Business Email Compromise Prevention for Perth SMBs: Stop a Hijacked Mailbox Becoming a Notifiable Data Breach
Your office manager’s mailbox is compromised on a Tuesday. By Friday the attacker has been reading her email for three days, has quietly added an auto-forwarding rule, and has used her account to send one of your clients an invoice carrying new bank details. You only find out when the client rings to confirm them. Now you have two problems at once: the money you may have lost, and the fact that an attacker spent three days inside a mailbox holding client PII, contracts and identity documents. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to keep a Perth SMB out of that situation, and out of the OAIC notification that often follows.
The problem
Business email compromise is not just a payment scam. When an attacker controls a real mailbox, they have unauthorised access to whatever personal information sits in it: client identity documents, payroll details, supplier records, contract attachments. Under the OAIC Notifiable Data Breaches scheme, an eligible data breach (unauthorised access to or disclosure of personal information that is likely to result in serious harm) must be reported to the OAIC and to the affected individuals. The scheme covers entities bound by the Privacy Act, which for an SMB usually means annual turnover above $3 million, or being a health service provider or otherwise carved in regardless of size. A hijacked mailbox at a covered SMB will normally meet that test unless you can show the access was contained before serious harm became likely, and the longer the attacker has been reading, the harder that is to show.
The ACSC Small Business Cyber Security Guide sets out the technical baseline: email authentication (SPF, DKIM and DMARC), mailbox-rule hygiene, and a payment-authorisation process that does not rely on email alone. Most Perth SMBs we look at have one or two of these in place and assume the others are handled. They are not. Auto-forwarding rules sit on accounts of staff who left two years ago. DMARC is on p=none and has been since the record was first published. The payment process trusts an email signature.
What Business Email Compromise Prevention does
Cyber by Exegesis runs a fixed-scope engagement targeting BEC, with the data-breach exposure in mind:
- A DMARC, SPF and DKIM record audit and remediation across your sending domains, moving you from open-to-spoofing (no DMARC record, or p=none with nobody reading the reports) to a quarantine and then a reject policy in measured stages, using the aggregate reports to confirm every legitimate sender is aligned before each step.
- A mailbox-rules audit across every account, active or not. Inbox rules that forward, redirect, delete or file mail, and tenant-level mail-flow (transport) rules, are the most common way an attacker keeps reading and hides their tracks after the password is reset, and the ones most likely to keep exfiltrating personal information after you think you have cleaned up.
- A payment-authorisation process redesign: supplier bank-detail changes require out-of-band verification using a phone number already on file, never a number or reply address taken from the email that requested the change.
- A 45-minute staff training session focused on invoice-redirect attacks, using anonymised Australian SMB examples.
- A short written report covering what changed, what remains, and a 90-day review window — plus a one-page note on when a mailbox compromise becomes an eligible data breach under the OAIC NDB scheme.
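The following is an added, illustrative example of the kind of logic the mailbox-rules audit item above applies; it is not Cyber by Exegesis tooling. The rule dictionaries are constructed for the example and loosely follow the shape of a Microsoft Graph messageRule (displayName, isEnabled, conditions, actions); the tenant domain, addresses and keyword lists are assumptions.

```python
"""Flag inbox rules that look like BEC concealment or exfiltration.

Added example, not Cyber by Exegesis tooling. The rule dictionaries are
constructed and loosely follow the shape of a Microsoft Graph messageRule
(displayName, isEnabled, conditions, actions); a real audit would export
them with Get-InboxRule or the Graph API and feed them in unchanged.
"""
from __future__ import annotations

from dataclasses import dataclass

# Terms an attacker keys rules on to hide replies from the victim, bank or client.
SUSPICIOUS_TERMS = {"invoice", "payment", "bank", "remit", "password",
                    "hacked", "fraud", "suspicious", "verify"}
# Folders a user rarely opens, a classic place to divert mail out of sight.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str  # "high" or "medium"
    reason: str


def is_external(address: str, internal_domains: set[str]) -> bool:
    """True when the address belongs to a domain outside the tenant."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def keyword_hits(conditions: dict) -> set[str]:
    """Suspicious terms that appear in the rule's subject/body conditions."""
    hits: set[str] = set()
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        for term in conditions.get(key, []):
            hits.update(w for w in SUSPICIOUS_TERMS if w in term.lower())
    return hits


def audit_rules(mailbox: str, rules: list[dict], internal_domains: set[str]) -> list[Finding]:
    """Return one Finding per suspicious trait found across the mailbox's rules."""
    findings: list[Finding] = []
    for rule in rules:
        name = rule.get("displayName", "")
        actions = rule.get("actions", {})
        # A disabled rule is one click from live, so it is still reported, at lower severity.
        severity = "high" if rule.get("isEnabled", True) else "medium"
        targets = [t["emailAddress"]["address"]
                   for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
                   for t in actions.get(key, [])]
        for addr in targets:
            if is_external(addr, internal_domains):
                findings.append(Finding(mailbox, name, severity,
                                        f"forwards or redirects mail to external address {addr}"))
        hits = keyword_hits(rule.get("conditions", {}))
        if hits and (actions.get("delete") or actions.get("permanentDelete")):
            findings.append(Finding(mailbox, name, severity, f"deletes mail matching {sorted(hits)}"))
        folder = str(actions.get("moveToFolder", "")).lower()
        if hits and folder in HIDING_FOLDERS:
            findings.append(Finding(mailbox, name, severity,
                                    f"files mail matching {sorted(hits)} into '{folder}'"))
        # Attackers name rules ".", "," or a blank so they are easy to overlook in the rules list.
        if not name.strip(" .,-_"):
            findings.append(Finding(mailbox, name, "medium", "rule name is blank or punctuation only"))
    return findings


INTERNAL_DOMAINS = {"example.com.au"}  # constructed tenant domain
SAMPLE_RULES = [  # constructed; the second rule is the textbook BEC pattern
    {"displayName": "Archive newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Archive"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "bank details"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "accounts@mail-example.net"}}],
                 "delete": True}},
    {"displayName": "Old delegate", "isEnabled": False, "conditions": {},
     "actions": {"redirectTo": [{"emailAddress": {"address": "former.staff@example.com.au"}}]}},
]

if __name__ == "__main__":
    for f in audit_rules("office.manager@example.com.au", SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"[{f.severity}] {f.mailbox} rule '{f.rule}': {f.reason}")
```

Run against the constructed sample, only the rule named "." is reported: it forwards to an external domain, deletes anything mentioning invoices or bank details so the victim never sees the client's query, and has a name chosen to be missed. Feeding real exports in means walking every mailbox in the tenant, not just the one you already know is compromised, because the same attacker often plants rules in several.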
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preventive hardening before an incident, not incident response after one.
How it works
- We confirm the scope on a short call, identify your sending domains, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
- We pull the current DMARC, SPF, DKIM and mailbox-rules state into a baseline report and flag anything that already looks suspicious: forwards or redirects to external addresses, rules that delete or file away mail about invoices or bank details, and rules with blank or punctuation-only names.
- We propose DMARC changes in stages (p=none with aggregate reporting, then p=quarantine, then p=reject, ramping the pct= tag up as the reports stay clean) and have them applied in your DNS over a window of one to two weeks, holding each step until the reports show legitimate mail aligned, so day-to-day mail flow is undisturbed.
- We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
- We run the 45-minute staff training and leave you with the written report, the NDB one-pager, and a 90-day review window.
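The staged DMARC rollout described in the audit item and in the steps above, as an added example that is not part of the engagement's own tooling: it parses a domain's DMARC and SPF TXT records, names the stage the domain is at, and states the next step. The domains and TXT strings in SAMPLE are constructed, and the stage names and step wording are this example's own.

```python
"""Read DMARC and SPF TXT records and name the next rollout stage.

Added example, not Cyber by Exegesis tooling. The TXT strings in SAMPLE are
constructed; in practice fetch the _dmarc.<domain> and <domain> TXT records
first (dnspython, or `dig TXT _dmarc.example.com.au`) and pass them in.
"""
from __future__ import annotations
from dataclasses import dataclass

VALID_POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

@dataclass
class Dmarc:
    policy: str            # p= tag
    subdomain_policy: str  # sp= tag; defaults to p=
    pct: int               # share of failing mail the policy is applied to
    rua: list[str]         # aggregate-report addresses; empty means nobody is watching

def parse_dmarc(txt: str) -> Dmarc | None:
    """Parse a DMARC TXT record; None for a missing or malformed one."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in VALID_POLICIES:
        return None
    pct_raw = tags.get("pct", "100")
    return Dmarc(policy=policy,
                 subdomain_policy=tags.get("sp", policy).lower(),
                 pct=max(0, min(100, int(pct_raw))) if pct_raw.isdigit() else 100,
                 rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()])

def dmarc_stage(record: Dmarc | None) -> str:
    """missing, unmonitored, monitor, quarantine-ramp, quarantine, reject-ramp or reject."""
    if record is None:
        return "missing"
    if record.policy == "none":
        return "monitor" if record.rua else "unmonitored"
    return record.policy + ("-ramp" if record.pct < 100 else "")

NEXT_STEP = {
    "missing": "publish v=DMARC1; p=none; rua=mailto:<reports> and collect reports for a few weeks",
    "unmonitored": "add rua= so aggregate reports show which legitimate senders fail alignment",
    "monitor": "once every legitimate sender is aligned in the reports, move to p=quarantine; pct=25",
    "quarantine-ramp": "raise pct towards 100 while the reports stay clean",
    "quarantine": "move to p=reject; pct=25 and keep watching the reports",
    "reject-ramp": "raise pct to 100",
    "reject": "enforced; keep reading reports for new senders and confirm sp= is no weaker than p=",
}

def spf_posture(txt: str) -> str:
    """Classify the trailing 'all' mechanism, which decides whether spoofed mail passes SPF."""
    if not txt.lower().startswith("v=spf1"):
        return "missing"
    for term in txt.split()[1:]:
        qualifier, mechanism = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mechanism.lower() == "all":
            return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass-all"}[qualifier]
    return "no-all"  # implicit neutral: spoofed mail is not rejected

def spf_lookup_count(txt: str) -> int:
    """Count terms that cost a DNS lookup; more than 10 makes receivers return permerror."""
    count = 0
    for term in txt.split()[1:]:
        term = term.lstrip("+-~?").lower()
        name = term.split(":", 1)[0].split("/", 1)[0]
        if term.startswith(("include:", "exists:", "redirect=")) or name in ("a", "mx", "ptr"):
            count += 1
    return count

def assess(domain: str, dmarc_txt: str, spf_txt: str) -> dict:
    """Summarise one domain: DMARC stage, the next step, SPF posture and warnings."""
    record = parse_dmarc(dmarc_txt)
    stage = dmarc_stage(record)
    spf, lookups = spf_posture(spf_txt), spf_lookup_count(spf_txt)
    warnings = []
    if spf in ("missing", "no-all", "neutral", "pass-all"):
        warnings.append(f"SPF is '{spf}': anyone can send as {domain}; end the record with -all or ~all")
    if lookups > 10:
        warnings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers will permerror it")
    weaker_sp = record and record.subdomain_policy in VALID_POLICIES and \
        VALID_POLICIES.index(record.subdomain_policy) < VALID_POLICIES.index(record.policy)
    if weaker_sp:
        warnings.append(f"sp={record.subdomain_policy} is weaker than p={record.policy}: subdomains stay spoofable")
    return {"domain": domain, "stage": stage, "next": NEXT_STEP[stage],
            "spf": spf, "lookups": lookups, "warnings": warnings}

SAMPLE = {  # constructed records; these are not real domains' DNS
    "example.com.au": ("v=DMARC1; p=none", "v=spf1 include:spf.protection.outlook.com ~all"),
    "example-trades.com.au": ("", "v=spf1 a mx +all"),
}

if __name__ == "__main__":
    for domain, (dmarc_txt, spf_txt) in SAMPLE.items():
        r = assess(domain, dmarc_txt, spf_txt)
        print(f"{r['domain']}: DMARC {r['stage']} -> {r['next']}; SPF {r['spf']} ({r['lookups']} lookups)")
        for w in r["warnings"]:
            print("  warning:", w)
```

Two points the stage table makes explicit: p=none is only a monitoring stage if rua= is set and someone reads the reports, and a reject policy with pct=25 is still a ramp, not enforcement. The SPF checks matter for the same rollout, since an SPF record ending in +all, or one that exceeds the ten-lookup limit and so evaluates to permerror, lets spoofed mail through no matter how strict DMARC becomes.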
Why this matters in Perth
Perth’s SMB base is concentrated in professional services, mining-services contractors, and trades businesses that handle client and contractor PII as a matter of course: identity documents, white card details, tax file numbers, banking information. A compromised mailbox at one of these businesses is rarely just a payment-fraud event; it is almost always a personal-information exposure event as well. For a covered entity, that starts a 30-day clock to assess whether the breach is eligible under the OAIC NDB scheme, and notification if it is. Closing the BEC door (DMARC enforced, mailbox rules audited, payment process tightened) closes the most common path to that notification before it opens.
Sources
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- Cyber by Exegesis — Business Email Compromise Prevention (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Perth SMBs
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.