Business Email Compromise Prevention for Australian SMBs: Close the BEC Door Before It Becomes a Notifiable Data Breach
Your bookkeeper forwards you an email from a supplier you have paid every month for three years. The invoice looks right, the signature block is right, only the BSB and account number have changed. You authorise the payment. A week later the real supplier calls. While you are still working out where the money went, your IT contractor checks the mailbox and finds an auto-forwarding rule quietly copying every inbound email to an external address — and that rule has been running for six weeks. Now you are not just out of pocket; you are working out whether customer personal information left the building, and whether you have to tell the OAIC. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to close that door before it opens.
The problem
ACCC Scamwatch consistently ranks business email compromise among the highest-loss scam categories reported by Australian businesses. But the financial loss is only half the story. When an attacker is sitting inside a mailbox long enough to study your invoicing pattern, they are also reading whatever else is in that inbox — client files, identity documents, contracts, payroll. For any organisation covered by the Privacy Act 1988, that secondary exposure is what turns a BEC incident into an eligible data breach under the OAIC’s Notifiable Data Breaches scheme.
The ACSC Small Business Cyber Security Guide is direct about the control gap: most Australian SMBs have not configured DMARC, SPF, and DKIM correctly on their sending domains, mailbox auto-forwarding rules sit unaudited for years, and payment-authorisation processes assume that an email instruction from a known sender is genuine. None of these controls are expensive. They are simply not in place until after the loss.
What Business Email Compromise Prevention does
Cyber by Exegesis runs a fixed-scope engagement targeting BEC and the data-exposure tail that follows it:
- A DMARC, SPF, and DKIM record audit and remediation across your sending domains, moving the domain in measured stages from open-to-spoofing to a quarantine or reject policy.
- A mailbox-rules audit across all staff mailboxes — auto-forwarding, transport rules, and external-redirect rules are a common attacker persistence mechanism that nobody has looked at in years.
- A payment-authorisation process redesign so that no supplier bank-detail change is ever actioned from email alone; verification happens out-of-band against a known phone number.
- A 45-minute staff training session focused specifically on invoice-redirect attacks, with anonymised Australian SMB examples.
- A short written report covering what was changed, what remains, and a 90-day review window — plus a one-page summary of how an unaddressed BEC compromise can become a notifiable data breach under the OAIC NDB scheme.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and step back.
How it works
- We confirm engagement scope on a short call, identify the sending domains in scope, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
- We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report and flag any forwarding rules that warrant immediate attention.
- We propose record changes in two stages (no DMARC record → monitoring with p=none → quarantine/reject) and apply them across a one-to-two-week window so daily operations are not disrupted.
- We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
- We run the 45-minute staff training and leave you with the written report, the data-breach summary one-pager, and the 90-day review window.
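The baseline in step two can be produced with a short script like the one below, an added example that is not Cyber by Exegesis tooling: it classifies each sending domain into the staging described above (no record → monitor → quarantine/reject) from its DNS TXT records and lists the findings an auditor would raise. The domain names and TXT records are constructed, and lookup_txt is a stand-in for a real DNS query.

```python
# Constructed DNS TXT data for four hypothetical domains; a live audit would query DNS instead.
SAMPLE_TXT = {
    "example-open.com.au": ["v=spf1 include:spf.protection.outlook.com ?all"],
    "example-monitor.com.au": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example-monitor.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.com.au"],
    "example-partial.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-partial.com.au": ["v=DMARC1; p=quarantine; pct=25"],
    "example-hardened.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-hardened.com.au": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-hardened.com.au"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; swap in a real resolver for live domains."""
    return SAMPLE_TXT.get(name, [])

def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain):
    """Return the domain's DMARC stage plus the findings an auditor would raise."""
    findings = []
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("more than one SPF record; receivers treat that as a permanent error")
    else:
        terminal = spf[0].split()[-1].lower()
        if terminal in ("+all", "?all", "all"):
            findings.append(f"SPF ends in {terminal}: any server may send as this domain")
        elif terminal == "~all":
            findings.append("SPF ends in ~all (softfail); tighten to -all once senders are confirmed")
    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return {"domain": domain, "stage": "open-to-spoofing", "findings": findings + ["no DMARC record"]}
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "none").lower()
    stage = {"quarantine": "quarantine", "reject": "reject"}.get(policy, "monitor")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail flow")
    return {"domain": domain, "stage": stage, "findings": findings}
```

Running assess_domain over every sending domain in scope gives the before-and-after view the written report needs, and re-running it at the 90-day review shows whether each domain reached the intended stage.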
Why this matters in Australia
BEC is not a city problem — it is a national one. ACCC Scamwatch reporting shows it affecting SMBs in every state and territory, from sole-trader trades businesses through to mid-sized professional services firms. For any Australian SMB with turnover above $3 million (and for many SMBs below that threshold in health, credit, or TFN-handling sectors), an unaddressed BEC compromise that exposes customer personal information is reportable to the OAIC and to affected individuals under the Notifiable Data Breaches scheme. Hardening DMARC, auditing mailbox rules, and tightening payment-change processes closes the door BEC attackers depend on — and removes the data-breach tail that comes with it.
Sources
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Business Email Compromise Prevention (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Australian SMBs
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, state, and current email tenant — we will tell you when we are ready to take a brief from your business.