Business Email Compromise Prevention for Melbourne SMBs: Close the Invoice-Redirect Gap Before an Attacker Finds It
Your bookkeeper opens an email that looks like it came from a supplier you have paid every month for three years. The PDF invoice is the right format, the amounts match the project, and there is a short note explaining the bank account has changed — please update it on file. The payment goes out on Friday afternoon. On Monday the supplier rings asking about the overdue invoice. The money has already moved through two mule accounts and your bank is sympathetic but not hopeful. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to harden a Melbourne SMB before that Friday afternoon.
The problem
ACCC Scamwatch consistently reports business email compromise among the highest-dollar-loss scam categories affecting Australian businesses. The attack pattern is unglamorous: an attacker either takes over a legitimate mailbox or registers a lookalike domain, observes an invoice cycle, and intercepts at the moment a supplier-bank-detail change will be accepted without challenge. Most SMBs have DMARC either missing or stuck on p=none, a monitoring-only policy that reports spoofing to you but tells receiving mail servers to deliver it anyway. SPF records accumulate include: entries as new SaaS tools are added and are never reconciled, and DKIM signing is often never switched on for those tools at all. Mailbox auto-forwarding rules sit silently in user accounts that no one has audited since onboarding. Payment-authorisation processes rely on the goodwill of a single accounts person reading a single email.
The ACSC Small Business Cyber Security Guide is direct on this point: BEC defence is a combination of technical email-authentication hygiene and a payment process that refuses email-only instructions to change banking details. It is not a product you buy. It is a set of controls you close.
What Business Email Compromise Prevention does
Cyber by Exegesis runs a fixed-scope engagement targeting BEC specifically:
- A DMARC, SPF, and DKIM record audit and remediation across your sending domains, moving you from open-to-spoofing toward a quarantine or reject policy in measured stages.
- A mailbox-rules audit across all staff accounts — inbox rules that forward, redirect, hide or delete mail, mailbox-level forwarding settings, and tenant transport rules are a common attacker persistence mechanism, and in most SMBs nobody has reviewed them since the accounts were created.
- A payment-authorisation process redesign — supplier-bank-detail changes require out-of-band verification against a known phone number, never an email-only instruction.
- A 45-minute staff training session focused on invoice-redirect attacks, with anonymised real Australian SMB examples.
- A short written report with what was changed, what remains, and a 90-day review window.
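The kind of triage the mailbox-rules audit performs, as an added example (this is not Cyber by Exegesis' tooling). It works over rule records shaped like the output of the Exchange Online `Get-InboxRule` and `Get-Mailbox` cmdlets (field names are the real ones; the records, mailboxes and addresses below are constructed), and flags the patterns an invoice-redirect attacker leaves behind: mail sent outside the tenant, finance-related mail deleted or parked in a folder the user never opens, mail silently marked as read, rules named with nothing but dots, and forwarding set on the mailbox itself rather than in any rule. The tenant domain set is an assumption for the example.

```python
"""Triage exported Exchange Online inbox rules and mailbox forwarding for BEC persistence.

Added example, not a vendor tool. Records are constructed to look like
`Get-InboxRule | ConvertTo-Json` / `Get-Mailbox` output; nothing here is live data.
"""
from dataclasses import dataclass

TENANT_DOMAINS = {"example.com.au"}  # assumption: the SMB's own accepted domains

# Subject/body words an invoice-redirect attacker typically hides from the victim
HIDE_KEYWORDS = {"invoice", "payment", "bank", "remittance", "overdue", "statement"}
# Folders attackers commonly park hidden mail in so the user never sees it
PARK_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                "junk email", "deleted items"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str
    reason: str


def _smtp(value):
    """Normalise one exported recipient: '"Bob" [SMTP:bob@x]', 'smtp:bob@x' or 'bob@x' -> 'bob@x'."""
    v = value.strip().lower()
    if "smtp:" in v:
        v = v.split("smtp:", 1)[1]
    return v.strip("[]<>\" ")


def _external(recipients, tenant_domains):
    """Recipients whose domain is not one of the tenant's own domains."""
    return [r for r in map(_smtp, recipients or []) if r.split("@")[-1] not in tenant_domains]


def _suspicious_name(name):
    # Rules named '.', '..' or only whitespace are a well-known attacker habit: easy to miss in the UI
    return name.strip(". ") == ""


def triage_inbox_rule(rule, tenant_domains=TENANT_DOMAINS):
    """Return findings for one Get-InboxRule-shaped record."""
    mbx, name, enabled = rule["MailboxOwnerId"], rule["Name"], rule.get("Enabled", True)
    out = []

    def add(sev, why):
        if not enabled:  # a disabled rule can be re-enabled by whoever planted it, so still report it
            sev, why = "MEDIUM", why + " (rule currently disabled)"
        out.append(Finding(mbx, name, sev, why))

    ext = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext += _external(rule.get(key), tenant_domains)
    if ext:
        add("HIGH", f"sends mail outside the tenant to {', '.join(sorted(set(ext)))}")

    words = {w.lower() for w in (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])}
    touches_finance = any(k in w for w in words for k in HIDE_KEYWORDS)
    folder = (rule.get("MoveToFolder") or "").lower().split("\\")[-1]  # 'user@x:\\Inbox\\Sub' -> 'sub'
    hides = bool(rule.get("DeleteMessage")) or folder in PARK_FOLDERS
    if touches_finance and hides:
        add("HIGH", f"hides finance-related mail matching {sorted(words)}")
    elif touches_finance and rule.get("MarkAsRead"):
        add("MEDIUM", "marks finance-related mail as read so the user does not notice it arriving")
    if _suspicious_name(name):
        add("MEDIUM", "rule name is blank or only dots, a common attacker pattern")
    return out


def triage_mailbox(mbx, tenant_domains=TENANT_DOMAINS):
    """Findings for one Get-Mailbox-shaped record: forwarding set on the mailbox, outside any rule."""
    target = mbx.get("ForwardingSmtpAddress")
    if not target or not _external([target], tenant_domains):
        return []
    copy = "and keeps a local copy" if mbx.get("DeliverToMailboxAndForward") else "without keeping a copy"
    return [Finding(mbx["PrimarySmtpAddress"], "<mailbox forwarding>", "HIGH",
                    f"ForwardingSmtpAddress points outside the tenant ({_smtp(target)}) {copy}")]


def triage(rules, mailboxes, tenant_domains=TENANT_DOMAINS):
    """Run both checks over a whole export; HIGH findings first."""
    findings = [f for r in rules for f in triage_inbox_rule(r, tenant_domains)]
    findings += [f for m in mailboxes for f in triage_mailbox(m, tenant_domains)]
    return sorted(findings, key=lambda f: (f.severity != "HIGH", f.mailbox))


# Constructed sample export: field names follow the cmdlets, every value is invented
SAMPLE_RULES = [
    {"MailboxOwnerId": "accounts@example.com.au", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["invoice", "remittance"], "MarkAsRead": True, "DeleteMessage": False,
     "ForwardTo": ['"ap" [SMTP:ap.example.com.au@outlook-mail.example]']},
    {"MailboxOwnerId": "accounts@example.com.au", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["unsubscribe"], "MoveToFolder": "accounts@example.com.au:\\Inbox\\Newsletters"},
    {"MailboxOwnerId": "ceo@example.com.au", "Name": "Archive old", "Enabled": True,
     "BodyContainsWords": ["bank details", "payment"], "MoveToFolder": "ceo@example.com.au:\\RSS Feeds"},
    {"MailboxOwnerId": "ops@example.com.au", "Name": "Cover", "Enabled": False,
     "RedirectTo": ["smtp:assistant@example.com.au"]},
]
SAMPLE_MAILBOXES = [
    {"PrimarySmtpAddress": "ceo@example.com.au", "ForwardingSmtpAddress": "smtp:ceo.example@gmail.example",
     "DeliverToMailboxAndForward": True},
    {"PrimarySmtpAddress": "accounts@example.com.au", "ForwardingSmtpAddress": None},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RULES, SAMPLE_MAILBOXES):
        print(f"{f.severity:6} {f.mailbox:28} {f.rule!r:22} {f.reason}")
```

The internal redirect in the "Cover" rule produces no finding, while the "." rule produces three: the external forward is the persistence, the mark-as-read and the name are the concealment. In a real tenant the same checks should also be run over `Get-TransportRule` output, since a tenant-wide redirect or BCC rule achieves the same effect without touching any one mailbox.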
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. The scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and step back.
How it works
- We confirm the engagement scope on a short call, identify the sending domains, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
- We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report.
- We propose record changes in stages and apply them across a one to two week window so you see no operational disruption: publish DMARC at p=none with aggregate reporting (rua) switched on, reconcile SPF and DKIM against what the reports show is actually sending as you, then move to quarantine and finally to reject.
- We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
- We run the 45-minute staff training and leave you with the written report and the 90-day review window.
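What the baseline and staging steps above look like in code, as an added example (not Cyber by Exegesis' tooling). The `ZONE` table stands in for live DNS answers so the script runs offline; every name and record value in it is constructed, the IP ranges are documentation ranges, and the DKIM selectors passed to `assess` are assumed to have been gathered from the tenant's and SaaS tools' setup pages. The script reports which DMARC stage a domain is at and the next move, walks the SPF record the way a receiver does to count it against the RFC 7208 limit of ten DNS-querying mechanisms, flags an included record ending in `+all` (which passes every sender, and so does everything that includes it), and reports DKIM selectors with no published key.

```python
"""Baseline a domain's DMARC/SPF/DKIM posture and name the next staged change.

Added example. ZONE replaces live DNS lookups; all names and values are constructed.
"""

ZONE = {
    "_dmarc.example.com.au": "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
    "example.com.au": ("v=spf1 include:spf.protection.outlook.com include:_spf.crm.example "
                       "include:mail.payroll.example ~all"),
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",           # constructed stand-in
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "b.crm.example": "v=spf1 a mx -all",
    "mail.payroll.example": "v=spf1 ip4:198.51.100.200 +all",                 # the drift problem
    "selector1._domainkey.example.com.au": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
    # "crm._domainkey.example.com.au" is deliberately absent: the CRM signs with it, nobody published it
}


def txt(name):
    """Stand-in for a TXT lookup (returns None for NXDOMAIN)."""
    return ZONE.get(name)


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_stage(tags):
    """Map a parsed DMARC record onto the staged rollout and return (stage, next step)."""
    p, pct, has_rua = tags.get("p", "").lower(), int(tags.get("pct", "100")), "rua" in tags
    if not tags:
        return "missing", "publish 'v=DMARC1; p=none; rua=mailto:...' and start collecting reports"
    if p == "none" and not has_rua:
        return "monitoring without reports", "add rua= so you can see who is sending as you"
    if p == "none":
        return "monitoring", "once reports show only known senders aligned, move to p=quarantine; pct=25 and step pct up"
    if p == "quarantine" and pct < 100:
        return f"quarantine {pct}%", "raise pct to 100, then move to p=reject"
    if p == "quarantine":
        return "quarantine", "move to p=reject"
    return "reject", "keep reviewing reports and cover subdomains with sp=reject"


def spf_audit(domain, lookups=0, path=()):
    """Walk SPF like a receiver: count include/a/mx/ptr/exists/redirect terms (limit 10 per RFC 7208)
    and flag any record whose 'all' has a '+' qualifier. Returns (lookups_so_far, issues)."""
    if domain in path:
        return lookups, [f"{domain}: include loop via {' -> '.join(path)}"]
    record = txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return lookups, [f"{domain}: no SPF record (an include of it evaluates to permerror)"]
    issues = []
    for term in record.split()[1:]:
        low = term.lower()
        qual, mech = (low[0], low[1:]) if low[0] in "+-~?" else ("+", low)
        if mech.startswith(("include:", "redirect=")):
            lookups += 1
            target = mech[len("include:"):] if mech.startswith("include:") else mech[len("redirect="):]
            lookups, sub = spf_audit(target, lookups, path + (domain,))
            issues += sub
        elif mech.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            lookups += 1
        elif mech == "all" and qual == "+":
            issues.append(f"{domain}: '{term}' passes any sender, so every record that includes it passes too")
    return lookups, issues


def assess(domain, dkim_selectors):
    """One-domain baseline: DMARC stage and next step, SPF lookup budget, DKIM selectors, open issues."""
    rec = txt(f"_dmarc.{domain}")
    tags = parse_tags(rec) if rec and rec.upper().startswith("V=DMARC1") else {}
    stage, next_step = dmarc_stage(tags)
    lookups, issues = spf_audit(domain)
    if lookups > 10:
        issues.append(f"{domain}: SPF needs {lookups} DNS lookups, over the limit of 10 (permerror, treated as no SPF)")
    if "?all" in (txt(domain) or "").lower().split():
        issues.append(f"{domain}: SPF ends in '?all', a neutral result receivers cannot enforce on")
    for sel in dkim_selectors:
        key = txt(f"{sel}._domainkey.{domain}")
        if not key or "p=" not in key:
            issues.append(f"{sel}._domainkey.{domain}: no DKIM key published; mail signed with it fails DKIM")
    return {"domain": domain, "dmarc_stage": stage, "next_step": next_step,
            "spf_lookups": lookups, "issues": issues}


if __name__ == "__main__":
    report = assess("example.com.au", ["selector1", "crm"])  # selectors are an assumption for the example
    print(f"{report['domain']}: DMARC {report['dmarc_stage']} -> {report['next_step']}")
    print(f"SPF DNS lookups used: {report['spf_lookups']}/10")
    for issue in report["issues"]:
        print(" -", issue)
```

On the constructed zone the domain is at the monitoring stage with seven of its ten SPF lookups already spent, which is why the reconciliation step comes before any move to quarantine: the payroll provider's `+all` means a spoofer already passes SPF for the whole domain, and the unpublished CRM selector means that tool's mail would fail DKIM and fall back on that same SPF record. Against live DNS the `txt()` function would be replaced with a resolver query and run per sending domain.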
Why this matters in Melbourne
Melbourne hosts a dense concentration of mid-sized professional services, construction, manufacturing, and not-for-profit organisations — all of which run on recurring supplier-invoice cycles and project-milestone payments. That is exactly the operating pattern BEC targets. A construction SMB paying subcontractors weekly, a not-for-profit paying grant recipients monthly, an accounting practice settling client disbursements — each is one well-timed email away from a six-figure loss that ACCC Scamwatch will quietly add to next year’s totals. A Melbourne SMB that hardens DMARC, audits mailbox rules, and tightens its payment-change process closes the door BEC attackers depend on, and does so for a fraction of the cost of a single redirected invoice. If an incident does occur and personal information is involved, the OAIC Notifiable Data Breaches scheme may also apply — another reason to close the gap before, not after.
Sources
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme (in the event a BEC incident results in an eligible data breach): https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Business Email Compromise Prevention (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Melbourne SMBs
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.