Insuring Against Business Email Compromise

What’s one of the most frequent and financially damaging cyber threats facing small and medium-sized businesses?

It’s business email compromise, or BEC, according to the Australian Cyber Security Centre. BEC is a cyber scam that tricks staff into sending money or sharing sensitive information.

SMEs Very Much in the Frame

Australian SMEs are increasingly realising that cyber threats are not abstract or distant. They are already affecting businesses much like their own.

About seven in ten surveyed SMEs now rate cyber security as a major operational risk, highlighting how central the issue has become in day-to-day planning.

How a Business Email Compromise Scam Usually Unfolds

BEC scams exploit routine and trust. Criminals either gain access to a real mailbox or use lookalike details to blend into everyday email traffic. They observe how invoices are approved and how payments move.

The scam often looks routine and may involve a:

Hacked inbox: a genuine email account is compromised and used to send convincing messages

Lookalike or spoofed email address: small changes to a domain name that are easy to miss

Impersonated contact: messages that appear to come from a trusted colleague, manager, supplier, or client

Payment change request: an urgent or time-sensitive instruction to update bank details or pay an invoice

In many cases, the entry point is a simple phishing email that captures a staff member’s login details.

Once inside, scammers can sit quietly for weeks, learning payment patterns before redirecting funds to accounts they control.

The Real-World Impact on Australian Businesses

BEC attacks can be extremely costly for small and mid-sized businesses.

Recent claims data shows business email compromise is the leading trigger for cyber insurance claims among SMEs in Australia and New Zealand, accounting for roughly one in two reported incidents.

Government cybercrime reporting also shows that email compromise, whether or not money was stolen, makes up a substantial share of incidents reported by businesses each year.

BEC may also interrupt daily operations, consume staff time, and expose sensitive information. Customer trust and professional reputation can also take a hit.

Practical Prevention and Early Detection Tips for BEC

Government guidance points to simple, cost-effective steps as some of the strongest defences against BEC. SMEs can reduce exposure by focusing on a few key habits:

Enable multi-factor authentication: adds a second check before email accounts can be accessed

Pause on unusual requests: train staff to slow down when payment or detail changes feel out of routine

Verify payment changes: confirm new bank details through a trusted channel before money moves

Watch for red flags: look out for urgency, subtle email address changes, or requests that bypass normal approval steps

Use call-back checks: phone a known contact before approving invoice or account changes

This mix of basic controls and everyday awareness can significantly lower the risk of email-based scams. Step it up a level by having formal cyber security policies and frameworks, and by collaborating with your tech providers, industry groups and regulatory bodies to stay up to date with best practices.
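The red flags above (a lookalike sender domain, a reply-to address that points somewhere else, and urgent instructions to change payment details) can be screened for automatically before a message reaches the person who approves payments. The script below is an added example, not the insurer's or the ACSC's tooling; the trusted domain list and the three sample messages are constructed for the demonstration.

```python
"""Screen constructed sample emails for the BEC red flags listed above (added example)."""
from difflib import SequenceMatcher

# Assumed list of domains the business pays or belongs to (constructed for this example)
TRUSTED_DOMAINS = {"acme-supplies.com.au", "yourbusiness.com.au"}
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")
PAYMENT_WORDS = ("bank details", "bsb", "account number", "new account", "invoice", "payment")


def sender_domain(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain this one closely resembles (one swapped character,
    a different TLD), or None if it is trusted itself or clearly unrelated."""
    if domain in trusted:
        return None
    for known in trusted:
        if SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None


def red_flags(msg, trusted=TRUSTED_DOMAINS):
    """List the red flags present in one message dict (from, optional reply_to, body)."""
    flags = []
    dom = sender_domain(msg["from"])
    near = lookalike(dom, trusted)
    if near:
        flags.append(f"lookalike domain: {dom} resembles {near}")
    reply_to = msg.get("reply_to")
    if reply_to and sender_domain(reply_to) != dom:
        flags.append("reply-to domain differs from sender domain")
    body = msg["body"].lower()
    if any(w in body for w in PAYMENT_WORDS) and any(w in body for w in URGENCY_WORDS):
        flags.append("urgent payment instruction: confirm by call-back before paying")
    return flags


# Constructed sample messages (not real mail)
SAMPLE_MESSAGES = {
    "routine": {"from": "accounts@acme-supplies.com.au",
                "body": "Please find attached invoice 1043 for June."},
    "lookalike": {"from": "accounts@acme-supp1ies.com.au",
                  "body": "URGENT: our bank details have changed, please pay invoice 1043 today."},
    "ceo_fraud": {"from": "ceo@yourbusiness.com.au", "reply_to": "ceo.yourbusiness@gmail.com",
                  "body": "Are you at your desk? I need a payment processed immediately."},
}


def scan(messages=SAMPLE_MESSAGES):
    """Map each message id to its red flags; an empty list means nothing to escalate."""
    return {name: red_flags(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, flags in scan().items():
        print(name, "->", flags or "no red flags")
```

A flagged message is a prompt to apply the call-back check described above, not proof of fraud; the similarity threshold is an assumption and should be tuned against the business's own supplier list.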

Where Cyber Insurance Fits in Your Overall Risk Strategy

Strong internal controls and staff awareness are essential, but they will not stop every attack. This is where cyber insurance can provide important backup.

A well-structured cyber policy can support your business when BEC or other cyber incidents occur. This can include forensic investigation of the crime as well as response costs to remove the threat and secure the email system. If Cyber Theft coverage is applicable, the direct financial loss the business suffered will be covered as well.

Taken together, this assistance can be the difference between a contained incident and a business-threatening event.

Making Sure Your Cyber Cover Reflects Real Risk

Cyber insurance uptake among SMEs is rising for a simple reason. Owners are seeing the real cost of cybercrime, not just in dollars lost but in disruption and time.

We can’t stop criminals from trying email scams.

We can help check whether your current cyber cover genuinely matches your payment flows and real-world risks, so the money you spend with your adviser is focused on protecting what matters most.

Important notice

This article provides information rather than financial product or other advice. The content of this article, including any information contained in it, has been prepared without taking into account your objectives, financial situation or needs. You should consider the appropriateness of the information, taking these matters into account, before you act on any information. In particular, you should review the product disclosure statement for any product that the information relates to before acquiring the product.

Information is current as at the date the article is written as specified within it but is subject to change. BICS makes no representation as to the accuracy or completeness of the information. Various third parties have contributed to the production of this content. All information is subject to copyright and may not be reproduced without the prior written consent of BICS.