Sapna is a content writer at Sprintlaw. She has completed a Bachelor of Laws with a Bachelor of Arts. Since graduating, she has worked primarily in the field of legal research and writing, and now helps Sprintlaw assist small businesses.
Business Email Compromise (BEC) is one of the fastest-growing cyber threats facing Australian businesses. It’s simple, it’s targeted, and it can be incredibly costly.
In a typical BEC scam, a criminal impersonates a trusted person or supplier and tricks you or your team into paying a fake invoice, changing bank details, or sending sensitive information. Because the message looks legitimate and often arrives via a real email account, many businesses only realise what’s happened after the money or data is gone.
The good news? With the right mix of practical controls and clear legal processes, you can significantly reduce the risk, and respond quickly if something goes wrong.
Below, we break down what BEC is, how it works, the legal obligations you should know in Australia, prevention tips, and the immediate steps to take if you suspect an incident.
What Is Business Email Compromise (BEC)?
Business Email Compromise is a targeted attack where cybercriminals use email to deceive a business into transferring money or sharing confidential information. Instead of relying on malware alone, BEC focuses on social engineering: exploiting trust and familiarity in your everyday communications.
Attackers might spoof a supplier’s domain, compromise a real mailbox, or register a lookalike address. They then send convincing messages that appear to be from a CEO, finance manager, or vendor, typically asking for an urgent payment or a change to bank account details.
What makes BEC so effective is that it blends into normal business processes. It often doesn’t trigger antivirus alerts, and the email thread can look completely legitimate.
How Do BEC Attacks Work In Practice?
Not all BEC incidents look the same. Here are common patterns we see in Australia:
Invoice Fraud (Vendor Email Compromise)
Criminals compromise or impersonate a supplier’s email and send an updated invoice with new bank details. The real supplier’s email signature, formatting and tone are copied to avoid suspicion. If your team pays without verifying, the funds go straight to the attacker’s account.
CEO or Executive Impersonation
Also called “whaling,” this is where attackers pose as your CEO or a senior manager and request an urgent transfer, often while the real executive is travelling or unavailable. The email might ask finance to “keep this confidential,” which prevents normal checks and approvals.
Account Takeover
If an attacker gains access to a real mailbox (e.g. via a password reused on another service), they can monitor conversations for weeks. They wait for the right moment, such as a pending payment, then change details or redirect the conversation to a fake address, so you don’t notice the switch.
Payroll Diversion
Attackers impersonate an employee and ask payroll to update bank details. The next salary payment is diverted, and the employee only discovers it after payday.
Vendor Onboarding Or Change Requests
During procurement or vendor onboarding, attackers submit realistic forms or bank change notices. Without a robust verification process, your system updates critical records based on a forged request.
Why BEC Matters For Australian Businesses
Aside from immediate financial loss, BEC incidents can trigger serious legal and reputational risks in Australia.
If personal information is accessed or disclosed (for example, customer contact details or ID documents), your business may have obligations under the Privacy Act 1988 (Cth), including the Notifiable Data Breaches (NDB) scheme. This can involve assessing the incident and, if eligible, notifying affected individuals and the Office of the Australian Information Commissioner (OAIC).
BEC can also lead to contract disputes with customers or suppliers if payments go astray or delivery is delayed. In some cases, public trust takes a hit (particularly if communications or invoices were sent from your domain or a compromised mailbox).
On the positive side, proactive steps, such as strong payment verification, secure email configuration, and clear incident procedures, significantly reduce both the likelihood and the impact of BEC.
What Are My Legal Obligations If I’m Hit By BEC In Australia?
Every incident is different, but there are some common legal issues to consider if your business experiences BEC.
Privacy And Data Breach Obligations
If personal information is involved, you must promptly assess whether the incident is likely to result in serious harm to individuals. If it meets the NDB scheme’s threshold, you will need to make a data breach notification to the OAIC and notify affected individuals as soon as practicable.
Having a current, clear Privacy Policy helps you communicate how personal data is handled and sets expectations around security and incident response.
It’s also best practice to maintain and regularly test a Data Breach Response Plan, so your team knows who does what in the first 24-72 hours.
Contractual Duties And Payment Disputes
Check your contracts with customers and suppliers. They may set expectations around notices, invoice handling, authentication requirements and liability in the event of fraud. If funds were misdirected, move quickly to engage the banks’ fraud teams and document all efforts to recover payment.
Communications And Customer Trust
Clear, timely communication limits reputational damage. Consider whether your standard email footer is still fit for purpose: an email disclaimer can support your messaging about verification and bank details, but it’s not a substitute for robust controls.
Record-Keeping And Regulatory Engagement
Keep detailed records of your investigation, decisions, notifications and remediation. If the incident escalates (e.g. media interest, regulatory enquiries, or complaints), thorough documentation will be invaluable.
Practical Steps To Prevent Business Email Compromise
No control is perfect, but layering people, process and technology measures will dramatically reduce risk. Here’s a practical, business-friendly checklist to get started.
Strengthen Your Email And Account Security
- Turn on multi-factor authentication (MFA) for email, finance systems and admin accounts.
- Implement SPF, DKIM and DMARC to make domain spoofing harder and flag suspicious messages.
- Use strong, unique passwords via a reputable password manager; block legacy authentication methods.
- Limit forwarding rules and alert on suspicious inbox rules that auto-delete or divert messages.
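The SPF and DMARC records mentioned above are plain DNS TXT strings, and a common failure is publishing them with settings that do nothing (an SPF record ending in +all, or a DMARC policy of p=none). The following is an added example, not code from Sprintlaw or the article, that parses both record formats and reports the weak settings a defender should look for. The record strings, the mailer include and the domain names are constructed; you would normally fetch the live values with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`. DKIM is not checked because it needs the selector name your mail provider uses.

```python
"""Added example, not from the Sprintlaw article: check SPF and DMARC TXT
records for settings that leave domain spoofing easy.

The record strings and domain names below are constructed; in practice you
would fetch the live values with `dig TXT yourdomain` and
`dig TXT _dmarc.yourdomain`. DKIM is not checked here because it needs the
selector name used by your mail provider."""

import re


def parse_spf(record: str) -> dict:
    """Split a v=spf1 record into its mechanisms and the qualifier on 'all'."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for tok in tokens[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", tok, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"   # a bare 'all' means +all
        else:
            mechanisms.append(tok)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Split a v=DMARC1 record into a tag -> value mapping."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def spf_findings(record: str) -> list:
    """Weak points in an SPF record; an empty list means nothing to report."""
    qualifier = parse_spf(record)["all"]
    if qualifier is None:
        return ["SPF has no 'all' term: unlisted senders get a neutral result"]
    if qualifier == "+":
        return ["SPF ends with +all: any server may send as this domain"]
    if qualifier == "?":
        return ["SPF ends with ?all: neutral result, no protection"]
    if qualifier == "~":
        return ["SPF ends with ~all (softfail); -all is the stricter choice"]
    return []


def dmarc_findings(record: str) -> list:
    """Weak points in a DMARC record; an empty list means nothing to report."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC record has no p= tag, so it is invalid")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(f"DMARC pct={pct}: policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> list:
    """All findings for one domain's SPF and DMARC records."""
    return spf_findings(spf_record) + dmarc_findings(dmarc_record)


# Constructed sample records: a weak configuration beside a hardened one
WEAK_SPF = "v=spf1 include:_spf.mailer.example +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc) or ["no findings"])
```

Run it and the weak pair produces three findings (+all, p=none, no reporting address) while the hardened pair produces none. Moving from p=none to p=reject should be done gradually, reading the aggregate reports sent to the rua= address first, so that legitimate senders you forgot to list in SPF are not rejected.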
Lock Down Payment And Change-Of-Details Processes
- Adopt “trust but verify” for new or changed bank details: verify via a known phone number (not the one in the email) before updating records or paying.
- Require a second approver for high-value or unusual payments; set daily payment limits.
- Use secure portals for invoices and statements instead of email where possible.
Train Your Team To Spot Red Flags
- Run short, regular awareness sessions on BEC tell-tales: urgency, secrecy, bank detail changes, typos in domains, and unusual tone or timing.
- Encourage a “pause and check” culture, where no one is penalised for verifying a request.
Implement Clear Policies And Playbooks
- Document security expectations in an Acceptable Use Policy and an Information Security Policy.
- Establish and test an incident playbook within your Data Breach Response Plan.
- Set rules for finance verification, vendor onboarding and bank detail changes, and make these procedures mandatory.
Tighten Third-Party And Supplier Controls
- Ensure vendors that receive or process your data sign a Data Processing Agreement with clear security and incident notification obligations.
- Use a Non-Disclosure Agreement when sharing sensitive information with contractors or new partners.
- Periodically validate supplier domains and contacts; beware lookalike web addresses.
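Validating supplier contacts against lookalike addresses is easy to automate at the point where an invoice or change request arrives. The following is an added example, not code from Sprintlaw or the article, that classifies the domain of a sender address as a known supplier, a lookalike (a swapped character such as 0 for o or rn for m, a one- or two-character typo, a different top-level domain, or the supplier name embedded in a longer domain) or simply unknown. The supplier list and the sample addresses are constructed; the confusable table is a small hand-picked set rather than a full Unicode confusables list, and the top-level domain is stripped naively without a public-suffix list.

```python
"""Added example, not from the Sprintlaw article: flag sender domains that
look like, but are not, a known supplier's domain.

KNOWN_SUPPLIERS and the sample addresses are constructed for illustration."""

KNOWN_SUPPLIERS = {"acme-supplies.test", "northwind.test"}

# Small hand-picked set of substitutions used to build visually similar names
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalise(label: str) -> str:
    """Collapse look-alike substitutions so 'acrne-supp1ies' reads as 'acme-supplies'."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos in a name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Drop the last label: 'acme-supplies.test' -> 'acme-supplies'.
    Simplified on purpose; a real check would use a public-suffix list."""
    return domain.rsplit(".", 1)[0]


def classify_sender(address: str, known=KNOWN_SUPPLIERS) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the domain of an email address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in known:
        return "known"
    core = normalise(registrable_part(domain))
    for good in known:
        good_core = normalise(registrable_part(good))
        if core == good_core:
            return "lookalike"   # same name after confusable collapse, or a different TLD
        if edit_distance(core, good_core) <= 2:
            return "lookalike"   # one or two character typo
        if good_core in core:
            return "lookalike"   # supplier name embedded, e.g. acme-supplies-billing.test
    return "unknown"


# Constructed sample senders
SAMPLE_SENDERS = [
    "accounts@acme-supplies.test",        # genuine
    "accounts@acrne-supplies.test",       # rn for m
    "accounts@acme-suppl1es.test",        # 1 for l
    "accounts@acme-supplies.co",          # different TLD
    "billing@acme-supplies-billing.test", # name embedded in a longer domain
    "hello@unrelated.test",               # not a supplier at all
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:40} {classify_sender(sender)}")
```

Anything classified as lookalike should route to the same out-of-band verification the article recommends for bank detail changes: a call to the number on file for the supplier, not one taken from the email.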
Harden Your Communication Practices
- Warn clients proactively that your bank details won’t change via email, and to call a known number if in doubt.
- Keep email signatures and templates consistent to make spoofed emails easier to spot.
- Consider adding a short security note or email disclaimer reminding recipients to verify payment changes.
What Should I Do If I Suspect A BEC Incident?
Speed matters. A clear, calm response in the first hours can minimise losses and legal exposure.
- Stop The Bleeding: If a payment was sent in error, immediately contact your bank’s fraud team to trigger a recall or “freeze” process. Provide the transaction ID, time, beneficiary account and your suspicion of fraud.
- Secure Accounts: Reset passwords and revoke sessions for affected accounts. Enforce MFA across impacted users immediately.
- Preserve Evidence: Don’t delete suspicious emails or logs. Preserve headers, forwarding rules, mailbox logs and server logs for investigation.
- Verify The Scope: Check whether any personal information or confidential data was accessed or exfiltrated. Look for unauthorised inbox rules, unusual logins, or data downloads.
- Activate Your Plan: Follow your Data Breach Response Plan. Assign roles (technical, legal, comms, finance) and keep a dated incident log of decisions and actions.
- Assess Privacy Obligations: If personal information is involved, undertake a risk assessment to determine if the NDB scheme applies and, if required, prepare a data breach notification.
- Communicate Safely: Use an out-of-band channel (e.g. phone, Teams/Slack) to brief internal stakeholders. For customers or suppliers who may be affected, draft clear, factual messages with next steps and support contacts.
- Report The Crime: Consider reporting to your local police and cyber reporting portals. Banks may also need a crime reference to progress recovery.
- Engage Insurers And Advisors: Notify your cyber insurer promptly if you have cover. Contact your legal and IT security advisors for guidance and evidence handling.
- Conduct A Post-Incident Review: Identify root causes, patch gaps, and update controls, training and procedures so you’re stronger next time.
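Two of the checks above, alerting on suspicious inbox rules (from the email security checklist) and looking for unauthorised rules and unusual logins when verifying scope, can be run over mailbox audit logs rather than by hand. The following is an added example, not code from Sprintlaw or the article, that scores newly created inbox rules for the traits seen in account takeover (forwarding outside the organisation, deleting or hiding mail, targeting finance keywords, blank names) and flags sign-ins from a country the user has not signed in from before. The event format, the organisation domain and the log lines are all constructed for illustration and do not follow any particular mail platform's schema.

```python
"""Added example, not from the Sprintlaw article: simple detections over
mailbox audit events for two signs of account takeover, suspicious inbox
rules and unusual sign-ins.

The JSON event format, ORG_DOMAIN and SAMPLE_LOG are constructed for this
example and are not a real mail platform's audit schema."""

import json

ORG_DOMAIN = "example.test"   # assumed: the organisation's own mail domain
SUSPICIOUS_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}
FINANCE_KEYWORDS = {"invoice", "payment", "remittance", "bank", "wire"}

# Constructed sample audit log, one JSON object per line
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:05:00Z", "user": "finance@example.test", "event": "signin", "country": "AU", "ip": "203.0.113.10"}
{"ts": "2024-03-04T09:12:00Z", "user": "finance@example.test", "event": "rule_created", "name": "Sort newsletters", "conditions": {"from_contains": "news"}, "actions": {"move_to": "Newsletters"}}
{"ts": "2024-03-05T02:41:00Z", "user": "finance@example.test", "event": "signin", "country": "US", "ip": "198.51.100.7"}
{"ts": "2024-03-05T02:44:00Z", "user": "finance@example.test", "event": "rule_created", "name": ".", "conditions": {"subject_contains": "invoice"}, "actions": {"forward_to": "finance.example@webmail.test", "move_to": "RSS Feeds"}}
{"ts": "2024-03-05T02:45:00Z", "user": "finance@example.test", "event": "rule_created", "name": "..", "conditions": {"from_contains": "bank"}, "actions": {"delete": true}}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_findings(event: dict) -> list:
    """Reasons an inbox rule looks like attacker persistence; empty if it looks benign."""
    reasons = []
    actions = event.get("actions", {})
    conditions = event.get("conditions", {})
    target = actions.get("forward_to") or actions.get("redirect_to")
    if target and not target.lower().endswith("@" + ORG_DOMAIN):
        reasons.append(f"forwards mail to external address {target}")
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    if actions.get("move_to", "").lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"hides mail in {actions['move_to']}")
    terms = " ".join(str(v) for v in conditions.values()).lower()
    if any(keyword in terms for keyword in FINANCE_KEYWORDS):
        reasons.append("targets finance-related mail")
    if not event.get("name", "").strip(". "):
        reasons.append("rule name is blank or only punctuation")
    return reasons


def signin_findings(events: list) -> list:
    """Flag sign-ins from a country not previously seen for that user.
    The first sign-in seeds the baseline; in production you would seed it
    from historical logs instead."""
    findings = []
    seen = {}   # user -> countries seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "signin":
            continue
        countries = seen.setdefault(ev["user"], set())
        if countries and ev["country"] not in countries:
            findings.append((ev["ts"], ev["user"],
                             f"sign-in from new country {ev['country']} ({ev['ip']})"))
        countries.add(ev["country"])
    return findings


def run_detections(log_text: str) -> list:
    """Return (timestamp, user, message) alerts for the whole log, oldest first."""
    events = parse_log(log_text)
    alerts = []
    for ev in events:
        if ev["event"] == "rule_created":
            reasons = rule_findings(ev)
            if reasons:
                alerts.append((ev["ts"], ev["user"],
                               "suspicious inbox rule: " + "; ".join(reasons)))
    alerts.extend(signin_findings(events))
    return sorted(alerts)


if __name__ == "__main__":
    for ts, user, message in run_detections(SAMPLE_LOG):
        print(ts, user, message)
```

On the sample log the newsletter rule passes, while the two rules created minutes after the new-country sign-in are flagged for several reasons each. That clustering in time is itself a useful signal when you reconstruct the timeline for the incident log.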
Essential Policies And Contracts To Reduce BEC Risk
Legal documents won’t stop every attack, but they set expectations, drive the right behaviours and help you respond quickly if something happens. Consider the following:
- Privacy Policy: Explains how you collect, store and protect personal information, and how individuals can contact you or make complaints.
- Information Security Policy: Sets out your security standards (access control, password rules, email security, verification steps) so staff and contractors understand their obligations.
- Acceptable Use Policy: Defines what staff can and can’t do on company systems (e.g. no auto-forwarding to personal email, safe handling of attachments, verification of requests).
- Data Breach Response Plan: Provides a playbook for triaging and managing incidents, including roles, timelines, evidence preservation and notification steps.
- Data Processing Agreement: Ensures suppliers that process your data meet security and notification standards, and cooperate during incidents.
- Non-Disclosure Agreement: Helps protect confidential business information when working with third parties.
- Email Disclaimer: Supports your external communications by reminding recipients to verify bank detail changes, though it should complement, never replace, robust verification procedures.
These documents should be tailored to your operations and embedded into daily practice. Policies work best when they’re short, practical and reinforced with training and leadership buy-in.
Key Takeaways
- Business Email Compromise is a targeted, social engineering attack that exploits trust in everyday email workflows to steal money or data.
- Common BEC patterns include invoice fraud, executive impersonation, account takeover, payroll diversion and vendor change-of-details scams.
- In Australia, if personal information is involved, you may have obligations under the Privacy Act and NDB scheme, including timely assessment and possible notification.
- Layered controls such as MFA, email authentication (SPF/DKIM/DMARC), payment verification, staff training and clear approval rules significantly reduce risk.
- Document expectations with practical policies and contracts, such as a Privacy Policy, Information Security Policy, Acceptable Use Policy, Data Processing Agreement and a tested Data Breach Response Plan.
- If you suspect BEC, act fast: engage the bank, secure accounts, preserve evidence, assess privacy obligations, communicate clearly and document your response.
If you’d like a consultation on preventing or responding to Business Email Compromise in your organisation, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.