4 May 2026 | 11 min read | Managed ICT Solutions | Cybersecurity

Here's the uncomfortable truth about business email compromise: the businesses that fall for it aren't careless or naive. They're busy. They trust their colleagues. And the attackers know exactly how to exploit that.

We've seen Perth businesses — professional services firms, construction companies, medical practices, family-run retailers — lose anywhere from a few thousand dollars to well over $100,000 in a single BEC incident. In every case, the email looked legitimate. In most cases, it had been sitting in a compromised inbox for weeks before the attack even started.

BEC is not a technology problem you can just patch. It's a process and behaviour problem — and fixing it requires understanding how these attacks actually unfold, not just what they're called. This guide covers both.

  • $84M+ lost to BEC in Australia in FY2024–25 (ACSC data)
  • 43% of cyberattacks target small businesses specifically
  • ~$55K average loss per BEC incident for Australian SMBs
Important distinction:

Business email compromise and phishing are related but different. Phishing is broad — spray-and-pray emails trying to steal passwords from anyone who clicks. BEC is targeted. The attacker has researched your business, knows who your suppliers are, understands your payment processes, and often already has access to one of your email accounts before they make a move. That's what makes it so effective, and so hard to spot.

How Business Email Compromise Actually Works

A BEC attack doesn't start with a suspicious email. It starts well before that, usually in one of three ways.

Entry Point 1: Account Takeover

The attacker gets hold of an employee's email credentials — often through a phishing email, a data breach from a third-party service the employee uses, or by trying common passwords against a Microsoft 365 or Google Workspace account that isn't protected by MFA. Once inside, they don't immediately do anything. They watch. They read through months of emails to understand who your suppliers are, what your typical invoice amounts look like, who authorises payments, and whether you're expecting any large transactions. Some attackers sit in a compromised inbox for 60 to 90 days just gathering intelligence before they act.

Entry Point 2: Domain Spoofing or Lookalike Domains

If they can't get inside your account, they don't need to. They register a domain that looks almost identical to yours — say, managedlCTsolutions.com.au instead of managedictsolutions.com.au (note the lowercase 'L' in place of the 'i' in 'ict'; in many fonts it is indistinguishable from a capital 'I'). Or they use a different TLD: managedictsolutions.com instead of .com.au. From that domain they send emails impersonating your CEO or a trusted supplier. Without DMARC enforcement on your domain, your actual email address can also be spoofed directly — meaning the "From" field shows your real address even though the attacker has no access to your account or your mail servers at all.

Entry Point 3: Supplier Compromise

This one catches businesses off guard because they feel like they did everything right. Their own email security is solid. But a supplier's email gets compromised, and the attacker uses that legitimate supplier account to email your accounts team with updated bank details for the next invoice. Because it's coming from the real supplier address, it passes every spam filter and looks completely genuine. The first sign anything is wrong is when the actual supplier chases you for payment on an invoice you thought you'd already paid.

The 5 BEC Attack Types Hitting Perth Businesses Right Now

These aren't theoretical. They're the specific scenarios we deal with across Perth and WA businesses on a regular basis.

Attack Type 1: CEO / Executive Impersonation ("Urgent Wire Transfer")

An email arrives from someone appearing to be the CEO, MD or director, addressed to the accounts or finance team. It's marked urgent. It says something like: "I'm in a meeting and can't take calls. I need you to process a payment to this account today — I'll explain when I'm back in the office. Don't mention it to anyone yet." The request bypasses the normal approvals process by invoking authority and urgency at the same time.

⚠ Most effective against: Businesses where the director or CEO travels frequently or is often unreachable. Common in Perth's mining services, construction and professional services sectors.

Attack Type 2: Supplier Invoice Fraud ("Changed Bank Details")

Your accounts team receives an email — often from what appears to be a real supplier address — advising that their bank account details have changed, and asking you to update your records before processing the next invoice. The email may include a letterhead, an ABN, and a polite explanation about switching banks. Everything checks out visually. The next payment goes to the attacker's account.

⚠ Most effective against: Businesses with regular, high-value supplier payments — construction firms, medical equipment suppliers, professional services. Also very common in the WA property and real estate sector.

Attack Type 3: Payroll Diversion ("Update My Bank Account")

The attacker accesses an employee's email account — or impersonates them convincingly — and emails HR or payroll asking to update their bank account details before the next pay run. If no verification process is in place, the employee's salary lands in the attacker's account on payday. The real employee doesn't know until their pay doesn't arrive.

⚠ Most effective against: Businesses with automated payroll and no secondary verification for bank account changes. SMBs where HR is a one-person function are particularly vulnerable.

Attack Type 4: Solicitor / Conveyancer Impersonation ("Settlement Payment")

This one is particularly nasty in Western Australia's property market. Shortly before a settlement date, the buyer or their agent receives an email that appears to be from their conveyancer or solicitor with final payment instructions and account details for the settlement funds. In reality, the conveyancer's email has been compromised, or the attacker has spoofed their domain. The buyer transfers their deposit or settlement amount — often hundreds of thousands of dollars — to the attacker. This is now common enough that the Law Society of Western Australia has published warnings about it.

⚠ Most effective against: Anyone involved in property transactions in WA — buyers, sellers, real estate agents, developers. The amounts involved are large enough to make the effort worthwhile for attackers.

Attack Type 5: Internal IT / Help Desk Impersonation ("Verify Your Account")

An email arrives appearing to be from your IT team or Microsoft support, asking the recipient to verify their account credentials, approve a multi-factor authentication request, or log in via a link to resolve a security issue. The link goes to a convincing fake login page that harvests credentials. This is increasingly used as a first step — stealing credentials to enable a more targeted BEC attack later rather than immediately seeking money.

⚠ Most effective against: Businesses where staff aren't sure what real IT communications look like. Also effective after recent system changes (new Microsoft 365 deployment, MFA rollout) when staff are expecting IT-related emails.

Warning Signs Your Email May Already Be Compromised

The average time between a business email being compromised and the attack being detected is around 197 days. In that window, the attacker is learning. Here's what to watch for — some of these are subtle, and that's deliberate.

  • Inbox rules you didn't create. Check your email rules immediately if you suspect anything. Attackers routinely create rules that forward copies of incoming email to an external address, or that move specific emails (like replies to their fraudulent messages) straight to the Deleted folder so you never see them. In Microsoft 365, go to Settings → View all Outlook settings → Rules. In Google Workspace, check Settings → Filters and Blocked Addresses.
  • Emails in your Sent folder that you didn't write. If the attacker is sending from inside your account, those emails exist in your Sent Items unless they've been smart enough to delete them. Worth checking if you suspect anything is off.
  • Colleagues asking about emails you never sent. "Hey, did you send me something about updating payment details?" — if you're getting questions like this, take them seriously immediately.
  • Login activity from unusual locations. Microsoft 365 shows sign-in logs in the admin centre. Google Workspace shows account activity at the bottom of Gmail. If you see logins from countries you haven't visited, or at times when you weren't working, your account has been accessed by someone else.
  • MFA prompts you didn't trigger. If you receive an authenticator notification asking you to approve a login and you're not currently logging in — deny it and change your password immediately. Someone has your password and is attempting to log in right now.
  • Password reset emails you didn't request. This is usually an attacker probing your account, testing whether the password from a breach list they found your credentials on still works.
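The inbox-rule check above can be done across many mailboxes at once rather than one Outlook settings page at a time. This added example (not code from the article or from Managed ICT Solutions) assumes the rules were exported with Exchange Online PowerShell using Get-InboxRule -Mailbox <user> | Select-Object Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage,MoveToFolder,SubjectContainsWords,MarkAsRead | ConvertTo-Json, and flags the external-forwarding and hide-the-reply patterns described; the sample export, the internal domain and the keyword list are constructed.

```python
"""Triage Outlook inbox rules for the patterns BEC attackers leave behind."""
import json
import re

# Assumptions to adjust: your own sending domains, and the words fraud rules key on.
INTERNAL_DOMAINS = {"example.com.au"}
FRAUD_KEYWORDS = ("invoice", "payment", "bank", "remittance", "wire", "transfer")
HIDE_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
SMTP_RE = re.compile(r"\[SMTP:([^\]]+)\]", re.IGNORECASE)   # "Name [SMTP:addr]" as the cmdlet prints


def external_recipients(values):
    """Addresses in a ForwardTo/RedirectTo list that are outside our own domains."""
    found = []
    for value in values or []:
        match = SMTP_RE.search(value)
        addr = (match.group(1) if match else value).strip().lower()
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            found.append(addr)
    return found


def triage_rule(rule):
    """Reasons one rule looks like attacker tradecraft; an empty list means it looks benign."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons                                   # a disabled rule does nothing
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in external_recipients(rule.get(key)):
            reasons.append(f"{key} sends mail outside the organisation: {addr}")
    words = [w.lower() for w in rule.get("SubjectContainsWords") or []]
    keyed = sorted(w for w in words if any(k in w for k in FRAUD_KEYWORDS))
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].strip().lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDE_FOLDERS
    if hides and keyed:
        how = "deletes" if rule.get("DeleteMessage") else f"moves to {folder}"
        reasons.append(f"hides messages matching {keyed} ({how}): replies to fraud never reach the user")
    if hides and rule.get("MarkAsRead"):
        reasons.append("marks as read before hiding: no unread indicator gives it away")
    if re.fullmatch(r"[.,\s]*", rule.get("Name", "")):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def triage(rules_json):
    """Map suspicious rule names to reasons; rules with no findings are left out."""
    rules = json.loads(rules_json)
    if isinstance(rules, dict):                  # ConvertTo-Json emits a bare object for a single rule
        rules = [rules]
    result = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            result[rule.get("Name", "<unnamed>")] = reasons
    return result


# Constructed export: one legitimate rule and two typical post-compromise rules.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "jane@example.com.au:\\Newsletters",
     "SubjectContainsWords": ["newsletter"], "DeleteMessage": False},
    {"Name": ".", "Enabled": True, "DeleteMessage": True, "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "payment", "bank details"]},
    {"Name": "Backup", "Enabled": True,
     "ForwardTo": ["Accounts [SMTP:accounts.backup@example.net]"]},
])

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EXPORT).items():
        print(f"SUSPICIOUS rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```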
If you see any of the above right now:

Don't wait. Change your email password immediately from a different device if possible. Enable MFA if it isn't on. Then call your IT provider — not email them, call them — and report what you've found. The faster you act, the more options you have. If a fraudulent payment has already left the business, call your bank's fraud line as the very next step.

7 Steps to Protect Your Perth Business from BEC

None of these are particularly complex. Most of them are free, or already included in whatever email platform you're using. The challenge is actually implementing them rather than intending to.

Step 1: Enable MFA on Every Email Account — No Exceptions

This is the single most impactful thing you can do. MFA means that even if an attacker has your password — from a breach, from a phishing attempt, from guessing it — they still can't log in without the second factor. In Microsoft 365, enable MFA through the admin centre or Security Defaults. In Google Workspace, enforce it through Admin → Security → 2-Step Verification. Make it mandatory for everyone, including part-time staff and contractors who have access to your systems. There are no meaningful exceptions. Anyone without MFA is a door left unlocked.

Step 2: Set Up DMARC, DKIM and SPF on Your Domain

These three DNS records are the technical backbone of email authentication. SPF tells receiving mail servers which servers are allowed to send email from your domain. DKIM cryptographically signs each outgoing email so recipients can verify it hasn't been tampered with. DMARC ties them together and tells the world what to do when an email fails those checks — quarantine it, reject it, or just log it. Without DMARC set to enforcement (p=quarantine or p=reject), anyone can send an email that appears to come from your domain. Check your current status at MXToolbox or dmarcian.com — most Perth SMB domains we see have either no DMARC record at all, or one set to p=none (monitoring only), which provides no actual protection against spoofing.
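As an added example (not from the article or from Managed ICT Solutions), this is the DMARC and SPF assessment described above done mechanically: parse the TXT records and apply the rule that p=none is monitoring only while p=quarantine or p=reject is enforcement. The records are constructed strings standing in for what a DNS lookup would return, and example.com.au is a placeholder domain.

```python
"""Assess a domain's SPF and DMARC posture from its raw TXT records."""
from typing import List, Optional, Tuple


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key and value:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (enforced, findings). Enforced means spoofed mail is actually blocked."""
    if not record:
        return False, ["no DMARC record: anyone can spoof the domain"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["malformed DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))            # share of failing mail the policy applies to
    sub = tags.get("sp", policy).lower()         # subdomain policy defaults to p=
    findings = []
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: monitoring only, spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if sub not in ("quarantine", "reject"):
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return policy in ("quarantine", "reject") and pct == 100, findings


def assess_spf(record: Optional[str]) -> List[str]:
    """Flag SPF records whose final 'all' mechanism lets any server pass."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers are yours"]
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return ["SPF ends in +all: every server on the internet passes"]
    if last == "?all":
        return ["SPF ends in ?all: neutral result, provides no protection"]
    return []


# Constructed records standing in for DNS lookups; example.com.au is a placeholder domain.
RECORDS = {
    "monitoring-only": ("v=spf1 include:spf.protection.outlook.com -all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"),
    "enforced": ("v=spf1 include:spf.protection.outlook.com -all",
                 "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com.au"),
    "missing": (None, None),
}

if __name__ == "__main__":
    for label, (spf, dmarc) in RECORDS.items():
        enforced, findings = assess_dmarc(dmarc)
        print(f"{label}: DMARC {'enforced' if enforced else 'NOT enforced'};",
              findings + assess_spf(spf))
```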

Step 3: Build a Phone-First Verification Rule for Payments

This is a policy change, not a technical one — and it's arguably more effective than any IT control. The rule is simple: any change to bank account details, any payment above a set threshold (we suggest $2,000–$5,000 as a starting point for Perth SMBs), and any urgent payment request that bypasses normal process must be verbally confirmed by phone before it's processed. Use a number you already have in your records — not a number provided in the email. Make this policy written, make it known to your finance and admin staff, and make it non-negotiable. An attacker can send a convincing email. They can't easily fake a phone call from your actual supplier or CEO.

Step 4: Enable External Email Warning Banners

Microsoft 365 and Google Workspace both support external sender warnings — a banner that appears at the top of any email arriving from outside your organisation that alerts the recipient. This is particularly useful for catching impersonation attempts where the attacker uses a lookalike domain. In Microsoft 365, configure this through the Exchange admin centre under Mail flow → Rules, or use Defender's anti-phishing policies to flag first-time senders. It sounds minor but staff who know to look for the banner become meaningfully more likely to pause before acting on an unusual request.

Step 5: Run Regular Sign-In Log Reviews

In Microsoft 365, you can view sign-in logs for your entire tenant in the Azure Active Directory admin centre under Monitoring → Sign-ins. Look for sign-ins from unusual countries, logins at abnormal hours, multiple failed authentication attempts followed by a success, and sign-ins from unfamiliar IP addresses or client applications. This should be reviewed at least monthly — or set up as an alert in Microsoft Sentinel or Defender if you have Business Premium licences. For Google Workspace, the same information is available under Admin → Reports → Audit → Login. Most Perth businesses never look at these logs until after a compromise. Get into the habit of checking before you have a reason to.
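The monthly review above, as an added example (not from the article or from Managed ICT Solutions): the log is constructed in the shape of a sign-in export with UTC timestamps, and the expected-country list, Perth business hours and failure threshold are assumptions to tune for your own business. It flags the three things the step asks you to look for: successes from unexpected countries, sign-ins at odd hours, and a run of failures followed by a success.

```python
"""Review Microsoft 365 sign-in records for the BEC precursors listed in the article."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXPECTED_COUNTRIES = {"AU"}                    # assumption: staff only sign in from Australia
PERTH = timezone(timedelta(hours=8))           # AWST, Perth has no daylight saving
BUSINESS_HOURS = range(6, 21)                  # 06:00-20:59 local counts as normal
FAIL_BURST = 3                                 # failures before a success that trip the rule
BURST_WINDOW = timedelta(minutes=30)

# Constructed sign-in export (not real data): UTC time, user, IP, country, client app, result
SIGNIN_CSV = """\
date_utc,user,ip,country,client_app,status
2026-04-28T01:05:00,jane@example.com.au,203.0.113.10,AU,Browser,Success
2026-04-28T01:40:00,jane@example.com.au,203.0.113.10,AU,Mobile Apps and Desktop clients,Success
2026-04-28T17:02:00,sam@example.com.au,198.51.100.7,NG,Browser,Failure
2026-04-28T17:03:00,sam@example.com.au,198.51.100.7,NG,Browser,Failure
2026-04-28T17:04:00,sam@example.com.au,198.51.100.7,NG,Browser,Failure
2026-04-28T17:06:00,sam@example.com.au,198.51.100.7,NG,Browser,Success
2026-04-29T06:30:00,jane@example.com.au,203.0.113.10,AU,Browser,Success
"""


def parse_signins(text):
    """Read the export and attach a timezone-aware datetime to each row, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["when"] = datetime.fromisoformat(row["date_utc"]).replace(tzinfo=timezone.utc)
    return sorted(rows, key=lambda r: r["when"])


def review(rows):
    """Return (user, reason) findings for successful sign-ins; empty list means nothing odd."""
    findings = []
    recent_failures = defaultdict(list)           # (user, ip) -> timestamps of failed attempts
    for row in rows:
        user, when = row["user"], row["when"]
        key = (user, row["ip"])
        if row["status"] != "Success":
            recent_failures[key].append(when)      # failures only matter once a success follows
            continue
        if row["country"] not in EXPECTED_COUNTRIES:
            findings.append((user, f"successful sign-in from {row['country']} ({row['ip']})"))
        local_hour = when.astimezone(PERTH).hour
        if local_hour not in BUSINESS_HOURS:
            findings.append((user, f"sign-in at {local_hour:02d}:00 Perth time, outside business hours"))
        burst = [t for t in recent_failures[key] if when - t <= BURST_WINDOW]
        if len(burst) >= FAIL_BURST:
            findings.append((user, f"{len(burst)} failures then success from {row['ip']}: possible password guessing"))
        recent_failures[key].clear()
    return findings


if __name__ == "__main__":
    for user, reason in review(parse_signins(SIGNIN_CSV)):
        print(f"{user}: {reason}")
```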

Step 6: Run a Short BEC Awareness Session with Your Team

Technical controls catch a lot. But staff who know what BEC looks like catch the rest. A 30-minute awareness session — in person, over Teams, or even a short video — covering the five attack types above, what an invoice fraud attempt looks like in practice, and what to do when something feels off, meaningfully reduces successful attacks. Cover the specifics: how to check if an email address is actually what it claims to be (look at the full address, not just the display name), what the external sender banner looks like, and who to call when something seems suspicious. You don't need a slick training platform — a conversation and a one-page reference card is enough to start with.

Step 7: Check That Your Cyber Insurance Actually Covers BEC

Standard business insurance policies — public liability, professional indemnity, business interruption — almost always exclude cybercrime losses, including BEC. You need a specific cyber liability policy, and even then you need to read the policy carefully: some cyber policies exclude social engineering losses (which BEC technically involves), or require you to demonstrate that specific technical controls were in place at the time of the incident. If you're not sure whether your current coverage includes BEC, call your broker and ask directly. It's a conversation worth having before you need to make a claim rather than after.

What to Do If Your Perth Business Has Been Hit by BEC

Speed is everything. Here's the order of operations — keep this somewhere accessible so you're not working it out under pressure.

  1. Contact your bank's fraud team immediately — not your branch, the dedicated fraud line. Ask them to place a recall or stop on the payment. For domestic transfers, there's a realistic chance of recovery if you act within the same business day. For international transfers, the window is much shorter and recovery rates are low.
  2. Change all compromised account passwords from a clean, unaffected device. If you're not sure which accounts were accessed, change everything: email, banking, payroll systems, cloud file storage.
  3. Enable MFA immediately on any accounts where it isn't already active.
  4. Check and delete any inbox rules you didn't create. In Microsoft 365 this is under Settings → View all Outlook settings → Rules. Remove anything you don't recognise.
  5. Report to ReportCyber at cyber.gov.au. This is the Australian Cyber Security Centre's reporting portal. Reporting doesn't guarantee recovery but it helps ACSC track BEC trends affecting Australian businesses, and a report reference may be required by your insurer.
  6. Preserve evidence — don't delete the fraudulent emails, the accounts they came from, or any communication related to the incident. Your IT provider, insurer and potentially law enforcement will need these.
  7. Notify affected parties — if supplier bank details were involved, notify that supplier. If employee payroll was diverted, notify affected staff immediately. If client data may have been accessed during the compromise, your Privacy Act obligations may require you to notify the Office of the Australian Information Commissioner (OAIC).
  8. Call your IT provider to run a full compromise assessment. This means checking sign-in logs, inbox rules, app permissions, forwarding rules and whether any data was exfiltrated. A security assessment after a BEC incident is not optional — it's how you make sure the attacker is fully out, not just that their immediate access has been removed.
A note on insurance claims:

If you have cyber insurance and intend to make a claim, call your insurer or broker before you start cleaning up the incident — some insurers require you to notify them first and may have a preferred incident response provider. Acting without notifying them first can affect your claim.

Microsoft 365-Specific BEC Protections Worth Enabling

If your Perth business runs Microsoft 365, there are several built-in controls that directly address BEC risk. Most are either disabled by default or never configured during initial setup.

Anti-Phishing Policies in Microsoft Defender

These policies go beyond basic spam filtering. The anti-phishing policies in the Microsoft 365 Defender portal let you configure impersonation protection for specific users (typically your executives) and domains (your own domain plus key supplier domains). When someone tries to email your staff using a name that looks like your CEO, or a domain that resembles yours, Defender applies the policy action — typically quarantine or a safety tip warning. Enable this under Defender → Email & Collaboration → Policies & rules → Anti-phishing.

First Contact Safety Tips

This adds a visible banner to emails from senders your recipient hasn't corresponded with before. It's simple and effective — staff learn to look for it when a first-contact email arrives with an unusual request. Configure it within your anti-phishing policy under "Safety tips and indicators."

Mailbox Audit Logging

Make sure mailbox audit logging is enabled across your tenant. This records what happens inside each mailbox — including emails read, deleted, or moved, inbox rules created, and access by delegates. In the event of a compromise, this data is essential for understanding what the attacker accessed. Verify it's on by running Get-OrganizationConfig | Select-Object AuditDisabled in Exchange Online PowerShell — AuditDisabled should be False.

Restricted App Permissions (OAuth App Consent)

One of the less well-known BEC attack vectors involves getting an employee to grant a malicious third-party app access to their Microsoft 365 account. The attacker sends a convincing email with a link that appears to be a legitimate business tool — the employee clicks, logs in with their Microsoft credentials, and grants the app access. Unlike password-based logins, this access persists even after a password change. In Microsoft 365, restrict user consent under Azure Active Directory → Enterprise Applications → Consent and Permissions. Require admin approval for any new app that requests access to company data.

Frequently Asked Questions

What is business email compromise (BEC)?

Business email compromise is when an attacker impersonates a trusted person — a CEO, supplier, solicitor or IT team — via email to trick staff into transferring money, changing bank details, or handing over sensitive information. It's targeted and researched, which is what separates it from generic phishing. The impersonation is convincing precisely because the attacker has done their homework on your business first.

Does MFA stop BEC attacks?

MFA stops the most common entry point — someone logging into your email with a stolen password. But it doesn't protect against domain spoofing, lookalike domain attacks, or supplier compromise. Think of MFA as the most important single control, but not the only one. Pair it with DMARC enforcement, payment verification procedures and staff awareness to cover the full BEC attack surface.

Can I get my money back after a BEC fraud?

Sometimes — but speed is everything. Domestic bank transfers recalled within the same business day have a realistic chance of recovery. International transfers are much harder and recovery rates are low. Your bank's fraud team is the first call. Cyber insurance may cover losses if your policy includes social engineering or funds transfer fraud cover. Report to ReportCyber regardless of whether you expect recovery — it contributes to the national picture of BEC activity affecting Australian businesses.

What should I do if I receive a suspicious payment request email?

Call the person making the request directly — using a phone number from your existing records, not anything in the email. That's it. One phone call resolves the question instantly. The reason BEC works is that people feel awkward questioning a payment request from the CEO or a known supplier. The policy needs to be normalised: verification calls are routine, not an insult to anyone's integrity. If the request is genuine, the call takes thirty seconds. If it's fraud, you've just saved your business from a potentially devastating loss.

How do I check if my Microsoft 365 email has been compromised?

Check three things immediately: sign-in logs in the Azure AD admin centre for logins you don't recognise, inbox rules in Outlook settings for forwarding or deletion rules you didn't create, and your Sent Items for emails you didn't write. If you find anything suspicious, change your password immediately and call your IT provider. Don't use the same computer or device to do this if you think it may also be compromised.

Is Your Perth Business Protected Against BEC?

Most Perth SMBs have gaps in their BEC defences — often without knowing it. Managed ICT Solutions offers a free email security review: we check your DMARC configuration, MFA status, Microsoft 365 security settings, sign-in logs and inbox rules, and give you a clear picture of where you stand and what to do about it.

Managed ICT Solutions Pty Ltd
Perth's trusted managed IT services provider — Cannington & Osborne Park, WA

Managed ICT Solutions has been delivering expert IT services to Perth and Western Australian businesses for over 15 years. Specialising in managed IT, cybersecurity, cloud solutions and IT consulting for SMBs across all industries.