I have, on occasion, received suspicious invoices. I recognised them immediately. The sender did not hear back.
Most business owners aren't so fortunate — not because they're careless, but because nobody explained how this works. Allow me to fix that.
Invoice fraud — known in the industry as Business Email Compromise, or BEC — cost Australian businesses over $152 million in 2024. The average small business incident: $55,000. Gone, often unrecoverable, almost always preventable.
Almost always.
What Is Invoice Fraud?
Business Email Compromise is when a scammer intercepts your business communications — usually email — to redirect a payment into their account instead of your supplier's.
It's not a crude hack. These scammers are patient. I respect patience. I do not respect what they do with it.
In security circles, this is called social engineering — attacks that manipulate human behaviour rather than exploit technical systems. BEC is one of the most financially damaging forms of it. You'll see the term on cyber insurance questionnaires. Now you know exactly what it means.
Here's how it unfolds:
They get in. Either your email or your supplier's email gets compromised — usually through a phishing link someone clicked, or a password weak enough that I'm embarrassed on their behalf. Once inside, they don't announce themselves. They watch.
They wait. The scammer studies your email conversations. Your language. Your suppliers. Your payment habits. Some of them wait weeks. I'll give them this: they're thorough. They're still criminals.
They swap the details. At the right moment — usually when a real invoice is due — they send a version with updated bank account details. The email looks right. The invoice looks right. The sender name looks right. The only thing that's changed is where your money goes.
You pay. They disappear. By the time your real supplier calls asking where their payment is, the money is already overseas. Often unrecoverable. Always avoidable.
It works because it exploits trust, not technology. Keep that in mind.
Why Small Businesses Are the Primary Target
You might assume scammers chase big companies with big paydays.
They do not. Big companies have IT departments. Big companies are boring.
Small businesses are targeted precisely because they're easier. Simpler systems. Fewer checks. Close supplier relationships built on years of trust — which makes a familiar invoice name the last thing you'd question.
The numbers are unambiguous. Small businesses lodged the majority of Australia's 87,400 cybercrime reports in the 2023-24 financial year. BEC was among the top three reported cybercrimes with financial loss. Losses surged 66% in a single year.
This is not a big business problem. It has never been a big business problem.
The Warning Signs
Invoice fraud has tells. I spotted them before finishing my morning coffee. You can too.
Unexpected bank detail changes. Any invoice arriving with updated bank details should trigger one thing immediately: a phone call to your supplier. Use a number you already have. Not one listed in the email. Never one listed in the email.
Urgency language. "Please pay today." "Account closing soon." "Urgent payment required." Pressure is a tactic, not a fact. Slow down. Verify.
Slightly wrong email addresses. An extra letter. A different domain. A hyphen that wasn't there yesterday. Scammers are patient but they're not perfect. Check the full address, not just the display name.
Out-of-character requests. Supplier you've paid by EFT for three years suddenly wants a wire transfer? That's not a new preference. That's a flag.
Requests for secrecy. Legitimate suppliers don't ask you to keep payment arrangements quiet from your own team. That's not how legitimate suppliers operate.
Each of these has a simple solution. None of them requires a degree.
If something feels off — it is. Pick up the phone.
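The address checks described above, written out as an added Python example (not code from the original post): it parses the From: header of an incoming invoice email, compares the display name and domain against a constructed list of trusted supplier contacts, and flags lookalike domains that are within two character edits of a real one.

```python
from email.utils import parseaddr

# Constructed sample data: supplier contacts exactly as your own records hold them.
TRUSTED_SUPPLIERS = {
    "accounts@northside-plumbing.com.au": "Northside Plumbing",
    "billing@acmeoffice.com": "Acme Office Supplies",
}

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one-character substitutions, insertions and deletions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> list[str]:
    """Return warnings for a From: header. An empty list means an exact match to a known supplier."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in TRUSTED_SUPPLIERS:
        return []
    domain = addr.rsplit("@", 1)[-1]
    warnings = []
    for known_addr, name in TRUSTED_SUPPLIERS.items():
        known_domain = known_addr.rsplit("@", 1)[-1]
        # Display name borrows a supplier's name (or even their real address) but the
        # actual sending address is something else: the classic display-name trick.
        if display and (name.lower() in display.lower() or known_addr in display.lower()):
            warnings.append(f"display name '{display}' looks like {name}, but address is {addr}")
        # Domain within two edits of a trusted one: extra letter, swapped letter, added hyphen.
        dist = _edit_distance(domain, known_domain)
        if 0 < dist <= 2:
            warnings.append(f"domain '{domain}' is {dist} edit(s) from trusted '{known_domain}'")
        elif dist == 0:
            warnings.append(f"unknown mailbox '{addr}' on trusted domain '{known_domain}'")
    if not warnings:
        warnings.append(f"address '{addr}' not in supplier records; verify by phone before paying")
    return warnings

if __name__ == "__main__":
    for hdr in ("Northside Plumbing <accounts@northside-plumbinq.com.au>",
                "Acme Office Supplies <billing@acme-office.com>"):
        print(hdr, "->", check_sender(hdr))
```

The distance threshold of two is a tuning choice: larger values catch more variants but also produce more noise on unrelated short domains.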
What To Do Right Now
I've handled more complex situations before breakfast. These three steps will handle this one.
1. Verify every payment change by phone. Every time.
New bank details on an invoice mean one thing: call your supplier directly. Number from your records. Not from the email. This single habit stops the majority of BEC attempts before they start.
2. Turn on multi-factor authentication on your email.
MFA means a scammer with your password still can't get into your account without a second code — usually sent to your phone. Five minutes to set up in Gmail or Outlook. Dramatically harder to compromise. I've had mine on since before it was fashionable.
3. Check your email forwarding rules right now.
Scammers inside your email often set up hidden rules to quietly copy themselves on everything you receive. Go to your email settings. Check for forwarding rules you didn't create. If you find any: delete them, change your password, call your bank.
I've seen the assessment results of businesses like yours. Most are surprised — not because the picture is bleak, but because nobody ever showed them the map. The Essential 8 Gap Assessment does exactly that.
How the Essential 8 Addresses This
The Australian Signals Directorate didn't leave this to chance. They built eight controls — tested, documented, ready to deploy — specifically because threats like this one are predictable. I find that level of preparation admirable.
Multi-factor authentication makes it significantly harder for scammers to compromise your email. Patching applications closes the gaps they exploit. Restricting administrative privileges limits the damage if they do.
Most small businesses know the Essential 8 exists. Most don't know where they stand against it. That's the gap the assessment closes.
Find Out Where You Stand
I've arranged for my businesses to use WISECLICK. The Essential 8 is handled. The gaps are filled. There are no surprises.
I suggest you do the same.
The Essential 8 Gap Assessment takes 20-30 minutes. You get a clear, personalised report — which areas you're covered on, where the gaps are, what to fix first. $149. Fully online. Written for business owners, not IT professionals.
Secure checkout. Australian owned. Report in minutes.
Your business deserves better than hoping for the best.
Stay protected, my friends.
— The Most Secure Man Alive