Business Email Compromise: How Sydney SMBs Can Prevent Invoice Fraud and CEO Scams

Business Email Compromise (BEC) cost Australian organisations $98 million in reported losses in 2023, making it one of the most financially damaging cyber threats. Unlike traditional phishing that casts a wide net, BEC attacks are carefully crafted to target specific individuals with believable scenarios. This guide helps Sydney businesses recognise and prevent these sophisticated attacks.

What is Business Email Compromise?

BEC is a type of scam where criminals impersonate trusted parties—executives, vendors, or colleagues—to trick employees into transferring money or revealing sensitive information. These attacks don't rely on malware; they exploit trust and business processes.

Common BEC Attack Types

CEO Fraud / Executive Impersonation

Attackers impersonate a CEO or senior executive, urgently requesting a wire transfer or gift card purchase. These often create artificial time pressure ("I'm in a meeting, need this done immediately") to bypass normal approval processes.

Vendor Invoice Scams

Criminals compromise or impersonate a legitimate vendor and send fake invoices with updated payment details. The invoice looks genuine because it references real work or products.

Account Compromise

Attackers gain access to a real email account and use it to request payments or information from contacts. These are particularly dangerous because they come from legitimate addresses.

Payroll Diversion

Criminals impersonate employees requesting changes to payroll direct deposit information, diverting salaries to their accounts.

Warning Signs of BEC

Train your team to recognise these red flags:

Urgency and secrecy: "This is confidential, don't discuss with anyone"
Unusual requests: Executives asking for gift cards or unusual payment methods
Changed payment details: Vendors requesting payment to new bank accounts
Slight email variations: @company.com vs @companny.com
Breaking normal procedures: Pressure to bypass approval processes
Unusual timing: Requests sent when the supposed sender would normally be unavailable

Technical Prevention Measures

Email authentication: Implement SPF, DKIM, and DMARC to prevent domain spoofing
External email tagging: Mark emails from outside your organisation with a visible banner
Multi-factor authentication: Protect all email accounts, especially executives
Advanced threat protection: Use Microsoft Defender for Office 365 or equivalent
Email encryption: Protect sensitive communications

Process Controls

Technical measures alone aren't enough. Implement robust processes:

Verification procedures: Always verify payment changes via a known phone number (not one from the email)
Dual authorisation: Require two people to approve significant transactions
Callback verification: For any change to vendor payment details, call the vendor directly
Document management: Maintain accurate vendor contact records
Regular training: Keep staff updated on current BEC tactics

Critical rule: If someone asks you to change payment details via email, ALWAYS verify by calling them on a number you already have on file—never call a number provided in the email.

What to Do If You're Targeted

Act quickly: If you've transferred money, contact your bank immediately to attempt recall
Report internally: Notify IT and management immediately
Report to authorities: File a report with the ACSC (cyber.gov.au/report) and Australian Federal Police via ReportCyber
Preserve evidence: Don't delete emails or modify anything
Review and improve: Analyse how the attack succeeded and close gaps

How We Researched This Article

This article was compiled using information from authoritative industry sources to ensure accuracy and relevance for Australian businesses.

Sources & References

•
Australian Cyber Security Centre - Business Email Compromise
ACSC guidance on BEC threats and prevention
•
Scamwatch - Business Scams
ACCC consumer protection information on BEC
•
FBI Internet Crime Complaint Center (IC3)
US law enforcement data on BEC losses and trends
•
Australian Federal Police - ReportCyber
Official reporting channel for cybercrime in Australia

* Information is current as of the publication date. Cybersecurity guidelines and best practices evolve regularly. We recommend verifying current recommendations with the original sources.

Frequently Asked Questions

Why are BEC attacks so successful?

BEC attacks exploit human trust rather than technical vulnerabilities. They're carefully crafted to appear legitimate, often using real business context and exploiting time pressure. Unlike mass phishing, BEC targets specific individuals who can authorise payments.

Can email filtering stop BEC?

Email filtering helps but isn't foolproof. BEC emails often don't contain malware or malicious links—they're just text requesting legitimate-seeming actions. Advanced threat protection can catch some BEC, but process controls and user awareness remain essential.

Who is most at risk of BEC?

Finance teams, accounts payable, HR, and executive assistants are primary targets. Anyone with authority to transfer money, change payment details, or access sensitive information is at risk. Small businesses are increasingly targeted because they often lack controls.

Can we recover money lost to BEC?

Sometimes, if you act immediately. Contact your bank within hours (not days) to attempt to recall the transfer. Success rates decrease rapidly with time. Even if recall fails, reporting helps authorities track criminal networks and may help recover funds in some cases.