Proudly supported by

Australian Government logo


Resources Hub / Small business cyber basics / 3 scams used in business email compromise

3 scams used in business email compromise

According to the latest Australian Cyber Security Centre (ACSC) report, cyber crime increased by 23% in the 2022-23 financial year, compared to the previous period.

For businesses, the second-highest reported cyber crime was business email compromise.

While the term, business email compromise, might sound complex, there’s a high chance you’ve received a scam email just like this but haven’t known its technical name.

What is business email compromise?

Business email compromise, also known as BEC, is a type of email phishing scam. In BEC, the cyber attacker pretends to be someone you know, like a supplier or boss, and will try to trick victims into transferring money or goods.

Pro tip: there’s another type of cyber crime called “email compromise”. It’s very similar to BEC, however, no financial fraud occurs. It’s important to be aware of because it’s the leading cyber crime businesses report.

As cyber criminals become more clever, emails can be very sophisticated and convincing to staff members who are unaware of them.

Before targeting a business, online hackers might research the business and people they are targeting so the emails appear more believable. It can go as far as to refer to people you might work with or mention personal details.

The 3 types of scams used in BEC

The ACSC has recognised three categories of BEC scams and what can happen in an attack.

1. Invoice fraud

In this scenario, criminals gain access to a company’s genuine invoices and edit the contact and bank details on them. They will then send the fake invoice to customers instructing them to pay it. Unfortunately, many people don’t realise the payment details are different and transfer the money straight into the bank account of a cyber criminal.

2. Employee impersonation

In employee impersonation scams, hackers pretend to be someone you work with to defraud you. A common approach is impersonating a person high-up in the business (like a boss!) and having a fake invoice created or requesting money be transferred. In these cases, the emails might try to make an employee feel special and to keep it confidential. To learn more on this, you can read a real-life story of this happening to one boss when they were on holidays and their emails were compromised.

Another method is asking to change a worker’s banking details so that when the employee is paid, it goes directly into the pocket of the cyber criminal.

3. Company impersonation

Criminals will pretend to be a large, well-known organisation (like Amazon or Microsoft) and will go as far as registering a fake domain with the same name. After doing that, they will send an email to a business requesting a quote for their supplies and negotiate for the goods to be delivered before the invoice is paid. After receiving the goods, the invoice will be sent to the real organisation who didn’t even know the order was taking place.

What are the warning signs of a BEC attack?

Uncommon or inconsistent sender addresses

The email address in a BEC attack can be one of the easiest red flags to spot:

  • The “from” email address isn’t the same as the sender display name
  • The “reply-to” header doesn’t match the sender’s address
  • The sender’s email domain is different to the company it’s pretending to be. For example, an email might have the sender name as Michelle from Microsoft but the email address is or

Strange requests from a colleague

CEO impersonation is a frequent type of BEC so it’s important to be on the lookout for unusual emails received from senior leaders requesting payment or financial details. Some questions you can ask yourself:

  • Is this a normal request? For example, would the boss want banking details about a fellow employee?
  • Is this the right process or way for someone to ask? It’s best to follow standard procedures and don’t trust a request if it makes you deviate from that.
  • Does that person usually email you about anything finance-related?

Unexpected invoices

Before paying an invoice, double-check it is something the business was expecting. If you’re feeling unsure, you can always confer with a team member or your accountant.

After confirming this information, check the details on the invoice. Has the payment information changed from previous invoices? If something looks different, call the supplier directly using contact information from their website. Remember: cyber criminals might change the contact details on the invoice to further confuse you.

Urgent wording

Just like in other scam emails, cyber criminals will prey on your emotions by creating a sense of urgency. In an employee impersonation scam, they might pretend they’ve lost their credit card and need money urgently transferred.

Typos and grammatical errors

Always be wary of an email with spelling mistakes, broken English or grammatical errors. This is both in the contents of the email and the email address it’s been sent from.

With Cyber Wardens, you can keep your digital floors clean and free of cyber criminals fishing.

Learn easy and simple cyber security tips for your small business

More helpful resources for you and your business

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.