Business email compromise (BEC) is now one of the most financially damaging cyber threats facing Australian organisations. Unlike ransomware, which announces itself loudly, BEC is quiet by design. Attackers impersonate trusted colleagues, executives, or suppliers, then manipulate recipients into transferring funds or surrendering sensitive credentials. The Australian Signals Directorate has consistently flagged BEC as a top-tier threat, and losses reported to the ACSC run into the hundreds of millions annually. What makes BEC so dangerous is not technical complexity but human trust, and that makes it uniquely hard to defend against with technology alone.
What business email compromise actually is
BEC is a category of fraud in which an attacker uses a legitimate-looking email to deceive someone inside an organisation into taking a harmful action, usually authorising a payment to a fraudulent account, sharing login credentials, or disclosing sensitive data. The term covers several related attack patterns. In CEO fraud, attackers impersonate a senior executive and pressure an employee to make an urgent wire transfer. In vendor impersonation, they pose as a known supplier and send a convincing invoice with altered bank details. In account takeover variants, they compromise a real mailbox and use it to intercept or redirect legitimate business correspondence.
What these attacks share is a reliance on social engineering rather than malware. Many BEC emails arrive with no malicious attachment or link at all, which means traditional antivirus and spam filters are largely blind to them. The attacker's investment is in research: learning the names of executives, understanding payment processes, and timing their approach to coincide with a genuine transaction already in motion.
Why Australia is a prime target
Australian businesses are disproportionately targeted for several structural reasons. The economy has a large number of small and medium businesses that process significant payments but often lack dedicated security teams. Property transactions, legal settlements, and agribusiness supply chains move large sums in relatively short timeframes, creating high-value interception opportunities. Remote and hybrid work has also expanded the attack surface: employees now routinely approve transactions over email without the informal verification that once happened face-to-face.
The ACSC's annual cyber threat reports have repeatedly noted that Australian small businesses are among the most common BEC victims, precisely because their processes are often informal. A finance officer at a mid-sized construction firm may deal directly with a handful of suppliers, approve invoices without a secondary sign-off, and have never received training on payment redirection fraud. That is exactly the profile BEC attackers look for.
The threat is also evolving. Generative AI tools have made it significantly easier to produce convincing, grammatically perfect phishing and impersonation emails in Australian English, eliminating the telltale language errors that once helped recipients spot fakes. Social engineering attacks in general are becoming harder to distinguish from legitimate business communication.
The anatomy of a typical BEC attack
Most BEC attacks follow a recognisable sequence, even if the specifics vary. First, the attacker conducts open-source reconnaissance: scanning LinkedIn for finance and procurement roles, reading press releases for executive names, monitoring social media for announcements of mergers, property purchases, or supplier relationships. This research takes hours, not weeks, and produces a target profile tailored to the organisation.
Second, the attacker establishes a believable sender identity. This might involve registering a lookalike domain (substituting a capital "I" for a lowercase "l", for example, or using a country-code variant like ".co" instead of ".com.au"), or it might involve compromising an actual email account through a prior phishing attack. Account takeover BEC is particularly dangerous because the attacker has access to real email history and can pick up mid-thread, making the deception almost impossible to detect visually.
Third, the attacker introduces the request, typically framed as urgent and confidential. "I'm in a board meeting, please process this transfer before close of business" is a classic construction. The urgency and secrecy discourage the recipient from seeking a second opinion. Many BEC attacks succeed on the first contact, inside minutes.
How to defend against BEC
No single control stops BEC. Effective defence requires layering technical controls, process changes, and staff awareness in ways that interact and reinforce each other.
Technical controls
Email authentication protocols are the foundation. DMARC (Domain-based Message Authentication, Reporting and Conformance), combined with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), allows receiving mail servers to verify that an inbound message genuinely came from the domain it claims to originate from. DMARC with a "reject" or "quarantine" policy is one of the most effective controls against domain spoofing. Critically, it protects not just your inbound mail but also your outbound reputation: if your domain is impersonated in an attack on a partner organisation, DMARC gives their mail server the tools to block it.
Many Australian organisations have SPF and DKIM in place but have never moved their DMARC policy from "none" (reporting only) to an enforcing mode. That monitoring-only posture provides data but no protection. The ACSC's published advisories have urged organisations to enforce DMARC for years, and it remains one of the most straightforward hardening steps available.
Beyond email authentication, organisations should consider banner warnings for external senders, automatic flagging of display-name spoofing (where the name shows as "CEO Name" but the underlying address is a lookalike domain), and integration with threat intelligence feeds that track known BEC infrastructure. Modern secure email gateways from vendors like Proofpoint and Mimecast include BEC-specific detection layers, though no vendor solution catches everything.
Process controls
Technical controls alone are not sufficient because some BEC attacks bypass them entirely, particularly account takeover variants where the attacker is using a legitimate, authenticated mailbox. Process controls fill this gap.
The most impactful single process change is out-of-band verification for any payment instruction that arrives via email, particularly those involving a new payee, a change to existing bank details, or an unusual urgency. This means calling the supplier or executive back on a known phone number, not a number provided in the suspicious email itself. It sounds obvious but is resisted in practice because it feels slow and implies distrust. Normalising this verification step culturally, so that asking for confirmation is routine rather than an accusation, is a management challenge as much as a technical one.
Dual-authorisation for high-value transfers is equally important. If two people in different roles must approve a payment above a defined threshold, a single manipulated individual cannot complete the fraud. Many SMEs operate without this control simply because they have not formalised their payment processes.
Staff awareness
BEC attacks target people. Training needs to go beyond a generic phishing awareness module once a year. Finance, procurement, and executive assistant roles warrant dedicated training that uses realistic BEC scenarios relevant to the organisation's own supplier relationships and payment processes. Simulated BEC exercises, where the organisation's own security team or an external firm sends test impersonation emails to finance staff, are particularly effective at building muscle memory.
Training should also explicitly address the psychology of urgency and authority. Most BEC requests succeed because they combine a trusted identity with pressure to act fast. Teaching employees to recognise and resist that pressure, and to understand that pausing to verify is valued not punished, reduces susceptibility significantly.
What to do if your organisation is targeted
If a fraudulent transfer has been made, speed is critical. Contact your bank immediately and request a payment recall. Australian banks have internal fraud escalation paths, and in cases involving same-day OSKO payments or international wires, the window for recovery is short but real. Simultaneously, report the incident to the ACSC via ReportCyber. If a staff member's email account was compromised as part of the attack, follow your data breach response plan promptly, because a compromised mailbox likely means personal data was accessed, which may trigger your Notifiable Data Breach obligations under the Privacy Act.
Preserve all email evidence before resetting accounts. Law enforcement and your bank will need it. Engage your cyber insurer early if you have coverage, as delayed notification can affect claim eligibility.
The bigger picture
BEC is not going away. As Australian regulators push harder on identity verification and payment fraud controls, attackers will adapt, leaning more heavily on AI-generated content and compromised account access to stay ahead of defences. The organisations that hold up best are those that treat BEC as a business process risk, not merely a security problem: one that requires the same governance attention as financial controls more broadly. That means board-level visibility, periodic tabletop exercises, and clear ownership of both the technical and procedural controls that collectively make fraud harder to complete.
