Business Email Compromise Prevention for Australian SMBs: Close the Invoice-Redirect Gap Before an Attacker Finds It

Your bookkeeper opens an email that looks like it came from a supplier you have paid every month for three years. The signature block is right, the invoice PDF is right, and there is a short, friendly line saying the bank account has changed — please update the records. The payment goes through. A fortnight later the real supplier rings, and the conversation that follows is the one no Australian SMB owner wants to have: with the bank, with the insurer, possibly with the OAIC, and certainly with the team. Business Email Compromise Prevention from Cyber by Exegesis is the fixed-scope engagement built to harden an Australian SMB before that email lands.

The problem

ACCC Scamwatch consistently reports business email compromise as one of the highest-loss scam categories affecting Australian businesses. The attacker’s playbook is mundane and effective: compromise a real mailbox or impersonate a known supplier, watch the invoice cycle, then redirect a payment with a single believable email. The technical preconditions are common across Australian SMBs — DMARC, SPF, and DKIM records that were never finished, mailbox auto-forwarding rules nobody has reviewed in years, and a payment-change process that trusts an email instruction.

The ACSC Small Business Cyber Security Guide is blunt about what works: tighten the email-authentication stack, audit mailbox rules, and refuse to act on bank-detail changes that arrive only by email. None of that is exotic, and none of it requires a new product. Most Australian SMBs simply have not done it yet — and BEC attackers know that.

If a BEC incident also exposes customer personal information, the OAIC Notifiable Data Breaches scheme may require notification — turning a payment loss into a regulatory event as well.

What Business Email Compromise Prevention does

Cyber by Exegesis runs a fixed-scope engagement focused specifically on BEC.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same parent company behind the DRMO live product. The scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls, document them, and step back.

How it works

  1. We confirm the engagement scope on a short call, identify the sending domains in scope, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
  2. We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report.
  3. We propose record changes in two stages (none → monitor → quarantine/reject) and apply them across a one- to two-week window so you see no operational disruption.
  4. We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
  5. We run the 45-minute staff training and leave you with the written report and the 90-day review window.
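To make the staged rollout in steps 2 and 3 concrete, here is an added example (not Cyber by Exegesis's tooling) that parses a domain's DMARC TXT record, classifies which stage it is in, and flags the gaps a baseline report would raise. It assumes "none" means no record published and "monitor" means p=none with aggregate reporting (rua=); the sample records are constructed, not real domains' records.

```python
# Rollout order used above: no record, monitor-only, then quarantine/reject.
ORDER = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def assess_dmarc(record):
    """Return (stage, findings) for a domain's DMARC record (None = not published)."""
    if record is None:
        return "none", ["no DMARC record published: spoofed mail is not policed"]
    tags = parse_dmarc(record)
    if tags is None:
        return "none", ["malformed DMARC record: receivers treat it as absent"]
    policy = tags.get("p", "").lower()
    if policy not in ORDER:
        return "none", [f"unknown or missing p= value '{policy}'"]
    findings = []
    stage = "monitor" if policy == "none" else policy
    if policy == "none" and "rua" not in tags:
        findings.append("p=none without rua=: monitoring stage collects no reports")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p=
    if ORDER.get(sp, -1) < ORDER[policy]:
        findings.append(f"sp={sp}: subdomains are policed more weakly than the main domain")
    return stage, findings

# Constructed sample records, one per rollout stage plus a half-finished one.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@partial.example",
    "hardened.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; fo=1",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        stage, findings = assess_dmarc(record)
        print(f"{domain}: stage={stage}; " + ("; ".join(findings) or "no gaps"))
```

In a real baseline the record would come from a `dig TXT _dmarc.<domain>` lookup; the stage and findings for each sending domain go straight into the report.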

Why this matters in Australia

BEC is a national problem for Australian SMBs, not a capital-city one. ACCC Scamwatch reporting reflects losses across every state and territory, and the National Anti-Scam Centre flags business email compromise as a persistent threat to small businesses regardless of sector or location. Any Australian SMB that pays suppliers by EFT on emailed invoices is in scope for this attack — a regional accounting practice, a logistics operator in an outer suburb, a wholesaler trading interstate. The controls that close the door are the same everywhere: authenticated email, audited mailbox rules, and a payment process that does not accept a bank-detail change by email alone.

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Australian SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, state, and current email tenant — we will tell you when we are ready to take a brief from your business.