banks have a rapid-response protocol for BEC losses and early notification significantly increases the chance of recovery.
- Report to ReportCyber (the ACSC reporting portal).
- Preserve the email headers and any other evidence – the AFP Cybercrime team may want them.
How Peritus Digital Can Help
We help Newcastle and Hunter businesses set up the email authentication controls (SPF, DKIM, DMARC) and the Microsoft 365 security policies that reduce BEC risk. We also deliver practical staff awareness training tailored to your industry – because a staff member who can spot a BEC attempt is your best last line of defence.
