Business Email Compromise Prevention for Brisbane SMBs: Close the Invoice-Redirect Gap Before an Attacker Finds It

Your bookkeeper forwards you an email from a long-standing supplier — same signature block, same friendly tone, with a quick note that they have switched banks and could you update the payee details before Friday’s run. You approve it. The next month the real supplier rings about an overdue account, and the conversation that follows is the one no Brisbane business owner wants to have: with your bank, with your insurer, and possibly with the OAIC. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to harden a Brisbane SMB before that email ever lands.

The problem

ACCC Scamwatch consistently ranks business email compromise among the highest-loss scam categories reported by Australian businesses. The mechanics are unglamorous: an attacker compromises a real mailbox or spoofs a known supplier, watches for an active invoice cycle, and then sends a single message redirecting payment to an account they control. Most Brisbane SMBs have not configured DMARC, SPF, and DKIM correctly on their sending domains. Mailbox auto-forwarding rules sit unaudited for years. Payment-authorisation processes assume the email is real because the email “looks right”.

The ACSC Small Business Cyber Security Guide is blunt about this: BEC defence is not a single product purchase. It is a combination of email-authentication records, mailbox-rule hygiene, and a payment process tightened so that the kind of email instruction an attacker depends on simply cannot move money on its own.

What Business Email Compromise Prevention does

Cyber by Exegesis runs a fixed-scope engagement targeting BEC specifically.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and then step back.

How it works

  1. We confirm the engagement scope on a short call, identify the sending domains in scope, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
  2. We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report.
  3. We propose record changes in two stages (from no record to monitor-only, then from monitor-only to quarantine or reject) and apply them across a one-to-two-week window so you see no operational disruption.
  4. We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
  5. We run the 45-minute staff training and leave you with the written report and the 90-day review window.
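The baseline-and-staging logic in steps 2 and 3, as an added example that is not Cyber by Exegesis code: it parses a domain's SPF and DMARC TXT records and reports which rollout stage (none, monitor, quarantine or reject) the domain is at, plus the gaps a baseline report would flag. The `stageN.example` domains, their records and the `sample_lookup` stand-in for a DNS query are constructed for the example.

```python
# Constructed sample TXT records for hypothetical domains, one per rollout stage.
SAMPLE_DNS = {
    "stage0.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.stage0.example": [],
    "stage1.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.stage1.example": ["v=DMARC1; p=none; rua=mailto:dmarc@stage1.example"],
    "stage2.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.stage2.example": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@stage2.example"],
    "stage3.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.stage3.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@stage3.example; adkim=s; aspf=s"],
}

def sample_lookup(name):
    """Stand-in for a DNS TXT query; a real baseline would resolve the name instead."""
    return SAMPLE_DNS.get(name, [])

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a tag dict, or {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def dmarc_stage(domain, txt_lookup=sample_lookup):
    """Return (stage, findings): stage is none/monitor/quarantine/reject, findings lists gaps."""
    findings = []
    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (a permanent error under RFC 7208)")
    elif not spf[0].rstrip().endswith("-all"):
        findings.append("SPF does not end in -all (hard fail)")
    dmarc = [t for t in (parse_dmarc(r) for r in txt_lookup("_dmarc." + domain)) if t]
    if not dmarc:
        return "none", findings + ["no DMARC record"]
    tags = dmarc[0]
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    policy = tags.get("p", "none").lower()
    if policy == "quarantine" and tags.get("pct", "100") != "100":
        findings.append("pct=%s, so enforcement is only partial" % tags["pct"])
    if policy in ("quarantine", "reject"):
        return policy, findings
    # p=none (the DMARC monitor-only policy) means reports flow but nothing is enforced.
    return "monitor", findings
```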

Why this matters in Brisbane

Brisbane’s SMB base skews toward construction, trades, logistics, mining services, and professional services — sectors that move large supplier payments on regular cycles, often with subcontractors and interstate vendors whose bank details change occasionally for legitimate reasons. That is exactly the operating pattern BEC targets: a plausible mid-cycle bank-detail change from a known counterparty. ACCC Scamwatch reporting shows BEC sitting consistently among the highest-loss categories for Australian businesses, and Queensland SMBs are not exempt. A Brisbane SMB that hardens DMARC, audits mailbox rules, and tightens its payment-change process closes the door BEC attackers depend on — usually for less than the cost of one redirected invoice.

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Brisbane SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.