Business Email Compromise Prevention for Adelaide SMBs: Stop a Mailbox Takeover Becoming a Notifiable Data Breach
Your bookkeeper mentions, almost in passing, that her Outlook has been “doing weird things” — emails she didn’t send, replies to threads she doesn’t remember. By the time you log in, there’s an auto-forward rule sending every message containing the word “invoice” to a Gmail address you don’t recognise. The attacker has been reading your client correspondence for six weeks. Now you have two problems: the money already redirected, and the fact that client personal information has been accessible to an unauthorised third party for over a month. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to close that door in your Adelaide SMB before you are reading the OAIC notification guidance at 11pm.
The problem
A compromised mailbox is not just a payments problem — it is a data breach problem. Mailboxes in Australian SMBs routinely contain tax file numbers, identity documents sent by clients, draft contracts, medical certificates, and superannuation details. Under the OAIC Notifiable Data Breaches scheme, unauthorised access to personal information that is likely to result in serious harm is an eligible data breach, and in-scope entities must notify both the OAIC and affected individuals.
The ACSC Small Business Cyber Security Guide is direct about the mechanics: most Australian SMBs have not configured DMARC, SPF, and DKIM correctly; mailbox auto-forwarding rules sit unaudited for years; and payment-authorisation processes assume that an email from a known sender is from that sender. The control gap is small and inexpensive to close — but most Adelaide SMBs only close it after a mailbox has already been read by someone who shouldn’t have been reading it.
What Business Email Compromise Prevention does
Cyber by Exegesis runs a fixed-scope engagement targeting BEC and the data exposure that follows from it:
- A DMARC, SPF, and DKIM record audit and remediation across your sending domains, taking your domain from open-to-spoofing to quarantine or reject policy in measured stages.
- A mailbox-rules audit across all staff — auto-forwarding rules and transport rules are the most common attacker persistence mechanism, and the one most likely to silently exfiltrate client PII for weeks.
- A payment-authorisation process redesign — a single email is never enough to change a supplier’s bank details; the change requires out-of-band verification with a known phone number.
- A 45-minute staff training session focused on invoice-redirect attacks, with five real Australian SMB examples (anonymised).
- A short written report mapping what was changed, what remains, and — critically — a one-page note on when a BEC incident becomes an OAIC-notifiable data breach, so you know in advance what triggers the clock.
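The mailbox-rules audit above, as an added Python example that is not Cyber by Exegesis' own tooling: it walks a constructed export of inbox rules shaped like Exchange Online's Get-InboxRule output (the field names are an assumption) and flags rules that forward outside the tenant, filter on payment keywords, delete the original after forwarding, or carry a blank name.

```python
"""Mailbox-rules audit: flag inbox rules that look like BEC persistence.
Added example, not Cyber by Exegesis' own tooling; the rule records are constructed
to resemble an Exchange Online inbox-rule export (field names are an assumption)."""

# Assumed tenant domains; any other recipient domain counts as external.
INTERNAL_DOMAINS = {"example-accounting.com.au"}
# Keywords an invoice-redirect rule typically filters on.
PAYMENT_WORDS = {"invoice", "payment", "bank", "remittance", "bsb"}

SAMPLE_RULES = [  # constructed sample export
    {"Mailbox": "bookkeeper@example-accounting.com.au", "Name": "..", "Enabled": True,
     "ForwardTo": ["accounts.payable.au@gmail.com"], "SubjectContainsWords": ["invoice"],
     "DeleteMessage": True, "MoveToFolder": None},
    {"Mailbox": "bookkeeper@example-accounting.com.au", "Name": "Acme client",
     "Enabled": True, "ForwardTo": [], "SubjectContainsWords": ["Acme"],
     "DeleteMessage": False, "MoveToFolder": "Clients/Acme"},
    {"Mailbox": "ceo@example-accounting.com.au", "Name": "Cover while on leave",
     "Enabled": True, "RedirectTo": ["ops@example-accounting.com.au"],
     "DeleteMessage": False, "MoveToFolder": None},
]

def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons a single rule looks suspicious (empty list = clean)."""
    reasons = []
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    external = [a for a in targets if a.split("@")[-1].lower() not in internal_domains]
    if external:
        reasons.append("sends mail outside the tenant to " + ", ".join(external))
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    if words & PAYMENT_WORDS:
        reasons.append("filters on payment keywords " + ", ".join(sorted(words & PAYMENT_WORDS)))
    if targets and rule.get("DeleteMessage"):
        reasons.append("deletes the original so the owner never sees the forwarded mail")
    if not rule.get("Name", "").strip(". "):
        reasons.append("rule name is blank or just punctuation")
    return reasons

def audit_mailboxes(rules, internal_domains=INTERNAL_DOMAINS):
    """Audit every enabled rule; external forwarding is rated high, anything else review."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule, internal_domains) if rule.get("Enabled", True) else []
        if reasons:
            severity = "high" if reasons[0].startswith("sends mail outside") else "review"
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                             "severity": severity, "reasons": reasons})
    return findings
```

Against the constructed export, only the bookkeeper's ".." rule is reported, with all four reasons; the internal redirect and the client-folder rule come back clean.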
Cyber by Exegesis is the cyber consultancy line of Exegesis, the same company behind the DRMO live product. Our scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and then step back.
How it works
- We confirm the engagement scope on a short call, identify the sending domains in scope, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
- We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report, flagging any forwarding or transport rules that look like attacker persistence.
- We propose the record changes in two stages (no record → p=none monitoring → p=quarantine/p=reject) and apply them across a one-to-two-week window so you see no operational disruption.
- We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
- We run the 45-minute staff training, deliver the written report, and leave you with the NDB trigger note and a 90-day review window.
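For the staged DMARC rollout in the steps above, here is an added Python example (not Cyber by Exegesis' own code): it classifies a domain's DMARC TXT record into its current stage and names the next step, and checks the SPF record for an open "all" qualifier and the ten-lookup limit. Records are passed in as strings, as a TXT lookup of _dmarc.<domain> and <domain> would return them, so it runs offline.

```python
"""DMARC/SPF posture check: classify a domain's records and name the next staging step.
Added example, not Cyber by Exegesis' own tooling. Records are passed in as strings
(as returned by a TXT lookup of _dmarc.<domain> and <domain>) so this runs offline."""
import re

# SPF terms that each consume one of the ten DNS lookups RFC 7208 permits.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_stage(record):
    """Return (current stage, next step) for a DMARC TXT record; None means none published."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "open-to-spoofing", "publish v=DMARC1; p=none with a rua= reporting address"
    tags = parse_tags(record)
    policy, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    if "rua" not in tags:
        return f"p={policy} without reporting", "add rua= so aggregate reports reach you"
    if policy == "none":
        return "monitor", "once reports show only legitimate senders, set p=quarantine; pct=25"
    if policy == "quarantine":
        return f"quarantine pct={pct}", "raise pct to 100" if pct < 100 else "set p=reject"
    if policy == "reject":
        return "reject", "done; keep reviewing aggregate reports"
    return f"invalid p={policy}", "fix the p= tag (none, quarantine or reject)"

def spf_issues(record):
    """Flag an SPF record with an open 'all' qualifier or too many lookup mechanisms."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may send as this domain"]
    terms = record.split()[1:]
    issues = []
    tail = terms[-1].lower() if terms else ""
    if tail in ("+all", "all", "?all"):
        issues.append(f"'{tail}' permits every sender; use ~all while staging, then -all")
    # Mechanism name is the term minus its qualifier and any ':' '/' '=' argument.
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed SPF's limit of 10 (permerror)")
    return issues
```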
Why this matters in Adelaide
Adelaide’s SMB base skews towards professional services, health practices, defence-adjacent consultancies, and family-owned trades businesses — sectors that hold meaningful volumes of personal information in mailboxes without a dedicated security function. ACCC Scamwatch consistently ranks business email compromise among the highest-loss scam categories reported by Australian businesses, and the secondary harm — unauthorised access to client PII sitting in those mailboxes — is exactly the scenario the OAIC NDB scheme was written for. An Adelaide SMB that hardens DMARC, audits mailbox rules, and tightens its payment-change process closes the door on both the payment loss and the notifiable breach that often follows.
Sources
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- Cyber by Exegesis — Business Email Compromise Prevention (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Adelaide SMBs
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.