Business Email Compromise Prevention for Melbourne SMBs: Close the Mailbox Door Before It Becomes a Notifiable Data Breach

Your office manager notices something odd one Tuesday morning — an email she sent to a client last week appears in the client’s inbox, but with the reply going somewhere else. By Wednesday you realise an attacker has been quietly sitting inside one of your staff mailboxes for weeks, reading client correspondence, and forwarding anything containing a “RE: invoice” or “RE: contract” out to an external address. Now you are not just facing a payment-redirect problem — you are looking at unauthorised access to client personal information, and your lawyer is asking whether this is notifiable under the OAIC’s NDB scheme. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to harden a Melbourne SMB before a mailbox compromise becomes a data breach you have to notify.

The problem

Most Melbourne SMBs think of business email compromise as a payment scam. The harder truth, captured in the ACSC Small Business Cyber Security Guide, is that BEC is almost always a data-handling incident first and a payment incident second. By the time an attacker is in a position to redirect an invoice, they have already read your client correspondence, pulled contact lists, and very likely exfiltrated attachments containing personal information. If your business holds customer PII and your turnover crosses the $3M threshold (or you operate in a regulated sector), that exfiltration is the kind of unauthorised access the OAIC’s Notifiable Data Breaches scheme is built around.

The control gaps are mundane. DMARC, SPF, and DKIM records are misconfigured or absent. Mailbox auto-forwarding rules sit unaudited, often for years. Payment-authorisation processes assume good faith on a single emailed instruction. Closing those gaps is not expensive — but most SMBs only close them after they have already had to draft a notification to the OAIC and ring affected clients.

What Business Email Compromise Prevention does

Cyber by Exegesis runs a fixed-scope engagement targeting BEC and the data-breach risk that sits behind it:

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and then step back.

How it works

  1. We confirm the engagement scope on a short call, identify the sending domains in scope, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
  2. We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report, flagging any auto-forwarding rules that look like attacker persistence.
  3. We propose record changes in two stages (none → monitor → quarantine/reject) and apply them across a one to two week window so you see no operational disruption.
  4. We sit with your office manager or accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it alongside your existing privacy-incident response notes.
  5. We run the 45-minute staff training and leave you with the written report and the 90-day review window.
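Steps 2 and 3 above, as an added example that is not part of this page or of Cyber by Exegesis's own tooling: a small Python script that classifies a domain's DMARC record into its rollout stage (none/monitor/quarantine/reject) and flags mailbox rules with the traits of attacker persistence the baseline report looks for. The DMARC record, the rule-export format and the internal domain are constructed assumptions.

```python
import re

# Constructed sample inputs (not from the page): a DMARC TXT record as returned by a
# DNS lookup, and a mailbox-rules export in the shape a tenant admin script might produce.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com.au; pct=100"
SAMPLE_RULES = [
    {"mailbox": "accounts@example.com.au", "name": "Archive copy", "enabled": True,
     "forward_to": ["archive@example.com.au"], "subject_contains": [], "delete": False},
    {"mailbox": "office@example.com.au", "name": ".", "enabled": True,
     "forward_to": ["x9q@mail-drop.example.net"],
     "subject_contains": ["RE: invoice", "RE: contract"], "delete": True},
]
INTERNAL_DOMAINS = {"example.com.au"}  # assumed: the tenant's own sending domains

def dmarc_stage(record: str) -> str:
    """Classify a DMARC TXT record into a rollout stage; p=none is the monitor stage."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "absent"  # no usable record: the 'none' stage of the rollout
    policy = tags.get("p", "none").lower()
    return "monitor" if policy == "none" else policy

def flag_forwarding_rules(rules, internal_domains):
    """Flag enabled inbox rules that forward externally, keyed on invoice/contract
    subjects, delete the message so the owner never sees it, or have a near-empty name."""
    flagged = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        external = [a for a in rule.get("forward_to", [])
                    if a.rsplit("@", 1)[-1].lower() not in internal_domains]
        if not external:
            continue  # internal forwarding is routine and out of scope here
        reasons = ["forwards to external address: " + ", ".join(external)]
        keyed = [s for s in rule.get("subject_contains", [])
                 if re.search(r"invoice|contract|payment|remittance", s, re.I)]
        if keyed:
            reasons.append("keyed on payment/contract subjects: " + ", ".join(keyed))
        if rule.get("delete"):
            reasons.append("deletes the message after forwarding, hiding it from the owner")
        if not rule.get("name", "").strip(" ."):
            reasons.append("near-empty rule name")
        flagged.append({"mailbox": rule["mailbox"], "name": rule["name"], "reasons": reasons})
    return flagged
```

Run against a real tenant, the rule export would come from the mail platform's admin API rather than the constructed list, and every flagged rule should be reviewed with the mailbox owner before it is removed.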

Why this matters in Melbourne

Melbourne carries a heavy concentration of professional services SMBs — health practices, education providers, accountants, legal firms, NDIS providers — that hold significant volumes of customer personal information under standing service relationships. That is precisely the operating pattern where a BEC incident escalates straight into NDB-scheme territory: the unauthorised access is not theoretical, the personal information involved is sensitive, and the OAIC’s expectation that you can demonstrate reasonable steps is real. A Melbourne SMB that hardens DMARC, audits mailbox rules, and tightens its payment-change process closes the door BEC attackers depend on — and removes the most common pathway by which a quiet mailbox compromise becomes a notifiable data breach.

Sources

Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Melbourne SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.