The Hidden Cost of Business Email Compromise
Business email compromise (BEC) is costing Australian workers money they can’t afford to lose. The business email compromise statistics are staggering, with losses amounting to almost $84 million in the Australian 2023–24 financial year. So, why the sudden spike in BEC attacks? The higher prevalence of hybrid and remote work arrangements has a lot to do with it. Employees are accessing business platforms and systems from home and publicly available networks, which are almost always less secure than at the workplace.
Australia is far from the only location affected. In fact, business email compromise fraud has severely disrupted business operations worldwide, causing billions in financial losses. Luckily for Australian businesses, NSI has a knowledgeable cybersecurity team that knows how to prevent business email compromise.
What Is Business Email Compromise?
BEC is a scam whereby cybercriminals use deception to trick people into sending money or sensitive information. While hacking involves breaking into systems, BEC is a slightly more stealthy tactic, relying on impersonation and social engineering to make requests that look legitimate.
Apart from the obvious acronym — BEC — business email compromise is often called ‘CEO fraud’, ‘email spoofing’, or ‘invoice scams’. BEC typically involves pretending to be someone the recipient trusts — like a senior executive, colleague, supplier, or even a client. The goal? To make the target act fast, without questioning the request.
A typical BEC attack unfolds in three key stages:
- Infiltration: The attacker may gain access to a legitimate email account (often through phishing or credential theft), or create a near-identical fake email address and use publicly available information to craft a convincing message.
- Impersonation: Leveraging gathered intelligence or external information, the attacker sends a fraudulent email posing as a trusted contact.
- Action: The victim receives a message — sometimes convincing and often framed as urgent — and is prompted to take action, such as transferring funds or sharing sensitive information.
Because the emails can appear credible and often mimic real business processes, BEC attacks can catch you off guard. Understanding how these scams work is the first step towards preventing them.
Corporate vs SME BEC Risk Profiles
Business email compromise doesn’t just target major corporations. It affects organisations of all sizes, but the nature of the risk — and the ability to detect and respond to it — differs significantly between corporates and small- to medium-sized enterprises (SMEs).
| Corporates | SMEs |
|---|---|
| High-value targets for BEC attacks (due to brand visibility, larger transactions, and complex supply chains) | Often viewed as easier targets (due to weaker controls and limited resources) |
| Multi-layered defences (MFA, secure gateways, SOC monitoring, incident response playbooks) | Leaner IT teams, rarely dedicated cybersecurity staff or formal protocols |
| Structured approval processes for payments and account changes | Informal workflows based on trust, making impersonation attacks more likely to succeed |
| Ongoing staff training, phishing simulations, and security awareness | Ad hoc or limited training, leaving staff underprepared |
| Enterprise-grade breach detection tools | Rely solely on default email platform settings |
| Greater recovery ability from financial/reputational loss | May experience serious financial, legal, or operational fallout from a single attack |
For corporates: Even with advanced systems, BEC still finds its way through human channels. Focus on reinforcing processes, testing controls, and encouraging a ‘verify-first’ culture.
For SMEs: You don’t need big budgets to be cyber-smart. Enforce multi-factor authentication, question every time-sensitive request, and invest in affordable breach detection tools.
BEC isn’t about the size of your business — it’s about the size of the opportunity you present to a scammer.
How to Detect Business Email Compromise Early
Spotting a BEC attempt early can save your business from serious financial and reputational damage. Here are key red flags and tools to help you identify threats before they cause harm.
- Altered or misspelt domain names (e.g. ‘@yourbusness.com’ instead of ‘@yourbusiness.com’)
- Unusual tone or urgency, especially in payment/account change requests
- Invoice details or bank info that differ from past communications
- Emails sent outside business hours or from unexpected locations
- Requests to bypass approval processes
- SPF (Sender Policy Framework): Blocks unauthorised use of your domain in email sending.
- DKIM (DomainKeys Identified Mail): Verifies email integrity and sender identity with cryptographic signatures.
- SIEM (Security Information and Event Management): Aggregates and analyses logs to detect suspicious activity.
- Email logging: Tracks email activity to spot irregularities.
Tip for SMEs: Platforms like Google Admin and Microsoft 365 offer built-in tools to alert you to suspicious activity — often at no extra cost.
Early detection is one of the most effective defences against BEC.
Prevention Tactics for Corporations
- Implement Role-Based Access Control (RBAC) to limit user access
- Run phishing simulations regularly, especially for finance and executives
- Enforce strict vendor verification for payments
- Use zero-trust frameworks and AI-enhanced threat detection
- Document all security processes for accountability and compliance
For example, the Toyota parts supplier scam cost $37 million — highlighting the importance of verification.
Prevention Tactics for SMEs
- Enable multi-factor authentication and use password managers
- Set up two-person approval for financial transactions
- Train staff on red flags and phishing awareness
- Verify bank details via a trusted contact
- Use alerts and monitoring tools in Google Workspace or Microsoft 365
One Victorian SME nearly lost $900,000 in a BEC scam — but recovered most due to quick action. Detection makes the difference.
Types of BEC Scams to Watch Out For
- False Invoice Scheme: Impersonate a supplier and send a fake invoice with altered payment details.
- CEO Fraud: Impersonate executives to rush employees into authorising payments.
- Data Theft: Trick departments into handing over sensitive staff info.
- Email Account Compromise (EAC): Hack an employee’s real account and send fraudulent emails from it.
- Attorney Impersonation: Pretend to be legal counsel and request urgent funds during sensitive periods.
Being aware of these tactics is your first line of defence. Train your team to pause, verify, and question before acting on unexpected requests.
Stay Safe with a Security Audit from NSI
BEC attacks can catch even the most intelligent people off guard. These scams exploit trust and urgency, so protecting your team with training and proactive measures is essential.
How’s your business faring? Get a pulse check from NSI — cybersecurity experts. Speak with our cyber team and book your audit today. It’s better to be safe than scammed.
