How Business Email Compromise Works — And How to Stop It
Business email compromise is the most financially damaging form of cybercrime targeting Australian businesses. Understanding exactly how it works is the first step to building effective defences.
What Is Business Email Compromise?
Business email compromise (BEC) is a category of fraud in which an attacker uses email — either a compromised legitimate account or a convincing impersonation — to trick a business into making an unauthorised payment or disclosing sensitive information. The Australian Cyber Security Centre consistently ranks BEC as the costliest cybercrime type by total financial loss, ahead of ransomware and data theft.
The name is slightly misleading: while business email systems are often the vector, the compromise is fundamentally of trust — specifically, the trust that organisations place in email communications from known counterparties. Attackers exploit this trust systematically, and the techniques they use have become increasingly sophisticated over the past decade.
The Three Main BEC Attack Patterns
Pattern 1: Email Account Compromise
The attacker gains access to a legitimate email account — typically through credential phishing, a data breach, or password reuse. Once inside the account, they do not immediately act. Instead, they monitor communications for weeks or months, building an understanding of payment processes, relationships, and upcoming transactions.
When an opportunity arises — a large payment about to be made, a new supplier being onboarded — they intervene from within the legitimate account. The email requesting updated banking details arrives from the supplier's real email address, references real conversations, and is indistinguishable from a genuine communication. The victim has no technical way to detect the fraud through standard email checks.
Pattern 2: Domain Spoofing
The attacker registers a domain that closely resembles the target supplier's domain and uses it to send fraudulent emails. Common techniques include:
- Homoglyph attacks: Replacing characters with visually similar ones (rn → m, 1 → l)
- Subdomain impersonation: supplier.legitimate-company.com
- TLD substitution: smithplumbing.com instead of smithplumbing.com.au
- Typosquatting: smth-plumbing.com.au or smithpluming.com.au
These domains are typically registered days or weeks before the attack, which is why domain age is such a powerful detection signal. A request for banking details from a domain registered three weeks ago is almost certainly fraudulent.
Pattern 3: Display Name Deception
The simplest and most technically rudimentary attack: the attacker sends email from a completely different domain but sets the display name to match the expected supplier. "John Smith <accounts@legitimate-supplier.com.au>" becomes "John Smith <randomaccount@gmail.com>" — with only the display name visible in most email clients' default view.
This attack is defeated by checking the actual sender domain, not just the display name. DMARC enforcement on the impersonated domain would not help here: the message genuinely originates from a domain the attacker controls (gmail.com in the example above), so it passes that domain's own SPF, DKIM and DMARC checks and never claims to come from the supplier's domain.
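As an added example (not code from the original article), the following Python checker applies the lookalike-domain tests from Pattern 2 and the display-name test from Pattern 3 to a parsed From: header. The public-suffix list and homoglyph table are constructed for illustration only; smithplumbing.com.au is the supplier domain the article itself uses.

```python
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed tables for the example; a real tool would use the full public-suffix
# list and a complete confusable-character table.
PUBLIC_SUFFIXES = ("com.au", "net.au", "org.au", "co.uk", "co.nz")
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "cl": "d"}

def split_domain(domain):
    """Return (subdomain labels, registrable name, public suffix) for a domain."""
    domain = domain.lower().strip(".")
    suffix = next((s for s in PUBLIC_SUFFIXES if domain.endswith("." + s)), None)
    if suffix is None:
        suffix = domain.rsplit(".", 1)[-1]
    labels = domain[: -len(suffix) - 1].split(".")
    return labels[:-1], labels[-1], suffix

def fold_homoglyphs(label):
    """Replace known lookalike sequences so 'srnith' compares equal to 'smith'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def classify_sender(from_header, expected_domain, expected_name):
    """Findings for a From: header judged against the supplier's known domain and contact
    name. An empty list means the address domain matches exactly; a compromised real
    account (Pattern 1) is therefore invisible to this check, as the article notes."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no-address"]
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain == expected_domain.lower():
        return []
    findings = []
    _, exp_name, exp_suffix = split_domain(expected_domain)
    sub, snd_name, snd_suffix = split_domain(sender_domain)
    if exp_name in sub:                                   # supplier.legitimate-company.com
        findings.append("subdomain-impersonation")
    if snd_name == exp_name and snd_suffix != exp_suffix:  # .com instead of .com.au
        findings.append("tld-substitution")
    if snd_name != exp_name and fold_homoglyphs(snd_name) == exp_name:
        findings.append("homoglyph")                      # rn -> m, 1 -> l
    elif snd_name != exp_name and SequenceMatcher(None, snd_name, exp_name).ratio() >= 0.8:
        findings.append("typosquat")                      # smth-plumbing, smithpluming
    if not findings:
        findings.append("unrelated-domain")               # e.g. a free webmail domain
    if display.strip().lower() == expected_name.lower():
        findings.append("display-name-deception")         # Pattern 3
    return findings
```

The similarity threshold of 0.8 is a constructed starting point; tune it against your own supplier list so that genuine sibling domains do not trip it.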
Why BEC Is So Difficult to Detect After the Fact
BEC losses are among the hardest to recover in Australia. Unlike card fraud — where the bank typically bears liability for unauthorised transactions — BEC payments are authorised payments. The victim instructed their bank to make the payment. The bank executed that instruction. The bank has no legal obligation to recover funds sent to a mule account, and Australian law does not create one.
International recovery is even more difficult. BEC operations frequently route funds through multiple jurisdictions within hours of the initial transfer, making tracing and freezing essentially impossible by the time the fraud is discovered. The ACCC reports that less than 8% of BEC losses are recovered.
The Role of Supplier Verification in BEC Prevention
BEC attacks at the supplier payment stage have a structural vulnerability: the attacking domain is almost always new. The legitimate supplier has a domain registered years ago, with an established certificate history, a real web presence, and properly configured email authentication records. The attacking domain has none of these things.
A structured supplier verification process — one that checks domain age, WHOIS data, email infrastructure (SPF, DMARC, DANE), and reputation against threat intelligence databases — will surface a newly registered attacking domain before payment is made. This holds even when the fraud is carried out through Pattern 1 (account compromise), because the attacker typically directs payment to a new bank account that is administered through a fraudulent domain they control, and it is that domain the verification check catches.
Practical Defences That Work
These are the controls that consistently prevent BEC at the supplier payment stage:
Verify banking details by callback
Any request to change supplier banking details must be verified by a phone call to a number you already hold — not a number provided in the email or on an accompanying document. This single control defeats the vast majority of BEC payment-redirection attacks.
Check the sending domain, not the display name
Train AP staff to examine the actual email address, not just the display name. A supplier whose emails have always arrived from accounts@smithplumbing.com.au should raise immediate suspicion if a banking change request arrives from any other domain.
Run systematic verification on new suppliers and banking changes
A structured check that covers domain age, WHOIS data, email authentication, and reputation signals catches the attacking domain that an account compromise attack will route funds through. Even if the request came from a legitimate email account, the new bank account will be controlled through a new domain — and that domain will fail verification.
Maintain an audit trail
A timestamped verification report for every supplier and every banking-detail change creates accountability and provides the documentation needed for insurance claims and regulatory reporting if a fraud does occur despite your controls.
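As an added example, not code from the article or from any product it describes, here is a Python function that scores already-fetched verification data (WHOIS creation date, DMARC and SPF TXT records) for a supplier domain and returns the timestamped report that the "systematic verification" and "audit trail" controls above call for. All record strings and dates are constructed; WHOIS and DNS retrieval, DANE and reputation lookups are assumed to be done elsewhere, and the 180-day age threshold is an assumed value.

```python
from datetime import datetime

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict; {} if absent."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?' or '+'); None if no SPF."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return "?"   # no 'all' mechanism: SPF evaluates to neutral, the same as ?all

def verify_supplier(domain, whois_created, dmarc_txt, spf_txt, checked_at, min_age_days=180):
    """Score pre-fetched data for a supplier domain and return a timestamped report.
    Dates are ISO-8601 strings (constructed inputs); no network lookups are performed."""
    created = datetime.fromisoformat(whois_created)
    now = datetime.fromisoformat(checked_at)
    age_days = (now - created).days
    findings = []
    if age_days < min_age_days:   # the article's key signal: attacking domains are new
        findings.append(f"domain registered {age_days} days ago (threshold {min_age_days})")
    dmarc = parse_dmarc(dmarc_txt)
    if not dmarc:
        findings.append("no DMARC record")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC policy p=none (monitoring only, nothing is enforced)")
    qualifier = spf_all_qualifier(spf_txt)
    if qualifier is None:
        findings.append("no SPF record")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF '{qualifier}all' does not restrict sending hosts")
    verdict = "BLOCK" if age_days < min_age_days else ("REVIEW" if findings else "PASS")
    return {"domain": domain, "checked_at": now.isoformat(), "domain_age_days": age_days,
            "findings": findings, "verdict": verdict}
```

Persist the returned dict as-is for each supplier onboarding and banking-detail change; its checked_at and findings fields are the evidence an insurer or regulator will ask for.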
The Uncomfortable Truth About BEC
BEC succeeds because it exploits genuine trust relationships. The emails look legitimate because they arrive from legitimate accounts or convincing lookalikes. The invoices look real because they reference real transactions. The banking details look plausible because there is no obvious reason to question them.
Defending against BEC is not about making your staff more suspicious of everything — it is about building processes that provide objective verification data, so that your staff can make decisions based on evidence rather than instinct. An automated supplier check that takes 60 seconds and surfaces domain age, email authentication status, and threat intelligence data is not a replacement for human judgement. It is the information that human judgement needs to work correctly.