Picture this. Your accounts payable officer gets an email from what looks like your CEO. It is urgent. It asks for a wire transfer before the end of day, with a note to keep it confidential. The email address looks right. The tone matches. Three hours later, $85,000 is gone. This is not a hypothetical. It is happening to Perth businesses right now, and business email compromise is the single most reported cybercrime in Australia.
In this blog, we break down exactly how Business Email Compromise attacks work, who they target, what a real attack looks like, and most importantly, what Perth businesses can do right now to stop them before they cause serious financial damage.
What Is Business Email Compromise (BEC)?
Business email compromise is a type of cyberattack where criminals impersonate a trusted person, such as your CEO, a supplier, a lawyer, or a colleague, through email to trick employees into transferring money or handing over sensitive information.
What makes BEC so dangerous is that, unlike traditional malware attacks, there are no suspicious links, no infected attachments, and no obvious red flags that your spam filter can catch. These are plain text emails, carefully written, often referencing real projects, real people, and real business processes.
BEC is not a new threat. But in 2026, it has become dramatically harder to detect. The reason is artificial intelligence. Security researchers found that in 2024, up to 40 percent of BEC emails were AI-generated, meaning they were crafted with perfect grammar, accurate tone mimicry, and personalised detail pulled from LinkedIn profiles, company websites, and previous email threads. What used to be caught by a spelling mistake or an odd phrase is now indistinguishable from a legitimate message.
For Perth businesses, the message is clear. Email is no longer a passive communication channel. It is the frontline of cybercrime, and email protection is necessary.
How a BEC Attack Actually Works
Understanding how these BEC attacks unfold is one of the most effective ways to stop them.
Phase 1: Research and Reconnaissance
Before a single email is sent, the attacker has already spent days or weeks learning about your business. They scan your website, LinkedIn, and staff profiles to identify who handles payments, who the CEO is, and which suppliers you use regularly.
Phase 2: Building the Impersonation
Armed with that intelligence, the attacker constructs their disguise. They might register a domain nearly identical to yours, swapping an "m" for "rn" or adding an extra letter that is easy to miss. In more sophisticated cases, they use malware to silently access a real internal email account and monitor conversations for weeks, waiting for the right moment to strike.
Phase 3: The Social Engineering Play
The scammer sends an email designed to trigger action without triggering suspicion. It carries urgency, authority, and a nudge to bypass normal channels. Phrases like "handle this quietly" or "do not discuss with anyone until it is settled" are deliberate social engineering tactics designed to short-circuit your verification instincts.
Phase 4: The Transfer and Disappearance
Once funds are sent, they move fast. Money is split across multiple accounts or converted to cryptocurrency within hours, making recovery extremely difficult. If you suspect a fraudulent transfer has been made, contacting your bank immediately is critical. Every hour of delay significantly reduces your chances of getting that money back.
Who Do BEC Attackers Target?
One of the most dangerous myths about Business Email Compromise is that it only goes after large corporations. The truth is that attackers go after whoever has access to money or sensitive information, and smaller businesses are often the easier target precisely because they lack the security infrastructure of a larger organisation, thus needing expert IT Support.
In Australia, the AFP has singled out construction as a prime BEC target, but legal firms, accounting practices, real estate agencies, healthcare providers, and manufacturing businesses all appear regularly in incident reports. Perth has a heavy concentration of every one of them.
Within any organisation, these roles attract the most attention from attackers:
Finance and accounts payable staff: Direct access to banking systems and payment authorisation makes them the most frequently targeted role in any BEC campaign
CEOs and CFOs: Either impersonated to instruct staff below them, or approached directly as a source of authority and sensitive data
HR professionals: They hold employee banking details, payroll records, and personal identification data that can fuel both immediate fraud and future attacks
New and junior employees: Less familiar with internal processes and less confident challenging requests that appear to come from authority figures
IT administrators: Targeted for system access that gives attackers a deeper foothold inside your business
Common Types of BEC Scams
Not all BEC attacks look the same. Criminals use a range of techniques depending on the target and the opportunity they have identified. Here are the types of Business Email Compromise most likely to affect Perth businesses.
