Business Email Compromise: The $3 Billion Scam Targeting Australian Businesses Right Now
Your finance team receives an email from the CEO asking for an urgent funds transfer. The email address looks right. The tone sounds familiar. The request seems plausible. They transfer the money. And then they find out the CEO never sent that email. This is Business Email Compromise (BEC) — and it is the single most financially damaging cybercrime affecting Australian businesses today. No malware required. No ransomware. Just a convincing email and a well-timed request. Understanding how BEC works — and how to stop it — is one of the most important things an Australian SMB can do right now. What Is Business Email Compromise? Business Email Compromise is a sophisticated fraud attack where cybercriminals impersonate a trusted person – usually a CEO, supplier, or finance contact – to trick employees into transferring money or sensitive data. BEC attacks come in several forms: The Australian Federal Police has reported BEC losses in the hundreds of millions annually. Globally, the FBI estimates cumulative BEC losses have exceeded USD $50 billion. Learn how our cybersecurity services protect Gold Coast businesses from email-based threats Why BEC Is So Effective Against SMBs Business Email Compromise works because it exploits trust and urgency – two things that are deeply embedded in how businesses operate. Attackers spend time researching their targets before striking. They study: SMBs are disproportionately targeted because they often lack formal financial controls – single approvals for large transfers, no secondary verification requirements, and staff who have not been trained to recognise impersonation. The Technical and Human Defences Against BEC Stopping Business Email Compromise requires both technical controls and human processes working together. Technical Controls: Process Controls: Explore our Security Awareness Training to prepare your team against BEC What to Do If You Suspect a BEC Attack If you or a staff member suspects a Business Email Compromise attempt or has already made a fraudulent transfer: Speed is critical. The faster you act, the higher the chance of recovering funds. Learn how Netlogyx Managed IT Support provides rapid incident response Has Your Business Reviewed Its BEC Exposure? Email fraud is the highest-cost cybercrime targeting Australian businesses. A 30-minute review with Netlogyx can reveal whether your email domain is protected, your staff are trained, and your financial processes include the right safeguards. Frequently Asked Questions Q: How do attackers get so much information about our business to make BEC emails convincing?A: Most of it is publicly available – LinkedIn profiles, your website, press releases, and social media. Attackers spend time on open-source intelligence gathering before launching a targeted BEC campaign. Q: We have email filtering – does that protect against BEC?A: Basic spam filters alone are not sufficient. BEC emails often come from legitimate-looking domains with no malware attached, so they pass basic filters. Advanced email security with AI-based header analysis and domain impersonation detection is required. Q: Is BEC covered by cyber insurance?A: Some policies cover social engineering and funds transfer fraud. However, coverage depends on whether minimum security controls were in place at the time. This is another reason to implement proper email authentication and financial controls. The Most Expensive Email You Will Ever Receive Looks Completely Normal Business Email Compromise is not about technical sophistication. It is about human trust, organisational process gaps, and a lack of email authentication. The defences are straightforward – but they must be implemented deliberately. Netlogyx helps Australian SMBs close these gaps before they become a loss. (We are not looking to replace your current provider, just offering an alternative perspective) Written by Neil Frick Sources & References
Read MorePhishing Attack Prevention: What the Booking.com and Super Fund Attacks Teach Australian SMBs
When hackers compromised Booking.com’s supply chain in April 2026, the real attack started the next day with a flood of hyper-targeted phishing emails to genuine customers. When 20,000 Australian superannuation accounts were drained in the April 2025 super fund attacks, the attackers did not hack the funds. They used credentials stolen from unrelated breaches to log in as the real members. Every day in Australia, phishing emails, smishing texts, and vishing calls are bypassing technology and walking straight into inboxes that belong to trusted staff. Phishing attack prevention is no longer about training staff to spot bad grammar. It is about rebuilding the layers of defence that assume one email will get through, because it will. Why 2025 Was the Year Phishing Got Personal The modern phishing attack is almost unrecognisable compared to five years ago. In 2025 and 2026, Australian businesses are facing: The ACSC recorded over 84,700 cybercrime reports in FY2024-25, with business email compromise, identity fraud, and phishing dominating the categories. The Booking.com Supply Chain Phishing Attack In April 2026, Booking.com confirmed that attackers had accessed customer names, emails, addresses, and booking details via a compromised third party. The immediate follow-up was a wave of convincing phishing emails to those customers, referencing real bookings and asking for payment “verification.” This is the phishing attack of 2026: legitimate data stolen from one source, weaponised against real customers the next day, with specific and verifiable detail that defeats traditional detection. The Super Fund Credential Stuffing Attack In April 2025, more than 20,000 super accounts across AustralianSuper, REST, Hostplus, Australian Retirement Trust, and Insignia Financial were compromised. Attackers did not breach the super funds. They used credentials stolen from unrelated data breaches, betting that users had reused the same password. Four AustralianSuper members lost a combined $500,000. A 74-year-old Queensland woman lost $406,000 overnight. The attack was pure phishing-derived credential harvesting combined with password reuse. The Six Layers of Modern Phishing Attack Prevention Technology alone will not stop phishing. People alone will not either. Modern phishing attack prevention requires six overlapping layers: Recommended Link: Security Awareness Training That Actually Works The Process Controls That Matter as Much as Technology Technology stops the easy attacks. Process stops the sophisticated ones: Recommended Link: Email and Office 365 Security for Australian Businesses How Confident Are You That Your Next Phishing Email Will Be Caught?Phishing attack prevention is now a layered discipline. A single control is not enough. Frequently Asked Questions Q: What is the single most effective phishing attack prevention control?A: Phishing-resistant MFA on every business system. Microsoft’s own data shows it blocks more than 99.9% of automated credential attacks. It is not perfect, but nothing else comes close. Q: How often should staff receive phishing training?A: Quarterly at minimum, with monthly phishing simulations for high-risk roles such as finance, executive assistants, and HR. Annual training alone is not enough. Q: If a staff member falls for a phishing email, who is responsible?A: This is why a “pause and verify” culture matters. Staff who report incidents quickly should be supported, not punished. Blame cultures make phishing worse because staff hide mistakes. The Booking.com incident, the super fund attack, the Qantas call-centre compromise, and every other major 2025-2026 Australian breach share one common feature: phishing, in some form, was the entry point. Phishing attack prevention is no longer an IT checkbox. It is the front line of your entire business. The question is whether you are treating it that way today, or whether you will be explaining to customers why you did not. (We are not looking to replace your current provider, just offering an alternative perspective) Written by Neil Frick Sources & References
Read More