The fake invoice email that redirects your payment: BEC explained
Here is a scam I wish more business owners knew about before it happened to them, because it is quiet, it is convincing, and it can cost you tens of thousands in a single afternoon. An email arrives, from a supplier you know, with an invoice you were expecting, and a friendly note saying their bank details have changed. So you pay the new account. Weeks later the real supplier chases you for money you thought you had already sent, and you realise the payment went to a criminal. This is business email compromise, and it is now one of the biggest single causes of real financial loss for Australian businesses. Here is exactly how it works, why your spam filter never stood a chance, and the simple habits that stop it cold.
What business email compromise actually is
Business email compromise, usually shortened to BEC, is not a virus and it is not a clumsy phishing email full of spelling mistakes. It is a con, delivered by email, aimed at one thing: getting your money sent to the scammer instead of the person you meant to pay. The classic version is invoice redirection. You are expecting to pay a supplier, and an email turns up saying their account details have changed, please pay the new one. It looks completely normal, so you do, and the money is gone.
The reason it works is that nothing about it feels wrong. There is no strange attachment to open, no link to a fake login page, no obvious tell. It is a plausible business request about a real transaction, arriving at exactly the moment you expected it. That is what makes it so much more dangerous than the junk we have all learned to ignore.
Why it comes from a real, trusted address
The most effective version of this scam does not fake the sender at all. The criminal has broken into a genuine mailbox, often your supplier's, sometimes your own, and is sending from the real address. They have read the recent emails, they know the invoice numbers, they know the names, and they wait for the right moment to slip in the message about changed bank details. To you, it is your supplier, because it literally is your supplier's email account.
When they cannot get inside a real mailbox, they use a look-alike address instead, one so close to the genuine one that the difference is a single swapped letter or an extra dot you would never notice while scanning your inbox. Either way, the sender looks right, and that single fact is what carries the whole con.
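One way to catch the look-alike case before a human has to spot it is to compare every sender domain against the short list of suppliers you actually pay. The script below is an added example for this article, not something the article or Alien IT supplies: the supplier domains, the confusable-character table and the sample addresses are constructed, and the edit-distance threshold is an assumption you would tune to your own supplier list. It flags a swapped or look-alike letter, an extra dot, and a Reply-To that points somewhere other than the From address, which is how a criminal without access to the real mailbox steers your reply back to themselves.

```python
"""Flag sender addresses that impersonate a known supplier (added example)."""
from email.utils import parseaddr

# Constructed list of the suppliers this business really pays (assumption).
KNOWN_SUPPLIER_DOMAINS = {"acme-plumbing.com.au", "northside-steel.com"}

# Small, illustrative table of characters that read alike when skimming an inbox.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l"}

# A single swapped letter is distance 1; a transposed pair is distance 2 (assumption).
LOOKALIKE_THRESHOLD = 2


def normalise(domain: str) -> str:
    """Collapse confusable characters so 'stee1' and 'steel' compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


def classify_sender(from_header: str, reply_to_header: str = "") -> str:
    """Return 'trusted', 'lookalike', 'reply-to-mismatch' or 'unknown'.

    Reply-To is checked first: even a message from a genuine domain should be
    held for review if replies are being steered to a different domain.
    """
    from_domain = domain_of(from_header)
    if reply_to_header:
        reply_domain = domain_of(reply_to_header)
        if reply_domain and reply_domain != from_domain:
            return "reply-to-mismatch"
    if from_domain in KNOWN_SUPPLIER_DOMAINS:
        return "trusted"
    for known in KNOWN_SUPPLIER_DOMAINS:
        if normalise(from_domain) == normalise(known):
            return "lookalike"
        if edit_distance(from_domain, known) <= LOOKALIKE_THRESHOLD:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        ("Sue <accounts@acme-plumbing.com.au>", ""),
        ("accounts@acme-plumbimg.com.au", ""),          # one swapped letter
        ("accounts@acme.plumbing.com.au", ""),          # hyphen became a dot
        ("accounts@northside-stee1.com", ""),           # digit 1 for letter l
        ("accounts@acme-plumbing.com.au", "accounts@acme-plumbing-invoices.com"),
        ("newsletter@somecompany.com", ""),
    ]
    for frm, reply_to in samples:
        print(f"{frm:45} -> {classify_sender(frm, reply_to)}")
```

Treat anything other than `trusted` as a reason to pick up the phone, and remember that this check does nothing against a genuinely hacked supplier mailbox, which will come out as `trusted` every time; only the call to a known number covers that case.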
Why your spam filter never catches it
People assume their email security should stop this, and are shocked when it does not. But think about what a spam filter is built to do. It looks for junk: dodgy links, malicious attachments, blacklisted senders, the fingerprints of mass-mailed rubbish. A BEC email has none of that. It is a short, well-written, personal message from an address that looks trustworthy, asking a reasonable question about a real invoice.
There is nothing for the filter to flag, because on every check a filter runs it looks like a legitimate email. When it comes from a genuinely hacked mailbox it passes the sender-authentication checks (SPF, DKIM and DMARC) as well, because it really was sent by the legitimate account, just under the wrong person's control. This is precisely why you cannot buy your way out of BEC with a better filter. The defence has to sit with your people and your process, not only your software.
The defences that actually stop it
The good news is that the habits that beat this are simple, cheap, and within reach of any business today. You do not need clever technology so much as a few firm rules that everyone follows.
- Verify bank-detail changes by phone, every time. This is the big one. If an email says an account has changed, or a payment feels even slightly off, ring the supplier on a number you already have on file, never a number from the email. One thirty-second phone call defeats almost every one of these scams.
- Turn on multi-factor authentication. Most of these frauds start with a hacked mailbox, and a stolen password is enough to get in. MFA adds a second step, so a criminal with your password alone still cannot reach your email. It is not unbeatable: criminals can pester people into approving a prompt they did not start, so prefer an authenticator app or security key over SMS codes and tell staff to refuse any login prompt they were not expecting.
- Make sure your staff know it exists. A team that has heard of invoice-redirection fraud pauses at the right moment. The scam relies on nobody stopping to ask, so awareness alone stops a great deal of it.
- Lock down your own email with DMARC. Proper email authentication (SPF and DKIM, enforced by a DMARC policy of reject) makes it far harder for anyone to send email pretending to come from your exact domain, which protects your customers and your name. Be clear about what it does not do: it will not stop a look-alike domain or a message sent from a genuinely hacked mailbox, which is why the phone call above still matters.
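Many businesses publish a DMARC record and assume they are done, when the record only monitors and still lets spoofed mail through. The script below is an added example written for this article, not part of it or of any Alien IT tooling: it parses a DMARC record and lists what is weak about it, with a constructed monitoring-only record beside a constructed enforcing one. It assumes you have already fetched the record yourself (it lives in the TXT record at `_dmarc.<your-domain>`, for example with `dig TXT _dmarc.example.com.au`) and does no network lookups.

```python
"""Assess a DMARC TXT record and report what leaves the domain spoofable (added example)."""

# Constructed records for illustration: the first only monitors, the second enforces.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc@example.com.au"
)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return human-readable findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]

    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk rather than rejecting it")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")

    # sp= defaults to p=; an explicit sp=none reopens every subdomain.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")

    if "rua" not in tags:
        findings.append("no rua= address, so you never see who is spoofing you")
    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        findings = assess_dmarc(record)
        print(f"{label}: {record}")
        for finding in findings or ["enforcing: spoofed mail is rejected"]:
            print(f"  - {finding}")
```

Move to `p=reject` only after the aggregate reports sent to the `rua=` address show that all of your legitimate senders (payroll, invoicing, marketing platforms) pass SPF or DKIM in alignment, otherwise you will reject your own mail. And keep the scope in mind: a clean result here protects people who receive mail from your domain; it says nothing about the look-alike domain a criminal registers, or a supplier's mailbox that has been taken over.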
Notice that the first and most powerful defence costs nothing at all. A phone call to a known number, before the money moves, is the closest thing there is to a guaranteed stop.
If it has already happened to you
If you think you have paid a fake invoice, do not sit on it and hope, and do not waste an hour feeling embarrassed. Speed decides whether the money is recoverable. Phone your bank straight away and ask them to try to recall the payment, because if you catch it fast enough the funds may still be reachable. Then report it to the police and to Scamwatch. Change the password on the affected mailbox, switch on MFA, and check the mailbox for forwarding or filtering rules you did not create, because criminals often add them to hide the real supplier's replies and the account may still be in the wrong hands. The businesses that recover their money are almost always the ones that made that first call within the hour.
This scam sits alongside your other digital foundations. It is part of the same picture as your broader cyber security and how you set up your email so that your own messages are trusted and hard to spoof. Getting those right does not just protect you from BEC, it protects everyone who does business with you.
FAQ
What is business email compromise?
Business email compromise, or BEC, is a scam where a criminal uses email to trick your business into sending money to them instead of the person you meant to pay. Usually it is a fake invoice, or a message claiming a supplier's bank details have changed. The email looks completely genuine, often because it comes from a real address that has been hacked, so the request feels normal and the payment goes to the scammer.
Why does the fake invoice get past my spam filter?
Because it is not spam in the usual sense. It often comes from a real mailbox that has been broken into, or from an address that looks almost identical to a genuine one, so there is no dodgy link or virus for the filter to catch. It is a plausible business email asking a plausible question about a real invoice. Spam filters are built to catch junk, not a well-written message from an address that looks trustworthy.
How do I stop invoice-redirection fraud?
The single most effective defence costs nothing: whenever bank details change, or a payment request feels even slightly off, verify it by phoning the supplier on a number you already have, never a number from the email. Add multi-factor authentication so a stolen password cannot open your mailbox, and make sure staff know these scams exist. Those three habits stop almost every one of these frauds before the money leaves.
What is MFA and why does it matter here?
MFA, or multi-factor authentication, means logging in needs a second step beyond your password, usually a code or prompt on your phone. It matters here because so many of these scams start with a hacked mailbox, and without it a stolen password is enough to get in. With MFA switched on, a criminal who steals your password alone still cannot reach your email, which shuts off the most common way these frauds begin. Use an authenticator app or security key rather than SMS codes where you can, and never approve a login prompt you did not start yourself.
What should I do if we already paid a fake invoice?
Act fast, because speed is everything. Phone your bank immediately and ask them to try to recall the payment, then report it to the police and to Scamwatch. Change the password on the affected mailbox, turn on MFA and remove any forwarding or filtering rules you did not create, because the account may still be compromised. The sooner the bank acts, the better the chance of stopping or recovering the money, so make that call before anything else.
Can Alien IT protect us from these scams?
Yes. We lock down your email with MFA and proper settings like DMARC that make your business far harder to impersonate, we set up sensible checks for payments and bank-detail changes, and we help your team spot the warning signs. Whether you want to prevent this or you have just been caught, we will get your email and your payment process to a place where one convincing message can no longer cost you thousands.
The bottom line
Business email compromise works because it does not look like an attack. It looks like a normal invoice from a normal supplier, sent from an address you trust, at the moment you expected it, and that is exactly why your spam filter waves it through. The money that walks out the door is real, and for a lot of Australian businesses it is one of the largest single losses they ever take. The defence is refreshingly ordinary: verify every bank-detail change with a phone call to a number you already have, switch on MFA, and make sure your team knows the game. Do that, and the most convincing fake invoice in the world becomes nothing more than a call you were always going to make.
Worried a payment request might not be genuine, or want to make sure this can never catch you out? We will harden your email, set up sensible payment checks, and brief your team. Tell us how your business pays its suppliers and we will help you close the gap.