1. CEO Fraud
The attacker impersonates your CEO or a senior executive and contacts someone in the finance team with an urgent request to transfer funds. The email often carries instructions to keep the matter confidential, which discourages the target from verifying the request with a colleague.
2. Invoice and Payment Redirection Scams
The attacker impersonates a supplier or vendor and sends an updated invoice with altered bank account details. Perth businesses in construction, property development, and professional services are exposed because of their high-volume, high-value payment environments.
3. Account Compromise
Rather than impersonating someone from outside, attackers gain access to a real internal email account. They monitor the account silently, often for weeks, setting up forwarding rules to intercept financial communications. When a major payment is due, they strike with devastating precision because they are operating from a legitimate account.
4. Attorney and Legal Impersonation
Scammers pose as lawyers or legal representatives, typically contacting junior or newer employees who have less familiarity with proper verification procedures. The legal framing adds authority, and the often-confidential nature of legal matters discourages the target from asking questions.
5. Payroll Diversion
Attackers contact your HR or payroll team posing as an employee and request a change to direct deposit banking details. The employee's next pay cycle is redirected entirely to the attacker's account, and it often goes unnoticed until the legitimate employee complains about a missing paycheck.
Signs Your Perth Business May Already Be Targeted
One of the most unsettling things about BEC is that reconnaissance often happens long before the attack lands. Here are warning signs that your business may already be in someone's sights.
Emails appearing to come from your CEO or a senior manager arrive at unusual times, late at night or over a weekend, carrying urgent financial requests and instructions not to verify with anyone else
Email forwarding rules appear that nobody set up, or messages are disappearing from sent folders, a strong indicator that a real account has been quietly compromised
A supplier contacts you about an invoice or payment you never received, suggesting scammers may have already intercepted communications between you
Your finance team receives a request to update banking details for a regular supplier, one of the most common setups for a payment redirection scam
An employee receives an email from what appears to be HR or payroll requesting changes to their banking details or sensitive personal information
Any one of these warrants immediate investigation. Do not reply to the suspicious email. Call the supposed sender directly using a number you already have on file.
The Real Cost of BEC: Financial and Operational Damage
When a BEC attack succeeds, the financial loss is only the beginning. The full impact on a Perth business can include legal and regulatory costs if customer or employee data is compromised, the cost of forensic investigation and remediation, reputational damage with clients and partners, lost productivity during recovery, and potential liability if clients suffer losses as a downstream consequence.
For small businesses, a loss of $49,000 (the average self-reported cost of a cybercrime incident to a small Australian business according to the ASD's 2023-24 Cyber Threat report) can mean the difference between staying afloat and closing. For a medium-sized Perth business managing regular supplier payments across construction, manufacturing, or professional services, the exposure is even greater.
Beyond the immediate financial hit, BEC attacks that involve account compromise can give attackers persistent access to your business communications for weeks. During that time, they can gather intelligence for future cyber attacks against you, your clients, or your suppliers.
How to Prevent and Detect BEC Attacks
The good news is that the BEC scam is preventable. The combination of technical controls, staff training, and verified processes creates layers of protection that make your business a significantly harder target. Here is what every Perth business should have in place.
1. Verify Payment Requests Through a Secondary Channel
Any request to transfer money, update banking details, or change payment information should be verbally verified by calling the requestor directly using a phone number you already hold on file. Do not use contact details provided in the suspicious email. This one step alone would stop the majority of BEC attacks.
2. Implement Multi-Factor Authentication on All Email Accounts
MFA adds a critical layer of protection that makes it significantly harder for attackers to access real email accounts even when they have stolen credentials. Ensure MFA is enabled across your entire organisation, not just for senior staff.
3. Configure Email Authentication Protocols
DMARC, SPF, and DKIM are technical email authentication standards that make it harder for attackers to spoof your domain. Properly configured, these protocols prevent criminals from sending emails that appear to come from your business address. In 2024, DMARC moved from best practice to a mandatory requirement in many industries. If you have not set this up, it should be a priority.
4. Train Your Team Regularly on Social Engineering Tactics
Your staff are both your greatest vulnerability and your strongest line of defence. Regular cybersecurity awareness training should teach employees how to spot red flags in emails, including unusual urgency, requests to bypass normal procedures, and email addresses that are close but not quite right.
