Some of the most expensive cyber incidents involve no virus, no encryption and no dramatic breach — just a convincing email and a payment sent to the wrong account. Business email compromise is quiet, effective and aimed squarely at finance teams. Here is how it works and how to shut it down.
- BEC manipulates people into transferring money or changing payment details.
- It often relies on a compromised or spoofed email account rather than malware.
- Finance and accounts-payable staff are the primary targets.
- Process controls — verification, MFA and clean records — defend better than software alone.
What BEC actually is
Business email compromise (BEC) is a form of fraud where an attacker uses email to trick someone into transferring funds or revealing information. There is usually no malware — the weapon is a believable message, often from a compromised or spoofed account belonging to a supplier, executive or colleague.
The common playbooks
- Invoice redirection — a "supplier" emails new bank details for an upcoming payment.
- CEO fraud — an "executive" urgently requests a transfer, pressuring staff to bypass process.
- Payroll diversion — an "employee" asks to update their salary bank account.
- Account takeover — a genuinely compromised mailbox is used to hijack a real payment thread, often with inbox rules added to hide the victim's replies from the real account owner.
The amounts are often large and, once funds move, recovery is difficult.
Why finance teams are the target
BEC follows the money, so accounts-payable and finance staff are in the firing line. Attackers research their victims — supplier names, billing cycles, who approves what — frequently using information gleaned from a compromised mailbox or even from stolen accounting data. The more an attacker knows about your books, the more convincing the request.
How to defend against it
Technology helps, but process wins:
- Verify out of band — confirm any change to bank details by phone using a number already held in your supplier record, never one taken from the email or its signature block.
- Enforce MFA on all email accounts. It makes takeover far harder but does not make it impossible (phishing kits can relay one-time codes in real time), so prefer phishing-resistant methods such as FIDO2 security keys where you can.
- Build in friction — require dual approval for payments and detail changes above a threshold.
- Train the team to treat urgency and secrecy as red flags.
- Keep clean records so you can quickly confirm the legitimate history of a supplier and payment.
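A lightweight triage check that applies the spoofing and payment-change red flags above to incoming mail, added here as an illustration and not code from the original article. The company domain, executive list, supplier master record and the three messages are constructed sample data; the header checks, the lookalike-domain distance threshold and the keyword lists are assumptions, not a vetted rule set.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample data (assumed shapes, not from any real system).
OUR_DOMAIN = "example.com"
EXECUTIVES = {"Dana Reyes": "dana.reyes@example.com"}
SUPPLIERS = {
    "acme-ltd.com": {"name": "Acme Ltd", "iban": "GB29NWBK60161331926819",
                     "phone": "+44 20 7946 0000"},
}
# Assumed keyword lists: pressure language and payment-change requests.
URGENCY = re.compile(r"\b(urgent|immediately|today|confidential|do not (call|discuss))\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed?) (bank|account|iban|payment) (details?|information)\b", re.I)
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (acme-1td.com vs acme-ltd.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> dict:
    """Return the BEC red flags found in one RFC 5322 message and a routing decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    flags = []

    # 1. Display name of a known executive, but the address is not theirs (CEO fraud).
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        flags.append("executive display name from non-corporate address")
    # 2. Sender domain is a near-miss of our domain or of a known supplier's.
    for known in [OUR_DOMAIN, *SUPPLIERS]:
        if domain != known and edit_distance(domain, known) <= 2:
            flags.append(f"lookalike domain {domain} (resembles {known})")
    # 3. Replies would silently go somewhere other than the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From")
    # 4. Urgency and secrecy are the classic pressure levers.
    if URGENCY.search(body):
        flags.append("urgency/secrecy language")

    # 5. Any request to change payment details is held for the out-of-band call,
    #    even from a genuine supplier domain: a compromised mailbox passes checks 1-3.
    if BANK_CHANGE.search(body):
        supplier = SUPPLIERS.get(domain)
        new_iban = IBAN.search(body)
        if supplier is None:
            flags.append("bank-detail change from unknown supplier domain")
            action = "hold: no supplier record; verify through a known contact"
        else:
            if new_iban and new_iban.group(0) != supplier["iban"]:
                flags.append("requested IBAN differs from supplier master record")
            action = f"hold: verify by phone on {supplier['phone']} from the supplier record"
    elif flags:
        action = "flag: warn recipient before acting"
    else:
        action = "deliver"
    return {"from": addr, "flags": flags, "action": action}


# Constructed messages: a CEO-fraud attempt, an invoice-redirection attempt, and a clean note.
SAMPLE_CEO = b"""From: Dana Reyes <dana.reyes@examp1e.com>
Reply-To: d.reyes.exec@example.net
To: ap@example.com
Subject: Urgent wire
Content-Type: text/plain; charset=us-ascii

I need a transfer done today. Keep this confidential, do not call me, I'm in a meeting.
"""

SAMPLE_SUPPLIER = b"""From: Accounts <billing@acme-ltd.com>
To: ap@example.com
Subject: Invoice 4471
Content-Type: text/plain; charset=us-ascii

Please note our updated bank details for all future payments:
IBAN GB82WEST12345698765432
"""

SAMPLE_CLEAN = b"""From: Dana Reyes <dana.reyes@example.com>
To: ap@example.com
Subject: Q3 numbers
Content-Type: text/plain; charset=us-ascii

Can you send me the Q3 accounts-payable summary when you get a chance?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CEO, SAMPLE_SUPPLIER, SAMPLE_CLEAN):
        print(triage(sample))
```

The check is deliberately conservative: every bank-detail change request is held for the phone call the list above prescribes, whatever the headers say, because a takeover of a real supplier mailbox passes the display-name, lookalike-domain and Reply-To tests. Header heuristics catch the spoof; only the process catches the takeover.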
The role of trustworthy records
Reliable, tamper-evident accounting records make verification faster and fraud easier to spot — and if an attacker alters data in your systems, an independent backup lets you compare against a known-good copy. Combine that with strong account hygiene and BEC has far fewer openings.