Business Email Compromise Prevention for Perth SMBs: Close the Invoice-Redirect Gap Before It Costs You
Your bookkeeper forwards an email from a supplier you have been paying for two years. The wording is right, the signature is right, and the only thing different is a sentence about updated bank details “due to a change of banking provider”. You pay the invoice on Friday. On Monday the real supplier rings asking when the payment is coming. The money is in a mule account, your bank is investigating but not optimistic, and you are working out whether the OAIC needs to know. Business Email Compromise Prevention from Cyber by Exegesis is the fixed-scope engagement designed to harden a Perth SMB before that email lands.
The problem
ACCC Scamwatch consistently ranks business email compromise among the highest-loss scam categories reported by Australian businesses. The pattern is unglamorous: an attacker either compromises a real mailbox or spoofs a supplier domain that has no DMARC enforcement, waits until there is an active invoice in motion, and substitutes the payment details. The technical preconditions are almost always the same — sending domains without enforced DMARC, SPF records that have drifted, DKIM that was set up once and never reviewed, and mailbox auto-forwarding rules that nobody has audited.
The ACSC Small Business Cyber Security Guide is direct on this: BEC is not stopped by a single product. It is stopped by a combination of email-authentication controls and a payment process that refuses to act on email alone. Most Perth SMBs only tighten both after they have already lost money to a redirected invoice.
What Business Email Compromise Prevention does
Cyber by Exegesis runs a fixed-scope engagement targeting BEC specifically:
- A DMARC, SPF, and DKIM audit and remediation across your sending domains. A domain with no DMARC record, or a p=none record that nobody reads, goes through a monitored p=none stage with aggregate reporting before the policy is raised to quarantine and then reject, in measured stages so that legitimate mail is not dropped along the way.
- A mailbox-rules audit across all staff mailboxes, covering inbox auto-forwarding rules, mailbox-level forwarding settings, and tenant transport rules. These are a common attacker persistence mechanism: a forwarding rule keeps feeding the attacker your supplier correspondence even after the password is reset, and almost no SMB has reviewed them in years.
- A payment-authorisation process redesign: a single email is never sufficient to change a supplier’s bank details. The change requires out-of-band verification by calling a phone number you already hold on file, never one taken from the email or invoice that requests the change.
- A 45-minute staff training session focused on invoice-redirect attacks, with five anonymised Australian SMB examples.
- A written report of what was changed, what remains open, and a 90-day review window.
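The mailbox-rules audit above looks for a small number of patterns: forwarding to a domain the business does not own, rules that delete, move or mark-as-read payment-related mail so the victim never sees the supplier's replies, and rules with throwaway names. The following is an added example, not Cyber by Exegesis's tooling: it audits, offline, a JSON export in the shape Microsoft Graph returns for `GET /users/{id}/mailFolders/inbox/messageRules`. The tenant domain, the keyword list and the three sample rules are constructed for the example.

```python
"""Offline audit of Microsoft 365 inbox rules for BEC persistence indicators.

Input follows the Microsoft Graph `messageRule` resource: each rule carries
displayName, isEnabled, conditions and actions; the forwarding actions are
forwardTo, forwardAsAttachmentTo and redirectTo (each a recipient list).
"""
import json
import re

# Assumption: the domains the business itself owns. Forwarding anywhere else is external.
TENANT_DOMAINS = {"example.com.au"}

# Words an invoice-redirect attacker filters on to intercept or hide replies.
PAYMENT_WORDS = re.compile(r"\b(invoice|remittance|payment|bank|account|eft)\b", re.I)

# Constructed sample export: what an auditor might find in a compromised accounts mailbox.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Invoice forwarding", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "remittance"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "accounts.payable.wa@gmail.com"}}],
                 "delete": True, "stopProcessingRules": True}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "ap@supplier-example.com"}}],
                    "bodyOrSubjectContains": ["bank details"]},
     "actions": {"moveToFolder": "folder-id-rss-feeds", "markAsRead": True}},
    {"displayName": "Newsletter filing", "isEnabled": True,
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "folder-id-newsletters", "markAsRead": True}},
]})


def _addresses(recipients):
    """Flatten a Graph recipient list to lower-case SMTP addresses."""
    return [r["emailAddress"]["address"].lower() for r in (recipients or [])]


def _condition_text(conditions):
    """Join the string-valued match conditions so keyword checks see all of them."""
    parts = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains"):
        parts.extend(conditions.get(key, []))
    parts.extend(_addresses(conditions.get("fromAddresses")))
    return " ".join(parts)


def audit_rule(rule, tenant_domains=TENANT_DOMAINS):
    """Return a list of findings for one inbox rule (empty list means nothing suspicious)."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    # 1. Any forward or redirect to a domain the business does not own.
    external = []
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for addr in _addresses(actions.get(key)):
            if addr.rsplit("@", 1)[-1] not in tenant_domains:
                external.append(f"{key} -> {addr}")
    if external:
        findings.append("external forwarding: " + ", ".join(external))
    # 2. Rules that hide mail (delete, move, mark as read) on payment-related matches or on
    #    messages that are also being forwarded: the victim never sees the supplier's reply.
    hides = bool(actions.get("delete") or actions.get("moveToFolder") or actions.get("markAsRead"))
    payment_related = bool(PAYMENT_WORDS.search(_condition_text(conditions)))
    if hides and (payment_related or external):
        findings.append("hides matching mail (delete/move/markAsRead) on payment-related or forwarded messages")
    # 3. Attackers often name rules with a single punctuation character so they are easy to miss.
    name = (rule.get("displayName") or "").strip()
    if len(name) < 3 or not re.search(r"[A-Za-z]", name):
        findings.append(f"suspicious rule name {name!r}")
    if findings and not rule.get("isEnabled", True):
        findings.append("rule is currently disabled but can be re-enabled by whoever created it")
    return findings


def audit_export(export_json, tenant_domains=TENANT_DOMAINS):
    """Audit a Graph messageRules export; return {rule name: findings} for flagged rules only."""
    report = {}
    for rule in json.loads(export_json).get("value", []):
        findings = audit_rule(rule, tenant_domains)
        if findings:
            report[rule.get("displayName", "")] = findings
    return report


if __name__ == "__main__":
    for rule_name, rule_findings in audit_export(SAMPLE_EXPORT).items():
        print(f"[FLAG] {rule_name!r}")
        for finding in rule_findings:
            print("   -", finding)
```

Run against the constructed export, the "Invoice forwarding" and "." rules are flagged and "Newsletter filing" is not. In a real engagement the same checks need to be repeated against mailbox-level forwarding (`ForwardingSmtpAddress` on the mailbox itself) and against tenant transport rules, which this inbox-rule pass does not see.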
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. The scope of this engagement is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and step back.
How it works
- We confirm the engagement scope on a short call, identify the sending domains in scope, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace) so we can take the baseline.
- We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report.
- We propose record changes in two stages (no record → p=none with aggregate reporting, then p=none → quarantine and on to reject) and apply them across a one to two week window, raising enforcement only after the reports show every legitimate sender passing, so you see no operational disruption.
- We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
- We run the 45-minute staff training and leave you with the written report and the 90-day review window.
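The record changes in the staged rollout above are mechanical once the current state is known, and the one rule that must not be skipped is that enforcement is never raised on a domain that is not yet collecting aggregate reports. The following is an added example, not Cyber by Exegesis's own tooling: given the TXT strings for `_dmarc.<domain>` and `<domain>`, it classifies the current DMARC stage, emits the record for the next stage, and flags the SPF drift that would break enforcement. The domain names, reporting mailbox and sample records are constructed for the example; SPF `include:` targets are not resolved, so the lookup count covers only the top-level record and under-reports.

```python
"""Staged DMARC rollout helper with an SPF drift check, run offline on sample records."""
import re

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample baseline for three sending domains (assumed names).
SAMPLE = {
    "example.com.au": {"dmarc": None,
                       "spf": "v=spf1 include:spf.protection.outlook.com include:crm.example +all"},
    "brand.example.com.au": {"dmarc": "v=DMARC1; p=none",
                             "spf": "v=spf1 include:spf.protection.outlook.com -all"},
    "mail.example.com.au": {"dmarc": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com.au",
                            "spf": "v=spf1 include:spf.protection.outlook.com -all"},
}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict; None if it is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def _serialize(tags):
    """Rebuild a DMARC record with v first and the remaining tags in their original order."""
    return "v=DMARC1; " + "; ".join(f"{k}={v}" for k, v in tags.items() if k != "v")


def dmarc_stage(tags):
    """Name the rollout stage a parsed record sits at."""
    if tags is None:
        return "no record"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "monitor"
    if policy == "quarantine":
        return f"quarantine pct={tags.get('pct', '100')}"
    return "reject" if policy == "reject" else "invalid"


def next_dmarc(txt, rua):
    """Return (current_stage, next_record_or_None, notes) for one step of the ramp.

    Ramp: no record -> p=none with reporting -> quarantine pct=25 -> quarantine -> reject.
    A domain without a rua tag gets reporting added first and no policy change.
    """
    tags = parse_dmarc(txt)
    stage = dmarc_stage(tags)
    if tags is None:
        return stage, f"v=DMARC1; p=none; rua=mailto:{rua}", ["publish a monitor-only record first; no mail is affected"]
    new = dict(tags)
    if "rua" not in new:
        new["rua"] = f"mailto:{rua}"
        return stage, _serialize(new), ["no rua tag: add aggregate reporting before changing policy"]
    policy = new.get("p", "none").lower()
    pct = int(new.get("pct", "100"))
    notes = ["raise only once reports show every legitimate source passing aligned SPF or DKIM"]
    if policy == "none":
        new["p"], new["pct"] = "quarantine", "25"
    elif policy == "quarantine" and pct < 100:
        new.pop("pct", None)                       # quarantine everything that fails
    elif policy == "quarantine":
        new["p"] = "reject"
    elif policy == "reject":
        return stage, None, ["already at reject; keep reviewing reports for new sources"]
    else:
        return stage, None, [f"unrecognised policy {policy!r}; fix the record by hand"]
    return stage, _serialize(new), notes


def spf_findings(txt):
    """Flag SPF drift that undermines DMARC: missing record, permissive 'all', too many lookups."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["no SPF record"]
    terms = txt.split()[1:]
    findings = []
    lookups = sum(1 for t in terms if re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms at top level exceeds the limit of 10 (permerror)")
    last = terms[-1] if terms else ""
    if last.lower() in ("+all", "all", "?all"):
        findings.append(f"'{last}' lets any host pass SPF")
    if not any(t.lower().endswith("all") or t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism: record is open-ended")
    return findings


def baseline(domains, rua):
    """Produce the per-domain baseline: stage, proposed next record, notes, SPF findings."""
    return {d: {"stage": next_dmarc(r["dmarc"], rua)[0], "next": next_dmarc(r["dmarc"], rua)[1],
                "notes": next_dmarc(r["dmarc"], rua)[2], "spf": spf_findings(r["spf"])}
            for d, r in domains.items()}


if __name__ == "__main__":
    for domain, row in baseline(SAMPLE, "dmarc@example.com.au").items():
        print(f"{domain}: {row['stage']} -> {row['next']}  spf={row['spf']}  {row['notes']}")
```

On the constructed baseline, `example.com.au` gets a monitor-only record published and its `+all` SPF flagged, `brand.example.com.au` keeps p=none but gains reporting, and `mail.example.com.au` moves from 25% to full quarantine. DKIM is not checked here because the selector names are tenant-specific; in practice you confirm the selector TXT records resolve and that the signing domain aligns with the From: domain before relying on the quarantine stage.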
Why this matters in Perth
Perth’s SMB economy is heavily weighted to mining services, engineering consultancies, professional services, and trades businesses operating on supplier-invoice payment cycles — often with FIFO-related delays that leave invoices in flight for weeks at a time. That is exactly the operating pattern BEC attackers target: a long invoice tail, an interstate or overseas supplier whose details are hard to verify in person, and an accounts team under time pressure. A Perth SMB that enforces DMARC, audits mailbox rules, and tightens its payment-change process closes the door that BEC attackers depend on — typically for less than the cost of a single redirected invoice. If a BEC incident does result in unauthorised access to customer personal information, the OAIC Notifiable Data Breaches scheme may also apply.
Sources
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme (in the event a BEC incident results in an eligible data breach): https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Business Email Compromise Prevention (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Perth SMBs
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.