Business Email Compromise Prevention Guide

BEC is the highest-return, lowest-effort attack targeting Australian professional services firms. How it works, how to recognise it, and the controls that stop it.

What Business Email Compromise Is

Business email compromise (BEC) is a financially motivated attack where a criminal uses a legitimate or convincingly spoofed email account to deceive someone into transferring funds, changing payment details, or disclosing sensitive information.

It does not require sophisticated malware. It does not need to bypass endpoint protection. It exploits trust, process gaps, and time pressure. A single successful BEC attack against a professional services firm can result in losses of tens to hundreds of thousands of dollars in a single transaction.

The ACCC consistently reports BEC as one of the highest-loss scam categories for Australian businesses. The actual figure is higher than reported, because many losses go unreported due to professional embarrassment.

How BEC Attacks Actually Work

Type 1: Spoofed Domain

The attacker sends email from a domain that closely resembles a legitimate one. yourfirm.com.au becomes yourfirm.co or y0urfirm.com.au. Visually similar at a glance, particularly on mobile where the full address is often truncated.
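A small triage script for the look-alike problem described above, added here as an example rather than anything from the guide itself. It folds visually confusable characters (the 0 for o swap in y0urfirm.com.au) and measures edit similarity (yourfirm.co against yourfirm.com.au) against a trusted domain list. The trusted domains, the homoglyph map and the sample headers are constructed for illustration, and the threshold is an assumption to tune for your own environment.

```python
"""Triage sender domains against a firm's trusted domain list.

Added example for this guide, not the guide's own tooling. The trusted
domains, the homoglyph map and the sample addresses below are constructed
for illustration; tune them for your own environment.
"""
import re
from difflib import SequenceMatcher

# Constructed: the firm's own domain plus suppliers it pays.
TRUSTED_DOMAINS = {"yourfirm.com.au", "trustedsupplier.com.au"}

# Characters and pairs commonly swapped in look-alike domains (assumption:
# a small hand-picked map, applied to both sides before comparing).
HOMOGLYPH_MAP = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
                 "5": "s", "7": "t", "8": "b"}

# Similarity at or above this ratio is reported as a look-alike (assumption).
SIMILARITY_THRESHOLD = 0.8


def sender_domain(address):
    """Extract the domain from a header value such as 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    return match.group(1).lower().rstrip(".") if match else ""


def normalise(domain):
    """Fold confusable characters so y0urfirm and yourfirm compare equal."""
    domain = domain.lower()
    for lookalike, real in HOMOGLYPH_MAP.items():
        domain = domain.replace(lookalike, real)
    return domain


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain_or_None).

    Verdicts: trusted, homoglyph, lookalike, unrelated.
    """
    domain = domain.lower().rstrip(".")
    # Exact match or genuine subdomain of a trusted domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    # A trusted name used as a leading label (yourfirm.com.au.something.com)
    # is never a legitimate subdomain of the trusted domain.
    for t in trusted:
        if domain.startswith(t + "."):
            return "lookalike", t
    # Same string once confusable characters are folded: y0urfirm.com.au.
    for t in trusted:
        if normalise(domain) == normalise(t):
            return "homoglyph", t
    # Otherwise measure edit similarity: yourfirm.co against yourfirm.com.au.
    best = max(trusted, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    if SequenceMatcher(None, domain, best).ratio() >= SIMILARITY_THRESHOLD:
        return "lookalike", best
    return "unrelated", None


def triage(addresses):
    """Classify each From: header value; returns [(domain, verdict, match)]."""
    results = []
    for address in addresses:
        domain = sender_domain(address)
        verdict, match = classify_domain(domain)
        results.append((domain, verdict, match))
    return results


if __name__ == "__main__":
    # Constructed sample headers, including the two variants named in the guide.
    samples = [
        "Accounts Payable <accounts@yourfirm.com.au>",
        "Accounts Payable <accounts@y0urfirm.com.au>",
        "Managing Partner <partner@yourfirm.co>",
        "Invoices <billing@trustedsupplier.com.au>",
        "Newsletter <news@example.org>",
    ]
    for domain, verdict, match in triage(samples):
        print(f"{domain:28} {verdict:10} {match or ''}")
```

The homoglyph fold is deliberately applied to both sides, so a trusted domain that happens to contain one of the mapped sequences still compares equal to itself. Anything that comes back as homoglyph or lookalike is a candidate for the verification call described later in this guide, not an automatic block.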

Type 2: Compromised Supplier/Client Account

The attacker compromises a supplier or client email account and sends fraudulent payment instructions from a completely legitimate address. The email thread may reference real prior conversations. The only tell is the payment details.

Type 3: Compromised Internal Account

An internal staff member's account is compromised. The attacker monitors the mailbox, identifies upcoming transactions, and inserts fraudulent instructions at the right moment. They may create inbox rules to hide replies from the legitimate user.
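The inbox-rule behaviour described here is also what the "inbox rules are monitored" control in the technical controls section is looking for. The following is an added example of that review logic, not tooling from the guide: it scores exported rule records for external forwarding, for mail being deleted or moved to rarely viewed folders (especially when the filter singles out payment conversations), and for blank or one-character rule names. The rule records are constructed, their field names approximate the properties Exchange Online's Get-InboxRule cmdlet exposes, INTERNAL_DOMAINS is an assumed tenant setting, and the keyword and folder lists are assumptions to tune.

```python
"""Review exported inbox rules for the patterns BEC actors rely on.

Added example, not the guide's own tooling. The rule records are constructed;
their field names approximate the properties Exchange Online's Get-InboxRule
cmdlet exposes, and INTERNAL_DOMAINS is an assumed tenant setting.
"""

# Constructed: domains that count as internal to the firm.
INTERNAL_DOMAINS = {"yourfirm.com.au"}

# Folders users rarely look in, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

# Words that single out payment traffic (assumption: tune to your business).
FINANCE_KEYWORDS = {"invoice", "payment", "bank", "remittance", "account",
                    "wire", "transfer", "eft", "settlement"}


def is_external(address, internal=INTERNAL_DOMAINS):
    """True when the address's domain is not one of the firm's own."""
    return address.rsplit("@", 1)[-1].lower() not in internal


def assess_rule(rule, internal=INTERNAL_DOMAINS):
    """Return (severity, reasons) for one rule; severity is high, medium or none."""
    reasons = []
    high = False

    # 1. Any forward or redirect that leaves the tenant.
    targets = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        targets.extend(rule.get(field) or [])
    external = [t for t in targets if is_external(t, internal)]
    if external:
        reasons.append("forwards or redirects to external address: " + ", ".join(external))
        high = True

    # 2. Mail deleted or moved somewhere the user will not see it ...
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    # ... especially when the filter singles out payment conversations.
    words = [w.lower()
             for f in ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords")
             for w in (rule.get(f) or [])]
    finance_filter = any(k in w for w in words for k in FINANCE_KEYWORDS)
    if hides and finance_filter:
        reasons.append("hides finance-related mail (" + ", ".join(words) + ")")
        high = True
    elif hides:
        reasons.append("deletes or moves mail to a rarely viewed folder")
    if hides and rule.get("MarkAsRead"):
        reasons.append("marks hidden mail as read so no unread count appears")

    # 3. Blank or single-character rule names deserve a look (assumption
    #    drawn from common incident-response experience, not from the guide).
    if len((rule.get("Name") or "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")

    severity = "high" if high else ("medium" if reasons else "none")
    return severity, reasons


def audit_rules(rules):
    """Return [(mailbox, rule name, severity, reasons)] for rules that raised a finding."""
    findings = []
    for rule in rules:
        severity, reasons = assess_rule(rule)
        if severity != "none":
            findings.append((rule.get("Mailbox", ""), rule.get("Name", ""), severity, reasons))
    return findings


# Constructed sample export: two benign rules, two that match the guide's scenario.
SAMPLE_RULES = [
    {"Mailbox": "cfo@yourfirm.com.au", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["invoice", "payment"], "MoveToFolder": "RSS Feeds",
     "MarkAsRead": True},
    {"Mailbox": "cfo@yourfirm.com.au", "Name": "Backup copy", "Enabled": True,
     "ForwardTo": ["cfo.backup@mail-example.net"]},
    {"Mailbox": "admin@yourfirm.com.au", "Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["news@"], "MoveToFolder": "Newsletters"},
    {"Mailbox": "admin@yourfirm.com.au", "Name": "Copy to finance", "Enabled": True,
     "ForwardTo": ["finance@yourfirm.com.au"]},
]

if __name__ == "__main__":
    for mailbox, name, severity, reasons in audit_rules(SAMPLE_RULES):
        print(f"{severity.upper():6} {mailbox} rule {name!r}: {'; '.join(reasons)}")
```

Run this against a periodic export of every mailbox's rules rather than only after an incident; the rule that hides replies is usually created before the fraudulent instruction is sent, so a scheduled review is an early warning, not just forensics.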

Type 4: Executive Impersonation

The attacker impersonates a senior person, typically targeting finance staff with urgent payment requests. Often sent on a Friday afternoon or before a holiday. The urgency and authority combination overrides normal verification instincts.

The Red Flags

Train every staff member who handles payments, invoices, or financial data to recognise these:

Payment instructions that arrive by email only, with no prior verbal discussion
Requests to change bank account details, even from known contacts
Urgent payment requests outside normal business hours or process
Email addresses that are slightly different from what you expect on close inspection
Requests to keep the transaction confidential or not discuss with others
Unusual email formatting, signature changes, or slight differences in writing style
A familiar contact asking for something they have never asked for before
Payment requests that arrive just before a deadline, settlement, or close of business

A combination of these, particularly urgency plus a request to bypass normal process, should trigger a verification call to a known number before any action is taken.

Technical Controls

Implement these with your IT provider:

DMARC, DKIM, and SPF records are correctly configured and DMARC is set to quarantine or reject.
External email tagging is enabled in Microsoft 365.
Anti-impersonation policies are configured in Defender for Office 365 for all senior staff and finance personnel.
MFA is enforced on all email accounts.
Mailbox auditing and unified audit logging are enabled.
Inbox rules are monitored for unexpected configurations.
Automatic external forwarding is disabled at the tenant level.
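For the first item on this list, a practical check is to read the domain's published DMARC and SPF records and see whether they actually enforce anything. The script below is an added example and is not tooling from the guide: it parses the tag syntax of a DMARC TXT record and the mechanism list of an SPF record, and reports the settings that leave spoofing unblocked (p=none, a partial pct, an unprotected subdomain policy, a softfail or neutral SPF terminator, or too many DNS lookups). The record strings are constructed for an assumed domain yourfirm.com.au; in practice they come from TXT lookups of _dmarc.<domain> and <domain>. DKIM is not assessed because that requires the selector names your mail platform publishes.

```python
"""Assess DMARC and SPF TXT records for settings that leave spoofing unblocked.

Added example, not the guide's own tooling. The record strings below are
constructed; in practice they come from TXT lookups of _dmarc.<domain>
and <domain>. DKIM is not assessed here because it needs the selector
names your mail platform publishes.
"""

ENFORCING = {"quarantine", "reject"}

# Mechanisms that each cost a DNS lookup under SPF's limit of ten.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc_tags(record):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: spoofed mail is still delivered; "
                        "set p=quarantine or p=reject")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy}: mail from subdomains is not protected")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports")
    return findings


def assess_spf(record):
    """Return a list of findings; an empty list means the record hard-fails unknown senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all: any server on the internet may send as this domain")
    elif last == "?all":
        findings.append("?all: neutral result, gives receivers nothing to act on")
    elif last == "~all":
        findings.append("~all: softfail only; move to -all once DMARC reports show "
                        "all legitimate senders are listed")
    elif last != "-all":
        findings.append("record does not end with an all mechanism")
    lookups = 0
    for term in terms[1:]:
        # Strip qualifier, then cut at ':' '=' or '/' to get the bare mechanism name.
        mechanism = term.lower().lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0]
        if mechanism in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of 10, receivers return permerror")
    return findings


if __name__ == "__main__":
    # Constructed before/after records for an assumed domain yourfirm.com.au.
    records = [
        ("_dmarc.yourfirm.com.au (before)", assess_dmarc,
         "v=DMARC1; p=none; rua=mailto:dmarc@yourfirm.com.au"),
        ("_dmarc.yourfirm.com.au (after)", assess_dmarc,
         "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@yourfirm.com.au"),
        ("yourfirm.com.au SPF (before)", assess_spf,
         "v=spf1 include:spf.protection.outlook.com ~all"),
        ("yourfirm.com.au SPF (after)", assess_spf,
         "v=spf1 include:spf.protection.outlook.com -all"),
    ]
    for label, check, record in records:
        findings = check(record)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The before records are the common resting state of a domain that has "set up DMARC" but never moved past monitoring; p=none and ~all generate reports and block nothing. Move to quarantine or reject only after the aggregate reports confirm every legitimate sending service is covered, otherwise the firm's own invoices start bouncing.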

Process Controls

Implement these in your operations:

A written policy exists that no payment details are changed based solely on an email instruction, regardless of who it appears to come from.
Any request to change bank account details requires verbal verification to a known phone number already on file.
Payment run authorisation requires two people to approve transactions above a defined threshold.
New payees above a defined threshold require verification via a second channel before the first payment is processed.
Finance and admin staff are briefed specifically on BEC tactics, not just general phishing awareness.
There is a clear escalation path for staff who receive a suspicious payment request. They should feel empowered to pause and verify.

If You Receive a Suspicious Email Right Now

1. Do not click any links or open any attachments in the email.
2. Do not reply to the email.
3. Do not call any phone number provided in the email.
4. Contact the apparent sender using a phone number you already have on file.
5. If the email requests a payment or account change, pause any related transaction until verification is complete.
6. Forward the email to your IT or security provider for analysis.
7. If you have already made a payment and suspect fraud, contact your bank immediately. Then contact your security provider and legal counsel.

If a BEC Attack Has Succeeded

Speed is everything. The window for recovering transferred funds closes quickly.

Contact your bank immediately and use the word "fraud." Request an urgent recall.
If the recipient bank is known, contact it through your bank's fraud team.
Contact your cyber insurance provider and notify them.
Contact your legal counsel.
Engage your security provider to investigate the scope of any underlying account compromise.
Document everything: the email, the transaction, the timeline, and every action taken.
Do not notify the fraudulent recipient that you are aware. This can cause them to move funds faster.
Report to the ACSC via ReportCyber and to ACORN.

The Uncomfortable Reality

Most BEC losses are not recovered. Fund recovery is possible in some cases if the bank is contacted quickly, but it is not guaranteed and becomes less likely with every hour that passes.

The controls above are not complicated or expensive. The verification process costs a two-minute phone call. The technical controls are configurations, not new platforms. The businesses that suffer significant BEC losses almost always had the information they needed to prevent it.

The difference is whether anyone acted on it before the event rather than after.