You’ve probably heard of phishing, where cyber criminals send texts, emails or social media posts which appear to be from individuals or organisations you think you can trust. Business email compromise takes phishing one step further.

Using phishing techniques, cyber criminals can steal information such as log in and financial details by impersonating other businesses, often large corporations. Business email compromise takes phishing one step further, where criminals could use those details to log in to your own account and impersonate you, your staff members or your business.

Cyber criminals can be very convincing

In business email compromise, criminals might impersonate you and send out fake invoices or supplier requests, or impersonate a member of your staff to obtain confidential details about your business. They might use your logos and email signatures or log in to your email account to commit crimes.

Here's what to do if you think you’ve been targeted – and steps you can take to protect your business.

Take action sooner rather than later

It can be very stressful to find that you have been the victim of business email compromise, but there are steps you can take right away.

If you find out your email account has been compromised, you can report the incident at ReportCyber. You should also let your staff members and clients know so they can watch our for unusual emails or requests from your account – and alert your email provider too.

If you have made a payment and discovered you’ve been the victim of a scam, call your bank or financial institution straight away. Let them know it was a fraudulent transaction and lodge a report with ReportCyber.

Help to keep your accounts secure

If your account has been compromised, your email provider may advise you to run anti-virus and anti-malware protections on your devices as a first step, then change your email password. Make sure you choose a strong password and use multi-factor authentication to keep your account extra secure.

Make secure payments

Payment redirection scams were estimated to have cost Australian businesses $227 million in 2021, according to the ACCC. PayID is a free system that can help protect you from scammers intercepting your invoices and changing the payment details to their own. PayID is as simple as using the mobile number or email address of the person or business you wish to pay to make a payment to, or registering your own PayID with your bank to get paid. Unlike a traditional payment where you need both a BSB and an account number, you can use PayID instead. It is free to register and helps to stop scams because unlike a traditional payment, the payer can see a confirmation screen, which includes the intended PayID name, before they confirm the payment.

Let your team know the warning signs

It’s important to make sure everyone involved in your business knows the warning signs of a business email compromise. Let your team know to be alert for any unexpected change of bank details, urgent payment requests or threats, unusual requests for payments or information from other members of the team (whose account may have been hacked) and any emails which don’t look right.

Be alert for suspicious messages

If you receive a message from an individual, company or government department which seems suspicious, get in touch with the organisation directly to let them know. Use their legitimate contact channels, such as the phone number on their official website, not the details provided in the suspicious message. If you receive an invoice from one of your regular suppliers and there are different account details listed, call your supplier (using their official contact details) to confirm this change. They may have had their account hacked and the invoice details changed before it was sent to you.

More information

Learn more about cyber security, how to protect your business from scammers and PayID.

For more details on business email compromise and other cyber security issues, visit:

You can also sign up for alerts to learn about new scams and how to avoid these – or sign up for our SBDC e-news for small business news every fortnight.

Legal and risk
19 July 2022