THREAT GUIDE

Business Email Compromise

The #1 cyber threat targeting Australian businesses. A compromised email, a changed bank detail, and your next payment goes straight to a criminal.

$84M lost in FY2023-24
$55K average loss per incident
+138% increase for large businesses

What is business email compromise?

Business email compromise is when a criminal gains access to a legitimate business email account (or creates a convincing fake) and uses it to trick your team into making fraudulent payments.

Unlike mass phishing, which casts a wide net, BEC is targeted and researched. The attacker knows your business, your suppliers, your payment schedule, and your team's names. The emails they send don't look suspicious. They look normal, because they are built from real threads, real invoice numbers and real names. That's what makes BEC so dangerous.

BEC is the delivery mechanism behind most payment redirection fraud. The scammer compromises the email, then uses it to redirect payments. It's also increasingly used alongside AI-generated content to make attacks even harder to detect.

The numbers in Australia

$84M

Total BEC losses reported to ReportCyber

Self-reported losses from 1,400+ incidents in FY2023-24.

ASD Annual Cyber Threat Report, FY2023-24

$55,000

Average loss per BEC incident

Up from $39,000 the year prior. The cost per incident is accelerating.

ASD Annual Cyber Threat Report, FY2023-24

+138%

Increase in BEC losses for large businesses

Large organisations saw total BEC financial losses more than double in a single year.

ASD Annual Cyber Threat Report, FY2024-25

15%

of cybercrime reports from Australian businesses are BEC with a financial loss

Another 19% of reports involve email compromise without a direct financial loss, so 34% of business cybercrime reports involve a compromised or abused mailbox.

ASD Annual Cyber Threat Report, FY2024-25

How a BEC attack unfolds

BEC attacks are patient, researched, and targeted. Most victims don't realise they've been hit until weeks later, typically when the real supplier chases a payment that was never received.

1

Reconnaissance

The attacker researches your business. They identify suppliers, payment contacts, invoice formats, and email patterns. They may use LinkedIn, your website, or public records to build a profile.

2

Email compromise or impersonation

They either gain access to a supplier's email (via phishing or credential stuffing) or register a lookalike domain. Some attackers sit inside compromised accounts for weeks, reading email threads and learning the tone. A common step at this stage is adding mailbox rules that forward or hide messages so the account's real owner never sees the conversation that follows.

3

The fraudulent request

Using the compromised or spoofed email, they send a request to change bank details. It arrives within an existing email thread, uses the right formatting, and references real invoice numbers. If a lookalike domain is used, the reply address points back to the attacker, so anyone who replies to "check" is talking to the scammer. It looks completely normal.

4

Payment and extraction

Your team processes the update. The next payment goes to the fraudulent account. The attacker withdraws the funds immediately, typically through a mule account and on to an overseas account, which is why recovery is rare. Recovery rate: approximately 4%.
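The traits described in steps 2 and 3 (a lookalike sender domain, a Reply-To that diverts replies, and a bank-detail change request dropped into an existing thread) can be checked mechanically before anyone acts on an email. The script below is an added example, not ezyshield's code or part of the original page; the supplier domain list, the confusable-character table and the sample emails are constructed for illustration, and the thresholds are assumptions you would tune to your own supplier list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample data: domains of suppliers that already have verified payee records.
KNOWN_SUPPLIER_DOMAINS = {"acme-plumbing.com.au", "northside-electrical.com"}

# Character swaps attackers use when registering lookalike domains (illustrative list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Phrases that signal a request to redirect payments.
BANK_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|bsb|remittance|payment) details?\b"
    r"|\bbsb\b|\bremit(tance)?\s+to\b",
    re.I | re.S,
)


def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings collide."""
    d = domain.lower().replace("-", "")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; adequate for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known supplier domain that `domain` imitates, or None."""
    if domain in KNOWN_SUPPLIER_DOMAINS or any(domain.endswith("." + k) for k in KNOWN_SUPPLIER_DOMAINS):
        return None  # the real supplier, or one of its subdomains
    label = skeleton(domain).split(".")[0]  # compare the registrable label; TLD swaps still match
    for known in KNOWN_SUPPLIER_DOMAINS:
        if levenshtein(label, skeleton(known).split(".")[0]) <= 2:  # threshold is an assumption
            return known
    return None


def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw_email: str) -> dict:
    """Flag payment-redirection traits. A clean result is not approval; verification is separate."""
    msg = message_from_string(raw_email)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates known supplier {imitated}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To sends replies to {reply_domain}, not {from_domain}")

    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    if BANK_CHANGE.search(body):
        findings.append("message asks to change where payments are sent")
        if msg["In-Reply-To"] or msg["References"]:
            findings.append("request arrived inside an existing thread (hijacked-thread pattern)")

    action = "verify_out_of_band" if findings else "normal"
    return {"from_domain": from_domain, "findings": findings, "action": action}


# Constructed sample: step 3 of the chain above, sent from a lookalike domain
# ("rn" standing in for "m") as a reply inside a real invoice thread.
SAMPLE_LOOKALIKE = """\
From: Accounts <accounts@acme-plurnbing.com.au>
Reply-To: Accounts <accounts@acme-plurnbing.com.au>
To: ap@example.com.au
Subject: RE: Invoice 10482
In-Reply-To: <20240301.1@acme-plumbing.com.au>

Hi, as of this month please note our new bank details for all payments:
BSB 062-000, Account 1234 5678. Please update before paying invoice 10482.
"""

# Constructed sample: an ordinary invoice from the genuine supplier.
SAMPLE_LEGIT = """\
From: Accounts <accounts@acme-plumbing.com.au>
To: ap@example.com.au
Subject: Invoice 10483

Please find invoice 10483 attached. Terms as per our agreement.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_LEGIT):
        print(triage(sample))
```

The Reply-To check is what catches the other variant in step 2: a genuinely compromised supplier mailbox whose messages are real, but whose replies are silently routed to an address the attacker controls. Either way, the output is a routing decision ("verify out of band"), not a verdict; the bank details still get confirmed with the supplier on a contact channel you already hold.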

Common types of BEC attacks

BEC isn't one attack. It's a category. Here are the most common forms targeting Australian businesses.

Supplier impersonation

Scammer poses as a known supplier and requests bank detail changes. The most common form, responsible for the majority of payment redirection losses.

CEO / executive fraud

An email appearing to come from the CEO or CFO requests an urgent wire transfer. It often targets new employees or junior finance staff, who are less likely to question a request from senior management.

Invoice manipulation

The attacker, sitting inside a compromised mailbox, takes a genuine invoice and alters the bank details before it is sent on to accounts payable. Everything else about the invoice is real.

Payroll diversion

Scammer impersonates an employee and asks HR or payroll to change their direct deposit details. The next payday, the salary goes to the criminal's account.

How ezyshield stops BEC attacks

BEC succeeds because it exploits trust: trust in emails, trust in names, trust in processes. ezyshield replaces trust with verification.

It doesn't matter if the email is fake

ezyshield verifies the payee directly: their identity, their ABN, and their bank account ownership. Even if a scammer sends a perfect email, the verification happens independently of any email channel.

Bank detail changes trigger re-verification

When someone requests a bank detail change, ezyshield doesn't just update the record. It flags the change and requires the original verified contact to re-confirm through our verification flow. A request sent from a compromised or lookalike mailbox cannot complete that step on its own.

Every check is logged and immutable

Every verification and re-verification is recorded in a tamper-evident audit trail. If a scammer does somehow get through, you have the evidence trail showing exactly what was checked and when.
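The two controls described above, staging a bank-detail change until the contact verified at onboarding confirms it over that same channel, and writing every step to a hash-chained log, fit in a small model. The code below is an added example and is not ezyshield's implementation; the payee record, the ABN, the phone number and the lookalike mailbox are constructed, and delivery of the one-time code to the verified contact is assumed to happen out of band (SMS, a call, or a portal), outside this script.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional


class AuditLog:
    """Append-only log: every entry commits to the hash of the one before it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, **data) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "event": event, "data": data, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain; an edited, deleted or reordered entry breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Payee:
    abn: str
    name: str
    verified_contact: str           # channel confirmed at onboarding, e.g. a phone number
    bank_account: str
    pending: Optional[dict] = None  # staged change awaiting out-of-band confirmation


class PayeeRegistry:
    def __init__(self) -> None:
        self.payees: dict[str, Payee] = {}
        self.log = AuditLog()
        self._key = secrets.token_bytes(32)  # MACs the one-time codes so they are not stored in clear

    def _mac(self, code: str) -> str:
        return hmac.new(self._key, code.encode(), "sha256").hexdigest()

    def onboard(self, payee: Payee) -> None:
        self.payees[payee.abn] = payee
        self.log.append("verified", abn=payee.abn, contact=payee.verified_contact,
                        account=payee.bank_account)

    def request_bank_change(self, abn: str, new_account: str, requested_via: str) -> str:
        """Stage the change; the live record is untouched. The returned code goes to the
        contact verified at onboarding, never back to the mailbox that asked."""
        payee = self.payees[abn]
        code = secrets.token_hex(4)
        payee.pending = {"new_account": new_account, "requested_via": requested_via,
                         "code_mac": self._mac(code)}
        self.log.append("change_requested", abn=abn, new_account=new_account,
                        requested_via=requested_via, notify=payee.verified_contact)
        return code

    def confirm_bank_change(self, abn: str, code: str, confirmed_via: str) -> bool:
        """Apply the staged change only if the code returns over the verified channel."""
        payee = self.payees[abn]
        pending = payee.pending
        ok = (pending is not None
              and confirmed_via == payee.verified_contact
              and hmac.compare_digest(pending["code_mac"], self._mac(code)))
        if ok:
            payee.bank_account = pending["new_account"]
            payee.pending = None
            self.log.append("change_confirmed", abn=abn, account=payee.bank_account, via=confirmed_via)
        else:
            self.log.append("change_rejected", abn=abn, via=confirmed_via)
        return ok

    def account_for(self, abn: str) -> str:
        return self.payees[abn].bank_account


def demo() -> tuple:
    """Constructed walk-through: a change request arrives from a lookalike mailbox."""
    reg = PayeeRegistry()
    reg.onboard(Payee("51824753556", "Acme Plumbing", "+61400000000", "062-000 12345678"))
    code = reg.request_bank_change("51824753556", "033-000 99999999",
                                   requested_via="accounts@acme-plurnbing.com.au")
    # The requesting mailbox never receives the code and is not the verified channel,
    # so its attempt to "confirm" is rejected and logged.
    reg.confirm_bank_change("51824753556", "00000000", "accounts@acme-plurnbing.com.au")
    return reg, code  # the code is what the real contact would quote back, if the change is genuine
```

Two design points carry the weight here. The confirmation is bound to the channel recorded at onboarding, not to whoever sent the request, so a scammer who controls the supplier's mailbox still has to get past a phone number they do not control. And the log is verifiable after the fact: `verify()` recomputes every hash, so a quietly rewritten "change_requested" entry is detected rather than trusted. A production system would additionally expire the staged change and limit confirmation attempts; both are left out to keep the model short.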

BEC attacks are getting smarter. Your verification should too.

ezyshield verifies the person, the business, and the bank account, regardless of what the email says.