How to protect your business from Business Email Compromise (BEC)


Imagine a customer receives an email from one of your business's email accounts requesting payment of an invoice. Your customer opens the invoice and pays using the bank details provided in the invoice.

Just one problem – the account’s financial details are fake!

Your business just became one of the thousands of Australian businesses caught up in a business email compromise.

Business email compromise, or BEC, is a scam where a cybercriminal impersonates a legitimate business or representative to trick an employee, customer or vendor into transferring money or sensitive information.

Here are 4 types of BEC scams:

  • Executive fraud: The cybercriminal impersonates an executive officer by email and instructs staff to transfer funds or pay an invoice to a fake account.
  • Legal impersonation: The cybercriminal impersonates a lawyer or legal firm representative requesting payment for an urgent and sensitive matter.
  • Invoice fraud: The cybercriminal impersonates a trusted supplier and sends a fake invoice to your business, or uses your business email to target your customers. In these scams, the cybercriminal often has control of the supplier’s email account, so they can access legitimate invoices and change the bank account details.
  • Data theft: Instead of requesting funds, a cybercriminal may impersonate a trusted person who needs your information. This information can then also be used as part of a larger and more damaging scam.

Because these scams are usually well-researched and rely more on social manipulation than technical exploits (such as malicious links or attachments), they can get through anti-virus programs and spam filters.

Meet Phoebe

For months Melbourne retailer Phoebe Bell believed she was emailing one of her suppliers. In reality, she was communicating with a cybercriminal who would eventually steal $10,000 from her homewares business, Sage & Clare.

Bell says she never had any reason to doubt she was communicating with the real supplier. ‘The language, tone of voice, fonts, graphics – it was all the same,’ she points out. ‘This was a highly polished scam created purely to target small businesses and fleece them of their hard-earned money.’

After Bell paid the supplier, a series of strange emails saying there had been a problem with the payment prompted her to call the supplier directly. The supplier said they hadn’t heard from her in months, at which point Bell realised she’d been the victim of a scam.

When reflecting on what BEC has cost her, Bell notes that ‘it’s a big loss for a small business … it hits hard.’

Bell believes cybercriminals see small businesses as easy targets because they don’t usually have many account processes in place.

How to protect your business

Now that you know what to look out for, the best defence for your business is teaching your staff to be on the lookout for the following warning signs:

  • The email is unexpected. For example, the invoice came from a supplier you haven’t dealt with in a while, or the payment amount differs from previous amounts.
  • The email asks for an urgent payment or threatens serious consequences if payment isn’t made.
  • The email is sent from someone in a position of authority, particularly someone who wouldn’t normally send payment requests.
  • The email address does not look quite right. For example, the domain name doesn’t exactly match the supplier’s company name. Double-check by looking at previous correspondence.
  • The supplier provides new bank account details.
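
Three of these warning signs (a near-miss sender domain, changed bank details, urgent language) can also be checked automatically before an invoice reaches accounts staff. The following is an added example, not part of the original article; the supplier record, domains, bank numbers and the BSB/account text format are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier record (hypothetical domain and bank details).
SUPPLIERS = {"acme-textiles.example": {"bsb": "063000", "account": "12345678"}}
URGENCY = re.compile(r"\b(urgent|immediately|overdue|final notice|legal action)\b", re.I)
BANK = re.compile(r"BSB[:\s]*(\d{3}-?\d{3}).*?Account[:\s]*(\d{6,10})", re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def warning_signs(raw_email):
    """Return the warning signs found in one raw email message."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    signs, known = [], SUPPLIERS.get(domain)
    if known is None:
        # Not an exact match: is it one or two characters off a real supplier?
        near = [d for d in SUPPLIERS if 0 < edit_distance(domain, d) <= 2]
        signs.append(f"lookalike domain of {near[0]}" if near else "unknown sender domain")
        known = SUPPLIERS[near[0]] if near else None
    m = BANK.search(body)
    if m and known and (m.group(1).replace("-", ""), m.group(2)) != (known["bsb"], known["account"]):
        signs.append("bank details differ from supplier record")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        signs.append("urgent or threatening language")
    return signs


# Constructed sample: one swapped letter in the domain and a new bank account.
SAMPLE = """From: Accounts <accounts@acme-textlles.example>
Subject: URGENT: updated invoice 1042

Please pay today to our new account.
BSB: 082-001 Account: 87654321
"""

if __name__ == "__main__":
    print(warning_signs(SAMPLE))
```

A clean result only means these three checks passed: a cybercriminal who controls the supplier's real mailbox sends from the correct domain, so any change of bank details still needs a phone call to a number obtained independently.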

Remember: if something doesn’t feel right, it probably isn’t.

Encourage your staff to trust their instincts and check anything suspicious by picking up the phone and speaking directly to the requester, whether that be a supplier or your business's CEO, before paying accounts. Use a phone number obtained from an independent source, such as the company’s website. If the email originates from an internal account, staff should ring the email account owner and alert your business's ICT team.

If you don't have one already, consider introducing a purchase order system to your business. The Business Victoria financial policy and procedures template can help.

How to report a BEC

If you have sent money or banking details to a scammer, contact your bank immediately.

If any of your customers’ personally identifiable information has been compromised, mandatory reporting to the Office of the Information Commissioner (OAIC) may be required under the reportable data breaches scheme.

If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).

Scams should also be reported to the Australian Competition and Consumer Commission’s Scamwatch.

Further information

For further information on how to avoid BEC, take a look at the Australian Cyber Security Centre’s BEC advice.

For information on the latest online threats and tips on how to manage them, sign up to Stay Smart Online’s free alert service.

To report a cyber security incident, call 1300 CYBER1 (1300 292 371) or go to