You’re processing payments at work when you receive an email from a familiar supplier asking to update their bank account details. The message looks legitimate - it even includes a recent invoice. You make the change and send the payment.
But later, the supplier contacts you, chasing up a missed payment. That’s when you realise the email was fake, and you’ve just paid a scammer.
This is a nightmare-turned-reality for many businesses. In 2024, Australians self-reported nearly $84 million in losses from business email compromise (BEC) scams to ReportCyber, with each confirmed incident costing the business an average of over $55,000.
While business email compromise scams often target businesses, everyday Australians are also at risk. With email being a part of daily life, it's crucial to recognise the red flags of email compromise scams.
Read on to learn how to spot email compromise scams, explore real-world examples, and discover ways to help you protect yourself and your business.
What are business email compromise scams?
A business email compromise scam is a type of cybercrime where criminals use a hacked or spoofed email account to trick you into sending money to a fraudulent bank account. They typically impersonate trusted or familiar business contacts to achieve this. Those impersonated may include:
- Company executives
- Colleagues
- Accountants
- Lawyers
- Suppliers
These scams target businesses of all sizes and typically rely on trust and urgency to succeed.
How do business email compromise scams work?
1. Research the targets: Cybercriminals use social media, job sites, and company websites to identify potential targets and connections.
2. Compromise or spoof email accounts: They may hack email accounts or create spoofed emails that look like they’re from trusted people inside or connected to the business.
3. Send fake emails: Using the compromised or spoofed email, they send messages to a target recipient - often requesting urgent payments or sensitive information.
4. Collect the payoff: The aim is for the recipient to send money, share confidential information, or click a malicious link before anyone checks the request with the real sender.
How can my email account become compromised?
- Phishing emails: Scammers could send you a fake email to trick you into clicking harmful links or entering your login details. Once they get your information, they can access your account.
- Weak passwords: Using simple or repeated passwords across multiple accounts makes it easier for hackers to break in.
- Malware: Clicking on infected attachments or links can install malware on your device that can capture personal and financial information.
- Session hijacking: Cybercriminals can quietly take over your logged-in sessions and access your accounts without ever learning your password, typically by stealing a session cookie or token over unsecured Wi-Fi, through malware, or via a malicious link.
Your actions matter. Clicking a suspicious link or attachment, or reusing a weak password, can open the door to cybercriminals. To keep your email safe, it's important to follow good online habits.
4 common examples of email compromise scams
These scams can play out in several ways, but the below are some common scenarios you might encounter:
1. Executive impersonation
You receive an urgent email from someone pretending to be a company executive or senior leader, like the CEO, asking you to transfer funds, purchase gift cards or approve a payment immediately. These scams rely on authority and urgency to pressure victims.
2. Invoice Fraud
Cybercriminals hack into a third-party’s (e.g. a builder or contractor) email account, intercept a legitimate invoice, and change the bank details. The fake invoice is then sent to the customer, who unknowingly transfers money directly to a fraudulent account. The cybercriminal might also send fake invoices from a spoofed email pretending to be the third-party to achieve the same goal.
3. Change of payment details
You receive an unexpected email from a regular supplier, third-party contact or an employee asking you to update their bank account details. If you follow through without verifying the change, future payments may go straight to the cybercriminal.
video
4. Home deposit redirect
While most of these scams operate within the business realm, they can affect everyday Australians too. For example, you’ve just purchased a house and it’s time to transfer your deposit to the real estate firm. You’re about to head to the bank, when you receive an email from the realtor who provides the ‘correct’ banking details. You make the payment, but your deposit goes straight into the hands of a cybercriminal.
How to spot an email compromise scam
- Unexpected contact or requests: Be wary if you don’t usually have email contact with your company’s CEO but they reach out with a personal request, or if a supplier suddenly emails you with an urgent update to their banking details.
- Modified payment details on an invoice: Be suspicious if you receive an invoice with different payment details to previous invoices from that client or supplier.
- Dodgy domains: A cybercriminal will often register an email domain that closely resembles the true sender’s, with one or two small changes they hope you won’t notice: a lookalike character (the pair ‘rn’ in place of ‘m’, a zero in place of the letter ‘o’), an added digit, a dropped letter, or a different ending such as .co instead of .com.au. Also check that the Reply-To address, where shown, matches the sender.
- Poorly written text or inconsistent message formats: Check for grammatical or spelling errors you wouldn’t expect to see in an email from a company executive. Also look out for anything in the tone that doesn’t match the way the sender usually writes.
- A missing or faked email signature: Scammers often won’t have your company’s email signature. And if they do, check it for any inconsistencies against your own work email signature.
Ways to protect yourself and your business from business email compromise
Business email compromise is a constant threat to Australian businesses, with cybercriminals targeting companies of all sizes and individuals alike.
As business email compromise becomes more sophisticated, it's important to arm yourself with as many precautions as possible. Here are some tips that might help:
- Verify requests. Always verify whether payment requests or changes to payment details are genuine. Call the sender using trusted contact details, rather than the contact details contained within the message.
- Keep security software updated. Ensure all your devices, including company devices, have up-to-date antivirus and anti-malware protection.
- Implement payment verification protocols. Ensure you have protocols in place requiring verification before payments are sent out, for example a second approver for any new payee and a mandatory call-back on a known phone number before bank details on file are changed.
- Use Multi-Factor Authentication (MFA). Enable MFA on all business accounts to add an extra layer of protection.
- Check for red flags. For example, out of character emails from known contacts, invoices with new banking details, slight changes in email addresses (e.g. added numbers or misspelt names).
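As an added example (not code from ANZ or from the original article), the following Python script applies the red flags listed under “How to spot an email compromise scam” and the verification tips above to raw email messages: it compares the sender’s domain against a list of trusted suppliers (catching lookalikes such as a ‘1’ for an ‘l’ or ‘rn’ for ‘m’), notices a Reply-To that diverts replies elsewhere, looks for urgency language, and checks any BSB or account number in the body against the details already on file for that supplier. The vendor register, domains, bank numbers and both sample messages are constructed for the example and are not real.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor register for this example: the sender domains your business trusts
# and the bank details already on file for each. All names, domains and numbers are made up.
VENDOR_REGISTER = {
    "northbuild.com.au": {"bsb": "012345", "account": "12345678"},
    "acmestationery.com": {"bsb": "062000", "account": "98765432"},
}

# Character swaps that make a lookalike domain read like the real one at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|today|before close of business)\b", re.I)
BSB_RE = re.compile(r"\bBSB\s*:?\s*(\d{3})\s*-?\s*(\d{3})\b", re.I)
ACCT_RE = re.compile(r"\bAccount(?:\s+(?:No\.?|number))?\s*:?\s*(\d{6,10})\b", re.I)


def skeleton(domain):
    """Collapse confusable characters so a lookalike compares equal to the real domain."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return re.sub(r"\d", "", d)  # drop added digits: northbuild1.com.au -> northbuild.com.au


def lookalike_of(domain, trusted):
    """Return the trusted domain this sender imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for real in trusted:
        if skeleton(domain) == skeleton(real):
            return real
        if SequenceMatcher(None, domain, real).ratio() >= 0.85:  # one or two characters changed
            return real
    return None


def assess(raw_email):
    """Apply the red-flag checks to one raw email and return the list of flags raised."""
    msg = message_from_string(raw_email)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]

    vendor = sender_domain if sender_domain in VENDOR_REGISTER else None
    imitated = lookalike_of(sender_domain, VENDOR_REGISTER)
    if imitated:
        flags.append(f"lookalike-domain: {sender_domain} resembles trusted {imitated}")
        vendor = imitated  # compare bank details against the real supplier's record
    elif vendor is None:
        flags.append(f"unknown-sender: {sender_domain} is not a registered supplier")

    # A Reply-To pointing elsewhere is a common sign the visible sender is spoofed.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append(f"reply-to-mismatch: replies go to {reply_to}")

    body = msg.get_payload()
    if URGENCY.search(body):
        flags.append("urgency-language")

    # Any BSB or account number in the message must match what is on file for that supplier.
    bsb, acct = BSB_RE.search(body), ACCT_RE.search(body)
    if vendor and (bsb or acct):
        on_file = VENDOR_REGISTER[vendor]
        if bsb and bsb.group(1) + bsb.group(2) != on_file["bsb"]:
            flags.append(f"bank-details-changed: BSB differs from record for {vendor}")
        if acct and acct.group(1) != on_file["account"]:
            flags.append(f"bank-details-changed: account differs from record for {vendor}")
    return flags


# Constructed sample messages (hypothetical addresses, invoice numbers and bank details).
SUSPECT = """\
From: Accounts <accounts@northbui1d.com.au>
Reply-To: accounts.northbuild@example-mail.net
Subject: Updated bank details for invoice 4471

Hi, please note our bank account has changed. Pay this invoice today to:
BSB: 083-004  Account No: 55667788
"""

GENUINE = """\
From: Accounts <accounts@northbuild.com.au>
Subject: Invoice 4470

Please find attached invoice 4470. Payment to BSB: 012-345, Account number 12345678 as usual.
"""

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("genuine", GENUINE)):
        print(name, assess(sample) or ["no flags"])
```

A check like this supports, but does not replace, the call-back step: a message that raises “bank-details-changed” should hold the payment until the supplier confirms the new details on a phone number taken from your own records, not from the email.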
What can you do if you’ve been scammed?
If you’ve been targeted by one of these scams, then we’re here to take you through some immediate actions to protect yourself or your business from further financial harm.
- Notify your manager and/or the appropriate channels at your workplace as soon as possible
- If you have shared financial information or believe you have transferred money to a scammer, notify your bank immediately. If you are an ANZ customer, please contact us immediately.
- If you shared credit card details, block or cancel those cards immediately. If your cards are with ANZ, you can do this through the ANZ app.
Who can you contact if you’ve been scammed?
- Report the scam to the Police through the Australian Signals Directorate’s ReportCyber portal. ReportCyber is for reports of scams where money or personal information has been lost.
- Help others by reporting to Scamwatch to help them prevent future losses, monitor trends and educate the population about emerging threats.
- You can also contact IDCare, a not-for-profit organisation providing support to those experiencing identity and cyber security concerns.