What is BEC (Business Email Compromise)?
Business Email Compromise is a targeted scam where criminals impersonate or take over a trusted email account — often an executive, supplier or solicitor — to trick staff into paying fraudulent invoices or sharing sensitive information. Unlike bulk phishing, BEC attacks are researched, convincing and often involve no malware at all.
Why BEC matters for Australian businesses
With cyberattacks on Australian businesses increasing year on year, understanding your security tools and strategies is critical. The Australian Cyber Security Centre reports an attack every six minutes, and small and medium businesses are increasingly targeted. Having the right defences in place is not optional — it is essential for protecting your data, your clients, and your reputation.
For small and medium businesses in particular, understanding BEC is essential to maintaining a secure, efficient, and resilient IT environment. Whether you are reviewing your current defences or planning improvements, knowing how these threats work and how to stop them will help you have more informed conversations with your IT provider and make better decisions for your business.
Related terms
Phishing • MFA • Email Filtering
How All IT Services can help
At All IT Services, we help businesses across Sydney, Brisbane, Melbourne, and regional NSW defend against BEC as part of our comprehensive cybersecurity solutions. If you have questions about how this fits into your IT strategy, contact our team for a no-obligation consultation.
Frequently Asked Questions
What is business email compromise?
BEC is a scam where attackers impersonate or hijack a legitimate business email account to redirect payments or extract sensitive data, usually through carefully crafted, malware-free messages.
How common is BEC in Australia?
Very. BEC is consistently among the highest-loss cybercrimes reported to the ACSC, with Australian businesses losing tens of millions of dollars to it every year.
How can my business prevent BEC?
Enforce MFA on email accounts, add DMARC/SPF/DKIM email authentication, train staff to verify payment changes by phone, and set dual approval for bank detail changes and large transfers.
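As an added example (not code from All IT Services), the Python script below checks whether a domain's SPF and DMARC records actually enforce the email authentication recommended above, rather than merely being present. The two TXT record strings are constructed samples for a hypothetical domain, not live DNS lookups, so it runs offline.

```python
# Added example (not All IT Services' code): do a domain's SPF and DMARC records
# actually enforce? The record strings are constructed samples, not live DNS.
import re
from typing import Optional

SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.invalid ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record: str) -> Optional[str]:
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    return (match.group(1) or "+") if match else None

def assess(spf: str, dmarc: str) -> list:
    """Return findings that weaken anti-spoofing; an empty list means enforced."""
    findings = []
    qual = spf_all_qualifier(spf)
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record published")
    elif qual is None:
        findings.append("SPF: no terminal 'all', so unlisted senders are not failed")
    elif qual == "+":
        findings.append("SPF: '+all' authorises every sender on the internet")
    elif qual in ("~", "?"):
        findings.append(f"SPF: '{qual}all' is soft/neutral, rely on DMARC to enforce")
    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record, so spoofed mail is never rejected")
    else:
        policy = tags.get("p", "").lower()
        if policy in ("", "none"):
            findings.append("DMARC: p=none only monitors; exact-domain spoofing is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
        pct = tags.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct} leaves a share of mail unenforced")
    return findings
```

Running assess(SAMPLE_SPF, SAMPLE_DMARC) on the sample records reports that the soft-fail SPF and the p=none DMARC policy would still let an exact-domain spoof of your executive's address reach staff inboxes.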