
What is business email compromise (BEC) and how can I protect my business?


Business Email Compromise (BEC) is now the single largest source of financial loss from cyber incidents in Australia, with the ACSC reporting losses exceeding $227 million in a single year. Unlike ransomware, BEC attacks rely on social engineering rather than technical exploits, making them particularly difficult to detect.

1. How BEC Attacks Work

Common BEC scenarios include:

  • Invoice fraud: Attackers compromise a supplier’s email or create a convincing lookalike, then send invoices with altered bank details.
  • CEO fraud: An attacker impersonates the CEO or CFO, urgently requesting a wire transfer for a “confidential” transaction.
  • Conveyancing fraud: Attackers intercept property transaction communications and redirect settlement funds to fraudulent accounts.
  • Lawyer impersonation: Fraudsters pose as lawyers to redirect trust fund disbursements.

2. If Your Business Falls Victim to BEC

The consequences can include:

  • You may bear the loss. Banks are generally not liable for authorised payments, even if you were deceived.
  • Recovery is difficult. Once funds are transferred offshore, they are rarely recovered.
  • You may face claims from clients or suppliers whose money was misdirected while in your custody.
  • Directors may face scrutiny if inadequate controls are found to have contributed to the loss.

3. Essential Protective Measures

To protect your business:

  • Implement multi-factor authentication (MFA) on all email accounts.
  • Verify all payment changes verbally using a known phone number (not one provided in the email).
  • Train staff regularly on recognising social engineering tactics.
  • Use email filtering that flags external emails or first-time senders.
  • Establish dual-authorisation for payments above a threshold.
  • Include payment verification clauses in supplier and client contracts.
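As an added illustration of the filtering and verification measures above (not Bell & Senior's code, and not any particular email product), the script below triages an inbound invoice email against a list of known suppliers: it flags first-time senders, lookalike supplier domains and bank-detail changes so that staff phone a known number before paying. The supplier list, the seen-sender list and the sample emails are constructed for the example.

```python
"""Constructed example: flag invoice emails that need phone verification."""
from typing import List, Optional

# Constructed sample data: domains of suppliers we already pay,
# and sender addresses we have corresponded with before.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind.example"}
SEEN_SENDERS = {"accounts@acme-supplies.example"}

# Phrases that typically accompany a request to change payment details.
CHANGE_PHRASES = ("new bank", "updated bank", "changed our account",
                  "new account details", "new bsb")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known supplier domain this domain closely resembles, if any."""
    for known in sorted(KNOWN_SUPPLIER_DOMAINS):
        if domain != known and levenshtein(domain, known) <= 2:
            return known
    return None


def triage(sender: str, subject: str, body: str) -> List[str]:
    """Return the list of warning flags for one inbound email (empty = no flag)."""
    flags = []
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender not in SEEN_SENDERS:
        flags.append("first-time sender")
    known = lookalike_of(domain)
    if known:
        flags.append(f"lookalike domain (resembles {known})")
    text = f"{subject} {body}".lower()
    if any(phrase in text for phrase in CHANGE_PHRASES):
        flags.append("bank details change: verify by phone on a known number")
    return flags


if __name__ == "__main__":
    # Constructed sample: a lookalike domain ("supp1ies") announcing new bank details.
    print(triage("accounts@acme-supp1ies.example", "Invoice 1043",
                 "Please note our new bank details for this and future invoices."))
```

Any non-empty result should route the invoice to a person who confirms the details by phone using a number already on file, not one taken from the email.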

4. Specific Risk: Property Transactions

Conveyancing transactions are particularly vulnerable to BEC due to large sums, time pressure, and multiple parties. We recommend:

  • Never change payment details based solely on email instructions.
  • Confirm all trust account details by phone before settlement.
  • Include warnings about email fraud in client correspondence.

5. What to Do If You’ve Been Targeted

  • Notify your bank immediately – rapid action may allow funds to be frozen before they leave Australia.
  • Report to police and the ACSC at cyber.gov.au.
  • Engage legal counsel to assess your liability and recovery options.
  • Notify your cyber insurer if you have coverage.

BEC Prevention & Response

We assist businesses in developing robust payment verification procedures and respond rapidly when BEC incidents occur.

Suspect BEC fraud? Contact Bell & Senior immediately. Call (07) 5532 8777.