does not require sophisticated or a exploit. It requires a convincing email, a payment instruction, and an employee who acts on it. In financial services, where large transactions are routine and client relationships are built on trust, those conditions exist every day.
The 's annual cyber threat reports have consistently ranked BEC among the highest-loss threats to Australian businesses. Financial services accounts for a disproportionate share of reported losses. The transactions are larger, the instructions are more plausible, and the windows to reverse a transfer are narrow.
How BEC works
BEC takes several forms, but the mechanics are consistent. An attacker gains access to, or impersonates, a trusted email account and uses it to authorise a fraudulent payment or change.
CEO and executive fraud
An attacker spoofs or compromises the email account of a senior executive and sends a payment instruction to accounts payable or a broker assistant. The instruction is urgent, often confidential, and appears to come from someone with authority to approve the transfer. Staff act without running normal verification steps because the request appears to come from above.
Payment instruction fraud
A client's email is compromised, or an attacker intercepts or spoofs a client instruction, and sends a request to redirect an upcoming payment to a new account. In a financial advice context, this could be a request to change the bank account for a managed account withdrawal or a super rollover. By the time the legitimate client realises something is wrong, the funds are gone.
Invoice and supplier fraud
An attacker impersonates a supplier or service provider and sends an updated invoice with new payment details. For financial services firms processing subscription fees, platform costs, or compliance service invoices, this is a recurring exposure. The attacker does not need access to the firm's network. They only need to know who the firm pays.
Account takeover
BEC increasingly begins with account compromise rather than impersonation. An attacker uses , credential stuffing or malware to gain access to a legitimate or Gmail account. Once inside, they can monitor correspondence, intercept payment discussions, and send instructions from the real account with full access to the email history for context. Detection is harder because the sending address is genuine.
Why financial services is a primary target
Advisers and brokers handle high-value transaction instructions as a matter of course. A request to transfer $250,000 from a managed account is not unusual. That normalcy is exactly what attackers exploit.
Client relationships in financial services are often long-standing and personal. An email that references an upcoming meeting, a portfolio discussion or a recent market event reads as credible. Attackers who have compromised an email account, or who have spent time researching a firm through LinkedIn and its website, can craft requests that are difficult to distinguish from the real thing.
Dealer group and licensee structures add another layer of exposure. Authorised representatives often use personal or small practice email domains with weaker technical controls than the head licensee. A compromised AR email account can be used to send fraudulent instructions that appear to come from within the network.
The technical controls that matter
Multi-factor authentication on email
Account takeover BEC starts with . on Microsoft 365 and Google Workspace is the single highest-impact control for preventing it. If an attacker obtains a password through phishing or credential stuffing, MFA blocks them from using it. ASIC named MFA absence as a key failing in the FIIG Securities case. For BEC prevention, MFA on email is not optional.
Email authentication: DMARC, DKIM and SPF
, where an attacker sends email that appears to come from your domain or a client's domain, is stopped by correctly configured , and records. These three protocols together allow receiving mail servers to verify that an email claiming to come from your domain was actually sent by an authorised server. Without them, impersonation using your firm's domain is straightforward.
Many Australian financial services firms have SPF configured but DMARC either absent or set to monitoring mode only. A DMARC policy of p=reject, enforced across the domain, prevents spoofed emails from reaching recipients.
Macro configuration
Malicious Excel and Word macros are a common delivery mechanism for the credential-stealing malware that feeds into BEC. An attacker sends a spreadsheet or document with a macro payload. An employee opens it, enables macros, and the malware runs. Configuring Microsoft Office to block macros from internet-sourced files, and managing business-approved macro exceptions carefully, removes a primary attack path. This is control three.
Endpoint detection and response
When credential-stealing malware does reach an endpoint, (EDR) tools identify and contain it before credentials are exfiltrated. Continuous monitoring gives visibility into unusual mail access patterns, such as mass email forwarding rules being created in a compromised account, which is a reliable indicator of ongoing BEC activity.
Process controls are as important as technical ones
Most BEC attacks succeed not because the technical controls failed, but because the process controls were never in place.
Dual authorisation for payments above a threshold is the most effective single process control. Any transfer instruction above a set amount, or any change to bank account details, requires a second authorisation through a channel separate from email. A phone call to a known number. An in-person confirmation. Not a reply to the same email thread.
Payment instruction changes deserve particular attention. A request to change the bank account details for a client, supplier or creditor should trigger a verification call to a number already on file, not a number provided in the change request. This step stops payment instruction fraud almost entirely.
Staff awareness training was one of the seven controls ASIC named as absent in the FIIG Securities case. BEC is primarily a attack. Staff who understand what the attack looks like, and who know to pause and verify rather than act on urgency, are a genuine control layer.
Regulatory exposure
AFSL obligations under s912A of the Corporations Act require adequate technological and human resources and adequate risk management systems. BEC losses that result from absent controls are not just a financial problem. They are a potential licence compliance issue. ASIC's enforcement pattern, covered in detail in our ASIC cyber obligations article, shows that the same section 912A provisions used in FIIG apply to BEC-related control failures.
Where a BEC attack results in client funds being misdirected, the Privacy Act's may also apply if client account information was accessed. The NDB obligation requires notification to the and affected clients where a breach is likely to result in serious harm.
For APRA-regulated entities, a material BEC incident may trigger the 72-hour CPS 234 notification obligation. The Notifiable Data Breaches assessment and the APRA notification can run in parallel. Having a tested , with named contacts and documented decision trees, is the difference between a controlled response and a scramble.
Frequently asked questions
What is the most common form of BEC targeting financial services firms?
Payment instruction fraud is the highest-loss variant. An attacker compromises or spoofs a client email account and sends a request to redirect an upcoming payment. The instruction arrives in a familiar channel, references real account details, and the window to reverse a processed transfer is usually less than 24 hours. Account takeover BEC, where an attacker gains access to a real email account and monitors correspondence before intervening in a payment discussion, is increasing in frequency.
Does MFA on email prevent BEC?
MFA prevents account takeover BEC by blocking an attacker from using stolen credentials to access a real email account. It does not prevent domain spoofing, where the attacker sends email that appears to come from your domain without accessing an actual account. Stopping domain spoofing requires correctly configured DMARC, DKIM and SPF. Both controls are needed.
Are authorised representatives covered by the licensee's BEC controls?
The AFSL holder's licence obligations extend to supervision of authorised representatives. ASIC's case against Fortnum Private Wealth alleges failure to mandate minimum cyber standards across the AR network. Whether that includes BEC-specific controls like MFA on email and DMARC configuration on practice domains is precisely the kind of oversight question dealer groups need to have a documented answer for.
What should a financial services firm do immediately after discovering a suspected BEC incident?
Isolate the compromised account. Reset credentials and revoke active sessions. Check for mail forwarding rules and inbox rules created without authorisation. Contact the relevant bank immediately to attempt a recall of any fraudulent transfer. Begin documenting the incident for potential NDB notification and, if APRA-regulated, assess materiality against the 72-hour notification obligation. Engage your incident response provider if you have one.
How does the Essential Eight address BEC?
Three Essential Eight controls directly reduce BEC risk: MFA (control 7), macro configuration (control 3), and application patching to remove vulnerabilities that deliver credential-stealing malware (control 2). The Essential Eight financial services guide covers the maturity levels relevant to your firm size.
IronSights works with Australian financial services firms on the technical controls and staff awareness programmes that address BEC. A penetration test that includes gives a direct read on your firm's exposure. The Fortify managed service covers MFA deployment, endpoint detection and continuous monitoring across your environment.



