For a long time, many Australian businesses treated cybersecurity as an IT issue. That thinking is now too narrow. In real life, some of the most important cyber decisions happen in accounts payable, payroll and finance. These teams sit at the point where an email can become a payment, a bank detail change or a salary update. That makes them one of the most attractive targets for scammers. If you run a business in Australia, your accounts team is no longer just handling numbers. They are part of your front line.
What is Business Email Compromise?
The main threat is often called business email compromise, or BEC. According to Cyber.gov.au, BEC is a form of targeted phishing, also called spear phishing. Criminals target organisations to scam them out of money or goods. They also target employees and try to trick them into revealing important business information. In plain terms, this is not random spam. It is a planned attack aimed at the people inside a business who can approve payments, change account details or release sensitive information.
This matters because the scam fits neatly into normal business life. An accounts payable officer expects invoices. A payroll manager expects bank account changes and pay queries. A finance manager expects urgent requests from suppliers, executives and staff. Criminals know this. They do not need to invent a strange story. They only need to send a message that looks close enough to normal to slip past a busy person on a busy day. That is why finance staff are such valuable targets. They have both access and authority.
Cyber.gov.au says criminals can impersonate business representatives by using compromised email accounts or by using a domain name that looks similar to a real business. That means the email may seem genuine at first glance. It may come from what looks like a supplier, a co-worker or even your own business. It may ask for payment of an invoice or request a change to bank account details. These are normal finance tasks, which is exactly why the scam works so well.
What Scamwatch Says
In Australia, Scamwatch highlights one of the most common versions of this crime: the payment redirection scam. In this scam, the victim is deceived into thinking an email is from a real business they know and may already be dealing with. The email looks expected. It may even appear in the same message thread as a real earlier conversation. But one thing has changed: the bank details. Instead of paying the real supplier or service provider, the money goes to the scammer. Scamwatch warns that scammers can also copy business logos and ABNs, making the email even harder to spot.
This is why accounts payable teams are under so much pressure. Their daily job is to process invoices, check supplier details and keep cashflow moving. That workflow is exactly what a criminal wants to exploit. Scamwatch says small businesses are often targeted with emails that include an invoice you were expecting from a client or supplier, but with altered payee and contact details. For an overstretched accounts team, especially near month end or before a public holiday, that sort of message can look routine. A routine-looking scam is far more dangerous than an obvious fake.
Payroll teams are also now a key target. Scamwatch says that in some versions of BEC, a hacker sends an internal email to the accounts team pretending to be the CEO and asking for funds to be urgently transferred. It also says hackers can request that salary payments be directed to a new account. That means payroll staff are being targeted not just because they handle wages, but because a change in payroll details can move money quickly and quietly. For a scammer, that is efficient. For a business, it can create direct financial loss and a major trust problem with staff.
Implementing Better Processes
There is a broader lesson here for Australian business owners. The real risk is not just “bad emails.” The risk is weak process. If your team can change payment details based only on an email, your process is exposed. If one person can approve a large transfer without a second check, your process is exposed. If staff feel pressured to act fast and skip verification, your process is exposed. Cyber.gov.au makes this clear when it says workers should verify unusual or unexpected requests before actioning them and that businesses should introduce policies and procedures to address these risks.
This is where many firms get it wrong. They invest in antivirus, firewalls and software updates, which all matter, but they leave risky payment workflows untouched. Yet Scamwatch’s warning to Australian businesses is practical, not theoretical. It called on businesses to urgently review how they verify and pay accounts and invoices because reports of BEC scams had grown by a third that year. Scamwatch also said businesses reported losses of $2.8 million to these scams in 2018, and that BEC scams accounted for 63 per cent of all business losses reported to Scamwatch, with an average loss of nearly $30,000. Even though those figures are older, the point still lands: email-driven payment fraud causes real damage to Australian businesses.
Would Your Staff Spot a Fake Email?
A skeptical business owner might say, “Surely my staff would spot a fake email.” Maybe. But that misses how these scams work. Scamwatch says the email may be in the same thread as earlier real communication. Cyber.gov.au says criminals may use compromised accounts or lookalike domain names. That means the message can arrive with the right names, the right branding and the right business context. The scam does not rely on poor spelling or silly stories. It relies on trust, habit and timing.
So what should Australian businesses do?
First, treat finance, payroll and accounts payable as high-risk cyber roles. They need stronger procedures, not just occasional awareness emails. Cyber.gov.au recommends introducing an approval process for requests to change payment details or make a large transfer. It also says these requests should be verified by calling the sender on a known and verified phone number, not a number listed in the suspicious email. That is a simple control, but it is powerful because it breaks the scammer’s main weapon: control of the email conversation.
Second, train staff to spot the red flags that matter most in finance. Cyber.gov.au says employees should be cautious of requests for money, especially if they are urgent or overdue, bank account changes, suspicious attachments, unexpected links and requests to confirm login details. Scamwatch adds that scammers rely on three core tactics: impersonation, urgency and emotion. That is useful framing for accounts teams. If a message pushes speed, secrecy or panic, the safest move is usually to slow the process down.
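The two controls above (a call-back to a number already on file, and a second approver for large transfers) can be written down as an explicit gate rather than left to instinct. This is an added example, not code from the article or from Cyber.gov.au; the vendor master record, threshold and phone numbers are constructed placeholders.

```python
# Added example: a gate for supplier bank-detail changes and large transfers.
# It enforces the two controls described in the article: the call-back must use
# the phone number held in the vendor master record (never one taken from the
# email), and a large transfer needs a second approver who is not the requester.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed vendor master record: the phone number here is the ONLY one a
# call-back may use. All values are illustrative placeholders.
VENDOR_MASTER = {
    "acme-supplies": {"bsb": "000-000", "account": "11111111", "phone": "+61 2 0000 0001"},
}

LARGE_TRANSFER_THRESHOLD_AUD = 10_000  # assumed policy threshold, not from the article

@dataclass
class ChangeRequest:
    vendor_id: str
    new_bsb: str
    new_account: str
    phone_in_email: Optional[str]         # contact number the email asked us to call, if any
    requested_by: str                     # staff member who raised the change
    amount_aud: float = 0.0               # value of the payment the change is tied to
    callback_number_used: Optional[str] = None
    callback_confirmed: bool = False      # vendor confirmed the new details on the call
    approvers: List[str] = field(default_factory=list)

def evaluate(req: ChangeRequest) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every failed control is listed, not just the first."""
    reasons: List[str] = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor: nothing on file to verify against"]
    known_phone = vendor["phone"]
    # Control 1: the call-back must go to the number on file. A number supplied
    # in the email is the one the scammer controls, so it never counts.
    if req.callback_number_used != known_phone:
        reasons.append("call-back not made to the phone number on file")
    elif not req.callback_confirmed:
        reasons.append("vendor did not confirm the change during call-back")
    # A contact number in the email that differs from the record is a red flag
    # in its own right and blocks automatic approval.
    if req.phone_in_email and req.phone_in_email != known_phone:
        reasons.append("email supplied a contact number that differs from the master record")
    # Control 2: above the threshold, someone other than the requester must approve.
    if req.amount_aud >= LARGE_TRANSFER_THRESHOLD_AUD:
        if not [a for a in req.approvers if a != req.requested_by]:
            reasons.append("large transfer requires an approver other than the requester")
    return (not reasons), reasons
```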
Third, lock down the email side of the problem. Cyber.gov.au recommends turning on multi-factor authentication for email accounts, protecting domain names, registering similar domain names that could be used for confusion, and setting up SPF, DKIM and DMARC to reduce spoofing risk. Those controls sit behind the scenes, but they matter because many BEC scams start with email compromise or email impersonation. If your business email is easier to fake, your finance team is easier to fool.
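The SPF and DMARC records mentioned above are short DNS text strings, and the difference between a weak and a strict configuration is a few characters. The checker below is an added example, not from the article or any vendor; the records are constructed strings so it runs offline (in practice they would come from a DNS TXT lookup), and DKIM is not covered because it needs a key lookup rather than a policy string.

```python
# Added example: flag SPF and DMARC settings that leave a domain easy to spoof.
# Input is the raw TXT record string; nothing here touches the network.
from typing import Dict, List

def check_spf(record: str) -> List[str]:
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: anyone can send as this domain"]
    last = terms[-1].lower()          # the "all" mechanism decides unlisted senders
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: every sender passes")
    elif last == "?all":
        findings.append("SPF ends in ?all: neutral result, spoofing is not penalised")
    elif last == "~all":
        findings.append("SPF ends in ~all (softfail): rely on DMARC to enforce")
    # "-all" is the strict form and produces no finding
    return findings

def check_dmarc(record: str) -> List[str]:
    findings: List[str] = []
    tags: Dict[str, str] = {}
    for part in record.split(";"):    # DMARC is "tag=value; tag=value; ..."
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers have no policy to apply"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append("DMARC policy missing or invalid")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC applies to only {tags['pct']}% of mail")
    if "rua" not in tags:
        findings.append("no rua address: nobody receives the spoofing reports")
    return findings

# Constructed records: a weak pair beside the hardened pair. example.net and
# example.com.au are placeholder domains.
WEAK = ("v=spf1 include:_spf.example.net ?all", "v=DMARC1; p=none")
HARDENED = ("v=spf1 include:_spf.example.net -all",
            "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com.au")
```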
Fourth, reduce invoice fraud through better systems, not just better instincts. Scamwatch says small businesses should consider eInvoicing to reduce the risk of fake invoice scams. It describes eInvoicing as a standardised, easy and secure way to send and receive invoices directly between suppliers’ and buyers’ software. That is important because it moves invoicing away from the open email channel that scammers love to abuse. For many Australian businesses, especially SMEs, process upgrades like this may do more to reduce fraud than another round of generic cyber posters.
Fifth, plan for the moment something goes wrong. Scamwatch says businesses affected by BEC scams should contact their financial institution immediately and consider professional IT advice to secure their email systems and data. Its business email compromise page also tells victims to act quickly, cut ties with the scammer and call the bank immediately to stop further losses. Speed matters after a fraudulent transfer. A slow response can turn a near miss into a major write-off.
The forward-thinking view is this: accounts teams are not just back-office administrators anymore. In Australia, they are now one of the most exposed groups in the business. They deal with invoices, bank details, large transfers, supplier relationships and payroll data. That gives them operational power, and operational power attracts attackers. Business owners who still think cybersecurity starts and ends with IT are missing where many of the real decisions happen.
The smartest Australian businesses will not just tell their finance teams to “be careful.” They will redesign the workflow around them. They will require call-back checks for bank detail changes. They will use multi-person approval for large payments. They will strengthen email security. They will consider eInvoicing. And they will train staff to slow down when an email tries to create pressure. Because in the end, the question is not whether phishing exists. It does. The real question is whether your accounts team has the authority, process and confidence to stop it. In modern Australian business, that is what the new front line looks like.