Business Email Compromise: The $98M Threat to Australian SMBs in 2026
Business Email Compromise (BEC) is not a new threat. But in 2026, it's the single most expensive cybercrime targeting Australian businesses.
The ACCC's Targeting Scams report documented $98 million in verified BEC losses in 2025. The real figure is likely 3-5x higher. Most SMBs don't report it. Some don't even know it happened until the money's been gone for weeks.
How BEC Actually Works
BEC is not hacking in the Hollywood sense. There's no hooded figure typing furiously. It's social engineering at scale, and it works because it exploits trust.
The Attack Chain
Reconnaissance: Attacker researches your business on LinkedIn, your website, and ASIC. They learn who your suppliers are, who handles payments, and what's normal for your organisation.
Email Compromise or Spoof: The attacker either:
- Compromises a real vendor's email account (via credential stuffing or phishing)
- Spoofs the domain with a lookalike (e.g., @c0mpany.com vs @company.com)
- Registers a domain that's visually identical
The Ask: A fake invoice arrives. Bank details have "changed." The amount is plausible. The tone is urgent but professional. It looks exactly like every other invoice your accounts team processes.
The Payment: Your team pays. The money lands in the attacker's account.
The Disappearance: Within 24 hours, funds are distributed through money mule networks. Often overseas. Gone.
The Numbers
| Metric | Value |
|---|---|
| Average BEC loss per Australian SMB | $35,000 |
| Average time to detect | 30 days |
| Recovery rate of funds | Less than 10% |
| Percentage involving vendor impersonation | 77% |
| Percentage involving CEO/executive impersonation | 23% |
Sources: ACCC Targeting Scams Report 2025, Australian Cyber Security Centre, FBI IC3
Red Flags Your Team Should Watch For
Train every person who handles payments to recognise these signals:
- Invoice bank details changed without a prior phone call or in-person verification
- Urgent payment requests with threats of service cutoff or legal action
- Slight changes to email addresses (e.g., @c0mpany.com, @companvy.com, extra characters)
- Payment requests from new contacts at existing vendors
- Requests to change established payment schedules without clear justification
- Emails sent at unusual hours (2am on a Sunday)
- Grammar that's "almost right" but slightly off for that sender
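The "slight changes to email addresses" red flag can be checked mechanically before a human ever reads the invoice. The script below is an added example (not code from the original post): it normalises common digit-for-letter substitutions and compares the sender's domain against a list of trusted vendor domains using edit distance. The `TRUSTED_DOMAINS` set and the sample addresses are constructed for illustration; in practice the list would come from your vendor master file.

```python
"""Flag sender domains that look like a trusted vendor domain.

Added example, not part of the original post. The vendor list and the
sample sender addresses are constructed for illustration.
"""
import unicodedata

# Characters attackers commonly substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s", "|": "l",
})

# Known-good vendor domains (constructed for this example).
TRUSTED_DOMAINS = {"company.com", "acme-supplies.com.au"}


def normalise(domain: str) -> str:
    """Lower-case, strip accents/compatibility forms, map digit look-alikes."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email address.

    'lookalike' means the domain is not on the trusted list but, after
    normalisation, is within two edits of a trusted domain: exactly the
    c0mpany.com / companvy.com pattern the red-flag list describes.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for good in trusted:
        if norm == good or levenshtein(norm, good) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, one per category.
    for addr in ("accounts@company.com", "accounts@c0mpany.com",
                 "billing@companvy.com", "someone@gmail.com"):
        print(f"{addr:28} -> {classify_sender(addr)}")
```

A "lookalike" result is a hard stop for the accounts team, not just a warning: the invoice goes to the phone-verification step regardless of what the email says. The edit-distance threshold of two is a starting point; raise it for long domains, lower it for short ones, and always keep exact matches on the trusted list as the only path that skips review.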
The Defence Playbook for SMBs
1. Verify Bank Detail Changes via Phone
This single control stops 90% of BEC attacks. When bank details change on an invoice, call the vendor using a number from your records (not from the email). Confirm the change.
2. Implement Dual-Authorisation for Payments
Any payment over $5,000 requires two people to approve. This creates a human checkpoint that catches anomalies.
3. Deploy DMARC, SPF, and DKIM
These email authentication protocols make it significantly harder for attackers to spoof your domain. They also protect your business from being used as a vector against your customers.
- SPF: Lists which mail servers are allowed to send email on behalf of your domain
- DKIM: Adds a cryptographic signature to outgoing emails so receivers can detect tampering and confirm the sending domain
- DMARC: Tells receiving servers how to treat mail that fails the SPF and DKIM checks (monitor, quarantine or reject) and where to send reports
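Publishing these records is only half the job; a record with `p=none` or `+all` exists but protects nothing. The checker below is an added example (not code from the original post) that parses SPF and DMARC TXT records and reports the weak settings an SMB most often ships with. The four records are constructed, one weak pair and one hardened pair; in practice you would fetch your own with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`.

```python
"""Check SPF and DMARC TXT records for weak settings.

Added example, not part of the original post. The records below are
constructed; fetch real ones with `dig TXT example.com` and
`dig TXT _dmarc.example.com`.
"""

# Constructed records: a weak pair (common on un-reviewed domains)...
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
# ...and a hardened pair (strict alignment, enforcement, reporting).
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.10 -all"
STRONG_DMARC = ("v=DMARC1; p=reject; pct=100; "
                "rua=mailto:dmarc@example.com; adkim=s; aspf=s")


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(record: str) -> list[str]:
    """Return findings about the SPF record's final 'all' mechanism."""
    findings = []
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record missing or not v=spf1"]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are neutral")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
    elif all_term == "~all":
        findings.append("SPF: '~all' is softfail; prefer '-all' once DMARC is enforced")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral; prefer '-all'")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings about policy, coverage and reporting in a DMARC record."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves some spoofed mail unfiltered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def audit(spf: str, dmarc: str) -> list[str]:
    """Combined findings for a domain; an empty list means nothing weak was found."""
    return check_spf(spf) + check_dmarc(dmarc)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}]")
        for f in audit(spf, dmarc) or ["no weak settings found"]:
            print("  -", f)
```

The usual path is to start at `p=none` with a `rua=` address, read the aggregate reports for a few weeks to find legitimate senders you forgot (payroll, CRM, ticketing), add them to SPF, then move to `p=quarantine` and finally `p=reject`. The checker deliberately treats `p=none` as a finding so that a domain does not sit in monitoring mode indefinitely.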
4. Train Accounts Staff Quarterly
BEC tactics evolve. Your training should too. Use real examples. Run simulations. Make it relevant to the tools and vendors your team actually uses.
5. Implement Payment Delays for New Payees
A 24-hour delay on first-time payments to new bank accounts costs nothing and catches most BEC attempts.
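Steps 1, 2 and 5 above are all decisions that can be made from two pieces of data: the invoice in hand and the vendor record you already hold. The script below is an added example (not code from the original post) that encodes those three controls as a single pre-payment check: a changed BSB or account triggers a callback to the phone number on file, an amount over $5,000 requires a second approver, and a first-time or changed payee is held for 24 hours. The vendor record, invoices and thresholds are constructed; the $5,000 and 24-hour figures are the ones the post uses.

```python
"""Decide which payment controls apply to an invoice before it is paid.

Added example, not part of the original post. The vendor master file,
the invoices and the thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD = 5_000   # dollars; two approvers above this amount
NEW_PAYEE_HOLD_HOURS = 24     # hold first payment to an unseen bank account


@dataclass
class VendorRecord:
    name: str
    phone_on_file: str   # from your own records, never from the email
    bsb: str
    account: str


@dataclass
class Invoice:
    vendor: str
    amount: float
    bsb: str
    account: str


@dataclass
class Decision:
    required: list = field(default_factory=list)  # controls that must be satisfied
    hold_hours: int = 0                            # delay before funds may leave


def evaluate(invoice: Invoice, vendors: dict) -> Decision:
    """Apply the phone-verification, dual-authorisation and new-payee controls."""
    d = Decision()
    rec = vendors.get(invoice.vendor)
    if rec is None:
        # Step 5: brand-new payee, nothing on file to compare against.
        d.required.append("new vendor: verify identity and bank details before setup")
        d.hold_hours = NEW_PAYEE_HOLD_HOURS
    elif (invoice.bsb, invoice.account) != (rec.bsb, rec.account):
        # Step 1: bank details differ from the record; call the number you hold.
        d.required.append(
            f"bank details changed: call {rec.name} on {rec.phone_on_file} to confirm")
        # Step 5: a changed account is a first-time payment to that account.
        d.hold_hours = NEW_PAYEE_HOLD_HOURS
    if invoice.amount > DUAL_AUTH_THRESHOLD:
        # Step 2: human checkpoint for larger payments.
        d.required.append("dual authorisation: second approver required")
    return d


# Constructed vendor master file.
VENDORS = {
    "Acme Supplies": VendorRecord("Acme Supplies", "+61 2 5550 0100",
                                  "062-000", "12345678"),
}

if __name__ == "__main__":
    samples = [
        Invoice("Acme Supplies", 900.00, "062-000", "12345678"),   # routine
        Invoice("Acme Supplies", 12_000.00, "013-999", "87654321"),  # changed + large
        Invoice("Unknown Pty Ltd", 3_000.00, "033-111", "11112222"),  # new payee
    ]
    for inv in samples:
        dec = evaluate(inv, VENDORS)
        print(f"{inv.vendor:16} ${inv.amount:>9,.2f} hold={dec.hold_hours}h "
              f"controls={dec.required or ['none']}")
```

The important design choice is that the callback number comes from `VendorRecord.phone_on_file`, not from anything in the invoice or the email; the whole point of step 1 is that the attacker controls every number printed on the fake invoice. The hold is applied on a changed account as well as a new vendor, because from the bank's point of view both are first-time payments to that account.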
What to Do If You're Hit
- Contact your bank immediately (within 24 hours, recovery is sometimes possible)
- Report to ReportCyber (Australian Cyber Security Centre)
- Report to Scamwatch (ACCC)
- Contact your cyber insurance provider
- Forensically preserve the phishing email (don't delete it)
- Change credentials for any compromised email accounts
- Notify affected vendors so they can warn other customers
Bottom Line
BEC doesn't require sophisticated technology to execute. It requires trust. And trust is what makes it so effective.
The defence is simple, cheap, and effective: verify changes via phone, dual-authorise payments, and train your team to be suspicious.
$98 million in losses last year. Don't be part of the next report.
Need help securing your business against BEC and other email threats? Get in touch.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.