
Business Email Compromise in Australia: Statistics and Prevention for 2026

7 March 2026 · 8 min read
Tags: BEC, business email compromise, payment fraud, Australia, Xero, accounts payable

Scammers stole more than $152.6 million from Australian businesses using business email compromise (BEC) attacks in 2024. That figure represents a 66 per cent increase from the $91.6 million reported in 2023, according to the National Anti-Scam Centre's Targeting Scams report.

BEC is not a new threat — but it is an accelerating one. And the businesses bearing the brunt of it are not large enterprises with dedicated security teams. They are small and medium businesses running lean finance operations, often with a single bookkeeper or finance manager processing payments through software like Xero.

If your organisation pays suppliers electronically, you need to understand how BEC works, why it is getting worse, and what practical steps you can take to avoid becoming part of next year's statistics.

What Is Business Email Compromise?

Business email compromise is a form of cybercrime where an attacker impersonates a trusted party — typically a supplier, executive, or employee — to trick someone into redirecting a legitimate payment to a fraudulent bank account.

Unlike phishing emails that cast a wide net, BEC attacks are targeted and researched. Criminals study your business relationships, payment cycles, and communication patterns before making their move. The Australian Cyber Security Centre (ACSC) classifies BEC as one of the top three self-reported cybercrimes for businesses in Australia, accounting for 13 per cent of all reports lodged through ReportCyber.

The most common pattern works like this:

  1. Reconnaissance — Attackers research your business, identify your suppliers, and learn who handles payments.
  2. Compromise or impersonation — They either hack into a legitimate email account or create a convincing lookalike domain.
  3. The request — A professional-looking email asks your finance team to update a supplier's bank details, often citing a bank change or restructure.
  4. Payment — Your team updates the details in your accounting system and processes the next payment to the new (fraudulent) account.
  5. Discovery — Days or weeks later, the real supplier asks where their payment is. By then, the money has usually been moved on through mule accounts or offshore. Recall is only realistic in the first hours after the transfer, so contact your bank the moment the discrepancy surfaces.
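Step 2 above, the lookalike domain, is the one piece of this pattern a finance team can check mechanically before anyone picks up the phone. The Python below is an added example, not code from the original post or from any product it mentions: it folds confusable characters (rn for m, 1 for l, and so on), measures edit distance against the supplier domains you already deal with, rejects punycode or non-ASCII labels outright, and flags the Reply-To mismatch that typically accompanies a spoofed or compromised sender. The trusted domains, confusable table and sample addresses are constructed for illustration.

```python
# Added example (not from the original post): flag sender domains that
# impersonate a known supplier. Trusted domains and addresses are constructed.

TRUSTED_SUPPLIER_DOMAINS = {"acme-steel.com.au", "brightelectrical.com.au"}

# Character sequences that render alike in common fonts; each key is replaced
# by the glyph it imitates before comparison. Extend to suit your suppliers.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d",
               "0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}


def _clean(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def _fold_confusables(domain: str) -> str:
    for lookalike, glyph in CONFUSABLES.items():
        domain = domain.replace(lookalike, glyph)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_SUPPLIER_DOMAINS):
    """Return (verdict, detail) where verdict is trusted, lookalike, suspicious or unknown."""
    raw = _clean(domain)
    if raw in trusted:
        return "trusted", raw
    # Internationalised labels (punycode or raw non-ASCII) are an easy way to
    # forge a visually identical name; treat them as suspicious outright.
    if not raw.isascii() or any(label.startswith("xn--") for label in raw.split(".")):
        return "suspicious", "non-ASCII or punycode label"
    for t in trusted:
        if _fold_confusables(raw) == _fold_confusables(t):
            return "lookalike", t          # e.g. acrne-steel vs acme-steel
        if levenshtein(raw, t) <= 2:
            return "lookalike", t          # e.g. acmesteel vs acme-steel
    return "unknown", raw


def sender_domain(address: str) -> str:
    """Domain part of 'user@host' or 'Name <user@host>'."""
    return _clean(address.strip().rstrip(">").rsplit("@", 1)[-1])


def check_message(from_addr, reply_to=None, trusted=TRUSTED_SUPPLIER_DOMAINS):
    """Findings for one message: a lookalike From domain, and a Reply-To that
    quietly redirects the conversation to a different domain."""
    findings = []
    from_dom = sender_domain(from_addr)
    verdict, detail = classify_sender_domain(from_dom, trusted)
    if verdict in ("lookalike", "suspicious"):
        findings.append(f"From domain {from_dom} is {verdict}: {detail}")
    if reply_to and sender_domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {sender_domain(reply_to)} differs from From")
    return findings


if __name__ == "__main__":
    # Constructed sample messages.
    for frm, rt in [("accounts@acme-steel.com.au", "accounts.acme@gmail.com"),
                    ("accounts@acrne-steel.com.au", None),
                    ("billing@brightelectrical.com.au", None)]:
        print(frm, check_message(frm, rt) or ["no findings"])
```

The distance threshold of 2 is deliberately loose; on very short domains it will produce false positives, which is the right failure mode for a check whose only consequence is a phone call. A "trusted" verdict says nothing about whether the supplier's mailbox itself has been compromised, which is why the payment-side controls later in this article still apply.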

The Numbers: BEC in Australia Is Getting Worse

The data paints a clear picture of a problem that is growing, not shrinking.

$152.6 million lost in 2024. The National Anti-Scam Centre's Targeting Scams report, published in March 2025, confirmed that payment redirection scams — the category that captures BEC — saw a 66 per cent increase in reported losses compared to 2023.

$84 million in the 2023–24 financial year. The Australian Signals Directorate's Annual Cyber Threat Report recorded almost $84 million in self-reported BEC losses, with the majority of cybercrime reports coming from small businesses.

3,300+ incidents reported annually. The Australian Federal Police noted that more than 3,300 BEC incidents were reported to the ACSC in a single year, with nearly half resulting in direct financial loss.

Construction is a prime target. In October 2025, the AFP issued a specific warning about BEC attacks targeting the construction sector, citing its high-value transactions, frequent invoicing, and limited cybersecurity resources. Investigations linked these attacks to offshore criminal syndicates, with individual losses exceeding $1 million.

These are only the reported numbers. The AFP and ACSC consistently note that BEC is significantly underreported because businesses are embarrassed to admit they fell for the scam.

Why Small and Medium Businesses Are the Primary Target

Large enterprises typically have multi-layered approval processes, dedicated IT security teams, and fraud detection systems. Small and medium businesses usually do not.

Lean finance teams. When one person handles supplier onboarding, bank detail updates, and payment approvals, there is no separation of duties. A single compromised email can lead to an immediate fraudulent payment.

High trust environments. Smaller organisations operate on trust. When a known supplier sends an email requesting a bank detail change, the default response is to process it — not to question it.

Cloud accounting makes changes easy. Software like Xero is designed to be efficient. Updating a supplier's bank details takes seconds. That efficiency becomes a vulnerability when there are no controls around who can make changes and how those changes are verified.

AI is making attacks more convincing. Generative AI now lets attackers draft emails that closely match the tone, formatting, and language of legitimate business communications, in fluent English and in a supplier's own house style. The days of spotting a BEC email by its poor grammar are over.

Time pressure. Finance teams processing dozens of payments per week do not have the bandwidth to manually verify every bank detail change, especially when the request looks routine.

BEC Prevention: What Actually Works

Most BEC prevention advice focuses on email security — enable multi-factor authentication, deploy DMARC, train staff to spot phishing. That advice is valid, but it misses a critical point.

Email security stops the email. It does not stop the payment.

If a BEC email gets through — and some will — the question becomes: what controls exist between that email and the money leaving your account? For most SMBs using Xero, the honest answer is very few.

Here is what a practical BEC prevention framework looks like for an Australian SMB.

1. Verify bank detail changes out of band

Never verify a bank detail change using contact information from the same email that requested it, including the phone number in the signature block: if the supplier's mailbox has been compromised, the attacker controls that signature too. Call your supplier on a number you already had on file before the request arrived, and speak to the person you normally deal with. This single step defeats the most common BEC pattern, because the attacker controls the email channel but not your existing phone record.

2. Separate who changes details from who approves payments

No single person should be able to both update supplier bank details and approve a payment to that supplier. This separation of duties is fundamental to fraud prevention, and it is a control cyber insurers commonly ask about when underwriting a policy.

3. Monitor your accounting system for changes

Email security monitors your inbox. But who monitors your accounting software? When a supplier's bank details change in Xero, your finance team needs to know about it immediately — not the next time someone happens to review the supplier record.

Automated monitoring catches every change in real time, regardless of whether it was triggered by a BEC email, an internal error, or a legitimate update. Manual processes rely on people remembering to check, and people forget.

4. Implement a verification workflow

When a bank detail change is detected, it should trigger a formal verification process: who made the change, when, why, and has it been independently confirmed with the supplier? This creates an audit trail that protects your business legally and operationally.

5. Conduct regular supplier audits

Periodically review your supplier records for anomalies: ghost suppliers with no transaction history, duplicate entries, two different suppliers sharing the same bank account, round-number invoices, and bank details that have changed multiple times. These patterns can indicate fraud that has already occurred or is in progress.
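Items 3, 4 and 5 above are mechanical enough to script. The Python below is an added example, not OutflowGuard's code or Xero's, and runs on two constructed snapshots of a supplier list; the record shape (ContactID, Name, BankAccountDetails, Phones with a PhoneType) is an assumption modelled on the Contact object in Xero's Accounting API, so check the field names against the current API reference before pointing this at a live tenant. It diffs the snapshots for bank detail changes, refuses to count a verification call made to a number that arrived with the change, enforces that the verifier and the payment approver are different people, and runs the audit checks for shared bank accounts and repeat changers.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed snapshots of the supplier list as pulled on two consecutive days.
# Field names follow the Contact object of Xero's Accounting API as an
# assumption; verify them against the API reference before wiring this up.
YESTERDAY = [
    {"ContactID": "c-001", "Name": "Acme Steel Pty Ltd",
     "BankAccountDetails": "062000 12345678",
     "Phones": [{"PhoneType": "DEFAULT", "PhoneNumber": "0292221111"}]},
    {"ContactID": "c-002", "Name": "Bright Electrical",
     "BankAccountDetails": "033000 87654321",
     "Phones": [{"PhoneType": "DEFAULT", "PhoneNumber": "0398881234"}]},
    {"ContactID": "c-003", "Name": "Northside Plumbing",
     "BankAccountDetails": "012345 55556666",
     "Phones": [{"PhoneType": "DEFAULT", "PhoneNumber": "0755551234"}]},
]
TODAY = [
    # c-001: bank account AND phone changed together, the classic BEC edit
    # (the new number is the attacker's, so calling it proves nothing).
    {"ContactID": "c-001", "Name": "Acme Steel Pty Ltd",
     "BankAccountDetails": "082001 99887766",
     "Phones": [{"PhoneType": "DEFAULT", "PhoneNumber": "0491570156"}]},
    YESTERDAY[1],
    # c-003: now points at the same account as c-001, a shared-account anomaly.
    {"ContactID": "c-003", "Name": "Northside Plumbing",
     "BankAccountDetails": "082001 99887766",
     "Phones": [{"PhoneType": "DEFAULT", "PhoneNumber": "0755551234"}]},
    {"ContactID": "c-004", "Name": "New Supplier Co", "BankAccountDetails": "", "Phones": []},
]


@dataclass
class BankChange:
    contact_id: str
    name: str
    old_account: Optional[str]
    new_account: Optional[str]
    phone_on_file: Optional[str]      # taken from the PRE-change record only
    phone_also_changed: bool
    verified_by: Optional[str] = None
    phone_dialled: Optional[str] = None


def _default_phone(contact) -> Optional[str]:
    for p in contact.get("Phones", []):
        if p.get("PhoneType") == "DEFAULT" and p.get("PhoneNumber"):
            return p["PhoneNumber"]
    return None


def detect_bank_changes(previous, current):
    """Every existing supplier whose bank details differ between snapshots."""
    before = {c["ContactID"]: c for c in previous}
    changes = []
    for c in current:
        old = before.get(c["ContactID"])
        if old is None:
            continue   # brand-new supplier: onboarding checks, not this diff
        if old.get("BankAccountDetails") != c.get("BankAccountDetails"):
            changes.append(BankChange(
                contact_id=c["ContactID"], name=c["Name"],
                old_account=old.get("BankAccountDetails"),
                new_account=c.get("BankAccountDetails"),
                phone_on_file=_default_phone(old),
                phone_also_changed=_default_phone(old) != _default_phone(c)))
    return changes


def record_verification(change, verifier, phone_dialled):
    """Out-of-band check: only the number on file BEFORE the change counts."""
    if change.phone_on_file is None or phone_dialled != change.phone_on_file:
        return False
    change.verified_by = verifier
    change.phone_dialled = phone_dialled
    return True


def payment_allowed(change, approver):
    """Separation of duties: the verifier may not also approve the payment."""
    return change.verified_by is not None and approver != change.verified_by


def shared_bank_accounts(contacts):
    """Audit check: distinct suppliers paid into the same account."""
    by_account = defaultdict(list)
    for c in contacts:
        acct = (c.get("BankAccountDetails") or "").replace(" ", "")
        if acct:
            by_account[acct].append(c["Name"])
    return {a: names for a, names in by_account.items() if len(names) > 1}


def frequent_changers(change_log, threshold=2):
    """Audit check: suppliers whose bank details changed `threshold`+ times."""
    counts = defaultdict(int)
    for ch in change_log:
        counts[ch.contact_id] += 1
    return {cid: n for cid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ch in detect_bank_changes(YESTERDAY, TODAY):
        print(f"{ch.name}: {ch.old_account} -> {ch.new_account}, "
              f"phone also changed: {ch.phone_also_changed}, call {ch.phone_on_file}")
    print("shared accounts:", shared_bank_accounts(TODAY))
```

The two pieces of state this depends on are the previous snapshot, which must be stored somewhere the person editing the supplier record cannot also edit, and the change log, which is what becomes your audit trail. Note the asymmetry in who is trusted: the new record is treated as hostile until a call to the old number confirms it, which is exactly the discipline item 1 asks of a human.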

6. Train your team — but do not rely on training alone

Staff awareness is important, but it is not a control. People make mistakes, especially under time pressure. Training should complement automated controls, not replace them.

The Compliance Factor: Australia's Scams Prevention Framework

The regulatory landscape is shifting. The Scams Prevention Framework Act 2025 introduces obligations, backed by penalties, for regulated entities in sectors the Minister designates; banks, telecommunications providers and digital platforms are the first sectors flagged. Most SMBs will not be regulated entities under it directly, but the framework sets a public benchmark for what reasonable, documented scam prevention looks like. A business that relies solely on staff vigilance, with no documented controls or audit trail, will struggle to demonstrate reasonable steps after an incident.

For CFOs and finance managers, this changes the calculus. Preventing BEC is no longer just about avoiding a direct financial loss. It is about demonstrating that your organisation took reasonable steps to prevent fraud and can prove it with an audit trail.

Protecting Your Xero Organisation

If your business runs on Xero, the practical steps are straightforward:

  • Enable two-factor authentication for all Xero users
  • Review user permissions — restrict who can edit supplier bank details
  • Audit connected apps — remove any third-party integrations you no longer use
  • Monitor for bank detail changes — either manually (calendar reminders to review the audit log) or through automated monitoring
  • Document your verification process — write it down, train your team, and follow it consistently

For businesses that want automated monitoring without changing their existing processes, tools like OutflowGuard connect to Xero with read-only access to detect supplier bank detail changes, flag anomalies, and enforce verification workflows. It is one option worth evaluating as part of a broader BEC prevention strategy.

The Bottom Line

Business email compromise cost Australian businesses $152.6 million in 2024, up 66 per cent from the year before. The attacks are getting more sophisticated, more targeted, and more difficult to detect.

The businesses that avoid becoming statistics are the ones that build controls into their payment process before an attack happens. Email security is the first line of defence. Monitoring what happens inside your accounting system is the last — and often the most important.

Do not wait for a six-figure lesson. Review your supplier verification process, implement separation of duties, and ensure you have visibility into every bank detail change that occurs in your organisation.
