Business email compromise (BEC) is one of the most financially damaging forms of cyber crime affecting Australian businesses. Unlike ransomware, it works quietly — using legitimate email access to redirect payments, harvest data, or impersonate executives — often before anyone realises something is wrong.
How BEC Works
BEC begins with account compromise through phishing, credential stuffing, or purchasing credentials from criminal markets. Once inside, the attacker observes: reading email threads, understanding payment processes, identifying key relationships. When the opportunity is right, they act — a payment instruction that looks identical to legitimate correspondence, a supplier bank account change, an executive instruction to process an urgent transfer.
Why Australia Is Targeted
English is the primary business language, reducing the friction of crafting convincing correspondence. Australian payment systems clear funds quickly. And many Australian M365 environments lack MFA, have legacy authentication enabled, and have no Conditional Access — making credential compromise straightforward.
Controls That Work
MFA on All Accounts
An attacker with valid credentials but no second factor cannot sign in to an MFA-protected account. No exceptions — including shared mailboxes and service accounts. Legacy authentication protocols that cannot complete an MFA challenge must be disabled at the same time, otherwise they remain a path around it.
Payment Verification Procedures
A simple procedure — verify any change to bank account details by calling a known contact on a known number before processing — prevents the majority of invoice fraud attempts. The call does not need to be complex. It just needs to happen.
Configure SPF, DKIM, and DMARC
Email authentication records make it harder for attackers to send emails appearing to come from your domain. Many Australian business domains have incomplete or missing records.
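As an added example (not code from the original article), the following Python check parses a domain's SPF and DMARC TXT records and flags the settings that leave it spoofable: a missing record, a permissive or neutral SPF `all`, a DMARC policy of `none`, a partial `pct`, or no reporting address. The sample records are constructed; the M365 include hostname is used only as a representative value.

```python
import re

def parse_spf(txt):
    """Parse an SPF TXT record. Returns the qualifier of the 'all' mechanism
    ('+', '-', '~', '?' or None if absent) plus the other mechanisms, or None
    if the text is not an SPF record."""
    if not txt.lower().startswith("v=spf1"):
        return None
    all_qual, mechanisms = None, []
    for term in txt.split()[1:]:
        qual = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            all_qual = qual
        else:
            mechanisms.append((qual, term))
    return {"all": all_qual, "mechanisms": mechanisms}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dictionary, or None if not DMARC."""
    if not re.match(r"\s*v\s*=\s*dmarc1", txt, re.IGNORECASE):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(spf_txt, dmarc_txt):
    """Return a list of weakness findings; an empty list means the records enforce."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no record published")
    elif spf["all"] is None:
        findings.append("SPF: no 'all' mechanism, unmatched senders get a neutral result")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' permits any sender")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral and provides no protection")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no record published")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy 'p={policy or 'missing'}' does not enforce")
        if "rua" not in dmarc:
            findings.append("DMARC: no aggregate reporting address (rua)")
        pct = dmarc.get("pct", "100")      # DMARC default is 100 percent
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of mail")
    return findings
```

Run it against the live TXT records of your own domain (for example from `dig TXT example.com.au` and `dig TXT _dmarc.example.com.au`) to get the same findings a phishing attacker would look for.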