Business Email Compromise Prevention for Brisbane SMBs: Close the BEC Door Before It Becomes a Notifiable Data Breach

Your bookkeeper forwards you a calm-sounding email from a supplier asking to update their bank details ahead of next week’s invoice run. It looks fine. The signature block is right, the thread history is intact, the language matches how that supplier writes. What your bookkeeper cannot see is that the supplier’s mailbox was compromised three weeks ago, an auto-forwarding rule is quietly copying every message to an attacker, and the email you are reading was sent from inside that real mailbox. By the time you discover it, you are not just out the money — you are working out whether customer data sitting in those threads triggers a notification to the OAIC. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to harden a Brisbane SMB before that email lands.

The problem

ACCC Scamwatch consistently lists business email compromise among the highest-loss scam categories reported by Australian businesses. But the financial loss is only half the story for SMBs that hold customer personal information. When an attacker sits in a mailbox for weeks reading invoice threads, contracts, HR exchanges and ID documents attached “just for verification”, the incident stops being a payment-redirect problem and becomes a data breach problem. Under the OAIC Notifiable Data Breaches scheme, unauthorised access to personal information that is likely to result in serious harm is an eligible data breach — and a compromised mailbox almost always meets that test.

The control gap is mundane. Most Brisbane SMBs have not configured DMARC, SPF, and DKIM to actually reject spoofed mail. Mailbox auto-forwarding and inbox rules sit unaudited from the day the tenant was set up. Payment-authorisation processes assume the email thread is genuine. The ACSC Small Business Cyber Security Guide is direct about this: BEC defence is a combination of technical controls and a tightened payment process — not a product purchase.

What Business Email Compromise Prevention does

Cyber by Exegesis runs a fixed-scope engagement targeting BEC and its data-breach tail specifically:

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and step back.

How it works

  1. We confirm scope on a short call, identify the sending domains in play, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
  2. We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report, flagging any forwarding rules that already look suspicious.
  3. We propose record changes in two stages (no record → p=none monitoring → p=quarantine/reject) and apply them across a one-to-two-week window so you see no operational disruption.
  4. We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
  5. We run the 45-minute staff training and leave you with the written report, the NDB-readiness note, and a 90-day review window.
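As an added illustration (not Cyber by Exegesis code, and not a Microsoft or Google tool), here is what the step-2 baseline check looks like in Python: it grades DMARC, SPF and DKIM TXT records against the staged rollout in step 3 and flags mailbox-level forwarding and inbox rules with a BEC footprint. The DNS records, the tenant domain example-smb.com.au, the mailbox export shape and the rule names are all constructed for the example; in a real engagement the records come from a DNS lookup of each sending domain and the rules from the tenant's admin export (Get-InboxRule in Exchange Online, or the Gmail settings API), whose field names differ from the simplified keys used here.

```python
"""BEC baseline audit helpers (added example; constructed inputs, no network access)."""

INTERNAL_DOMAIN = "example-smb.com.au"   # constructed: the tenant's own domain
PAYMENT_KEYWORDS = ("invoice", "bank", "payment", "remittance", "bsb")
# Folders attackers use to hide mail from the mailbox owner while a rule runs.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                  "junk email", "conversation history"}
# SPF terms that each consume one of the ten DNS lookups RFC 7208 allows.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """Parse a 'k=v; k=v' DMARC or DKIM TXT record into a lower-cased dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (policy, findings); policy is None when no record is published.
    Stages: absent -> p=none (monitor) -> p=quarantine/reject (enforce)."""
    if not record:
        return None, ["no _dmarc record: spoofed mail is neither reported nor blocked"]
    tags, findings = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        findings.append("record is not v=DMARC1; receivers will ignore it")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: the monitor stage produces no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains remain spoofable while the apex is enforced")
    return policy, findings


def assess_spf(record):
    """Return findings for a v=spf1 record. Only top-level terms are inspected
    (includes are not resolved), so the lookup count is a lower bound."""
    if not record:
        return ["no SPF record: receivers cannot tell which hosts may send for the domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not begin with v=spf1"]
    findings, mechanisms = [], [t.lower() for t in terms[1:]]
    if "+all" in mechanisms or "all" in mechanisms:
        findings.append("+all: any host passes SPF, the record is useless")
    elif "-all" not in mechanisms and "~all" not in mechanisms:
        findings.append("no terminal -all/~all: unlisted senders get a neutral result")
    lookups = 0
    for term in mechanisms:   # strip qualifier, then argument (a:dom, a/24, redirect=dom)
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        lookups += name in LOOKUP_MECHANISMS
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the RFC 7208 limit of 10 (permerror)")
    return findings


def assess_dkim(record):
    """Check that the selector publishes a usable public key."""
    if not record:
        return ["no DKIM key at the selector: outbound mail cannot be verified"]
    if not parse_tags(record).get("p"):
        return ["p= is empty: the key has been revoked"]
    return []


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def audit_mailbox(mailbox):
    """Flag tenant-level forwarding and inbox rules matching a BEC footprint."""
    findings, owner = [], mailbox["address"]
    fwd = mailbox.get("forwarding_smtp_address")
    if fwd and is_external(fwd):
        findings.append(f"{owner}: mailbox-level forwarding to external {fwd}")
    for rule in mailbox.get("inbox_rules", []):
        if not rule.get("enabled", True):
            continue
        external = [t for t in rule.get("forward_to", []) + rule.get("redirect_to", [])
                    if is_external(t)]
        if external:
            findings.append(f"{owner}: rule '{rule['name']}' forwards to external {', '.join(external)}")
        words = [w.lower() for w in rule.get("subject_contains", [])]
        hides = rule.get("delete") or (rule.get("move_to_folder") or "").lower() in HIDING_FOLDERS
        if hides and any(k in w for w in words for k in PAYMENT_KEYWORDS):
            findings.append(f"{owner}: rule '{rule['name']}' hides payment-related mail")
    return findings


def baseline_report(dns_records, mailboxes):
    """Assemble the step-2 baseline: one findings list per control."""
    policy, dmarc_findings = assess_dmarc(dns_records.get("dmarc"))
    return {"dmarc_policy": policy, "dmarc": dmarc_findings,
            "spf": assess_spf(dns_records.get("spf")),
            "dkim": assess_dkim(dns_records.get("dkim")),
            "mailboxes": [f for mb in mailboxes for f in audit_mailbox(mb)]}


# Constructed DNS state for a tenant that has only reached the monitor stage.
SAMPLE_DNS = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
              "dkim": "v=DKIM1; k=rsa; p=constructedbase64key",
              "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-smb.com.au"}
# Constructed rule export: one benign filing rule, one attacker-style rule, one forward.
SAMPLE_MAILBOXES = [
    {"address": "accounts@example-smb.com.au", "forwarding_smtp_address": None,
     "inbox_rules": [
         {"name": "Supplier invoices", "enabled": True, "subject_contains": ["invoice"],
          "move_to_folder": "Invoices"},
         {"name": ".", "enabled": True, "subject_contains": ["bank details", "payment"],
          "forward_to": ["finance-archive@mailbox.example"], "delete": True}]},
    {"address": "ceo@example-smb.com.au", "forwarding_smtp_address": "ceo.backup@mailbox.example",
     "inbox_rules": []},
]

if __name__ == "__main__":
    import json
    print(json.dumps(baseline_report(SAMPLE_DNS, SAMPLE_MAILBOXES), indent=2))
```

On the sample data the report records a monitor-only DMARC policy, clean SPF and DKIM, and three mailbox findings: the external forward and the payment-keyword delete on the rule named ".", plus the mailbox-level forward on the second account. The "Supplier invoices" rule is left alone because it files mail into a folder the owner reads, which is the distinction an auditor has to make by hand on a real export.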

Why this matters in Brisbane

Brisbane’s SMB base — construction and trades head offices, professional services, healthcare clinics, logistics operators servicing the Port of Brisbane and the resources corridor — runs on supplier-invoice cycles and routinely holds customer PII in email. That is the exact operating pattern BEC targets, and it is also the pattern that turns a payment fraud into an OAIC-notifiable breach. A Brisbane SMB that hardens DMARC, audits mailbox rules, and tightens its payment-change process closes the door BEC attackers depend on — usually for less than the cost of one redirected invoice, and well before the breach notification clock starts.

Sources

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Brisbane SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.