Business Email Compromise: The $46,000 Mistake Aussie SMBs Keep Making
There's a specific type of cybercrime that doesn't need malware, viruses, or any technical wizardry. It just needs a convincing email address and a bit of patience. It's called Business Email Compromise (BEC), and it's quietly devastating Australian small businesses at an alarming rate.
What is Business Email Compromise?
BEC is when a scammer impersonates a trusted person — your boss, a supplier, a client, your accountant — to trick someone in your business into making a fraudulent payment or handing over sensitive information.
There's no malware. No suspicious attachments. Just an email that looks completely normal asking for something that seems routine. That's what makes it so dangerous.
The most common BEC scenarios:
The fake invoice: A scammer monitors your email communications (either by compromising an account or just doing research on LinkedIn) and learns about a legitimate supplier relationship. They then send a fake invoice from a near-identical email address, notifying you that the supplier's bank details have changed. You pay. The supplier never receives the money. You're out thousands.
The CEO request: An email appears to come from your MD or CEO: "Hey, I need you to make an urgent transfer to this account. I'm in a meeting and can't talk — just get it done." The urgency, the authority, the casual tone — it all feels right. Except it's a scammer who spoofed the email address.
The employee payroll redirect: An email from what looks like an employee's personal account asks HR or payroll to update their bank details before the next pay run. The details are the scammer's account. The employee discovers they weren't paid. HR discovers they've paid a criminal.
Why do these work?
Because they exploit trust and urgency, not technical vulnerabilities. Your antivirus software can't stop an email that's just... an email. And humans, especially busy ones who process hundreds of emails a day, can absolutely miss a subtle difference in a domain name.
How to protect your business:
- Verify bank detail changes by phone. Always. Never update payment details based solely on an emailed request. Call the supplier on a number you already have (not one in the email) and confirm.
- Create a two-person rule for payments. Any transfer above a certain threshold requires sign-off from two people. Full stop.
- Enable email authentication (SPF, DKIM, DMARC). These technical controls make it harder for criminals to spoof your domain. Ask your IT provider to set these up.
- Train your staff. Your finance team, your HR team, your admin staff — anyone who processes payments or handles sensitive data needs to know what BEC looks like.
- Trust but verify. If a request feels unusual — even if it looks like it came from your CEO — it's always okay to double-check. A brief reply asking "can you confirm this by phone?" is not going to annoy your actual boss. Your actual boss will appreciate it.
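To make the "enable SPF, DKIM, DMARC" point concrete, here is an added example (not from the original post) that grades the SPF and DMARC TXT records a domain publishes and shows a weak configuration beside a hardened one. The records are constructed samples on .invalid domains; DKIM is left out because checking it needs a signed message, not just DNS.

```python
# Added example: grade SPF and DMARC TXT records for how well they resist
# someone sending mail "from" your own domain. Record strings below are
# constructed samples on .invalid domains, not real DNS lookups.
import re

# Meaning of the SPF 'all' qualifier; a bare 'all' means '+' (pass).
SPF_ALL = {
    "-": "hardfail: unauthorised senders are rejected",
    "~": "softfail: unauthorised senders are only marked",
    "?": "neutral: says nothing about unauthorised senders",
    "+": "pass: anyone may send as this domain",
}

def assess_spf(record: str) -> dict:
    """Return the 'all' qualifier and whether it actually blocks spoofing."""
    if not record.lower().startswith("v=spf1"):
        return {"valid": False, "strict": False, "note": "not an SPF record"}
    qualifier = None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"
    if qualifier is None:
        return {"valid": True, "strict": False, "note": "no 'all' term: implicit neutral"}
    return {"valid": True, "strict": qualifier == "-", "note": SPF_ALL[qualifier]}

def assess_dmarc(record: str) -> dict:
    """Parse DMARC tags; strict means p=quarantine/reject applied to 100% of mail."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "strict": False, "note": "not a DMARC record"}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    strict = policy in ("quarantine", "reject") and pct == 100
    note = f"p={policy} pct={pct}" + ("" if "rua" in tags else ", no rua= reporting address")
    return {"valid": True, "strict": strict, "policy": policy, "pct": pct, "note": note}

def spoof_resistant(spf_record: str, dmarc_record: str) -> bool:
    """True only when SPF hardfails AND DMARC tells receivers to act on failures."""
    return assess_spf(spf_record)["strict"] and assess_dmarc(dmarc_record)["strict"]

# Constructed 'before' (weak) and 'after' (hardened) records for a fictitious domain.
WEAK_SPF, WEAK_DMARC = "v=spf1 include:_spf.mailhost.invalid ~all", "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mailhost.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid; sp=reject"
```

These records only protect your own domain from being forged; a near-identical domain registered by a scammer passes its own checks, which is why the phone verification step above stays the primary control.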
The uncomfortable truth
BEC doesn't target tech-illiterate people. It targets busy people. Helpful people. People who want to do their jobs well and respond to requests promptly. The scam is designed to work against your best professional instincts.
The fix isn't complicated: a couple of simple verification processes and a well-trained team can stop BEC cold.
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.