The $97,000 Email: Why Business Email Compromise Keeps Beating Australian SMEs
BEC fraud now accounts for 15% of all business cybercrime in Australia, with medium businesses losing an average of $97,166 per incident. The defence isn't a tool; it's a process change.
One in three cybercrime incidents reported by Australian businesses now starts with email, and a single successful business email compromise costs the average medium-sized firm $97,166. Those numbers come from the Australian Signals Directorate's Annual Cyber Threat Report 2024–25, and they describe a threat that gets far less attention than ransomware while quietly emptying SME bank accounts every week.
Business email compromise (BEC for short) is not a sophisticated technical attack. It does not need malware, exploits, or zero-days. It works because a person at a small business reads an email that looks routine, follows the instruction it contains, and only later finds out the bank details were swapped, the supplier was impersonated, or the "urgent payment from the director" was never sent by the director at all.
Why BEC is now the dominant threat to Australian SMEs
The ASD's latest threat report puts BEC fraud at 15% of all business-related cybercrime, with email-related compromise that does not result in a direct payment adding another 19%. Combined, that is more than a third of every incident reported by Australian businesses, a bigger share than ransomware, malware, and denial-of-service combined.
The financial weight is just as heavy. The average self-reported cost of a cyber incident across all Australian businesses rose 50% to $80,850 in the 2024–25 financial year. For medium-sized businesses, the average climbed to $97,166. For larger ones it hit $202,691, a 219% jump driven mostly by BEC. Small businesses recorded an average of $56,571 per incident.
The pattern in New Zealand is similar. The National Cyber Security Centre recorded $12.4 million in direct cyber losses between July and September 2025, with scams and fraud, most of it BEC, the most reported category. That was the second-highest quarterly loss figure since the NCSC began publishing its data.
These are not rare, headline-grabbing breaches. They are weekly events at accounting firms, medical practices, engineering consultancies, and freight businesses across Australia and New Zealand.
How the attacks actually work
The cyber.gov.au guidance describes three patterns that account for most reported incidents. In executive fraud, an attacker impersonates a director or owner and instructs a staff member to make an urgent payment to a new account. In invoice fraud, the most financially damaging variant, the attacker either compromises a supplier's email or spoofs it convincingly, then sends a legitimate-looking invoice with altered payment details. In legal impersonation, the attacker poses as a lawyer pressing for a confidential settlement transfer.
The reason BEC works against SMEs is structural rather than technical. Smaller organisations operate on personal trust. The bookkeeper knows the director's email style. The accounts payable clerk has paid the same supplier for years. The processes that would catch a payment redirection at a bank or large enterprise (segregation of duties, mandatory call-back verification, dual approval thresholds) usually do not exist, because they were never built when the business was smaller.
What is changing in 2026 is the quality of the impersonation. The ASD and overseas agencies including CERT NZ have flagged a clear rise in attacks that combine compromised email access with AI-generated voice clips, used to leave a quick voicemail or follow-up call confirming the "urgent transfer". A 30-second sample of a director's voice, taken from a podcast appearance, a webinar recording, or even a corporate video, is enough material to clone. Staff who would have paused at a suspicious email tend not to pause when they recognise the boss's voice.
The defence is process, not product
There is no tool that reliably stops BEC, because the attack does not exploit a system; it exploits a workflow. The ASD's Preventing business email compromise guidance puts the controls in plain order, and they are not expensive.
Multi-factor authentication on every email account is the first step, because most BEC incidents start with a compromised inbox somewhere in the supply chain. Email authentication standards (SPF, DKIM, and DMARC) make it harder for attackers to spoof a domain that is not theirs. But the single most effective control is the one that needs no software at all: a written rule that any change to payment details, and any payment over a defined threshold, must be verified by phone call to a number already on file. Not the number in the email. Not a reply to the email. The number you already had.
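To make the DMARC part of that advice concrete, here is an added example (not from the ASD guidance or this article) that parses a DMARC TXT record and reports the settings that still let an attacker spoof the domain: a monitoring-only policy, a weaker subdomain policy, partial enforcement, or no reporting address. The domain names and records are constructed for illustration; in practice the record is whatever a DNS TXT lookup of _dmarc.<domain> returns.

```python
"""Parse a DMARC TXT record and report settings that leave the domain spoofable.

Added example; the domain names and records below are constructed, not real lookups.
In production the record comes from a DNS TXT query for _dmarc.<domain>.
"""

# Constructed sample records: three domains at different levels of enforcement
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strong.example": (
        "v=DMARC1; p=reject; sp=reject; pct=100; "
        "rua=mailto:dmarc@strong.example; ruf=mailto:forensic@strong.example"
    ),
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable findings; an empty list means reject is enforced everywhere."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is diverted to spam rather than rejected")
    # sp (subdomain policy) defaults to p when absent
    subpolicy = tags.get("sp", policy).lower()
    if subpolicy != policy and subpolicy in ("none", "quarantine"):
        findings.append(f"sp={subpolicy}: subdomains are protected more weakly than the main domain")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports go nowhere, so spoofing attempts are never seen")
    return findings


def report(domain: str, record: str) -> str:
    """One-line verdict for a domain, used when running the block stand-alone."""
    findings = assess_dmarc(record)
    return f"{domain}: " + ("enforcing" if not findings else "; ".join(findings))


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(report(name, rec))
```

A record that comes back with no findings still only protects the domain's own name; it does nothing about a supplier whose mailbox has genuinely been taken over, which is why the call-back rule below matters more than any DNS setting.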
The five-minute control that stops most BEC fraud
Write a one-page payments policy and have every person who can move money sign it. The rule: any new bank account details, any change to existing details, and any payment above an agreed threshold must be verbally confirmed by calling the requester on a number from your existing records. No exceptions for urgency, seniority, or after-hours requests. Test it by sending a fake "urgent invoice" to your finance team next month and see who calls.
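The written rule described in this section and in the paragraph on call-back verification above can be expressed as a decision a finance team, or a payments system, can check the same way every time. The following is an added example, not part of the article or the ASD guidance; the supplier records, phone numbers and the $10,000 threshold are constructed for illustration.

```python
"""Model the one-page payments policy as a decision a finance team can check.

Added example, not from the article or the ASD guidance. Supplier records, phone
numbers and the threshold are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed supplier master file: details held BEFORE any email arrives.
SUPPLIER_RECORDS = {
    "Acme Freight": {"bsb": "062-000", "account": "12345678", "phone": "+61 2 9000 0001"},
    "Harbour Legal": {"bsb": "033-001", "account": "87654321", "phone": "+61 3 9000 0002"},
}
CALLBACK_THRESHOLD_AUD = 10_000.00  # hypothetical agreed threshold


@dataclass
class PaymentRequest:
    payee: str
    amount_aud: float
    bsb: str
    account: str
    phone_in_email: Optional[str] = None  # a number the email itself asks you to call


@dataclass
class Callback:
    number_dialled: str
    confirmed_by: str  # person reached on the call


def normalise_phone(number: str) -> str:
    """Keep only digits so formatting differences do not defeat the comparison."""
    return "".join(ch for ch in number if ch.isdigit())


def callback_reasons(req: PaymentRequest) -> List[str]:
    """Policy triggers for this request; an empty list means no call-back is needed."""
    reasons = []
    known = SUPPLIER_RECORDS.get(req.payee)
    if known is None:
        reasons.append("new payee with no bank details on file")
    elif (known["bsb"], known["account"]) != (req.bsb, req.account):
        reasons.append("bank details differ from the record")
    if req.amount_aud > CALLBACK_THRESHOLD_AUD:
        reasons.append(f"amount exceeds the ${CALLBACK_THRESHOLD_AUD:,.0f} threshold")
    return reasons


def approve_payment(req: PaymentRequest, callback: Optional[Callback]) -> Tuple[bool, str]:
    """Apply the rule. Urgency, seniority and time of day are deliberately not inputs."""
    reasons = callback_reasons(req)
    if not reasons:
        return True, "no call-back required: known payee, unchanged details, under threshold"
    if callback is None:
        return False, "hold: call-back required (" + "; ".join(reasons) + ")"
    known = SUPPLIER_RECORDS.get(req.payee)
    if known is None:
        # Nothing on file to call, so the email cannot be allowed to supply the number.
        return False, "hold: new payee must be verified on an independently sourced number and added to records first"
    dialled = normalise_phone(callback.number_dialled)
    if dialled != normalise_phone(known["phone"]):
        if req.phone_in_email and dialled == normalise_phone(req.phone_in_email):
            return False, "hold: call-back used the number supplied in the email, not the one on file"
        return False, "hold: call-back went to a number not on file"
    return True, f"approved: {'; '.join(reasons)}; confirmed by {callback.confirmed_by} on the number on file"


if __name__ == "__main__":
    # A redirected invoice: same supplier, new account, and a helpful "call me" number in the email.
    redirected = PaymentRequest("Acme Freight", 8_400.0, "062-999", "99999999",
                                phone_in_email="+61 4 0000 0000")
    print(approve_payment(redirected, None))
    print(approve_payment(redirected, Callback("+61 4 0000 0000", "the 'new accounts contact'")))
    print(approve_payment(redirected, Callback("+61 2 9000 0001", "J. Smith, Acme AP")))
```

Urgency, seniority and after-hours timing are not parameters, which mirrors the policy's "no exceptions". A brand-new payee has no number on file, so the function refuses to approve until the details have been verified through a channel independent of the email and entered into the records; that is also where the monthly fake "urgent invoice" drill earns its keep, because the drill checks whether people actually make the call rather than whether the rule exists on paper.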
What to assume from here
The ASD does not expect BEC volume to drop in the next reporting period. Voice cloning is becoming cheaper and more convincing. Compromised supplier inboxes, the source of most invoice fraud, are traded openly on criminal marketplaces. Insurers are starting to push back on social engineering claims where there is no documented call-back process, because the loss was avoidable.
For an Australian SME, the question is not whether a BEC attempt will land in the inbox. It is whether the process the staff member follows when it arrives is robust enough to catch it. That is a question every business owner can answer this week, without buying anything.