Business email compromise devastates Australia, but a few simple steps can foil attacks.

It was a mundane email sent to a delinquent client: “Payment of your invoice is overdue”. Nothing about it alluded to the deep financial and personal pain the owners of the small Melbourne construction business were set to endure at the hands of online criminals who had just fleeced them of more than $100,000.

But perpetrators of business email compromise (BEC), a form of cyber-crime described by seasoned security experts as “out of control” and operating on a “phenomenal” scale costing businesses billions of dollars a year, rarely offer victims clues of their crimes until it is too late.

The scams, experts agree, are on an epidemic scale with businesses in each Australian state and territory losing thousands of dollars every day. Criminal investigators say Australian businesses regularly lose “often more than $100,000 per incident”.

Yet public reports of these attacks have been minimal.

These attacks are a world apart in their technical complexity from the state-sponsored hacking that captures headlines; BEC is mostly textbook swindling, supplemented by the occasional use of off-the-shelf automated hacking tools.

It takes different forms, all of which criminals deploy to devastating effect. In one, known as whaling, criminals impersonate a company director in an email to a subordinate financial controller, ordering them to pay money into an account the criminals control.

In another, known as doctored invoicing, scammers use automated tools to break into a business’s email inbox and alter the payee bank account details on client invoices.

A thriving underground marketplace means criminals need not even hack email accounts themselves: they can simply buy that access from other criminals.

Chain of events

This is what happened to the Melbourne-based Buildr (we are concealing the victim’s true identity).

Buildr staff discovered they had been robbed only after their client informed them the invoice was paid two months earlier.

This chain of events made little sense to Buildr. Emails showed their project manager had sent the invoice to the client, along with a thank you note and glib wishes for the weekend.

There was no reply and the exchange fell silent for the next three months.

Follow-up phone calls revealed the invoice the client received contained a bank account number that did not match the one sent by Buildr.

Snapshot: security defence for small business

Confirm account numbers: Verify bank account details with a phone call or text message to a known number before transferring money, and do the same whenever a supplier’s account details appear to change.

Turn on two-factor authentication wherever and whenever it is offered. This is often your best defence against most online threats, including the mailbox break-ins that enable doctored invoicing.

Implement SPF, DKIM and DMARC to help combat BEC email spoofing attacks. These stop criminals sending mail that forges your domain, but they do not help when the attacker is already inside a legitimate mailbox, so they complement rather than replace two-factor authentication and payment verification.

Password hygiene: Set unique, non-cliché, atypical passwords for email, business and other important accounts. These can be pronounceable multi-word phrases with a few numbers or special characters. Strongly consider a password manager such as LastPass.

Report the crime: Private sector businesses report to the Federal Government’s ACORN portal. Critical infrastructure operators and big business call CERT Australia.
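As an added illustration of the SPF and DMARC advice above (this is example code written for this page, not anything from the article or the businesses it describes), the following Python parses the two DNS TXT records and flags settings that leave a domain open to spoofing. The records are constructed for the reserved documentation domain example.com; a weak posture (SPF ending in `~all`, DMARC `p=none`) is shown beside a hardened one, and the grading rules follow the SPF (RFC 7208) and DMARC (RFC 7489) specifications rather than any particular vendor’s checker.

```python
# Added example: parse SPF and DMARC TXT records and flag anti-spoofing
# weaknesses. All records below are constructed for illustration and use the
# reserved documentation domain example.com, not any real business.


def parse_spf(record):
    """Return (mechanisms, default_qualifier) for an SPF TXT record.

    mechanisms: list of (qualifier, mechanism) tuples excluding the final
    'all'. default_qualifier: the '+', '-', '~' or '?' attached to 'all',
    or None when the record has no 'all' term (RFC 7208 then treats an
    unmatched sender as 'neutral', which receivers accept).
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, default = [], None
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= and exp= are skipped
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            default = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, default


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record as a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means the domain is enforcing."""
    findings = []
    if spf_record is None:
        findings.append("no SPF record: any host may claim to send for the domain")
    else:
        _, default = parse_spf(spf_record)
        if default == "+":
            findings.append("SPF ends in +all: every sender passes")
        elif default in ("~", "?", None):
            findings.append("SPF default is soft/neutral: spoofed mail is not rejected on SPF alone")
    if dmarc_record is None:
        findings.append("no DMARC record: receivers have no policy for failed mail")
        return findings
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: failures are reported but still delivered")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"DMARC pct={pct}: only {pct}% of failing mail is subject to {policy}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts will not be received")
    return findings


# Constructed records for two postures of the same documentation domain.
WEAK_SPF = "v=spf1 include:_spf.mail.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mail.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(spf, dmarc) or ["enforcing"])
```

To run it against a live domain, feed `assess` the TXT record at the domain apex and the one at `_dmarc.<domain>`; the parser deliberately does not resolve `include:` chains or count DNS lookups, so a clean result here means the published policy is enforcing, not that the included networks are trustworthy.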

A Buildr IT technician suspected foul play and appealed to trusted information security contacts, finding Kayne Naughton, a Melbourne-based threat intelligence expert at Cosive with a long history in computer forensics and combating financially driven cyber-crime.

“This isn’t even my day job, it’s barely my side job, and I’ve handled about $2 million in losses across Australian businesses in the last few years,” Naughton says.

“It’s out of control”.

The same attacker who targeted Buildr is thought to have stolen hundreds of thousands of dollars from more than a dozen Australian businesses using the same BEC techniques.

Rising tides

Business email compromise is growing rapidly in both frequency and financial impact across the world. The FBI in October last year estimated BEC had cost businesses worldwide some US$5.3 billion.

The Australian Federal Government says businesses here lost more than $20 million to BEC between 2016 and 2017, up from $8.6 million the previous year, and that in the three years to December it received more than 2000 reports of BEC.

Government figures on BEC attacks have risen steadily but, it says, still represent “only a small percentage of total activity” because of “misreporting and underreporting”.

Losses from BEC are high. Multiple Australian organisations in the last three years have each lost millions of dollars in single unreported BEC attacks, security responders with first-hand knowledge of the incidents tell us.

Estimates of typical losses vary between experts. Some find BEC victims lose about $10,000 per incident, while others handle cases of between $25,000 and $50,000 each. Well-placed crime investigators say losses of $100,000 per incident in Australia are common.

Many of these losses are likely absent from government registers. Security experts working in the private and public sectors agree that the total of cyber-crime losses reported to government is significantly less than the true cost, because many victims, especially businesses, are reluctant to report incidents for fear of public exposure.

Security incident responders contracted to assist hacking and BEC victims are often made to sign non-disclosure agreements that can prevent them from supplying even anonymised crime data to the Federal Government. Many well-intentioned contractors try, and fail, to convince their clients to lift the reporting ban.