Business Email Compromise Prevention for Sydney SMBs: Close the Invoice-Redirect Gap Before an Attacker Finds It

Your bookkeeper forwards you an email from a supplier you have worked with for three years. The PDF invoice looks right, the signature block is correct, the only change is a new BSB and account number “due to a banking switch”. You authorise the payment. A fortnight later the real supplier rings about an overdue account, and you are on the phone to your bank, your insurer, and possibly the OAIC — trying to work out whether customer data was exposed along with the cash. Business Email Compromise Prevention from Cyber by Exegesis is the fixed-scope engagement designed to harden a Sydney SMB before that email lands.

The problem

ACCC Scamwatch consistently identifies business email compromise as among the highest-loss scam categories reported by Australian businesses. The attack pattern is unglamorous: a criminal either compromises a legitimate mailbox or spoofs a trusted sender’s domain, watches the invoice traffic, and intervenes at the moment a payment is about to be made. Most Sydney SMBs have never configured DMARC, SPF, and DKIM correctly. Mailbox auto-forwarding rules — a common attacker persistence mechanism — sit unaudited for years. Payment-authorisation processes assume that an email from a known address is a known instruction.

The ACSC Small Business Cyber Security Guide is blunt about this: BEC defence is not a single product, it is a combination of email-authentication records, mailbox hygiene, and a payment process that refuses to act on email alone. The controls are inexpensive. Most businesses only put them in place after they have already lost money.
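The mailbox-rule audit mentioned above can be scripted against a rule export. The block below is an added example, not Cyber by Exegesis's tooling: it walks constructed rule records (the field names are assumptions, not the export schema of Microsoft 365 or Google Workspace), flags any enabled rule that forwards or redirects mail outside the tenant's own domain, and raises the severity when the same rule also deletes or files the original, since the mailbox owner then never sees the message that was copied out.

```python
"""Audit exported mailbox rules for silent auto-forwarding to outside addresses.

Added example, not Cyber by Exegesis's tooling. The rule records are
constructed to resemble a tenant export; the field names are assumptions,
not the schema of Microsoft 365 or Google Workspace.
"""
from dataclasses import dataclass, field
from typing import Dict, List

INTERNAL_DOMAIN = "example.com.au"  # assumed: the tenant's own mail domain


@dataclass
class InboxRule:
    mailbox: str                  # owner of the rule
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)  # forward or redirect targets
    delete_message: bool = False  # rule also deletes the original
    move_to_folder: str = ""      # rule files the original away from the inbox


# Constructed sample export: one benign internal forward, one
# forward-and-hide rule, one plain external forward, one disabled rule.
SAMPLE_RULES = [
    InboxRule("accounts@example.com.au", "Copy AP queue", True, ["ap-queue@example.com.au"]),
    InboxRule("accounts@example.com.au", "Sync", True, ["accounts.backup@mail-relay.example"],
              delete_message=True),
    InboxRule("director@example.com.au", "Out of office copy", True, ["director.private@example.net"]),
    InboxRule("reception@example.com.au", "Old forward", False, ["someone@example.org"]),
]


def external_targets(rule: InboxRule) -> List[str]:
    """Targets of the rule that lie outside the tenant's own domain."""
    return [a for a in rule.forward_to
            if a.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN.lower()]


def audit_rules(rules: List[InboxRule]) -> List[Dict]:
    """One finding per enabled rule that forwards outside the tenant.

    Severity is raised when the rule also deletes or files the original,
    because the mailbox owner then never sees the message that was copied out.
    """
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        ext = external_targets(r)
        if not ext:
            continue
        hides = r.delete_message or bool(r.move_to_folder)
        findings.append({
            "mailbox": r.mailbox,
            "rule": r.name,
            "external_targets": ext,
            "hides_original": hides,
            "severity": "high" if hides else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['mailbox']} rule '{f['rule']}' -> {f['external_targets']}"
              + (" (original hidden)" if f["hides_original"] else ""))
```

Run against a real export, the interesting output is the "high" lines: an external target combined with delete-or-file is the shape an attacker's persistence rule takes, and a rule like that in a finance mailbox is worth treating as an incident rather than a cleanup item.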

What Business Email Compromise Prevention does

Cyber by Exegesis runs a fixed-scope engagement targeting BEC specifically:

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. The scope here is preventive hardening. We are not your IT provider and we are not your incident responder; we set the controls and step back.

How it works

  1. We confirm scope on a short call, identify the sending domains in scope, and request read-only access to your DNS provider and email tenant (Microsoft 365 or Google Workspace).
  2. We pull the current DMARC, SPF, DKIM, and mailbox-rules state into a baseline report.
  3. We propose record changes in two stages (none → monitor → quarantine/reject) and apply them across a one to two week window to avoid disrupting legitimate mail flow.
  4. We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
  5. We run the 45-minute staff training and hand over the written report and the 90-day review window.
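Steps 2 and 3 above, the baseline report and the staged DMARC rollout, can be expressed as a small check. The block below is an added example, not the consultancy's own report generator: it takes the SPF, DKIM and DMARC TXT records for a domain as strings (the sample records are constructed; no DNS lookup is made), classifies each, and states the next stage of the rollout the page describes, from no record, to p=none monitoring with reporting, to p=quarantine, to p=reject.

```python
"""Baseline a domain's SPF, DKIM and DMARC records and suggest the next
DMARC policy stage (no record -> p=none -> p=quarantine -> p=reject).

Added example, not Cyber by Exegesis's report tooling. The TXT records
below are constructed; a real baseline would read them from DNS.
"""
import re
from typing import Dict, Tuple

# Constructed sample records for an assumed domain.
SAMPLE_DOMAIN = "example.com.au"
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedkey"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com.au"


def parse_tags(txt: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC or DKIM) into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(txt: str) -> str:
    """Classify the SPF record by its catch-all 'all' qualifier."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing"
    m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", txt)
    if not m:
        return "no-all"  # no catch-all: unlisted senders are neither passed nor failed
    qualifier = m.group(1) or "+"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass-all"}[qualifier]


def assess_dkim(txt: str) -> str:
    """Check that the selector record still carries a public key."""
    if not txt:
        return "missing"
    return "present" if parse_tags(txt).get("p") else "revoked-or-empty"


def next_dmarc_stage(txt: str) -> Tuple[str, str]:
    """Return (current policy, recommendation) following the staged rollout."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return ("none-published",
                "publish v=DMARC1; p=none with a rua= reporting address and monitor")
    tags = parse_tags(txt)
    p = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    note = "" if "rua" in tags else " (add a rua= address first; no reports are being collected)"
    if p == "none":
        return ("none", "monitor aggregate reports until all legitimate senders align, "
                        "then move to p=quarantine" + note)
    if p == "quarantine":
        if pct < 100:
            return ("quarantine", f"raise pct from {pct} to 100 before moving to p=reject" + note)
        return ("quarantine", "move to p=reject" + note)
    if p == "reject":
        return ("reject", "enforcement reached; keep reading reports and review in 90 days" + note)
    return ("invalid", "p= tag missing or malformed; republish the record")


def baseline(domain: str, spf: str, dkim: str, dmarc: str) -> Dict[str, str]:
    """One row of the baseline report for a single sending domain."""
    policy, recommendation = next_dmarc_stage(dmarc)
    return {"domain": domain, "spf": assess_spf(spf), "dkim": assess_dkim(dkim),
            "dmarc_policy": policy, "next_step": recommendation}


if __name__ == "__main__":
    for k, v in baseline(SAMPLE_DOMAIN, SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC).items():
        print(f"{k:>13}: {v}")
```

The point of the pct and rua checks is the one the engagement makes in step 3: moving straight to p=reject on a domain whose legitimate senders are not yet aligned breaks real mail, so the record is advanced one stage at a time while the aggregate reports confirm nothing legitimate is failing.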

Why this matters in Sydney

Sydney concentrates Australia’s professional services SMBs — law firms, accountants, brokerages, architecture practices, consultancies — that move client money on supplier-invoice schedules. That operating pattern is exactly what BEC targets, and ACCC Scamwatch reporting reflects it: Sydney-headquartered SMBs are over-represented in BEC loss data. If a BEC incident exposes personal information held on behalf of your clients, you may also have an OAIC Notifiable Data Breaches obligation on top of the cash loss. A Sydney SMB that hardens DMARC, audits mailbox rules, and tightens its payment-change process closes the door BEC attackers depend on — usually for less than the cost of a single redirected invoice.

Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Sydney SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.