Security

Business Email Compromise: What It Actually Looks Like

No malware, no hacking skill required, and it's one of the most financially damaging threats facing small businesses today. Here's how BEC actually plays out, why it's so convincing, and the process changes that genuinely stop it.

Ask most business owners what a "cyber attack" looks like and they'll picture something technical — a hacker, malware, a firewall breach. Business Email Compromise (BEC) is none of those things, and that's exactly why it's so effective. It's a fraud technique, not a hacking technique, and it consistently ranks among the most costly threats facing small businesses in Australia and elsewhere — according to the Australian Signals Directorate's most recent Annual Cyber Threat Report, the average self-reported cost of a cybercrime incident to an Australian small business has continued to climb year on year, with business email compromise and invoice fraud among the leading contributors.

What BEC actually is

Business Email Compromise is when an attacker impersonates — or genuinely gains access to — a trusted email identity, then uses that trust to redirect money or extract sensitive information. There's no single technical mechanism here; it's a category of social engineering, and it takes a few recognisable shapes.

The common patterns

These are described at the level of "what to watch for," not as a technical walkthrough — the specifics vary, but the underlying shape repeats.

  • Invoice redirection. An attacker, having gained visibility into a genuine email thread between a business and a supplier, waits for a real invoice to become due, then sends updated banking details — timed to look like a routine, expected update rather than anything suspicious.
  • Executive impersonation. An urgent request, apparently from a senior figure in the business, asking for an unusual payment, a gift card purchase, or a sensitive document — often timed for when the real person is known to be travelling or otherwise hard to reach for a quick verbal check.
  • Lookalike supplier domains. A domain that looks correct at a glance but isn't quite the genuine supplier's domain, used to send a convincing but fraudulent request.

What ties these together is patience. Attackers frequently monitor a compromised mailbox or thread for an extended period — sometimes weeks — learning the normal rhythm, tone, and timing of genuine correspondence before acting. That patience is what makes the eventual request look so unremarkable.

Why it works

BEC succeeds by exploiting trust and established process, not a technical flaw. There's frequently no malware involved at all, which means antivirus software and firewalls — built to catch technical threats — have nothing to detect. The email often looks entirely legitimate, because in the account-compromise version of this attack, it's coming from a genuinely real, previously-trusted mailbox.

The combination worth treating as a red flag isn't any single detail — it's urgency plus a change to payment details plus pressure to act through the email channel alone, without the normal verification a business would otherwise apply. Any one of those alone might be innocent. All three together is the pattern to slow down for.

What actually stops it

This is fundamentally a process problem, not a purely technical one — which is good news, because the fixes are mostly about habits rather than expensive tooling.

  • Verify any change to payment or banking details out-of-band. A phone call to a known, independently-verified number — not a number supplied in the email itself — before acting on any change, no matter how routine or urgent it looks.
  • Adopt a firm policy: no financial change proceeds on email instruction alone. Make this a standing rule everyone in the business knows, so no individual has to make a judgement call under pressure in the moment.
  • Enable multi-factor authentication on every email account, particularly for anyone who handles payments or has visibility into financial correspondence — this closes off the account-compromise version of the attack at the source.
  • Check sender domains carefully when anything financial is being requested or changed, rather than trusting the display name alone.
  • Treat urgency as a reason to slow down, not speed up. Genuine business requests can almost always tolerate a short delay for verification; manufactured urgency is one of the most consistent signals across BEC attempts.

If it happens anyway

  1. Contact your bank immediately to attempt a recall. The window to reverse a fraudulent transfer is short, and speed matters more than anything else at this stage.
  2. Report it to ReportCyber, the Australian Cyber Security Centre's reporting portal, so the incident is on record and can potentially be linked to a wider pattern.
  3. Notify the genuine supplier or contact who was impersonated, since they may be unaware their identity or thread was used, and other businesses in their network may be at risk too.
  4. Review how the compromise happened — a compromised mailbox needs its credentials reset and MFA enabled if it wasn't already, regardless of whether any money actually moved.

The reassuring part: unlike a lot of cyber risk, this doesn't require an enterprise security budget to defend against. A firm verification policy, MFA on every account, and a habit of treating urgency with suspicion closes off the vast majority of BEC attempts — at essentially no cost.

Frequently asked questions

What is Business Email Compromise?

A fraud technique where an attacker impersonates or accesses a trusted email identity to trick a business into redirecting money or information, typically relying on social engineering rather than malware.

Why does Business Email Compromise work so well?

It exploits trust and urgency rather than a technical vulnerability, so standard antivirus and firewall defences have nothing to detect.

What's the single most effective defence against BEC?

Verifying any change to payment details through a separate, independently-verified channel before acting on it.

What should a business do immediately if it suspects a BEC payment has been made?

Contact the bank immediately to attempt a recall, report the incident to ReportCyber, and notify any suppliers or contacts who may have been impersonated.

Want a straight assessment of where your business's email security actually stands? Get in touch.

Get in touch →