5. Establish Clear Payment Approval Processes
Any wire transfer or payment above a set threshold should require dual approval and cannot be authorised on the basis of a single email request alone. Build verification steps into your financial workflows as standard practice, not as an optional extra for suspicious cases.
6. Monitor for Unusual Email Activity
Regularly audit your email systems for forwarding rules you did not set up, unusual login locations, or access at odd hours. Proactive monitoring catches account compromise before the attacker has a chance to act.
7. Respond Immediately if You Suspect an Attack
If you believe a fraudulent transfer has been made, contact your bank immediately to attempt to freeze or reverse the payment. Report the incident to the AFP via ReportCyber. Alert your IT support team to investigate the compromised email environment. Speed is everything. The longer the delay, the lower the chance of recovery.
For many Perth businesses, partnering with a managed IT support provider is the most practical and cost-effective way to get all of these protections in place and maintained consistently, without needing a dedicated in-house security team.
How IT Support Perth Protects Local Businesses from BEC
At IT Support Perth, we have spent over 20 years helping Perth businesses stay secure. We understand the specific risk profile of local industries including construction, legal services, accounting, and professional practices, because we work with them every day.
Our cybersecurity solutions for BEC prevention include:
Email security configuration and DMARC setup to protect your domain from spoofing
Multi-factor authentication deployment across your entire organisation
24/7 monitoring of your email environment and network activity to detect suspicious behaviour early
Staff cybersecurity awareness training tailored to real-world BEC scenarios relevant to Perth businesses
Incident response support if you suspect an attack is already underway
Ready to Act on BEC Before It Hits Your Business?
The average BEC loss for an Australian business is $55,000. For many Perth SMBs, that is a quarter's revenue, a year's profit margin, or the difference between surviving and shutting the doors. The threat is real. The tactics are getting smarter. And the window to act is always shorter than you think. Working with an MSP means you do not have to figure this out alone.
If you are not confident that your business has the protections in place to detect and stop a BEC attack, now is the time to find out. Our Perth-based team is ready to help.
Claim your free IT security assessment today and find out where your business stands before a scammer does.
FAQs
1. What is business email compromise(BEC)?
BEC is a cyberattack where criminals impersonate a trusted person through email to trick employees into transferring money or handing over sensitive information. Attackers research their targets carefully, craft convincing impersonations, and exploit urgency and trust to bypass normal verification instincts.
2. What is a real-world example of a BEC attack?
A fraudster impersonating a hardware supplier scammed Facebook and Google out of $121 million over two years. Toyota Boshoku Corporation lost $37 million after attackers exploited complex internal approval chains. Closer to home, Australian businesses lost over $152.6 million to BEC in 2024, with Perth businesses in construction, legal services, and accounting among the most frequently targeted industries.
3. What is the difference between BEC and phishing?
Traditional phishing sends mass emails with malicious links hoping someone clicks. BEC is the opposite. It is targeted, personalised, and contains nothing technically malicious, no links, no attachments, no malware. That is why a single BEC incident can drain tens of thousands to millions of dollars from a business in one transaction, while a phishing attack typically aims for credentials or small amounts.
4. Who are the primary targets of BEC attacks?
Any small or medium-sized business that handles money or sensitive data is at risk. Finance and accounts payable staff are the most frequently targeted, followed by CEOs, CFOs, HR professionals, and new employees who are less likely to question requests from authority figures.
5. How common is BEC in Australia?
BEC is the single most reported cybercrime for Australian businesses, accounting for 13 percent of all cybercrime reports. Australians lost over $152.6 million to BEC in 2024, a 66 percent increase from the previous year. The average loss per incident for small and medium businesses sits at $55,000, and industry experts believe reported losses represent only a fraction of the real total.
6. Can multi-factor authentication stop a BEC attack?
MFA is essential but not enough on its own. When attackers compromise a real internal email account through social engineering, they can bypass MFA entirely. Effective protection requires multiple layers including DMARC configuration, 24/7 monitoring, staff training, and verified payment processes working together.



