Security Alert 29 April 2026 · Gumshoe Team

How Business Email Compromise Works — And How to Stop It

Business email compromise is the most financially damaging form of cybercrime targeting Australian businesses. Understanding exactly how it works is the first step to building effective defences.

What Is Business Email Compromise?

  • #1: BEC is Australia's costliest cybercrime by total financial loss
  • <8%: of BEC payments are ever recovered
  • 22 days: median time between fraudulent payment and discovery
  • Days: typical age of the attacker's domain at time of attack

Business email compromise (BEC) is a category of fraud in which an attacker uses email — either a compromised legitimate account or a convincing impersonation — to trick a business into making an unauthorised payment or disclosing sensitive information. The Australian Cyber Security Centre consistently ranks BEC as the costliest cybercrime type by total financial loss, ahead of ransomware and data theft.

The name is slightly misleading: while business email systems are often the vector, the compromise is fundamentally of trust — specifically, the trust that organisations place in email communications from known counterparties. Attackers exploit this trust systematically, and the techniques they use have become increasingly sophisticated over the past decade.

The Three Main BEC Attack Patterns

BEC RISK FRAMEWORK

  Risk Type           Risk Level   Defence Strategy
  Phishing Attacks    High         Staff Training
  CEO Impersonation   Medium       Verification Protocols
  Account Takeover    High         MFA Implementation
  Invoice Scams       Medium       Supplier Verification
  Data Breaches       Low          Regular Backups

Pattern 1: Email Account Compromise

The attacker gains access to a legitimate email account — typically through credential phishing, a data breach, or password reuse. Once inside the account, they do not immediately act. Instead, they monitor communications for weeks or months, building an understanding of payment processes, relationships, and upcoming transactions.

When an opportunity arises — a large payment about to be made, a new supplier being onboarded — they intervene from within the legitimate account. The email requesting updated banking details arrives from the supplier's real email address, references real conversations, and is indistinguishable from a genuine communication. The victim has no technical way to detect the fraud through standard email checks.

Pattern 2: Domain Spoofing

The attacker registers a domain that closely resembles the target supplier's domain and uses it to send fraudulent emails. Common techniques include:

  • Homoglyph attacks: Replacing characters with visually similar ones (rn → m, 1 → l)
  • Subdomain impersonation: supplier.legitimate-company.com
  • TLD substitution: smithplumbing.com instead of smithplumbing.com.au
  • Typosquatting: smth-plumbing.com.au or smithpluming.com.au

These domains are typically registered days or weeks before the attack, which is why domain age is such a powerful detection signal. A request for banking details from a domain registered three weeks ago is almost certainly fraudulent.

Pattern 3: Display Name Deception

The simplest and most technically rudimentary attack: the attacker sends email from a completely different domain but sets the display name to match the expected supplier. "John Smith <accounts@legitimate-supplier.com.au>" becomes "John Smith <randomaccount@gmail.com>" — with only the display name visible in most email clients' default view.

This attack is defeated by checking the actual sender domain, not just the display name. DMARC enforcement on the impersonated domain would not help here, since the attacker is not pretending to send from that domain.
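Pattern 2 and Pattern 3 both come down to the same check: the domain in the actual sender address is not the one on file. The following is an added example, not Gumshoe's own code, of that sender check: it parses the From: header, trusts only the address domain, and classifies the lookalike forms listed above (homoglyph, subdomain impersonation, TLD substitution, typosquat) and display-name deception against a known supplier. The supplier contact, the known domain and the short suffix list are constructed assumptions.

```python
from email.utils import parseaddr
from functools import reduce
# Constructed reference data: the supplier contact and sending domain held in AP records.
KNOWN_CONTACT = "John Smith"
KNOWN_DOMAIN = "smithplumbing.com.au"
# Look-alike swaps named in the article (rn -> m, 1 -> l) plus two common ones.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))
# Longest suffix first so "com.au" beats "com" (assumption; production code would use the Public Suffix List).
SUFFIXES = ("com.au", "net.au", "org.au", "com", "net", "org")

def split_domain(domain):
    """Return (subdomain labels, registrable label, suffix) for a lowercase domain."""
    for suf in SUFFIXES:
        if domain.endswith("." + suf):
            labels = domain[: -len(suf) - 1].split(".")
            return labels[:-1], labels[-1], suf
    labels = domain.split(".")
    return (labels[:-2], labels[-2], labels[-1]) if len(labels) > 1 else ([], labels[0], "")

def edit_distance(a, b):
    """Levenshtein distance; one or two edits away from the real label is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Verdict for a From: header. Only the address domain is trusted, never the display name."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == KNOWN_DOMAIN:
        return "PASS"
    subs, label, suffix = split_domain(domain)
    _, known_label, known_suffix = split_domain(KNOWN_DOMAIN)
    if (label, suffix) == (known_label, known_suffix):
        return "WARN:subdomain-of-known"       # e.g. mail.smithplumbing.com.au
    if known_label in subs:
        return "FAIL:subdomain-impersonation"  # smithplumbing.<attacker-owned>.com
    if label == known_label:
        return "FAIL:tld-substitution"         # smithplumbing.com instead of .com.au
    if reduce(lambda s, pair: s.replace(*pair), HOMOGLYPHS, label) == known_label:
        return "FAIL:homoglyph"                # srnithplumbing.com.au
    if edit_distance(label.replace("-", ""), known_label) <= 2:
        return "FAIL:typosquat"                # smth-plumbing, smithpluming
    if name.strip().lower() == KNOWN_CONTACT.lower():
        return "FAIL:display-name-deception"   # John Smith <randomaccount@gmail.com>
    return "FAIL:unknown-domain"
```

A subdomain of the genuine supplier domain is returned as WARN rather than FAIL because it is under the supplier's control, but it is still a change from the address on file and should go through the callback.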

Why BEC Is So Difficult to Detect After the Fact

BEC losses are among the hardest to recover in Australia. Unlike card fraud — where the bank typically bears liability for unauthorised transactions — BEC payments are authorised payments. The victim instructed their bank to make the payment. The bank executed that instruction. The bank has no legal obligation to recover funds sent to a mule account, and Australian law does not create one.

International recovery is even more difficult. BEC operations frequently route funds through multiple jurisdictions within hours of the initial transfer, making tracing and freezing essentially impossible by the time the fraud is discovered. The ACCC reports that less than 8% of BEC losses are recovered.

The Role of Supplier Verification in BEC Prevention

BEC attacks at the supplier payment stage have a structural vulnerability: the attacking domain is almost always new. The legitimate supplier has a domain registered years ago, with an established certificate history, a real web presence, and properly configured email authentication records. The attacking domain has none of these things.

A structured supplier verification process — one that checks domain age, WHOIS data, email infrastructure (SPF, DMARC, DANE), and reputation against threat intelligence databases — will surface a newly registered attacking domain before payment is made. This holds even when the fraud is carried out via Pattern 1 (account compromise), because the attacker will typically route payments to a new bank account associated with a fraudulent domain they control.

Practical Defences That Work

These are the controls that consistently prevent BEC at the supplier payment stage:

Verify banking details by callback

Any request to change supplier banking details must be verified by a phone call to a number you already hold — not a number provided in the email or on an accompanying document. This single control defeats the vast majority of BEC payment-redirection attacks.

Check the sending domain, not the display name

Train AP staff to examine the actual email address, not just the display name. A supplier whose emails have always arrived from accounts@smithplumbing.com.au should raise immediate suspicion if a banking change request arrives from any other domain.

Run systematic verification on new suppliers and banking changes

A structured check that covers domain age, WHOIS data, email authentication, and reputation signals catches the attacking domain that an account compromise attack will route funds through. Even if the request came from a legitimate email account, the new bank account will be controlled through a new domain — and that domain will fail verification.

Maintain an audit trail

A timestamped verification report for every supplier and every banking-detail change creates accountability and provides the documentation needed for insurance claims and regulatory reporting if a fraud does occur despite your controls.
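The systematic check and the audit trail described in these defences (and in the supplier verification section above), as an added example rather than Gumshoe's own scoring: each control (domain age, SPF, DMARC, threat-intelligence hits and the callback) returns a PASS/WARN/FAIL verdict with a reason, and the timestamped report dictionary is the audit record. The thresholds, the evidence layout and both sample suppliers are constructed assumptions; no live WHOIS or DNS lookups are made and DANE is left out.

```python
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not Gumshoe's scoring rules.
AGE_FAIL_DAYS, AGE_WARN_DAYS = 30, 365

def check_domain_age(created, now):
    age = (now - created).days
    verdict = "FAIL" if age < AGE_FAIL_DAYS else "WARN" if age < AGE_WARN_DAYS else "PASS"
    return verdict, f"domain registered {age} days ago"

def check_spf(record):
    if not (record or "").startswith("v=spf1"):
        return "FAIL", "no SPF record published"
    return ("WARN", "SPF permits any sender") if record.rstrip().endswith(("+all", "?all")) else ("PASS", record)

def check_dmarc(record):
    tags = dict(t.strip().split("=", 1) for t in (record or "").split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "FAIL", "no DMARC record published"
    policy = tags.get("p", "none")
    return ("WARN", "DMARC p=none: spoofing is reported, not rejected") if policy == "none" else ("PASS", f"DMARC p={policy}")

def check_reputation(hits):
    return ("FAIL", "listed: " + ", ".join(hits)) if hits else ("PASS", "no threat-intelligence hits")

def check_callback(confirmed):
    return ("PASS", "confirmed by callback to number on file") if confirmed else ("FAIL", "not confirmed by callback")

def build_report(supplier, evidence, now):
    """Per-check verdicts plus an overall result; the returned dict is the audit-trail record."""
    checks = {
        "domain_age": check_domain_age(evidence["created"], now),
        "spf": check_spf(evidence.get("spf")),
        "dmarc": check_dmarc(evidence.get("dmarc")),
        "reputation": check_reputation(evidence.get("threat_hits", [])),
        "callback": check_callback(evidence.get("callback_confirmed", False)),
    }
    verdicts = {v for v, _ in checks.values()}
    overall = "FAIL" if "FAIL" in verdicts else "WARN" if "WARN" in verdicts else "PASS"
    return {"supplier": supplier, "domain": evidence["domain"],
            "generated_at": now.isoformat(), "checks": checks, "overall": overall}

# Constructed evidence: an established supplier and a lookalike registered three weeks ago.
NOW = datetime(2026, 4, 29, tzinfo=timezone.utc)
ESTABLISHED = {"domain": "smithplumbing.com.au", "created": NOW - timedelta(days=9 * 365),
               "spf": "v=spf1 include:_spf.example.net -all", "threat_hits": [], "callback_confirmed": True,
               "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@smithplumbing.com.au"}
LOOKALIKE = {"domain": "smth-plumbing.com.au", "created": NOW - timedelta(days=21),
             "spf": "v=spf1 +all", "dmarc": None, "threat_hits": [], "callback_confirmed": False}
```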

"BEC succeeds because it exploits genuine trust relationships. Defending against it is not about making your staff more suspicious — it is about building processes that provide objective verification data so decisions can be made on evidence, not instinct."

The Uncomfortable Truth About BEC

BEC succeeds because it exploits genuine trust relationships. The emails look legitimate because they arrive from legitimate accounts or convincing lookalikes. The invoices look real because they reference real transactions. The banking details look plausible because there is no obvious reason to question them.

Defending against BEC is not about making your staff more suspicious of everything — it is about building processes that provide objective verification data, so that your staff can make decisions based on evidence rather than instinct. An automated supplier check that takes 60 seconds and surfaces domain age, email authentication status, and threat intelligence data is not a replacement for human judgement. It is the information that human judgement needs to work correctly.

Uncommon Insights

Uncommon Insight #1: The Australian Taxation Office (ATO) considers business email compromise (BEC) payments to be 'unauthorised transactions' under the Electronic Funds Transfer (EFT) Code of Conduct. This means that Australian businesses can dispute the transaction with their bank, and the bank may be liable for the loss under the ePayments Code. However, this is only the case if the business has in place reasonable security measures to prevent such transactions, as per the Corporations Act 2001 (Cth) s 601HG.

Uncommon Insight #2: ASIC's Regulatory Guide 221 (RG 221) on 'Facilitating online financial services disclosures' requires Australian financial institutions to have robust verification processes in place to detect and prevent BEC scams. Specifically, RG 221 s 221.24 states that institutions must 'take reasonable steps to verify the identity of the person or entity requesting the transaction'. This means that Australian businesses can hold their financial institutions liable for BEC losses if the institution fails to meet these verification requirements.

Uncommon Insight #3: The Australian Cyber Security Centre's (ACSC) '2022 Cyber Threat Report' found that 70% of BEC attacks in Australia involved the use of legitimate but compromised business email accounts. This highlights the importance of implementing robust email security measures, such as multi-factor authentication (MFA) and email encryption, as per the ACSC's 'Essential Eight' mitigation strategies. However, it also underscores the need for Australian businesses to implement effective account takeover detection and response measures, as per the ACSC's 'BEC Guide for Businesses'.

Uncommon Insight #4: The Australian Securities and Investments Commission (ASIC) has identified a growing trend of BEC scammers using Australian businesses as 'money mules' to launder stolen funds. This is often achieved through the use of fake invoices or payment requests, which are then used to transfer funds to the scammer's account. ASIC's 'Money Mule' guidance notes that Australian businesses can be held liable for facilitating these transactions, even if they are unaware of the scam. This highlights the need for Australian businesses to implement effective know-your-customer (KYC) and anti-money laundering (AML) measures to prevent and detect these types of scams.

VERIFY A SUPPLIER NOW

Run a Free Entity Check in 60 Seconds

Gumshoe cross-references ABR, ASIC, PPSR, domain registrars, DNS, and threat intelligence for any Australian business — returning a weighted assurance score across eight checks. Free for most checks, no account required.


Contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU.