Business Email Compromise Prevention for Adelaide SMBs: Close the Invoice-Redirect Gap Before an Attacker Finds It
Your bookkeeper forwards you an email from a supplier you have worked with for three years. The PDF invoice looks right, the wording sounds right, and the only thing different is a new BSB and account number “for this quarter’s payments”. The transfer goes out on Friday afternoon. The following Tuesday the real supplier rings, confused about why their invoice is still unpaid. The money is gone, and the conversations that follow — with your bank, your insurer, and possibly the OAIC — are the ones nobody at your business has rehearsed. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to harden an Adelaide SMB before that email lands.
The problem
ACCC Scamwatch consistently ranks business email compromise among the highest-loss scam categories reported by Australian businesses. The mechanics are unglamorous: an attacker compromises a legitimate mailbox or spoofs a known supplier domain, watches the invoicing rhythm, and inserts new payment details at the right moment. Most SMBs have never properly configured DMARC, SPF, or DKIM. Mailbox auto-forwarding rules sit in place from a staff member who left two years ago. Payment-authorisation processes rely on email approval and visual recognition of a supplier name. The control gap is small and cheap to close — but most Adelaide SMBs only close it after a redirected payment they cannot recover.
The ACSC Small Business Cyber Security Guide is direct about this: BEC defence is not a single product purchase. It is a combination of email-authentication records, mailbox hygiene, and a payment process that refuses to act on an email instruction alone.
What Business Email Compromise Prevention does
Cyber by Exegesis runs a fixed-scope engagement targeting BEC specifically:
- A DMARC, SPF, and DKIM audit and remediation across your sending domains, moving you from open-to-spoofing to a quarantine or reject policy in measured stages.
- A mailbox-rules audit across all staff — auto-forwarding and transport rules are a common attacker persistence mechanism that nobody at your business has reviewed.
- A payment-authorisation process redesign — a single email is never sufficient to change a supplier’s bank details; the change requires out-of-band verification using a known phone number.
- A 45-minute staff training session focused on invoice-redirect attacks, including five real Australian SMB examples (anonymised).
- A short written report covering what was changed, what remains, and a 90-day review window.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and step back.
How it works
- We confirm scope on a short call, identify the sending domains in scope, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
- We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report.
- We propose record changes in two stages (none → monitor → quarantine/reject) and apply them across a one-to-two-week window so you see no operational disruption.
- We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
- We run the 45-minute staff training and leave you with the written report and the 90-day review window.
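One way to map the baseline step above onto the rollout stages the procedure uses, as an added example that is not Cyber by Exegesis code; the domains and TXT records are constructed stand-ins, and a real audit would pull them from DNS.

```python
# Added example (not Cyber by Exegesis code): classify a domain's DMARC/SPF
# baseline into the rollout position used above (none -> monitor -> quarantine/reject).
# Constructed TXT records standing in for what a DNS lookup would return.
SAMPLE_RECORDS = {
    "example-supplier.com.au": {       # no DMARC at all, SPF wide open
        "_dmarc": None,
        "spf": "v=spf1 include:spf.protection.outlook.com +all",
    },
    "example-winery.com.au": {         # monitoring only
        "_dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-winery.com.au",
        "spf": "v=spf1 include:_spf.google.com ~all",
    },
    "example-clinic.com.au": {         # enforcing
        "_dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-clinic.com.au",
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
    },
}

def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_stage(dmarc_record):
    """'none' (no usable record), 'monitor' (p=none), else the enforcing policy."""
    if not dmarc_record or not dmarc_record.lower().startswith("v=dmarc1"):
        return "none"
    policy = parse_tags(dmarc_record).get("p", "none").lower()
    return "monitor" if policy == "none" else policy

def assess(records):
    """Return (stage, findings) as a baseline report would list them for one domain."""
    findings = []
    stage = dmarc_stage(records.get("_dmarc"))
    if stage == "none":
        findings.append("no DMARC record: publish p=none with rua= to begin monitoring")
    elif stage == "monitor":
        findings.append("DMARC in monitor mode: review reports, then move to quarantine/reject")
    if stage != "none" and "rua" not in parse_tags(records["_dmarc"]):
        findings.append("DMARC has no rua= address: aggregate reports are being discarded")
    spf = records.get("spf") or ""
    if "+all" in spf.split():
        findings.append("SPF ends in +all: any host may send as this domain")
    return stage, findings
```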
Why this matters in Adelaide
Adelaide’s SMB economy leans on sectors — defence supply chain, viticulture and food export, professional services, and health — where payment runs to suppliers are predictable, recurring, and large enough to make a single redirected invoice catastrophic. Defence-adjacent suppliers in particular hold customer and project data that brings the OAIC Notifiable Data Breaches scheme into play if a BEC incident escalates into an eligible data breach. An Adelaide SMB that hardens DMARC, audits mailbox rules, and tightens its payment-change process closes the door BEC attackers depend on — usually for less than the cost of one redirected invoice.
Sources
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme (in the event a BEC incident results in an eligible data breach): https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Business Email Compromise Prevention (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Adelaide SMBs
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.