Glossary · Business Email Compromise
BEC
An email-based fraud where attackers impersonate executives or vendors to redirect payments or extract sensitive data — no malware involved, hard for traditional tooling to catch.
BEC (Business Email Compromise) is the phishing variant that costs Australian businesses the most money, year after year. There’s no malware payload, no exploit chain — just a convincing email that persuades someone in finance to redirect a payment, or someone in HR to release sensitive employee data.
The ACSC consistently flags BEC as one of the costliest attack types reported by Australian businesses in its annual Cyber Threat Report.
How BEC works in practice
- Vendor impersonation — attacker compromises (or spoofs) a known vendor’s mailbox and emails the buyer with “updated banking details” timed to a real invoice.
- Executive impersonation — attacker sends a finance staffer an urgent email from a near-identical domain (or a compromised executive account), instructing an immediate transfer.
- Mailbox takeover — attacker phishes a real user’s credentials, sits inside the mailbox for weeks studying conversations, and then injects a fraudulent message into an existing thread.
- Payroll redirection — attacker emails HR asking to update direct-deposit details for an executive.
The defining feature is that none of it triggers an EDR alert — the malicious activity is a legitimate email sent through a legitimate account.
Defences
- Vendor invoice verification policy — bank-detail changes confirmed via a callback to a known number, never via reply.
- Payment authorisation controls — dual approval over a threshold, segregation of duties.
- Conditional Access + impossible-travel detection to catch mailbox takeovers early.
- Awareness training focused specifically on BEC patterns, not generic phishing.
Symsafe builds these into the Microsoft 365 hardening baseline and the cybersecurity awareness programme.